In today’s complex and rapidly evolving regulatory compliance environment, organizations should have a thorough and effective internal investigations program in place to address any allegations of misconduct.
About the Authors
David Cole is a partner at Hinshaw & Culbertson LLP, where he advises clients on complex litigation, regulatory matters, and compliance. A former Assistant Attorney General in Illinois, he has held senior in-house roles and led high-stakes investigations across the pharmaceutical, finance, and education sectors.
Michael Mayes is the General Counsel & Chief Compliance Officer at PHI Health LLC. He has more than two decades of experience advising multinational and high-growth companies on complex legal, regulatory, and operational matters.
A well-designed investigation program is crucial for maintaining integrity and ensuring compliance. In-house counsel play a critical role in both building and implementing such a program, and in continuously evaluating and strengthening its effectiveness. An efficient, reliable, and properly funded investigations program is key to an organization’s ability to detect and address potential misconduct and maintain organizational integrity.
To build a strong investigations program, organizations should focus on these core pillars.
1. Policies and Procedures
Your organization should develop comprehensive, written policies and procedures that outline every aspect of the investigation process in detail. These should include:
- the criteria for initiating an investigation (and its timely completion);
- the complaint intake process;
- who should conduct the investigation;
- how the investigation should be conducted; and
- the process for closing the investigation, which should include the process for reporting findings and implementing corrective actions.
Practice Tip: Not all complaints warrant the same level of inquiry. A documented risk-based triage process can help allocate investigative resources efficiently based on severity, legal exposure, and potential impact on internal controls.
2. Confidential Reporting
Next, your organization should implement a mechanism by which employees can anonymously or confidentially report allegations of a breach of the organization’s code of conduct, policies, or suspected or actual misconduct. The ability to report anonymously or confidentially will encourage employees to report actual or suspected misconduct.
Practice Tip: Anti-retaliation protocols must be in place, and investigators must be trained to protect whistleblower confidentiality and trust to avoid liability and encourage self-reporting. This can also be essential for global programs navigating varied cultural and legal landscapes.
3. Adequate Resources
One way to make your investigations program effective is to ensure it is properly funded. A lack of funding can affect an organization’s ability to investigate potential misconduct.
For example, under-resourcing could limit the human resources needed to conduct an investigation in a timely and adequate manner and could affect the organization’s ability to invest in tools that allow employees to report potential misconduct confidentially or anonymously.
In sum, a lack of funding could result in your organization’s failure to properly follow up on allegations of misconduct, keep track of them, or conduct adequate investigations.
Practice Tip: Effective investigations often require coordination across Legal, Compliance, HR, IT, and Internal Audit to ensure comprehensive fact-finding and appropriate follow-up. Ensure your program includes adequate resources from each contributing department and clear roles/responsibilities (e.g., RACI models) to prevent duplication or gaps.
4. Proper Training
Another way to ensure that your investigations program is effective is to properly train the staff who conduct investigations. Training should include, among other things, proper investigation techniques, when to conduct investigations under the attorney-client privilege, best practices in areas such as witness interviews, evidence gathering, document collection, and any applicable legal requirements. This includes ensuring investigators understand the Upjohn Warning, which makes clear that they represent the organization rather than the individual employee and that any attorney-client privilege belongs to, and is controlled by, the organization.
5. Documentation, Reporting, and Lessons Learned
When receiving a report, your organization should document its investigative decision-making, particularly the scoping rationale and resource allocation. The DOJ’s September 2024 update emphasizes the importance of documenting rationales for investigative scoping decisions — an often-overlooked area that organizations should formalize.
Your organization should maintain thorough records of the investigation at its conclusion, including interview notes, evidence collected, findings, and recommendations. As mentioned earlier, an effective investigations program should include the process of closing investigations, which includes documenting remedial actions and reporting the findings to company management.
Additionally, your organization should track and review investigations to determine whether any patterns of misconduct or issues with its internal controls have emerged. Finally, your organization should regularly review its program based on lessons learned from past investigations and evolving best practices.
Practice Tip: Periodically evaluating the effectiveness of your investigations program by tracking key metrics, such as investigation cycle times, repeat issue trends, and remedial action outcomes, can help demonstrate and improve the effectiveness of your program and your organization’s internal controls. Documenting why you did not investigate or limited the scope of an investigation can be just as important as documenting the investigation itself.
By implementing these recommendations, your organization can create a well-designed investigations program that effectively addresses internal issues, maintains integrity, and preserves stakeholder trust.