How to Avoid ‘Internal Investigation Risk’

Frank Lopez, Compliance Week Guest Columnist | February 23, 2010

Internal investigations are an indispensable part of a robust compliance program. When faced with potential misconduct, a company must have the right processes to manage an investigation to resolution.

Moreover, the investigation must facilitate a resolution without compounding risk to the company. The company (or its agents) cannot cross any applicable ethical or legal boundaries. In other words, the cure (the investigation) must not be worse than the disease (the alleged misconduct). Set forth below are suggestions to help ensure an investigation “stays inbounds.”

Plan Ahead

A company should carefully develop, document, and follow its investigations protocol. That’s not to say that every investigation must follow the precise course of action found in the protocol. Rather, the protocol should serve as a guideline to ensure the appropriate investigative response. Among other things, the protocol should address:

  • The events that trigger an inquiry, such as a hotline complaint;

  • Required internal notifications (to the chief compliance officer, general counsel, the audit committee, and so forth);

  • Required actions when an investigation relates to a regulatory probe;

  • Privilege considerations;

  • Selection of the investigator(s);

  • Data preservation;

  • Guidance for establishing the appropriate scope for the inquiry;

  • Privacy implications of the investigation;

  • When to engage outside help to support the inquiry;

  • The interview process;

  • When to create a written report, and what to include;

  • Required disclosures, based upon the investigation outcome; and

  • Implementation of remedial measures, if appropriate.

Tread Carefully

The typical workplace investigation isn’t launched to save lives. Harsh interrogation tactics aren’t appropriate or effective. Such tactics can impede efforts to arrive at the truth and can expose the company to legal claims, including outrageous conduct.

To mitigate this risk, investigators must be properly trained and supervised. Periodic training should help develop investigative skills (say, interviewing skills or report writing). Proper training includes creating awareness regarding differences in culture, gender, and other witness characteristics. Training also should broaden the investigators’ understanding of the law implicated by every workplace probe (employment discrimination or privacy, for example). Such training also should remind investigators of their role in the risk-management process and the perils that can arise if they cross legal boundaries.

Generally, two company representatives should be present during interviews, especially for the accused employee’s interview. Or, with the express consent of all interview participants, consider tape recording interviews. This will help deter false accusations of misconduct against the company’s agents.

The interview location should be carefully selected to preserve confidentiality and protect witness sensibilities. Conduct interviews in a comfortable, private environment, such as a conference room where there can be plenty of physical space between the witness and the interviewers. Also, at the outset of the interview, in addition to any admonitions regarding confidentiality and privilege (if applicable), remind the witness of the company’s anti-retaliation policy and the opportunity to take breaks during the interview.

In short, take reasonable steps to ensure that the process is respectful and conducive to determining the facts.

Access Information With Authorization

State and federal laws create risk for employers who monitor workplace communications without authorization. One source of risk is the federal wiretap law, which prohibits the unauthorized acquisition of the content of an oral or electronic communication, as well as the use or disclosure of an unlawfully intercepted communication. An extensive review of this law is beyond the scope of this article; suffice it to say that the potential sanctions for violations of the law are severe. Liability (including criminal consequences) can extend to the company, the employees who facilitated the unlawful interception, and even the lawyer who used the fruits of the unlawful interception to defend a termination decision. Therefore, before accessing any information during an investigation, first make sure you understand and abide by the legal controls applicable to access to the information in question.

Generally, employee consent can help eliminate the risk of a privacy breach claim. The federal wiretap law contains an express consent exception. Thus, employers are well advised to implement a workplace policy that limits employee workplace privacy expectations and dispels any expectation of privacy while communicating on company-provided resources. Also, be sure to widely disseminate the policy, enforce it consistently, and require employees to acknowledge it whenever they log on to a company-provided computer.

Even with such consent, investigators should limit their access to employee e-mail and similar communications to the information that must be reviewed for a thorough inquiry. Moreover, where a communication is between the employee and a person with whom a privilege claim may apply (attorney, doctor, clergy or spouse), the investigator should consult counsel before reading it.

Provide Due Process

Due process, simply described as an opportunity to be heard, is not a legal duty imposed on private-sector employers. But, generally, terminated employees are less likely to sue if they are provided an opportunity to review and respond to the information gathered in the investigation and provide their own account of what happened. Sharing the relevant information with the accused before taking an employment action can also help reveal flaws in the information. This approach will help you get the investigation right and reduce the risk of a wrongful termination claim. Consider that if the employee sues you, factual information gathered from the investigation will likely be required to be produced during the discovery process, even if you conducted the investigation under privilege. In short, due process can save time and money.

If It’s Broke, Fix It!

After finishing the investigation, review the information derived to assess whether broad remedial action, such as a process change, is necessary. To root out systemic problems, the compliance team should routinely partner with the internal audit team to explore whether an act of misconduct is the by-product of a broader deficiency in process or corporate controls.

As a “gut check,” consider the guidance provided by the SEC’s Seaboard Report, which can be found on the SEC’s Website at Exchange Act Release No. 44969. This report suggests how the SEC will evaluate the sufficiency of a company’s probe of matters within SEC purview. The factors cited in this report include:

  • How long after discovery of the misconduct did it take to implement an effective response?

  • Did the company commit to learn the truth, fully and expeditiously? Did it do a thorough review of the nature, extent, origins, and consequences of the conduct and related behavior?

  • Did the company adopt and ensure enforcement of new and more effective internal controls and procedures designed to prevent a recurrence of the misconduct?

Implementing an investigative process that fulfills these requirements will help ensure that the investigation is deemed credible by regulators.

Establish Adequate Oversight

If the investigation function is centralized in one group, there is a risk that it will become detached from the rest of the business. Such isolation may deprive the investigation team of the benefit of information and other resources that can ensure a consistent and robust process. To avoid this result, the investigation function should routinely calibrate with legal, HR and business units to assure that investigative processes remain appropriate and that any corrective action, including discipline, is consistent.