Overseeing a global internal investigation can be one of the most difficult and perilous jobs that compliance officers do.

Part of the challenge that comes with that job is setting the scope of the investigation at the outset. Set the scope too narrow and it could damage the company’s credibility with regulators down the road; too broad and it could waste time and money and create fears of a fishing expedition inside the organization.

At the Compliance Week 2014 conference, compliance executives shared their ideas for approaching an internal investigation and managing the risks that go along with them. Frank Lopez, vice president of compliance investigations for WellCare Health Plans, recommended that companies conduct a preliminary risk assessment. Specifically, that assessment should take into consideration the following factors:

Who is the source of the claim? (whistleblower, government agency, a grand jury subpoena)?

What is the nature of the allegation (accounting irregularities, bribery, a Title VII violation)?

Does the complaint involve a potential violation of law, or an internal policy?

Does the misconduct appear to involve senior-level executives?

Is the incident isolated or part of a broader systemic practice?

Once the company has answers to those questions, compliance officers on the panel recommended having some sort of investigation protocol in place. “A 50-page handbook on how to conduct an internal investigation is probably counter-productive, but you need to have something,” said Stephen Donovan, chief ethics and compliance officer at International Paper.

Lopez offered a list of factors to consider, including:

Who is going to lead the inquiry?

Who are the internal subject-matter experts? Are they objective and independent? If not, what external experts do you need to engage? 

What documents, if any, need to be preserved?

What steps need to be taken to mitigate data leakage?

What duty does the company have to disclose?

Part of conducting a thorough internal investigation involves compliance collaborating early on in the investigation with legal, HR, and IT. “Those are the three departments that have got the procedural information that you’re going to need,” said Karen Moore, former vice president of compliance at Phillip Morris International.

At International Paper, for example, Donovan said the IT department is typically notified in the first 24 hours of an internal investigation, “depending on the nature of the allegation.” From there begins a deep dive into the records of the employee allegedly involved in the misconduct.

“We’re going to grab e-mail and whatever other electronic documents we can get our hands on,” said Donovan. “We’re going to start getting plans in place, if we think this is serious enough, to figure out some way to get on that employee’s hard drive. We’re going to start gathering phone records, if the employee has a company-provided cell phone.”

Working with other business units is also important to when it comes to “stopping the bleeding,” Lopez said. “Don’t wait until the end of the process.” Get the right business owners in place to find and fix internal control weaknesses, working with internal audit to ensure those weaknesses have been fixed, he said.Former Feds on Board?

Compliance officers also need to assess what kind of outside resources to bring in. “The absolute best asset you can acquire for yourself is a retired FBI agent,” said Donovan. They’re “worth their weight in gold,” because they’re highly skilled in not only conducting internal investigations and interviews, but also gathering documentation, he said.

Those resources may be invaluable, but companies also need to consider the message they send throughout the organization. Moore offered the example of Altria, the parent company of Philip Morris, which “had a great investigations team,” made up of former FBI agents and former New York City police officers.  “The only caveat is that when they got parachuted into a market to conduct an investigation, it struck fear in the entire organization to the point where they had difficulty getting people to speak honestly,” she said.

Karen Moore, former vice president of compliance at Phillip Morris International, discussed the importance of compliance getting together early on with legal, HR, and IT.





It’s also important to figure out at the outset of an internal investigation whether the incident is isolated or part of a broader systemic practice. “A lot of seemingly innocuous investigations can be the tip of an iceberg,” Moore cautioned. “If you don’t start taking a look at the root causes—how did that problem start and where else in my markets can it be occurring—you’re going to miss the whole rest of the iceberg,” she said.

“A quick judgment can result in error,” Lopez agreed.  So thinking more deliberately and staying aware of any new developments are essential factors to the overall success of an investigation, he said.Cultural Nuances

Where in the world an investigation unfolds also plays a role in scoping it. “Cultural differences cannot be underestimated,” Moore said. “It’s not just the craft of the investigation; it’s the art of getting the most out of the culture you’re operating in.”In most countries outside the United States, for example, the rights of employees often overrule the rights of employers. In many European countries, in particular, “disciplining by means of termination for cause is nearly impossible,” so you need to keep that in mind when deciding what disciplinary actions to take, Moore said.

Russia is an example of another country where the scales tip in favor of employees. If you want to terminate somebody for theft or fraud in that country, “you almost always have to catch the person on camera,” Moore said. 

In those types of cases, the audit committee often will want to know: “What have we done to recover lost proceeds? Have we filed a criminal complaint against the employee?” Moore said. So you’ll need to be prepared to explain to the audit committee the reasons why you haven’t recovered those assets, or taken those steps, she said.

Another area where cultural differences can play a role is in the mindset of the senior leadership, Donovan said. “The last thing they want is a bunch of people from corporate headquarters coming over and kicking tires and looking under rocks and telling them what they’ve done wrong,” he said.

TIPS TO EFFECTIVE INVESTIGATIONSBelow, CW 2014 speaker Frank Lopez of WellCare Health Plans outlines the steps to an effective investigation.

Conduct a preliminary risk assessment which considers, among other things:

Source of allegation (e.g., regulatory inquiry, grand jury subpoena, lawsuit, Section 10A notice from auditor, whistleblower complaint)

Nature of alleged misconduct (e.g., accounting irregularity, bribe, Title VII)

Collateral consequences (e.g., reputational harm)

Company’s history

Hot topics (e.g., data security, FCPA)

Duty to disclose (voluntary disclosure)


Develop a preliminary investigation plan:

Identify who will lead inquiry (e.g., Compliance, outside counsel, audit)

Identify source of authority at Issue (Code of Conduct, GAAP, statutory)

Identify sources of information/evidence

Determine necessary steps to preserve data

Determine chronology of inquiry

Assess need to engage internal or external subject matter experts


Seaboard Report: When finished, can you answer the following questions:

Did misconduct arise due to management pressures or a tone of lawlessness

Were appropriate procedures in place, and if so, why they failed to prevent misconduct

Did senior personnel know of or participate in misconduct

Was misconduct systemic or isolated

Timing and duration of misconduct

Harm inflicted upon others (including consumers, the government, and investors)

How soon after discovery did company implement an effective response

Were wrongdoers adequately disciplined

Whether disclosure of the misconduct is required by contract, law or regulation

 Source: Frank Lopez CW 2014 Presentation.



Language barriers must also be taken into consideration. “In what language are you going to conduct your interview?” Moore said. The same consideration should be given with documentation. Another consideration is how long it’s going to take to translate them so that they are accessible to the investigation team, she said.Law Enforcement Involvement

“Involving local law enforcement I find to be the most tricky, disturbing area to navigate,” Moore said. “In some areas you want to, or feel you must, involve local law enforcement at some point in your investigation. This may be particularly true if you’d like to seek criminal remedies after the conclusion of your investigation.”

In order to decide whether to involve local law enforcement, “you’ve got to judge the market in which you’re operating,” Moore advised. “In Germany, I’d have no hesitation about inviting local enforcement to collaborate.” In a country like Kazakhstan, on the other hand, “you end up with what look like twelve year olds with machine guns rifling through your office,” she said.

Also complicating a global investigation is that certain enforcement agencies don’t like you to share information with enforcement agencies in other jurisdictions. “They don’t trust each other,” said Alexander Juengling, chief compliance officer of Bilfinger. One way around that is to “get one lead agency,” he said.

Another important consideration is the age-old question of whether to self-report potential misconduct. “Very few jurisdictions have a formal obligation to self-report,” Juengling said. Thus, he said, it’s up to the company to look into what kind of leniency program, if any, exists in each jurisdiction.