The Evolution of Risk Management in Global Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content.

2.1 Introduction

This chapter addresses the myriad potential avenues for a control environment to be compromised and for an area of risk or investigation to be identified, either proactively or reactively, by a corporate. It also highlights key developments and changes we have observed in the past year regarding risk management and global investigations. First, the chapter provides a close look at some of the primary triggers or sources of investigations for corporates from both an internal and external perspective. Second, it considers some of the challenges in conducting remote investigations in a work-from-home environment. Third, we discuss developing environmental, social and governance (ESG) issues – an increasing focus for law enforcement and regulatory authorities. The chapter concludes with a brief discussion on a question commonly asked by many corporations today: which corporate function (e.g., legal, compliance, or both) should be responsible for overseeing and conducting which types of investigations?

2.2 Sources and triggers of corporate investigations

Corporate investigations can be triggered by internal and external sources. Corporations often spearhead their own investigations in response to whistleblower reports concerning actual or suspected violations of law or company policy, or to assess the scope of potential problems and risks identified in routine due diligence, compliance reviews, and financial audits. However, corporations may also find themselves the targets of investigations commenced by law enforcement and regulatory authorities, such as the US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO). External investigations can also arise from customer or competitor complaints, media reports or even changing political and policy agendas. We describe these and other common triggers or sources of investigations below.

2.2.1 Internal investigations

2.2.1.1 Internal whistleblowers

A substantial proportion of matters under investigation arise through a company’s own policy and process for whistleblower complaints, such as through employee helplines, staff exit interviews and voluntary communications by current and former employees.

Most corporations today have a reporting mechanism through which employees, customers and members of the public can report (sometimes anonymously) actual or potential problems that pose risk to the company. The number of whistleblower complaints a company receives does not necessarily reflect the health of a company or its ability to detect risk. For example, a small number of complaints may reflect a company’s strong compliance culture, or, conversely, a culture in which employees hesitate to make complaints out of fear of losing their jobs. On the other hand, a significant flow of concerns may reflect a more risk-aware body of employees who feel free to raise issues without jeopardy, or a body of employees who do not take compliance seriously and face no consequences for escalating frivolous complaints.

Reports suggest that an increasing number of employees in the United Kingdom have been blowing the whistle as a direct result of the covid-19 pandemic. The issues observed in this increase relate to such topics as abuse of the furlough and business support schemes; unsafe working environments; regulatory breaches caused by reduced supervision as more employees work remotely; and breaches emanating from economic and financial hardship brought on by the pandemic.2 We are also seeing an increase in whistleblowing activity in the United States, Europe and the United Kingdom relating to social issues, including (but not limited to) diversity and inclusion, inequality, under-representation and discrimination.

Greater protection is being built in for whistleblowers by legislative changes, which may further increase the number of concerns we see raised.3 For example, the Whistleblower Protection Directive is due to be implemented by EU Member States by 17 December 2021, and this will give protection to any person working in the private or public sector who makes a report regarding an alleged breach of EU law in a work-related context. The protection is wide and includes all current, former and prospective employees as well as contractors, unpaid trainees or volunteers. It applies to all businesses and government bodies with 250 or more employees from 17 December 2021,4 and UK and US companies with a footprint in the European Union will need to consider whether their whistleblower policies and procedures are sufficient to meet new standards.

2.2.1.2 Audits and reviews

Internal investigations may also be triggered by periodic audits and reviews. Many companies must by law conduct some form of internal audit or review concerning the truth and accuracy of their financial books and accounts. These audits are typically conducted annually by an independent audit firm, and the results are usually recorded in a written report. If any errors, gaps or other potential risks are identified, a company may decide to investigate and remediate any problems before the next report.

Corporations often conduct internal reviews to assess whether and to what extent their policies and procedures are adequately designed to detect and remediate risk. These reviews (risk assessments) can be performed by a law firm, or by a company’s internal legal or compliance function (albeit with some privilege concerns for assessments conducted without counsel). Like financial audits, corporations may choose to investigate problems identified in these reviews, especially those that pose the greatest legal, financial or reputational risk to corporations and their business.

2.2.1.3 Transactional due diligence

Corporate transactions, such as mergers, acquisitions and joint ventures, are another common trigger for internal investigations. Corporations customarily conduct due diligence to identify any hidden risks presented by a target or counterparty. Particular attention should be given to areas that can give rise to successor liability.

While a corporation should consider various factors before entering into a transaction, some of the common due diligence considerations include whether the other entity:

  • is sanctioned or has been subject to economic sanctions within the past five years;
  • has a robust compliance programme that adequately accounts for relevant risks;
  • is owned or controlled by a government official or a government body;
  • has significant financial debts or liabilities;
  • has been the subject of an external investigation brought by a regulator or law enforcement authority; and
  • has been the subject of any litigation involving fraud or other allegations of illegality within the past five years.

Pre-transaction due diligence in the above-listed areas (and others) is crucial. This is especially so due to the disruption and rapid change impacting businesses and corporate supply chains due to the covid-19 pandemic. Many industries face new inherent risks in their business (for instance, due to factors such as increased digitisation, reduced time spent vetting new business partners and ventures, or higher costs paired with reduced supply forcing businesses to make fast decisions on key issues). Conducting thorough and well-timed due diligence has never been more important to reduce the risk of entering into a transaction that could be financially and reputationally damaging, and to provide leverage to companies that later find themselves in the crosshairs of a government investigation. For example, in its FCPA Corporate Enforcement Policy, the DOJ has stated that there is a presumption of declination for an acquirer that conducts effective pre-transactional due diligence, remediates, folds the acquired entity into its compliance programme and voluntarily discloses the conduct.5

Whatever risk factor is being investigated, not only the primary due diligence activities, but also the response to the information delivered by standard or enhanced due diligence, may stimulate wider investigation. The initial response separates the strong organisation from the weak and moves compliance culture from a tick-box habit to best-in-class governance and control.6

2.2.2 External investigations

2.2.2.1 Contact by regulatory and law enforcement authorities

In the UK regulated sector, where ongoing open and transparent dialogue is expected between corporations and their regulators, it is comparatively rare for a business to find out about issues for the first time as a result of unilateral contact from a regulator. Ordinarily, the regulated entity’s report to the regulator leads to further investigation. By contrast, however, contact from prosecutors, competition authorities and, in certain circumstances, civil litigants, may occur without prior warning. In the United States, corporations frequently learn about an investigation for the first time from prosecutors, and criminal referrals from regulatory agencies to the DOJ are common.

But all companies, regardless of where they are located, should ask the following initial questions when approached by an authority:

  • Is the company a target or subject of the inquiry, or is the authority simply looking for information from the company related to another’s conduct?
  • What information is the authority looking for?
  • In what formats is the authority seeking information (e.g., emails, text messages, interviews)?
  • How much information is the authority seeking (e.g., from the past 10 years)?
  • Is the authority interested in a specific business line or area of the company?

Another initial question companies should ask is whether the investigation is being carried out by a regulator or prosecutor. A company may be inclined to treat these two types of organisations synonymously, but they discharge different duties, possess different (although sometimes overlapping) powers, and have different expectations regarding cooperation. Accordingly, a company’s approach to dealing with a regulator may need to differ from its response to dealing with a criminal prosecutor’s office.

A prosecutor investigating a matter is normally seeking evidence to decide whether a crime has occurred and whether individuals or the company should be criminally charged. If it proceeds with a prosecution, it carries the burden of proof (with certain limited jurisdictional and subject-matter exceptions). Apart from specific mandatory reporting regimes,7 there is no obligation to volunteer information about misconduct to a prosecutor in the absence of a subpoena, warrant or other court order. It is an offence to obstruct an investigation, but obstruction does not extend to failure to volunteer evidence in the absence of compulsion; however, the provision of false, misleading or incomplete information to a prosecutor could amount to an offence of obstruction of justice in the United States or perverting the course of public justice in the United Kingdom. In the United States, it is a crime to destroy evidence, even in the absence of compulsion or the initiation of a proceeding, when the purpose is to avoid its disclosure in an anticipated criminal or regulatory investigation or proceeding.8 Further, the Fifth Amendment right against self-incrimination extends only to individuals, not corporations. Therefore, ancillary Fifth Amendment protections, such as the act of production doctrine, which permits an individual to hold back documents if the mere act of producing them, as opposed to their content, will be incriminating, do not apply to corporates.10

In dealings with UK prosecutors, while opportunities for mitigation and leniency exist through demonstrable co-operation11 (and a company may regret not being able to obtain co-operation credit later on), co-operation is a matter of pragmatic choice rather than legal obligation. The starting point remains unchanged: under what valid power does the prosecutor seek the evidence, what are the company’s reasonable defences and how tactically does the company respond? While principles of co-operation with government agencies in the hope of gaining leniency or mitigation are more clearly defined and have a longer tradition in the United States, the general rule of law remains intact and questions of powers, defences and tactics are no less germane.12

Where a prosecutor, police or investigative agency, competition authority or other public body serves a subpoena, order or warrant entitling it to documents and electronic information, or to enter, search and seize, monitor or restrain, the challenge for the affected organisation is twofold: (1) to provide information or permit access and activity within the confines of the power granted; and (2) to ensure the company is not left behind (and preferably remains in front) in its own understanding of the relevant facts.

In the United States, grand jury subpoenas are the most common tool prosecutors use to gather information against a corporation in a criminal investigation. Various civil and regulatory enforcement agencies, such as the US Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission, may also issue subpoenas. General principles to follow when responding to a subpoena include issuing hold notices to the relevant employees and, if appropriate, third parties, to ensure that all information requested or potentially relevant to the enquiry (emails, other electronically stored information, hard-copy documents, etc.) is retained; controlling insider lists to identify those now aware of facts that may constitute inside information; preparing witness lists (to ensure they do not receive updates or advice on the matter, which may contaminate their evidence); and giving consideration to the treatment of witnesses (whether they require independent legal advice, or should be removed from the office environment through suspension or relocation so as not to risk evidence tampering, collusion or undue influence over other witnesses). In a criminal matter, defence counsel will almost always engage with the prosecutor to determine the company’s status as a witness (potentially having relevant information, but no criminal liability), subject (the largest category, in which the government does not yet have sufficient information to determine criminal liability) or target (the government is gathering evidence to bring criminal charges against the company).13 Counsel will also almost certainly work to narrow the scope of the information requested.

A number of important general principles apply also to the execution of search warrants and the conduct of dawn raids:

  • The order or warrant must be reviewed to ensure that the party serving or executing it has the requisite power. (Does it catch the correct entity? Is it the correct site or office? Are the search area and the items the authorities are searching for described with the requisite particularity? Are there date or time discrepancies? Is it signed or executed? In the United Kingdom, does it bear the correct court seal? Does the person conducting the inspection have the requisite authority in that jurisdiction?)
  • All relevant parties need to ensure the full scope and context of the search is understood (and where electronic searches are undertaken, endeavour to agree on relevant keyword searches and the exclusion of out-of-scope material, such as privileged documents or personal data).
  • As with a subpoena, it will generally be necessary to issue hold notices immediately after receipt of the order or warrant with instructions not to destroy or spoil evidence or to give false or misleading information. As well as the obvious practical importance of preserving relevant evidence, there is also significant value in being seen to co-operate as an initial response.
  • Individuals executing the order should be subject to identity verification to ensure that execution is in accordance with the terms of the order and that their identification is recorded (in the event that the order is breached and an individual’s identity becomes relevant to any proceedings arising as a consequence).
  • Staff, including reception and a designated dawn raid team, should be trained in advance as to how to conduct any interaction with investigators from the moment of first access to the premises. This includes training and instruction on not answering apparently casual questions on the subject of the search. The informal question to the unready on the walk along the corridor is a well-established source of information for experienced investigators. Any questions asked of staff and their responses should be noted. Employees may be informed of their legal rights not to speak to investigators and their right to counsel. Additionally, if the company is willing, the employees may be told that the company will provide legal counsel to them at no cost if investigators wish to speak to them or if they are later contacted. The company may not, however, instruct employees not to speak to investigators. That is the employee’s choice.
  • A separate room should be set aside as a base for investigators and discussions between legal function representatives and the visitors so that debate and investigative activity does not take place within earshot of those under investigation.
  • Local IT support (technology, plus a nominated IT representative) should be made available in the same room to ensure the IT environment can be explained to investigators and accessed. A log of access and copies of materials reviewed or seized should be made as the matter progresses so that a company’s own investigators and lawyers can subsequently review the same material and evaluate compliance with the order or warrant.
  • A written log should be kept of all places searched, items seized and staff interviewed. Legal counsel should be present, if possible, to assert objections based on the attorney–client privilege, to identify commercially sensitive information or the sensitive personal information of customers or employees and to object if the search exceeds its authorisation. None of this, however, can be obstructive. The remedy for an improper search or seizure is to be had in court, not while the search is being conducted.
  • Seek to agree with the investigators in advance on the definition and scope of principles such as legal privilege, commercial confidentiality, relevance, personal data and other material the company would contend falls outside the terms of the order, and to a protocol for handling these materials during and after the search.
  • Consider whether it is necessary and appropriate to prepare a press release or public disclosure (e.g., stock exchange announcement) confirming the on-site inspection and its scope or purpose. In the United States, it may be advisable to convene a ‘town hall’ meeting with employees to discuss the search and the looming investigation, but in the United Kingdom, this practice is not favoured as it could tip off individuals who do not intend to comply, triggering evidence tampering or impacting the integrity of witness testimony.

2.2.2.2 Media coverage

Unexpected media reports or more aggressive or intrusive media behaviour (such as undercover investigative journalism) can trigger an investigation in extremely pressurised circumstances. The media outlet running the story will often have completed its investigation before the company is aware of the matter. In the worst cases, the first a company learns of the facts is in the publication or broadcast, although various broadcasting codes and voluntary editorial principles encourage the opportunity for a right of reply, so most coverage will follow a short period of discussion of content between the media and the subject of the story, yet not enough to accommodate an investigation and fully informed response.

Even if a company is already aware of an issue and has undertaken some investigation before the issue becomes public, sudden and intense media scrutiny may require a company to adjust its response to protect its legal position and reputation, and to be seen to understand the public demand for resolution. For example, companies that were initially intending to adopt a passive approach to an issue or undertake a low-key investigation may change this response once the media takes up the issue.

In 2020, a UK-based fashion retailer, Boohoo, was the subject of various newspaper articles that alleged the company’s clothes were made in factories that employed workers at below minimum wage. According to these news sources, workers at the Boohoo factories worked under squalid conditions, and those in Pakistan were paid as little as 29 pence per hour. These allegations contradicted both Boohoo’s modern slavery statement (proclaiming the company took a ‘zero-tolerance’ approach), and the company’s expectations that its suppliers adhere to a code of conduct that included a living wage requirement for all workers. Just a few days after the articles were published, it was reported that Boohoo’s shares lost more than a fifth of their value.14 In addition to this financial hit, the National Crime Agency, HM Revenue and Customs, the Home Office and Health and Safety Executive (all UK public authorities) worked together to investigate the UK factories at issue. Boohoo rapidly appointed experts to consider the allegations against the company and oversee improvements to its supply chain and business practices.

As this case highlights, adverse media reports about a corporation’s business operations can result in reputational damage, financial harm and increased scrutiny from regulatory and law enforcement authorities. Companies do not always have time to adequately respond to these reports, especially in an environment where news travels at a fast pace. From a practical point of view, there is an immediate balance that companies must strike between taking the time to conduct a thorough investigation, and responding to urgent media and public enquiries.

Companies can minimise the negative consequences that accompany adverse media reports by proactively implementing a crisis management plan. This should not only account for how the company will respond to the media and its customers, but also how the company will investigate the allegations, in both the short and long term. Setting up an investigations steering group and having effective policies and processes in place that are observed by senior management will ensure emergency investigations are not obstructed by administrative chaos.

2.2.2.3 Politics and political agendas

The regulatory agenda is often set, adjusted or inflamed by the political climate, such that external regulatory or criminal investigations would not commence but for political pressure or the sudden availability of funding. The political agenda itself may change overnight in the face of public or media pressure. Two relevant examples of this are Brexit and the election of President Biden.

It remains to be seen how the politics surrounding Brexit will impact the authorities’ investigation activity. Following the end of the transition period,15 many of the mechanisms needed for close co-operation between UK and EU law enforcement agencies remain in place. At a policy and strategy level, the United Kingdom’s role in EU criminal justice arrangements is much diminished (to the same level of other non-member states, such as Norway), but the United Kingdom still has access to key investigative tools that were available before Brexit, such as the ability to obtain evidence and to secure the surrender of suspects from EU member states, and to access intelligence and information such as criminal records. Turnaround times may become slightly longer, but the impact overall is much reduced compared with what may have been the case in the event of a no-deal Brexit, and is in some respects difficult to separate from the impact of the covid-19 pandemic, which has posed issues for investigation timing and accessibility to data.

The FCA and the SFO are UK-focused agencies and their mandates are broadly unchanged by Brexit, so in that sense we do not expect it to have a direct, immediate impact on UK regulation and enforcement, although the transition out of the European Union and the change in financial services regulation that comes as a result of the United Kingdom’s independence will be a key area to watch. The Financial Services Act of 2021 (FSA) was the first major piece of UK primary legislation addressing the issues relating to financial services and financial regulation arising from Brexit. It makes amendments to rules regarding access to financial services markets for overseas funds and third country investment firms, it amends the EU Benchmark Regulation, and it amends the Market Abuse Regulation to increase the maximum sentence for criminal market abuse. In July 2021, the UK government released ‘The New Chapter for Financial Services’, a paper setting out the United Kingdom’s vision for its financial services sector, with further updates expected in 2022. The paper targets sustainability, green credentials and technology, and the United Kingdom’s post-Brexit planning to date is very much focused on ESG.

In the United States, the Biden administration has made clear its intention to address vulnerabilities in, and strengthen the resistance of, critical US supply chains. In February 2021, President Biden signed Executive Order 14017 (America’s Supply Chains), marking the first comprehensive, government-wide policy specifically focused on supply chains. Pursuant to that order, a series of reviews were conducted to assess risks and vulnerabilities in four sectors: semiconductor manufacturing and advanced packaging; large capacity batteries (e.g., electrical vehicle batteries); critical minerals; and pharmaceutical ingredients.

In June 2021, a set of reports was released that summarised the key findings from these reviews and made policy recommendations to address identified supply chain risks.16 The reports included various recommendations related to human rights, such as a recommendation for new legislation aimed at reducing the impact of forced labour and other human rights abuses in supply chains that manufacture critical minerals and materials. The reports also make recommendations related to environmental sustainability, specifically noting that the United States ‘must work with allies and partners to diversify supply chains away from adversarial nations and sources with unacceptable environmental and labor standards’, and that US investments abroad ‘must incentivize environmentally and socially responsible production’.17 These recommendations align with recent global developments in ESG issues.

Corporations with US supply chains should closely monitor the developments of the recommendations made in the reports. Should these become law, companies must develop a process for identifying, evaluating and remediating supply chain risk – which will require a review or investigation by corporate legal and compliance functions.

Additionally, on 3 June 2021, President Biden issued a memorandum stating that the fight against corruption was a ‘core’ United States national security interest and directing an inter-agency review process aimed at increasing the ability to fight corruption within the United States and abroad. It is likely that this review will result in increased resources to fight corruption, greater inter-agency co-operation in the United States (including among intelligence and law enforcement agencies), greater international co-operation, and a heightened emphasis on increased transparency in financial transactions. This memorandum follows the implementation of other recent measures such as the Anti-Money Laundering Act of 2020 (AMLA), enhancing US prosecutors’ ability to seek financial information from non-US banks, the DOJ’s Kleptocracy Asset Recovery Initiative and its China Initiative. Taken together, these would also portend an increase in corporate investigations.

2.2.2.4 Investor complaints and shareholder derivative lawsuits

Complaints raised by shareholders can trigger twin legal activities: a defence strategy in cases where issues of liability are plainly articulated and facts are either already established or may be simply assessed; and separate investigations into wider concerns raised by the complaint, or where the facts are far from clear and the allegations cannot be adequately responded to without an investigation.18

A major sensitivity in matters of this nature, which can be overlooked in pursuit of the defence of the civil action, relates to the ongoing disclosure and transparency obligations arising from stock exchange listing rules. It is one thing to investigate sufficiently to position a company to defend litigation on the balance of probabilities, or to be able to respond to a letter of concern or questions from the floor in an annual general meeting, but another to investigate to a point where a public statement can be made with sufficient accuracy to satisfy the reasonable investor test.19

While a company may wish to respond speedily to concerns raised by an investor, dealing with investor complaints carries a further layer of complexity and a balance needs to be struck between the urgency to make a statement to the market and the time needed to investigate facts sufficiently to make an adequately precise and informative one. The publication of false or misleading statements through inadequate or incomplete investigation simply increases the range of potential legal liabilities and further delays resolution.

2.2.2.5 Customer and competitor complaints

Complaints made by customers and competitors constitute another category of triggers of external investigations. Customers and competitors may refer complaints to law enforcement, regulators, consumer bodies and ombudsmen. Individual incidents may be sufficiently problematic to merit investigation in their own right. However, even with low-value customer complaints, there comes a point where a volume of similar-fact criticisms raises concerns as to the fairness of underlying sales processes and adequacy of complaints handling systems, or perhaps even broader questions of breaches of systems or controls, that may combine to catch a regulator’s attention and create reputational risk.

While it might be hoped that a company’s own monitoring of complaints levels and sources should trigger deeper investigation into the underlying issues, it will sometimes take unilateral regulatory enquiry and enforcement processes to bring about a non-voluntary, full evaluation, including thematic reviews, ‘skilled persons appointments’,20 market studies and industry sweeps. Significantly, the company’s in-house investigators will not set the parameters of the investigation (though they can add significant value in debates with regulators over scope and process and may be heavily involved in the activities that follow, by partnering with the external firm in a skilled person’s review, for example). The in-house function will remain critical in the parallel process of evaluation of evidence so that advice may be taken to respond to regulatory or legal liability.

A complaint or concern raised by a participant in the same market raises a number of wider risks colouring the subsequent investigation. In certain ways, a competitor complaint has more in common with whistleblowing (and may even be regarded as such by authorities) in that it may create forms of protected disclosure, confidentiality obligations and behavioural expectations from particular authorities. This is certainly the case in competition matters where leniency or immunity is sought following a self-report to an authority following a tip-off or complaint by a competitor. This immediately limits the scope for communication of issues (including even the existence and subject matter of the investigation) among staff and will have a particular bearing on the management of evidence, including witness handling and interviews. It will also affect the extent to which there may be ongoing communication outside the organisation where, for example, witnesses may exist within the competitor organisation but further dialogue is not possible without the consent of, and careful choreography by, the relevant authority.

2.3 The challenges of conducting remote investigations

The covid-19 pandemic has led to a shift towards remote investigations. While they offer certain advantages (e.g., cost-effectiveness), they pose several challenges and risks for companies. For example, remote investigations create fertile ground for hackers looking to steal company information or disrupt a company’s information systems. Working from unsecured Wi-Fi networks creates the risk of confidential and privileged information being intercepted. Also, a witness can surreptitiously record an interview or have others in the room out of sight, jeopardising confidentiality and even the attorney-client privilege. At the same time, company lawyers need to ensure that unauthorised people are not in their rooms during remote interviews. Additionally, the sharing of sensitive documents presents risks and challenges in a remote environment. And witnesses who need to be deposed or interviewed in connection with investigations might not feel comfortable being transparent and sharing necessary information via third-party teleconferencing software services. Conversely, interviewers lose a level of human connection helpful for gaining witnesses’ trust, effectively confronting a witness – particularly a recalcitrant one – and judging credibility. Finally, remote interviews, particularly government interviews, are much more difficult for defence counsel who are not in the same room as their clients.

Corporations will need to account for these and other similar challenges and the risks they pose as remote work becomes the norm. Companies may consider the following:

  • offering legal and compliance employees training on how to conduct investigations remotely;
  • procuring and investing in secure information software to prevent, minimise and monitor hacking and data leaks;
  • establishing a policy and procedure for protecting and transmitting company information both internally and externally; and
  • implementing a disciplinary process for employees that violate company policy and procedure related to the handling and transmittal of company information.

2.4 ESG issues

Corporate investigations (whether triggered internally or externally) have traditionally focused on compliance. The investigations that tend to make headlines and soak up corporate resources are those concerning an entity’s alleged violation of laws related to bribery, corruption, securities fraud, money laundering and similar misconduct that pose significant legal risk. These investigations are often global, involve some of the most active law enforcement and regulatory authorities, and can result in large monetary settlements and criminal penalties. But the nature and scope of corporate investigations is slowly evolving as companies face increasing pressure to adopt and report on standards related to ESG issues, such as those concerning human rights, corporate citizenship, diversity and environmental sustainability.

Corporations have historically viewed ESG issues as a set of loose, voluntary standards that pose little to no legal risk. While this might have been true 10 years ago, it is certainly not the case today, with shareholders, employees, consumers and other stakeholders demanding that corporate boards make ESG a priority in corporate operations, and regulatory authorities around the world increasingly requiring corporations to report on their ESG activity. For example, the SEC announced that a key priority is implementing new ESG and climate disclosure requirements for registered companies. In discussing their importance, Allison Herren Lee, then acting SEC Chair, stated that it is ‘time for the SEC to lead a discussion – to bring all interested parties to the table and begin to work through how to get investors the standardized, consistent, reliable and comparable ESG disclosures they need to protect their investments and allocate capital towards a sustainable economy’.21

In the United Kingdom, the Bank of England and the FCA are similarly leading the way in making ESG a central regulatory and supervisory consideration.22 The United Kingdom is currently expected to be one of the first countries in the world to make disclosures that are aligned with the Taskforce on Climate-related Financial Disclosures, intending to make it fully mandatory by 2025. Already, the EU’s Regulation on sustainability-related disclosures in the financial services sector (SFDR) came into force in March 2021, imposing ESG transparency and disclosure requirements on financial institutions. The SFDR applies to all businesses offering financial products on the European market so it is a good example of the general direction of international financial standards. Its overarching aim is threefold: (1) to prompt financial services providers that manage client assets or advise clients on investments to integrate ESG into their processes and to inform their clients on ESG matters; (2) to create a harmonised regulatory framework to ensure a level playing field across the financial services sector to enable investors to compare ESG factors; and (3) to require transparency from firms regarding their ESG policies through precontractual disclosure requirements, disclosures on their website and periodic reporting.

These developments have had (and will continue to have) an impact on what companies investigate and how they approach investigations. For example, corporate counsel of companies subject to existing and contemplated ESG disclosure requirements will need to investigate (1) the actions the company has taken in the area of ESG, (2) the ESG-related statements and commitments the company has made to the investing public on its website or in other publicly available materials and (3) whether and to what extent the company’s actions in the area of ESG align with its published statements and commitments. Some investigations will not be driven by fear of regulatory action at all, but by corporations trying to demonstrate to consumers, employees and other stakeholders that they are living up to their ESG claims or stakeholder expectations. Whatever the driver for the investigation, to be effective, ESG investigations will require corporate counsel to remain up to date on growing and fast-changing standards and requirements.

2.5 Corporate legal and compliance functions: who should investigate?

Corporate investigations often fall within the remit of legal and compliance departments. Some companies keep the functions separate; others assign similar and overlapping responsibilities to them, making them difficult to distinguish. A common question we receive from companies that have both functions is: which department should be responsible for conducting investigations?

There is no single, straightforward answer, which will depend on the type of investigation, a corporation’s resources (including staffing and technology), and the nature and scope of the problem. Generally speaking, the legal department plays a reactive role, spearheading investigations after a potential problem has been identified to mitigate a company’s overall liability. For example, legal departments often lead investigations concerning actual or suspected violations of anti-bribery and corruption laws, which can lead to significant criminal and civil penalties, and often require coordination and co-operation with the authorities. In addition to their skill set, legal departments will also often lead in these types of investigations, and similar matters, where it is important to protect the investigation under the attorney-client privilege.

The compliance department often plays a more proactive role, overseeing and managing corporate behaviour to prevent wrongdoing. Compliance departments tend to lead investigations focused on detecting risk and ensuring the company’s current compliance framework (e.g., the company’s policies and procedures) is adequately designed to prevent and respond to risk. For example, compliance departments are often asked to conduct periodic reviews and risk assessments, and to recommend general compliance improvements. Even with investigations or compliance efforts of this type, it is prudent for corporations to consider the nature, background and potential implications of the enquiry and whether it is better that they be led by lawyers to be covered by the attorney-client privilege.

Investigations are never straightforward, however, and in practice companies leverage the knowledge and resources of both the compliance and legal functions when conducting investigations. We see this play out in a number of areas, and most recently regarding ESG. Companies are being called on by stakeholders and government bodies to assess and report on their compliance with applicable ESG standards – for example, whether and to what extent a company sources responsible goods and products, abides by human rights laws, and takes steps to reduce carbon emissions from its business operations. Ensuring a company’s compliance with these standards is not a purely legal or compliance function: legal should be involved in ESG-related investigations because, as we have highlighted, there are budding laws and regulations in various jurisdictions that allow for the enforcement of these standards; and compliance should be involved to identify and assess ESG risk, to track these ever-evolving risks carefully, and to assess how the company’s current compliance structure addresses them.


Footnotes

1 William H Devaney and Joanna Ludlam are partners, and Mary Jordan and Aleesha Fowler are senior associates, at Baker McKenzie LLP.

2 'Now is the Time to Embrace Whistleblowers', Financial Times (21 Sep. 2020).

3 This legislation applies to internal and external whistleblowers of a corporation.

4 It will further extend to businesses and government bodies with 50 or more employees by 17 December 2023.

5 Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, US Department of Justice (DOJ), Justice Manual (JM) § 9-47.120; A Resource Guide to the US Foreign Corrupt Practices Act, Second Edition (2020), 29 (discussing pre-transactional due diligence in context of successor liability). See also DOJ, Opinion Release 14-02 and Opinion Release 08-02.

6 For further information on tools and resources available to firms to assess and manage risk during a transaction, see the fifth edition of The Practitioner’s Guide to Global Investigations, p. 31 et seq.

7 e.g., the obligation in the United Kingdom to submit suspicious activity reports under s.330, Proceeds of Crime Act 2002.

8 See 18 U.S.C. § 1519.

9 See United States v. Hubbell, 530 U.S. 27 (2000).

10 For the UK financial services industry, this is to be contrasted with the duty of open and co-operative dealings with the FCA, whereby evidence of a control breach would be reported without delay and significant regulatory implications could arise from a failure to do so. A US corporate’s duty to disclose is limited. See Chapters 9 and 10 on co-operating with authorities.

11 In the United Kingdom, with the introduction of the Serious Fraud Office’s deferred prosecution agreement power in 2014.

12 There is no legal obligation to co-operate in an investigation in the United States. Under the Principles of Federal Prosecution of Business Organizations, however, a corporation’s willingness to co-operate is a factor in determining whether to charge the corporation. But, a corporation’s refusal to co-operate alone is not justification for prosecution. See JM § 9-28.700. Formal obligation aside, from a more pragmatic perspective, US and UK entities under a deferred prosecution agreement or non-prosecution agreement, or parties subject to monitorships, may find they have little choice but to disclose, as might a member of the heavily regulated financial services sector, which could face adverse findings in relation to the duty to deal openly and transparently with its regulator. Further, the FCPA Corporate Enforcement Policy, which informally applies to offences outside the FCPA, requires voluntary disclosure for a corporation to receive its full benefit. See JM § 9-47.120.

13 See also JM § 9-11.151, defining ‘target’ and ‘subject’.

14 'Boohoo shares tumble on concerns over factory conditions', Financial Times (6 Jul. 2020).

15 The transition period (sometimes called the implementation period) expired on 31 December 2020.

16 See The White House, 'Building Resilient Supply Chains, Revitalizing American Manufacturing, and Fostering Broad-Based Growth: 100-Day Reviews under Executive Order 14017' (8 Jun. 2021).

17 White House Briefing Room, Fact Sheet, ‘Biden-Harris Administration Announces Supply Chain Disruptions Task Force to Address Short-Term Supply Chain Discontinuities’ (8 Jun. 2021). Baker McKenzie has been closely following the governance recommendations made in these reports on its Global Supply Chain Compliance Blog, which can be found online at https://supplychaincompliance.bakermckenzie.com/2021/06/16/biden-administration-supply-chain-reports-deeper-dive-1-the-expansion-of-regulatio-over-responsible-sourcing-of-minerals-and-corruption-in-supply-chains-on-the-horizon/.

18 In the United States, shareholders can generally bring a derivative lawsuit on behalf of a corporation if they have provided notice to the board of directors and the board has determined that the lawsuit is in the best interest of the company.

19 In the United Kingdom, information a reasonable investor would be likely to use as a basis for his or her investment decisions. See Financial Services and Markets Act 2000 (FSMA) and Market Abuse Regulation, Article 7 relating to inside information. These provisions require a high degree of precision in the accuracy of factual statements.

20 Under FSMA, s.166, the FCA has the power to commission a report from a third party (skilled person) about aspects of a regulated firm, usually focusing on specific issues about which the FCA has concerns or wishes to analyse in greater detail. The skilled person may be appointed by the FCA, or the FCA may ask the regulated firm in question to put forward their preferred choice of candidate for approval by the FCA.

21 See Securities and Exchange Commission Public Statement, Regulation S-K and ESG Disclosures: An Unsustainable Silence, available at https://www.sec.gov/news/public-statement/lee-regulation-s-k-2020-08-26.

22 The Bank of England’s Prudential Regulatory Authority Supervisory Statement (SS3/2019) set expectations for financial institutions regarding climate risk across governance arrangements, risk management, stress testing and scenario analysis and disclosure. The FCA’s business plan for 2021–2022 states the FCA’s commitment to assisting the government to find a market-based transition to a low carbon, sustainable future, with a particular focus on the marketing and disclosure around ESG-related products and risks.
