Navigating Global Compliance Issues
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
Introduction
In a world facing ever-intensifying regulatory and stakeholder scrutiny, increasing globalisation but also local divergence, it has never been more important – or challenging – for multinational organisations to be able to navigate global compliance issues. How do organisations develop a robust approach to compliance and seek not only to overcome the challenges faced in today’s global market, but also to thrive from them? Drawing on insights across our international team, we explore some of the many compliance challenges posed across the world and what they might mean for organisations.
This chapter serves as a ‘survival guide’ for in-house legal and compliance teams by providing guidance and tools at every stage of the compliance process including – under ‘Preparing for global compliance risks’, below – a checklist tool for managing crises and internal investigations.
Compliance risks and what to be thinking about now
International business expansion has brought countless challenges, few of which are as alarming as the growing exposure to bribery, corruption, money laundering, sanctions allegations and enforcements. As companies move into new and emerging markets, risks of fraud and corruption follow right behind. In response, US and European governments have devised their own legal regimes for counteracting threats to business abroad, as have several governments in other regions. For example, many countries within the Arabian Gulf, Africa, Asia and South America prohibit the bribery of foreign public officials as well as domestic bribery, although with varying levels of enforcement. At the same time, legislators and regulators are imposing ever stricter compliance requirements on companies around the world, from dealing with whistleblowers to preventing human rights violations in supply chains. This has created a labyrinth of legal risks for organisations to navigate. Here, we highlight some of the key ones to be thinking about.
Know the risk vulnerabilities in your business
Behavioural misconduct risks (such as bribery and corruption) depend on the countries you are working in and the nature or sector of your business.
For example, the Asia-Pacific region is a highly dynamic market, comprising a broad spectrum of economic, political and cultural systems. Well-developed and more developing economies reside in close proximity to each other, as do some of the most open and protected markets in the world. Within Transparency International’s Corruption Perceptions Index 2021,[2] there is a diverse range of rankings from New Zealand, Finland and Denmark (each with a score of 88) to North Korea (score of 16) and South Sudan (11). Each country needs to be considered individually when assessing bribery and corruption risks. Some common themes characterise bribery and corruption risks in the Asia-Pacific region:
- deeply rooted traditional influences on east Asian business culture, particularly concerning an emphasis on relationships, giving gifts and reciprocal patronage;
- a record pace and scale of foreign direct investment in some of the rapidly growing economies, particularly Thailand, Indonesia and Vietnam, which has created a flood of capital, and which can be abused by inadequate internal controls;
- massive infrastructure spending – the region is transforming at an unprecedented speed to build hospitals, airports, highways, telecommunications, utilities and high-speed rail; and
- the pressure to sustain and expand growth is profound in the region. One consequence of high single-digit and double-digit growth in the Asia-Pacific emerging economies is an expectation that this will continue indefinitely, leading sometimes to unrealistic targets. This can create a ‘growth at any price’ culture, which can lead to corruption, fraud or unethical behaviour to maintain a growth forward image.
In terms of sector-based risks, considering the financial services sector for example, asset management firms have been the focus of scrutiny by the US Securities and Exchange Commission (SEC) and US Department of Justice (DOJ) for several years. US regulators view sovereign wealth funds as instrumentalities of their respective governments and, accordingly, consider sovereign wealth fund employees to be foreign government officials for the purposes of anti-bribery and corruption enforcement. Consequently, asset management firms need to be particularly careful about assessing the full range of counterparties, clients and other business relationships that may fall with the broad definitions of ‘government officials’ or ‘affiliates’. Similarly, private equity firms and hedge funds that invest in international markets and corporations can find themselves in a dangerous or costly position if anti-bribery violations occur at the portfolio level. This emphasises the need for risk-based anticorruption due diligence procedures to assess bribery and corruption risks and to develop a plan to monitor and mitigate those risks.
Sanctions and trade controls related risks
Various sanctions regimes (and companies’ efforts to comply with them) had already garnered a huge number of compliance resources even before the start of the war in Ukraine in February 2022, with key focuses being on the economic sanctions and other restrictive measures imposed by the European Union and the UK and US governments. The sanctions imposed on Russia in response to the war have brought the importance of compliance with sanctions, export controls and other restrictive measures into sharp focus. It has highlighted how quickly the landscape can change and, therefore, how quickly organisations must be able to adapt. Sanctions and export control compliance is expected to be a key priority for relevant enforcement agencies in the years ahead, including those agencies that impose, administer and enforce sanctions, such as the US Treasury Department’s Office of Foreign Assets Control and the US Commerce Department’s Bureau of Industry and Security in the United States, the Office of Financial Sanctions Implementation in the United Kingdom, the customs office and state prosecutors in Germany and equivalent agencies across EU Member States. Additionally, some industry regulators (e.g., financial services regulators) are expected to focus on ensuring that companies have implemented tailored and effective risk-based sanctions compliance controls.[3]
ESG risks
For major companies, environmental, social and governance (ESG) issues are not a new phenomenon, but the spotlight has intensified. There is now a raft of ESG-related regulations and legal risk issues that did not exist 10 years ago. That will only escalate, leading to greater investigations and enforcement risk, alongside the potential for litigation and reputational damage.
ESG issues do not exist in a vacuum. They are interrelated with, and in some cases are a rebranding of, many other risks, including market abuse and fraud risk relating to company disclosures, public statements and regulatory filings; sanctions and export control risks; and money laundering. All of these can result in criminal liability. A robust approach to compliance and governance issues is therefore essential to protect against a range of ESG and related risks.
Global compliance teams should be alive to the risks arising from increased scrutiny of company disclosures and public statements on ESG. There is a strong focus on what companies are saying about their ESG efforts and the impact of the ESG agenda on their business and outlook. As with all company disclosures, public statements about ESG issues need to be carefully calibrated and reflect reality to avoid any allegations of ‘greenwashing’, fraud or breach of market regulations. Assurance and verification are therefore key.
It will also be important for compliance teams to keep up to date with the fast-evolving law in this area. In the past five years, many new laws have been enacted in respect of transparency and due diligence within supply chains. More laws are on the horizon that will create further due diligence and related obligations on companies aimed at identifying, preventing and mitigating actual and potential adverse effects on human rights, including labour rights, and the environment. In this context, the European Commission’s proposal on sustainable corporate governance includes a proposed Directive that would create obligations on large companies (and smaller companies in particularly sensitive sectors) to carry out due diligence in their global supply chains with the above-mentioned aims.
Compliance teams will have to consider whether they need to adapt their existing processes to meet the differing requirements of the various laws to which they may be subject. This may include updating their risk assessment processes and codes of conduct and policies, reviewing supplier due diligence and management processes, considering whether further contractual assurances from business partners are required, establishing or amending complaint mechanisms, and ensuring monitoring procedures sufficiently take into account ESG issues.
The focus on ESG brings the need for robust compliance and governance into sharp focus. On the one hand, this creates even greater pressure on compliance measures but it also creates an opportunity for compliance teams when looking to justify investment or seeking board buy-in for certain activities.
Cybersecurity risks
In the wake of high-profile cyberattacks during the past few years, and particularly in the midst of the global pandemic when many organisations were operating more remotely than ever, organisations have had to focus their attention increasingly on cybersecurity, and the relevant policies and procedures to prevent and minimise the damage caused by cyberattacks. Attackers are becoming ever more professional and phenomena such as hackers for hire or state-sponsored hackers are blurring the lines between organised crime and cyberwarfare. Cyberattacks can come in many forms. One of the most well known is ransomware, a type of hack in which the perpetrator encrypts a company’s data or otherwise disrupts a company’s systems and will only release the data or cease the interruption if paid a ransom. Often, failure to pay can result in the destruction or leak of the data. Ransomware attacks create many difficult issues, including potential criminal risk if compliance with the ransom is itself a crime. For example, payment of monies to a hacker may risk breaching anti-money laundering or economic sanctions laws.
Fraud risks
Fraud risks can manifest for global companies in many ways, including a company being targeted by fraudsters or somehow being used by rogue actors internally or externally to perpetrate or facilitate fraud. The risks here can evolve quickly. For example, as countries across the world implemented lockdowns and restrictions during the covid-19 pandemic, reliance on online activity increased, not only for business continuation but also to enable people to buy essential goods online, leading to a spike in online scams and frauds.[4]
Transactional risk
Compliance should always be at the heart of transactional considerations, given the growing risks of transactions involving compliance issues. In an increasing number of jurisdictions, an acquiror can be exposed to successor liability if a company in which it acquires a significant stake has engaged in improper activities and adequate due diligence or remedial measures were not undertaken by the acquiror. If transactional teams are not properly attuned to these compliance issues, sellers can become subject to warranty claims (to the extent that these are available) and buyers will not receive the company they thought they were receiving (and getting what they have paid for it), or, even worse, be subjects themselves of regulatory action. The compliance issues and risk inherent in transactions should be a clear message that traditionally back-office functions should be front of mind for transaction teams.[5]
Preparing for global compliance risks
Here, we discuss the essentials of an effective compliance framework to help companies prepare for and survive global compliance risks. These are key areas to commit appropriate resources to mitigate business risks.
Compliance framework
At a basic level, companies should have robust internal systems, policies, procedures and functions to ensure that a culture of compliance is entrenched in the company structure. At a minimum, companies should adopt a clear code of conduct tailored to the company’s risk profile that is easy to understand and provides examples relevant to the organisation. A company’s code of conduct should be published and openly circulated. The company should require all members of the organisations – including intermediaries, third parties and others acting on its behalf – regardless of seniority, to adhere to the code, rules and regulations for both inside and outside the workplace. New joiners should be required to read and understand the code of conduct. A robust internal audit function that reports to an independent risk and audit committee, or similar, has a key role in checking adherence to the relevant policies and rules. Internal audit functions also need to be properly staffed and resourced by experienced professionals. Audits and risk assessments should be carried out frequently to keep diligence and investigation functions on their toes.
Although these elements of a compliance framework apply to all companies, additional attention is required for the risks specific to a given company’s business. For example, oil and gas, and logistics and distribution companies should ensure that appropriate attention is afforded to anti-bribery and anti-corruption policies, and that diligence of counterparties is appropriately thorough. Pharmaceutical companies would need a similar approach to government tender issues and transparency through procurement, while care must be given in particular by financial institutions to the highly developed anti-money laundering and counter-terrorist financing landscape.
Corporate culture and training
Although difficult to define, all members of an organisation understand its culture as ‘the way we do things around here’. Ensuring that a proper compliance framework is in place is key to a company’s compliance robustness, but the effectiveness of governance still depends on the culture and ethos of the organisation. As one legendary management consultant put it: ‘Culture eats strategy for breakfast.’[6] A culture of integrity and openness will allow employees to raise and deal with compliance issues far better than an institution with well-written procedures but whose policies are not followed in practice. Fostering culture starts with the board and top management expressing and reinforcing the culture of the company. Culture is further reinforced through regular training.
Board engagement and tone from the top – not forgetting the middle!
In any organisation, keeping compliance front of mind and on the agenda for any board and middle management is key. Board and middle management engagement is an essential way of ensuring that any change required in anticipation of (or in the wake of) an emergency can be implemented across the company as thoroughly as possible. Furthermore, training members of the board and middle management on compliance issues is important to ensure that they become models of compliance for the rest of the company. The example set by members of the board or middle management will be key in establishing a rigorous internal compliance framework to ‘walk the talk’ when it comes to internal group policies. It is also important to ensure that attitudes to compliance by board members and senior staff are proactive. Many boards already embrace compliance as a key function to ensure that the organisation and its people are protected. But compliance functions inevitably have to compete with many other issues for a board’s attention – making sure there is a standing or regular item on board agendas to address compliance issues can help keep it front of mind. Boards and middle management should be aware that their actions in the wake of a crisis can be closely scrutinised, from within or outside the company, and ensuring that members are properly aware of, and trained about, relevant issues is the best way of ensuring that boards handle compliance issues properly, as and when they arise.
Speak up and listen
‘Speak up’ or whistleblowing programmes involve an internal or external company hotline that allows employees and directors (and sometimes third parties) to report misconduct anonymously. To be effective, companies need to ensure that reports go to an independent person distinct from management; that person should have a communication channel with the anonymous whistleblower. Companies need to know how to handle whistleblower reports and when to initiate an internal investigation. To be effective, whistleblower programmes should also be publicised to the persons who are to use it – no system, however robust, will be of much use to a company if employees and directors are not aware of it.
As well as fostering a speak-up culture, companies also need to ensure that any whistleblower reports reach trained ears. Recipients should be independent and undertake training on receiving and handling complaints, specifically on how to escalate issues in the correct way, as well as being as open and transparent as possible in dealing with those who are making complaints. In the Middle East and North Africa, for example, where whistleblower laws and programmes are emerging, training compliance professionals on how to manage complaints and when to conduct an internal investigation or escalate issues is key. There can be a perception that there are no issues to address, when in fact there could be a lack of a speak-up culture, or compliance is not aware of how to manage reports.
Employee monitoring
Monitoring is a key aspect of compliance, although monitoring and reviewing employees’ communications and activities must always be done in compliance with applicable employment, data protection and privacy and telecommunications laws, as well as company policy. The legal context may vary considerably across jurisdictions. Global companies will face a whole spectrum from very robust and established data privacy laws to those that are more nascent and untested to countries where no specific data privacy legislation exists (although other legal mechanisms may be relevant, such as any constitutional right to privacy). Compliance teams should consider:
- the legal basis for any monitoring;
- whether consent or advance notice to the employee is required, the form that should take and any restrictions or limitations on the degree of reliance on that consent or notification. For example, consider whether the consent has to be freely given and whether that is possible in the employer/employee context;
- the scope of data collected and how it will be reviewed and stored. For example, Article 5 of the European Union’s General Data Protect Regulation (GDPR) enshrines principles such as data minimisation, storage limitation and purpose limitation. New data protection laws implemented throughout the Arabian Gulf countries in the past few years mirror these principles;
- whether any types of data are considered sensitive or otherwise within a special category that requires extra care or specific procedures;
- whether there are restrictions on exporting the data out of the jurisdiction or transferring data to another entity. For example, China has passed a number of laws in recent years that have gradually tightened the flow of data from China to other jurisdictions – most recently the Data Security Law and Personal Information Protection Law, effective from September 2021 and November 2021, respectively;
- what documentation may be required. For example, under the GDPR, organisations should record the measures they have taken with regard to data and data privacy (for example, during an investigation).[7] This is important because the risk of a potential audit from a supervisory authority is real, especially as data privacy is often used as a weapon by individuals who are the subject of an investigation and who may face disciplinary or other action. Other documentation may be required, including contractual protections in agreements with relevant third parties or intercompany data transfer agreements to ensure that group data transfers are compliant with local data transfer restrictions; and
- any other steps that may be required to ensure fair treatment of employees and compliance with the relevant local laws.
In considering how to apply global standards, particularly if internal investigations may be conducted across borders or even continents, the best practice is to adhere to the highest common denominator of privacy standards in the applicable jurisdictions. Furthermore, companies should consider having appropriate policies in place as regards acceptable use and investigation, and ensure that they update any consent requirements under employment agreements where applicable.
Due diligence and risk assessments
For a compliance framework to be effective, it is crucial to consider conducting regular due diligence of third parties (e.g., vendors and distributors) as well as conducting periodic risk assessments. Due diligence helps to mitigate the risk of a company working with sanctioned persons, related parties, or exposing themselves to corruption or risks relating to environmental, social and governance (ESG) issues. As mentioned, the type and extent of diligence procedures with third parties will vary for each company or transaction, with certain risks posing a greater threat to companies in different sectors. However, putting policies in place and providing the appropriate training to employees for them to know which type or level of due diligence applies in a given situation is key. Additionally, external advisers and lawyers should be instructed where appropriate as early as possible to assist in any such diligence exercise, especially where the due diligence requirements are extensive.
Furthermore, due diligence can vary in scope. Companies may consider screening customers and counterparties to check whether they are sanctioned, and carry out standard anti-money laundering and know-your-customer checks. In addition, there may be higher standards for due diligence in certain areas in light of regulators’ focus on bribery and ESG issues (where a company’s reputation can be as important as its adherence to regulation for a company’s business).
Risks assessments, typically conducted by consultant lawyers and accountants, can also be a useful tool to measure compliance effectiveness in a specific area or function and may provide strategies for enhancement.
What to do when something goes wrong: survival checklist
When misconduct occurs, companies need to respond quickly to contain, manage and remedy the crisis. The first step is to determine the nature of the misconduct, gather preliminary facts about the issue, immediately stop any ongoing violations and, where necessary, assemble an independent team to investigate the alleged misconduct.
Where allegations of behavioural misconduct occur, companies might consider whether to conduct an internal investigation and whether to engage external consultants to assist. Companies might also consider which protocols or policies could apply and ensure that the investigation team is aware of them. To assist in-house counsel and compliance professionals in managing these often time-critical situations, we have set out a checklist of practical considerations and steps a company might consider taking when faced with allegations of misconduct (see appendix at the end of this chapter).
The checklist is not intended to be an exhaustive list of what to do and how to react in the event of a crisis or investigation, but it is a helpful guide to some of the key issues to consider. Depending on the nature of the incident, various items in the checklist may need to be reordered or prioritised. The checklist should also be supplemented with professional advice where necessary, particularly in the event of time-sensitive or cybersecurity incidents.
What to do next and going forward
When the dust from any incident, crisis or investigation has settled, organisations should ensure that they are proactive in implementing any necessary changes and taking the business forward, having learned the lessons of any investigation. This is a key factor in business resilience – the ability to overcome difficult situations.
Remediation
Remedial issues should be a priority coming out of any critical situation, as good organisations will want to ensure that lessons have been learned and the same mistakes are not repeated. Accordingly, it is critical that organisations conduct investigations into exactly what went wrong in a specific situation, where mistakes were made, and what should have been done instead, while taking care to avoid any damaging tendencies, such as scapegoating employees unfairly.
Once an organisation has assessed and identified learning points from a situation, it is important that appropriate changes are implemented, rather than the matter just being filed away in a report. Additionally, training should be delivered to, and conversations may need to be had with, key employees in a constructive way, to avoid any similar mistakes being repeated. The organisation should also use the incident as a case study to teach other and future employees.
Board and middle management engagement
As mentioned previously, organisations should ensure that the members of their boards and middle management engage with compliance issues at all times, but this is particularly relevant in the context of remedial efforts following alleged misconduct or other crisis response. Companies might consider providing board members and middle management with specific training on how to deal with alleged misconduct, and directors should take this into consideration when making decisions about any changes to their business.
Corporate culture and governance
The way in which organisations react and adapt to alleged misconduct contributes to the tone for the culture and governance of those organisations. Implementing and instilling an appropriate corporate culture is not about working to guarantee that no compliance issues arise, but rather, if issues do arise, that they are dealt with transparently and effectively.
Culture, therefore, is key not just to the elements of good practice in the course of normal operations, but also during times of crisis and post-crisis. A culture of integrity will ensure that where mistakes perhaps are made in an organisation, a positive business culture will mean that people avoid pointing fingers or playing the blame game, but instead focus on how to improve and avoid similar mistakes in the future.
Conclusion
Navigating global compliance is a crucial component of modern international business, and companies should be prepared to mitigate global compliance risks to retain their competitive position in a global business environment. This survival guide has provided a number of tools for what legal and compliance professionals need to be thinking about and doing, and how to do them. Companies would do well to treat these issues with due importance. With the proper consideration, preparedness and response of a business’ various compliance risks, particularly by bringing such considerations to front of mind in any operations, companies will be better positioned to mitigate global compliance risks. Furthermore, companies that are most attuned to the risks of compliance pitfalls can ensure their own robustness and resilience in an increasingly competitive business environment.
APPENDIX
Survival checklist for managing legal risks when misconduct occurs
The following tables could be expanded to include additional columns or devices to indicate responsibilities, deadlines by which tasks should be completed, the level of urgency or status of tasks.
| 1 | Preliminary fact gathering | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Preliminary explanation of what occurred and why: who, what, where and why? |
| ▢ | How was it discovered? |
| ▢ | Who has knowledge or would have potentially relevant documents or information? |
| ▢ | What is the value? Currency of transactions? |
| ▢ | Nationality of persons involved or management? |
| ▢ | What initial risks could there be (in country, above country)? Regulatory risk? Immediate reporting obligation? |
| ▢ | Are there immediate risks that need to be contained or risk of ongoing harm or ongoing violations of law that need to be addressed? |
| 2 | Investigation team/External advice Is an internal investigation needed or is internal/external advice sufficient? Key considerations in deciding whether external advice is needed: | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Is there a risk of a government investigation or private litigation? |
| ▢ | Are there reputational risks? |
| ▢ | Do other risks arise due to the use of US dollar or the existence of certain nationals (US, UK) involved? |
| ▢ | Does legal privilege apply and what is required to maintain that privilege? |
| ▢ | How significant is the incident (remembering that significance may not always be measured in direct financial impact)? |
| ▢ | Is data in jeopardy of being tampered with or lost? |
| 3 | Assembling the investigation team Who is best placed to join the investigation team? | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Independent in-house counsel |
| ▢ | External legal counsel |
| ▢ | External forensic consultants |
| Lawyers are usually best placed to manage and advise on a company’s legal risks and managing an internal investigation. The team should be independent and report to appropriately senior levels within the company. Reporting lines should take into account any potential for actual or perceived conflict of interest. The team should act in accordance with the company’s investigation policy (if any). Once the team is assembled, develop an investigation governance plan and delegate tasks in this checklist that may be run concurrently or reprioritised depending on the nature of the investigation. | |
| 4 | Preservation of documents and people | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Who has knowledge of what occurred, where are they based, and are they suspected of any wrongdoing? |
| ▢ | Who would hold potentially relevant documents and where are they based? |
| ▢ | Are any documents in physical form? |
| ▢ | Who would want access to the data? |
| ▢ | Anyone who holds potentially relevant documents or information is a ‘custodian’ for the purpose of an internal investigation. |
| ▢ | Should a preservation notice be sent to custodians to notify them to preserve potentially relevant documents and any legal obligations to which the company may be subject? |
| ▢ | Should data be held electronically or imaged (have appropriate steps been taken to ensure any data collection complies with relevant data privacy laws)? |
| ▢ | Do any actions need to be taken to secure data before any individuals leave employment? |
| 5 | Communications strategy | |
|---|---|
| 🗹 | Checklist task |
| ▢ | If the allegations were true, would reputational risks arise for the company? |
| ▢ | Is there a risk the company’s share price could be affected? |
| ▢ | Is there financing that could be affected by the news of the allegations or is it required to notify financiers? |
| ▢ | Are there other stakeholders, even employees, who will need to understand what is happening and what the company is doing to manage it? |
| ▢ | Could legal privilege be compromised if information is disclosed? |
| ▢ | Could communications result in admissions of liability? |
| 6 | Structuring the investigation and legal privilege Structuring the investigation is an important matter that needs to be considered in the early stages of any investigation and when preparing the investigation plan. It will often shape other considerations such as data preservation, collection and interviews. Legal privilege is of vital importance to any company or business that may be subject to external investigation or litigation. Thus, while taking best practice global approaches in structuring investigations, local privilege laws or related protections must also be properly considered. | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Which jurisdictions are involved in the investigation? To what extent does legal privilege apply in those jurisdictions? |
| ▢ | Where did the alleged misconduct occur? Where do the managers sit? |
| ▢ | Where are the investigators located? |
| ▢ | Are the allegations confidential or public? |
| ▢ | What types of risks does the company or management face? |
| ▢ | Where will interviews be conducted? |
| ▢ | How can business interruption risks be minimised? |
| ▢ | What form will the investigation report take and what risks are associated with the form of reporting? |
| ▢ | How will the company deal with collateral findings? |
| 7 | Consider data protection laws and data subject rights In the context of an internal investigation, data protection and employee monitoring laws can place restrictions on the processing, review, collection, storage and transfer of data. Several factors should be considered. | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Where is the data located? |
| ▢ | Where will data be stored for review? Is the platform secure? |
| ▢ | What are data subject rights around personal data in the applicable jurisdictions? |
| ▢ | Are any data transfers contemplated? What are the relevant laws relating to data transfers? |
| ▢ | Does the company have inter-group transfer agreements in place? |
| ▢ | What is the legal basis for the processing of the data? |
| 8 | Data collection and review | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Does data need to be collected or preserved to fact-find around the allegations? |
| ▢ | How will data collection preserve the integrity of the data (i.e., without changing the metadata and to prove that the data has not be tampered with)? |
| ▢ | Will evidence be required for formal proceedings? |
| ▢ | What do the company’s acceptable use policy, investigations policy and employment policies and agreements say about data collection, processing or review? |
| ▢ | Are there paper documents that need to be digitised? |
| ▢ | Is the company required to conduct an impact assessment before reviewing voluminous data? |
| ▢ | Is a chain of custody form required? |
| ▢ | Is an external consultant required to image data and thereby preserve its integrity? |
| 9 | Conducting interviews There is no one-size-fits-all approach to conducting investigations and the investigation team needs to consider the nuances of the allegations and jurisdictions in which they are working. | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Where are the interviewees based and what rules or rights apply in those jurisdictions? |
| ▢ | What procedural requirements apply for conducting interviews in the applicable jurisdictions? |
| ▢ | Do notices need to be issued before the interviews? What potential consequences may arise from the interviews? |
| ▢ | Which languages do the interviewees speak and understand? |
| ▢ | What is the level of seniority of the interviewees? |
| ▢ | What is the best way to conduct the interviews to put the interviewees at ease, elicit information and limit information leaks? |
| ▢ | Where will the interviews be held? |
| ▢ | If interviews will be held virtually, how will associated risks be minimised? |
| ▢ | How will the interviews be recorded and what legal privilege considerations apply? |
| 10 | Closer assessment of regulatory/reporting risks In many jurisdictions, companies have a responsibility to report certain incidents as and when they arise, such as a data breach. Seeking legal advice is key in making a decision to report and deciding the form and wording of any report. | |
|---|---|
| 🗹 | Checklist task |
| ▢ | Given the alleged misconduct, what reporting requirements could arise? |
| ▢ | What is the timing of such reporting? |
| ▢ | When are such reporting obligations triggered? |
| ▢ | What considerations apply if a potential self-reporting obligation arises? |
| ▢ | Does the company face any reputational risks for reporting or failing to report? |
| 11 | Remedial issues From any investigation, lessons are learned to remedy failures and strengthen business culture and controls. | |
|---|---|
| 🗹 | Checklist task |
| ▢ | What policies, procedures or controls could be improved? |
| ▢ | How can compliance frameworks be enhanced? |
| ▢ | How can business culture be strengthened? |
| ▢ | Was the misconduct reported through a whistleblower line? If so, what was the effect on the whistleblower? What could be improved? If not reported, how could speak-up programmes be improved to detect incidents sooner? |
| ▢ | How can training programmes be improved? |
| ▢ | How can management and the board be more engaged? |
Footnotes
[1] Ali Sallaway, Daniel Travers and Xin Liu are partners and Zara Merali is a counsel at Freshfields Bruckhaus Deringer LLP. The authors would like to thank their colleagues Marco Hughes (trainee solicitor) for his invaluable research assistance and contributions, and Andrew Bulovsky (associate) for his contributions.
[2] See https://www.transparency.org/en/cpi/2021 (last accessed 28 June 2022). The scores are on a scale from 0 (highly corrupt) to 100 (very clean).
[3] For broader discussions and additional information on sanctions, see Global Investigations Review’s Guide to Sanctions.
[4] A good example is the many online scams that have posed as government support measures to take advantage of the fear and uncertainty of many individuals and business owners, such as fraudulent schemes regarding the United States’ Paycheck Protection Program, in which individuals have been charged and convicted for bank fraud, money laundering and submitting false statements to financial institutions.
[5] See also the chapter titled Compliance in Corporate Transactions in this Guide.
[6] This statement is commonly attributed to Peter Drucker (1909–2005), management consultant and writer.
[7] For example, under Article 30 of the General Data Protection Regulation.