Moving Forward after an Investigation
As anyone who has led a company through an investigation can attest, conducting a thorough investigation can be gruelling, time-consuming, expensive and difficult while maintaining normal business operations. In the worst cases, investigations can be devastating to a company’s morale when finger-pointing and high turnover ensue. No matter how big or small the investigation, after uncovering misconduct, companies are often left wondering why this happened and how it could have been prevented. However, not all that comes out of an investigation is negative. We have seen many instances where companies that focus and manage remediation during and after an investigation can demonstrate resilience and rebuild a stronger organisation, thereby successfully leveraging the ‘lessons learned’ from the investigation and reinforcing the importance of and building a sustainable culture of ethics and compliance – such that it is effectively embedded throughout the business.
Moving forward requires organisations to think strategically and demonstrate thoughtfulness, patience and persistence in properly closing out the investigation and developing clear, pragmatic remediation plans for addressing the factors that allowed the misconduct to occur. When an investigation is concluded, it is important that going forward the internal controls, especially those that related to the historical conduct in question, be judged effective. Management should also have reasonable assurance that they understand the extent to which the entity’s operational objectives are being achieved, published financial statements are being prepared reliably and the organisation is complying with the applicable laws and regulations. Beyond ensuring financial statements properly reflect the results of the investigation, companies are left in a position to ensure their new processes do appropriately address key controls and risks. Forward-thinking companies can also use the investigation as an opportunity to assess broader areas of compliance that impact the organisation by demonstrating a compliance-minded tone at the top and in the middle, and a robust risk assessment process to owners and shareholders.
In this article, we describe factors that companies should consider as an investigation draws to a close and practical suggestions for designing effective remediation plans and a strong control environment. We also suggest best practices that companies should consider to ensure they are well-positioned to detect and investigate future fraudulent or non-compliant behaviour. Finally, we recognise that it is critical that organisations understand and appreciate the control environment and the impact of cultural drivers that require awareness of the need to approach compliance implementations and initiatives differently across locations. Understanding cultural mentalities, attitudes and tendencies underpins the effective implementation of our recommendations.
The processes, best practices and cultural considerations we describe here are applicable to companies located anywhere looking to move forward following a myriad of situations – from employee theft, money laundering and fraud allegations to environmental, regulatory or improper accounting concerns. For the purposes of this article, we provide examples and cultural considerations specific to companies based or operating in the Americas and have chosen to highlight examples primarily focused on bribery and corruption given the current relevance of these issues. Headline-worthy scandals in Brazil and other countries in South America and Latin America continue to sweep newspapers, including the infamous Operation Car Wash scandal – which enveloped Brazil and beyond with dawn raids and investigations into high-ranking politicians  – and a May 2019 FBI raid of multiple medical devices manufacturers in Brazil related to kickbacks.  These scandals demonstrate the need for companies to continue to evaluate the effectiveness of their compliance programmes, especially in the aftermath of an investigation.
Closing an investigation
We have too often seen companies rush to move on from an investigation – whether conducted internally or with external resources – without taking steps to properly close out the investigation. When closing an investigation, it is important that pertinent information be identified, captured and communicated in a form and time frame that enables employees to carry out their responsibilities to establish, enhance and monitor controls and rebuild a more efficient, effective and compliance-minded organisation.
Regulatory compliance considerations
Companies should consult counsel and carefully evaluate and delineate applicable regulatory requirements. Companies are often subject to multiple jurisdictions and regulations and this process can be challenging. For example, jurisdictions and regulatory bodies have varied and nuanced requirements related to self-disclosure of identified misconduct and sometimes self-disclosing to one regulator necessitates further disclosure to additional regulators. While a full analysis of the requirements would necessitate discussion beyond the scope of this chapter, we raise this as an example of a regulatory requirement companies should consider as the investigation progresses.
Enforcing disciplinary actions is often an important consideration when concluding an investigation. Disciplinary actions should be applied consistently across global locations and in accordance with applicable regulations. An established process illustrates to employees that the company takes misconduct seriously and also is relevant to preventing a liability that could result from discriminatory application of penalties. An established process that is applied consistently across global locations serves as a positive reinforcement to the company’s tone at the top, when the policy is applied evenly and fairly regardless of the person’s position in the organisation. It is important that this process, including potential disciplinary measures, be clearly documented, communicated and reviewed by counsel. Recent Department of Justice (DOJ) guidance indicates that disciplinary actions should be ‘commensurate with the violations’ and suggests that ‘swift consequences’ should follow instances of unethical conduct.  When assessing disciplinary action, the company should be prepared to address potential negative publicity and retaliatory counter-claims by the accused.
Documenting the outcome of an investigation, including the nature and type of report, can present another complicated challenge and should be carefully considered. Many factors, such as regulatory or other disclosure obligations, the involvement of multiple regulators, pending or anticipated litigation, potential investigation outcomes, whistleblower involvement, privilege concerns and budgets, will impact the decision on the type of and level of detail in any type of investigation report that is ultimately prepared.
A formal written report has many advantages, such as providing the company a platform for controlling a narrative and documenting the investigation in a manner that satisfies regulators and provides evidence the company took the issue seriously, performed steps to thoroughly investigate allegations and documented remediation. However, it is imperative that counsel is consulted before any report is prepared. In the current enforcement environment, any formal report should be prepared with the assumption that it could end up in the hands of prosecutors and regulators, who may not view the steps taken and results in the same light as the companies do. Additionally, disclosure of a written report might lead to adverse consequences such as waiver of the attorney–client privilege and disclosure of information detailing a ‘road map’ to adversaries in follow-on litigation. It is important to understand the type of reports the investigators intend to issue and whether the report will be available publicly.
The internal or external investigators involved in the investigation have a front-line view of the process failures, misconduct and compliance weaknesses that allowed the alleged misconduct to occur. We strongly encourage companies to ensure that the investigators provide a debrief during the reporting phase – whether through a formal written investigation report, a separate standalone deliverable or an oral readout – that includes the investigators’ assessment of any control deficiencies, gaps in the control environment and opportunities to improve processes in line with best practices that came to light during the course of the investigation. This feedback will be essential in developing a remediation plan to help the company ensure a robust control environment moving forward.
Developing and executing a remediation plan
During and following an investigation, companies should develop a remediation plan that seeks to address the conditions that allowed the misconduct to occur. The remediation plan should, at a minimum, incorporate the investigator’s observations and suggested recommendations regarding specific control deficiencies – such as a lack of segregation of duties in an accounting process or a lack of a consistent process related to vendor due diligence. We strongly encourage companies to take remediation a step further, by using this as an opportunity to conduct a broader assessment of the company’s compliance environment to illuminate other aspects of the corporate culture that may have failed in preventing, detecting and deterring the misconduct.
Creating an effective remediation plan
Many companies struggle with remediating deficient controls due to issues with the remediation plan itself. A well-designed remediation plan should clearly articulate specific actions the company needs to take to address the identified issues. The plan should be pragmatic and risk-based, anticipating the cost benefit of the control and potential resourcing constraints. Remediation plans should identify milestones with due dates and responsible owners for each action item wherever possible to encourage accountability. The plan should consider “check in” points when the process owners and operators can discuss with the compliance function best practices, controls that are working and areas that need adjustment. Controls that are too complicated are often circumvented or ignored.
Companies should also ensure that the steps in a remediation plan actually mitigate the control deficiency. Companies far too often create ‘band-aid’ solutions when developing remediation plans due to a lack of understanding of the root cause of an issue or in an effort to demonstrate that a control has been implemented to address the deficiency. We have also seen companies rush to implement a quick fix for an obvious, or superficial, issue rather than taking the time to consider whether there were deeper control failures across a broader range of processes and locations that also require remediation. Defining effective remediation steps requires thorough analyses of and reflection on the root cause of an issue and consideration of whether failures were pervasive across multiple processes or business units. The DOJ describes the ability ‘to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes’ as a ‘hallmark of a compliance programme that is working effectively in practice.’ 
We will use a brief case study to illustrate how a fictitious company, ZYX Inc, should approach remediation following an investigation into improper payments ZYX Inc made to a certain high-risk vendor. This vendor had been misclassified in the company’s accounting system as low risk. As a result of the misclassification, this vendor was subjected to less stringent due diligence screening during the vendor intake phase and due diligence had not been repeated since the intake nearly three years ago, in line with the company’s due diligence frequency for low risk vendors (diligence would be repeated annually for a high risk vendor). The transactions included a series of three payments in high, round-dollar amounts that were recorded in the ‘miscellaneous fees’ general ledger account. Prior to these payments, this account had been dormant for the past two years.
A band-aid solution in this case might be to conduct a review of the company’s current list of vendors to correct the risk classifications of vendors who may also have been mislabelled in the accounting system. While a necessary step, this alone does not resolve the underlying issue – that vendors were not appropriately handled during the vendor intake and diligence phase, resulting in a risk of mishandling future high risk vendors during intake. This step also isolates the issue to one process.
Though certainly not exhaustive, the remediation steps listed below provide examples of deeper actions the company could take (in addition to the review described above) to effectively remediate across a range of processes and truly address the root causes of the control failure.
- Perform due diligence for the vendors newly identified as high risk that have not undergone diligence within the company’s specified time frame for high risk vendors.
- Assess the vendor intake process to determine how the vendor was misclassified and evaluate what procedures need to be enhanced to prevent future misclassifications.
- Review employee access rights to confirm that only the necessary employees have the access required to update risk classifications in the vendor master file. Confirm procedures require documentation and an appropriate level of approval for any changes.
- Confirm guidelines clearly describe how risk levels should be assigned to vendors. Evaluate whether the determination of risk is performed by an appropriate party (eg, compliance, rather than the business unit, which may be motivated to downgrade a risk classification).
- Revise policies related to dormant accounts to ensure that unneeded accounts do not remain open.
- Evaluate whether additional procedures are required during the invoice and payment processes to ensure that someone is evaluating invoices and supporting documentation for payments recorded to general ledger accounts that present a higher risk for misuse, fraud or corruption (eg, miscellaneous, commissions, certification fees and gifts).
- Determine whether ZYX Inc’s compliance monitoring procedures should be enhanced to detect future payments following a similar fact pattern.
- Assess the need for additional training requirements across all of the impacted processes.
Testing the remediation plan
All internal control systems, including remediation plans, need to be monitored. The monitoring specifications should provide a clear plan to test the control, including the frequency of the testing and identify the person that is responsible for performing the review. Relying on internal audit to perform testing at a later time during a normal course audit is simply not enough, especially for a control that already failed to adequately prevent misconduct. The testing should be performed by a party independent from the control owner and should allow for assessment of ‘normal course’ behaviour wherever possible.
Continuing with the 2 case study above, examples of remediation steps ZYX Inc could perform to confirm effectiveness of controls include:
- analysing changes to the vendor master file in three months to confirm that any changes in risk classification appear reasonable, with approval documented; and
- reviewing the risk classifications of vendors onboarded three months after the roll-out of any enhanced policies, procedures and trainings to ensure classifications are correct.
Tracking remediation plans through resolution
One of the first information requests we typically make when conducting an investigation, due diligence or risk assessment exercise, is for any audit findings and other similar recommendations (eg, stemming from another controls review or risk assessment), as well as the status of remediation of those findings. Often we find that another party, such as internal audit, had already identified a weakness in the same control that had failed (or was missing entirely) in the investigated misconduct. However, we have observed that companies often fail to follow remediation actions through to closure.
It is essential that companies ensure a strong protocol is in place to follow through on the implementation and track monitoring of recommended remedial measures (including those resulting from the investigation, internal audit and compliance reviews). Remedial measures, the status of their implementation and the process to test the effectiveness of implementation should be memorialised and tracked in a central repository, identifying a responsible party to track the status and having a process in place to test the effectiveness of implementations before considering a remediation ‘complete’.
Establishing such a tracking protocol, however, is not enough. If remedial measures have not been implemented within agreed upon time frames, then management should be immediately notified. It may also be necessary to notify the company’s compliance officer, the audit committee of the board of directors and the regulators if remedial measures have not been implemented in a timely manner. There must also be consequences for a responsible party that fails to meet an assigned due date without a reasonable and plausible explanation.
Surging forward and strengthening the organisation
Assessing the compliance programme
A full review of a company’s compliance programme includes an assessment of tone at the top, performing a gap analysis of the policies and procedures in place, and understanding how the company educates employees of key risks and expected behaviours through planned trainings and communications. Organisations need to ensure that all areas of compliance operate in a holistic, integrated manner in order for a compliance programme to be truly effective. Three areas of a compliance programme that are important to assess following an investigation, include assessing the internal audit function, monitoring controls and complaint reporting, and investigation channels. These areas are important because detecting control weaknesses, identifying potential misconduct at the earliest instance and effectively investigating issues that may arise in the future are critical to maintaining adequate controls and an effective compliance programme.
Assessing the internal audit function
Internal audit’s mandate is not necessarily to detect all instances of fraud – intentional subversion of controls can be very difficult, if not impossible, to detect – but following an investigation, it is important to consider whether internal audit should have identified the misconduct. This assessment is especially critical if the misconduct was pervasive throughout the organisation, occurred over a long period of time or the fraudulent behaviour exhibited a number of ‘red flags’ that followed predictable fraud patterns (eg, large round dollar payments with vague descriptions in the consulting fees account).
A well-designed, robust risk assessment should feed into audit planning by highlighting key risk areas (eg, related to geographic area, business unit, industry-specific risks). Internal audit should consider these risks when building the annual audit plan for the company. Internal audit teams often build audit procedures that focus on assessing controls (as expected), but miss the mark in designing procedures to pick up specific risks (eg, related to bribery and corruption, fraud or money laundering). Companies should ensure that internal audit are staffed with team members possessing the requisite experience and skill set to perform assessments related to specific risks, and that all team members receive adequate training. Internal audit also needs to have visible support from the highest levels of leadership to be effective. Limited access to key employees, data and documentation severely restricts internal audit’s ability to conduct meaningful and thorough assessments. Internal audit should have access to all of the information they require to assess control adequacy and remediation efforts, and business units should respond swiftly to requests and directives. When business leaders are dismissive towards internal audit, business units can feel empowered to ignore audit findings and suggested remediation recommendations.
In the 2 example, the company should consider whether internal audit identified any related issues previously (eg, gaps in policies and procedures, lack of controls around dormant accounts) and recommended remedial measures similar to those we outlined above. If so, then ZYX Inc’s leadership may have a problematic attitude toward internal audit or the organisation may be deficient in following through with remediating audit findings. If internal audit had not, however, identified similar issues, ZYX Inc should assess whether the annual audit programme provides adequate geographic, business unit, product and key risk coverage, whether the auditors are adequately skilled and trained to assess risks and whether audit procedures are adequately designed to detect the type of control weaknesses identified.
Data analytics for ongoing monitoring
Monitoring entails testing the effectiveness of key controls, including assessing whether the controls are functioning as intended and employees are adhering to procedural requirements. The ongoing nature of monitoring allows for earlier detection of misconduct (rather than waiting for internal or external auditors to perform testing on a prescribed time frame). In line with the guidelines presented above, organisations should have clear mechanisms in place to ensure identified deficiencies are adequately and promptly remediated. The risk assessment process should focus the compliance department toward the most critical areas to prioritise for monitoring. Monitoring procedures are often identical to common audit procedures and may entail reviewing transaction detail and related documentation for discrepancies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other potential internal control failures.
The best continuous monitoring programmes leverage data analytics and allow the monitoring team to quickly and consistently focus on the highest areas of risk, reducing the noise of volumes of data. Data analytics facilitates the review of broad data sets that may not be feasible through manual review. Metrics stemming from data analytics can flag key risk areas such as high risk payments, fluctuations in payments, suspicious large round dollar payment amounts or payments to unusual accounts. Data analytics facilitate comparative analysis, simple visualisation of key data and can be used to inform risk-based sample selection for transaction-based testing by highlighting transactions that follow certain patterns (eg, high, rounded dollar payment recorded in the ‘consulting fees’ general ledger account). Companies can also develop ways to visualise data through dashboards and sophisticated visualisation tools that will allow the companies’ management to quickly delve into large volumes of data to explore trends more deeply (eg, spikes of activity in a specific region).
Companies can leverage data analytics to monitor transactions real-time and identify transactions with similar fact patterns. Monitoring procedures can include developing advanced queries to generate lists of data (eg, payment activity, list of vendors, etc). These lists can be used to select high risk accounts for testing, payments to entities with similar names and vendor risk ratings. ZYX Inc could leverage bespoke data analytics to identify transactions following a similar pattern that exhibit the following attributes:
- transactions recorded in accounts with a typically low volume of monthly activity;
- transactions recorded to selected ‘high risk’ accounts that display certain characteristics, such as round dollar amounts, above a certain threshold, missing an invoice number, and potentially duplicative;
- payments to entities with a name similar to ZYX Inc;
- entities added to the master vendor file with the same address as ZYX Inc; and
- changes in risk rating of vendors in the master vendor file from prior months.
Complaint reporting and investigation channels
While organisations would, of course, prefer to not have misconduct, it is inevitable that in a large, global organisation an allegation requiring further investigation will arise. What is worse than an investigation initiated by an ethics hotline complaint? An investigation initiated by the government based on whistleblower complaints – because the company did not take a complaint seriously or failed to conduct an effective investigation of an allegation. Recent international public scandals demonstrate the need for companies to continue to evaluate the effectiveness of their reporting and investigations channels, especially in the aftermath of an investigation. Petrobras, the company at the centre of Operation Car Wash, was reportedly revisiting its treatment of whistleblower complaints.  It has been reported that Petrobras had received a whistleblower complaint regarding potential corruption in its oil trading business in 2012, but failed to stop the improper activity. 
Companies should have an ethics hotline in place that allows any employee, vendor or other external party to make an anonymous complaint. The hotline should be available 24/7, reachable by multiple channels that include a local telephone number, online portal and email address, and must allow tipsters to submit a complaint in the local language. Simply setting up the hotline is not enough, however – companies must take appropriate steps to advertise the hotline and ensure that all relevant parties understand how to submit a compliant and feel comfortable submitting a complaint without fear of retaliation. Organisations must also reflect on the impact that culture has on an individuals’ willingness to use the hotline. The level and type of messaging a company creates to advertise the hotline may need to be different to educate employees who may have preconceived notions or cultural expectations about whether it is appropriate to raise an allegation against one’s supervisor, or trusting whether the allegation, if raised, will actually be acted upon.
The company also needs to ensure that it has processes in place to effectively, thoroughly and promptly investigate any allegations submitted to the hotline. We have seen that the lack of a strong investigations process can undermine a company’s efforts to implement and advertise a hotline, as employees can adopt a ‘why bother’ attitude if they feel allegations raised will not be taken seriously, investigated on a timely basis or that the company would not take appropriate disciplinary action when warranted. Investigators should also possess the requisite skillsets to investigate the allegation at hand (eg, forensic accounting skills are ideal for investigations into improper payments, while an allegation regarding sexual harassment will necessitate a human resources-oriented investigator).
A well-designed investigations process should complement other key compliance processes, including, for example, steps to ensure that any remedial actions required as a result of an investigation are carried through to completion and appropriate disciplinary measures result from the investigation when warranted. Companies should also consider the nature, frequency and outcomes of investigations when evaluating the company’s tone at the top, performing risk assessments and preparing annual audit plans.
Layering country dynamics into the evaluation of compliance
In order to build a compliance organisation that is both successful and sustainable, multinational organisations must be able to evaluate and understand how cultural drivers – including mentalities, preferences, tendencies, and preconceived notions – shape attitudes toward compliance across global locations. Understanding these drivers will allow an organisation to develop a nuanced approach toward compliance and can also help the company better anticipate the types of challenges that could arise along with potential ways to remove such roadblocks. For example, employees in one location may appear to be resistant to a new policy; however, further reflection could reveal that these employees are frustrated that their input was not solicited, as employees across the globe may have differing expectations of how the policy would be implemented in practice and, thus, would have appreciated input into drafting a new policy.
While retaliation is very much a cross-cultural phenomenon, it can be more pronounced in certain countries. Historical factors such as the local law enforcement culture, role of the military in law enforcement, confidentiality around investigations and the effect of prior autocratic government structures, may contribute to a heightened culture of retaliation. A whistleblower in such a society may be viewed as a traitor. Given the recent emphasis on corruption in Brazil and prevalence of ongoing investigations, we have used Brazil as an example on cultural considerations. It is well-recognised that the Brazilian culture ‘by and large, is not favourable to whistleblowing behavior’.  Lack of whistleblower protections as well as a hierarchical society where the distribution of power is imbalanced also contribute to a general fear of retaliation.
We describe below two different frameworks that can help organisations better understand cultural drivers that can impact perceptions of compliance across countries. There are certainly limitations to these frameworks, as both emphasise generalities and speak to tendencies of countries as a whole rather than behaviours at the individual level. Despite this caveat, we feel that both frameworks can provide important insights for companies to consider when evaluating how to create and sustain a culture of compliance.
Corruptions Perceptions Index
During investigations related to the Car Wash  scandal, prosecutors uncovered a ‘vast and extraordinarily intricate web of corruption’,  demonstrating how underlying pressures, expectations and norms can create a widespread, entrenched culture of corruption within a country or region. It can be difficult to change individual attitudes toward corruption and this presents significant challenges in implementing a strong compliance programme. Combatting this mentality first requires understanding which countries or regions are subject to corruption in standard business practices.
Transparency International publishes an annual Corruptions Perceptions Index (CPI),  which measures countries’ perceptions toward corruption. In countries that are scored as highly corrupt, the act of paying a bribe to a government official may be frequent and considered a standard, acceptable practice. The CPI can be a useful tool for understanding which of an organisation’s global locations may be more resistant to implementing compliance practices. The CPI score can help an organisation identify where to place a heavier emphasis on educating personnel on what the company constitutes as corrupt, fraudulent or unacceptable behaviour. For example, an employee located in Venezuela, which scored as the 13th most corrupt country in the world in the 2018 CPI index,  may be less likely to submit a complaint about a customs broker requesting a side payment. Since bribes are a common business practice in Venezuela, it may not be intuitive to the employee why the company considers this behaviour unethical.
Training, frequent and visible advertising, and location-specific messaging are essential to ensuring individuals understand what the organisation considers unacceptable and why. Ethics campaigns (including communications, employee town halls and roundtables) targeted at encouraging employees to speak up, publicising the organisation’s reporting channels and anti-retaliation policies can help build awareness, set the tone for the organisation and assuage otherwise preexisting notions including the fear of retaliation.
Hofstede’s Cultural Dimensions Model
Author Geert Hofstede developed a model that describes culture based on a set of ‘cultural dimensions’. These dimensions can be analysed to predict and understand why reactions to the same situation vary across countries. We will evaluate two of these dimensions: power distance and uncertainty avoidance.
Power distance measures the extent to which less powerful members of institutions expect and accept that power is distributed unequally.  In the business context, employees located in countries where power distance is high are generally more comfortable with leadership mandating decisions. ‘According to Hofstede (1991), the Brazilian culture is characterised by a high power distance.’  This further explains the prevalence of retaliation and a fear of it, as discussed above. Where power distance is lower, however, employees have an expectation of being consulted on important decisions. This differentiation is important when considering how to obtain buy-in for new compliance practices and who should be responsible for communicating compliance messages. A country ranking highly on the power distance scale, such as Guatemala, Panama or Mexico, will likely react more favourably to a mandate from senior leadership than a message that comes from a colleague in a lower level. Employees in countries such as the United States, which ranks lower on the power distance scale, may be upset or frustrated if they feel left out of an important decision.
Uncertainty avoidance represents the extent to which a culture is generally tolerant of uncertainty and ambiguity.  In countries scoring high on the uncertainty avoidance scale (eg, Uruguay, Peru), individuals prefer to have strict, structured guidelines in place, have a strong desire for consensus, but can be resistant to change. Cultures that gravitate toward low uncertainty avoidance tend to be more comfortable taking risks or adopting an innovative behaviour, but strict rules may create anxiety (eg, Jamaica). Considering these differences can help with understanding how a location may react to change and whether the implementation of new policies may be viewed unfavourably regardless of the specific requirements.
We recognise that establishing, maintaining (or changing) an overall culture of compliance requires a sustained effort. A one-time focus on the ethics and values will not be enough to achieve a corporate culture that truly embraces ethical behaviour. Organisations failing to align business strategies and operating decisions, including personnel decisions, to desired ethics and values are at potential risk of extraordinary financial and reputational costs. As such, the compliance function must have the stature and authority, support of senior leadership and necessary funding to successfully establish, implement and monitor an effective compliance programme. In conclusion, it is apparent there are several courses of action, factors, nuances and underlying currents that need to be navigated post any investigation. The recommendations in this article are offered as a compass on that journey. It is best to charter one’s course carefully to truly strengthen the organisation and allow it to surge ahead.
The authors would like to acknowledge Jen Baskin, partner at Forensic Risk Alliance, Stacy Fresch (partner), Susan Dillon (senior director), Doel Kar (director), Matt Bedan (associate director), Carmen Leal (manager) and Claudia Espinosa (manager) for their contributions to this article.
 ‘Exclusive: FBI targets Johnson & Johnson, Siemens, GE, Philips in Brazil graft case’, 2, 17 May 2019
 ‘Evaluation of Corporate Compliance Programs’, pg 12. US Department of Justice Criminal Division. Updated April 2019.
 ‘Evaluation of Corporate Compliance Programs’, pg. 16. U.S. Department of Justice Criminal Division. Updated April 2019.
 Sampaio, Diego BD, ‘Speak Now or Forever Hold Your Peace: An Empirical Investigation of Whistleblowing in Brazilian Organizations’ (https://pdfs.semanticscholar.org/492a/47ac593f21b7b20bc1861b50390186bcc8f8.pdf).
 Above No. 6.