Internal investigations are a critical component of a robust compliance program; without the ability to investigate allegations of wrongdoing, your company's credibility with regulators is pretty much sunk. At Compliance Week 2011, a trio of compliance professionals shared their approaches.
First, because the circumstances of each case are unique, the compliance officers on the panel recommended against any sort of checklist approach. “Investigations might evolve, so I look at it as ‘things to consider' rather than a checklist,” said Lyn Cameron, one of Cisco Systems' top compliance executives and overseer of its investigations function.
At Cisco, she said, investigations are prioritized. Depending on the type of problem—whether it is a serious allegation or a regulatory matter—the issue is classified to see which ones get priority first.
Q VanBenschoten, regional compliance officer for the Americas at Intertek Corp., a product testing company, said she first gathers as many facts as possible at the start, and proceeds to an investigative plan from there. “An investigative plan is so critically important,” she said. That includes knowing which questions are pressing and need answers first.
Both Cameron and VanBenschoten offered a laundry list of important factors to consider, including:
What's the allegation?
What's the issue at hand?
What policy has been infringed?
Who needs to be part of the communications?
What information do they need? How often?
Are there any document holds that need to be put in place?
“If you have answers to all your questions, you're probably in pretty good shape,” VanBenschoten said. Keep in mind, however, “the questions may change over time, as new facts come in.”
VanBenschoten added that the first 48 hours she spends on an investigation is spent not just looking at interviews with people, but also gathering as much documentation as possible. That reduces the risk of someone changing the data, or having it disappear altogether, she said.
Investigations that are too narrow in scope may draw criticism from the Justice Department. “Generally, the issue of scope is critical,” and should be considered fully at the beginning of the investigation, said Julia Guttman, a partner at the law firm Baker Botts. Indeed, VanBenschoten added, if you decide not to expand the scope of your investigation, document the logic of that decision—because regulators will expect you to explain your reasoning at some point in the future.
In addition, ensuring the investigation is done independently and objectively will help sooth any concerns from regulators. “It's ultimately going to come down to the credibility of the investigation,” Guttman said.
Some questions to ask yourself, to prove independence and objectivity: Did the company thoroughly review the nature, extent, and origins of the misconduct? How long did it take to implement an effective response? Did the company adopt and enforce more effective internal controls and procedures designed to prevent a recurrence of the misconduct? If the wrongful activity involved senior management, convincing the Justice Department that an internal investigation was handled independently gets much harder, Guttman added.
“You want to have a very clear plan for why you're doing [an investigation] the way you're doing it.”
—Julia Guttman,
Partner,
Baker Botts
Companies should also carefully document their investigation protocols. “My direction to my team is to document everything as though it's going to be reviewed by government regulators,” Cameron said. The legal team offers additional support and direction on that strategy, she added.
Guttman agreed: “You want to have a very clear plan for why you're doing [an investigation] the way you're doing it.”
The panel also urged compliance officers to use any and all means to encourage employees to step forward. “We leverage out technology as much as possible,” said Cameron. For example, Cisco Systems—no stranger to new technology—uses an internal case management system that allows employees to report problems to that service.
VanBenschoten said that employment-related complaints have grown particularly common in the last several years, especially retaliation complaints. Intertek has everything from an open-door policy to an anonymous hotline, she said.
Adequate Oversight
The panel also talked about the risk of centralizing the investigation function in one group. Failing to share information and other resources with various departments potentially deprives the investigative team of a consistent and robust process.
“Partnership and collaboration is absolutely essential,” Cameron said. At Cisco Systems, the compliance department regularly cooperates with finance, IT, legal, HR, and other business units.
“Generally, the issue of scope is critical,” said Julia Guttman, a partner at the law firm Baker Botts (left). At right is Q VanBenschoten, regional compliance officer, americas, at Intertek, who advised the audience if you decide not to expand the scope, make sure to document the logic of that decision.
VanBenschoten said she, too, has regular conference calls with HR, finance, and engineering. Collaboration is especially important because a problem that appears in one area of the company often crops up in other areas as well, she said.
“By having a regular meeting of that type, we all begin to develop an informal hot list,” VanBenschoten said. That allows different departments within the company to see whether the warning signs are popping up in other areas of the company and discuss how to respond.
At Intertek, VanBenschoten said coordinating with her extended team also comes in handy in the event that Problem B crops up while she is in the middle of an in-depth investigation into Problem A. In those instances, the general counsel or someone from human resources may step in to handle the newer problem, she said.
If the issue is “really big, ugly and hairy,” outside resources will be brought in as soon as possible, VanBenschoten added. An example might be if internal counsel is hiding information that is backed by privilege.
Lyn Cameron, director, global ethics compliance & investigation governance, risk, and controls at CISCO Systems, listens in as one attendee queries the panel. At right is Carlos Singh, senior manager, fraud investigations & dispute services at Ernst & Young.
Any time you rely on external resources, however, “you really need to have a comfort level with how they perform the investigation,” said VanBenschoten. “I think that's really important.” For example, she added, “I have expectations of what I want in an investigative report.” VanBenschoten says she spells those expectations out for the external investigator to deliver.
Another risk to relying on external resources for help: Those people aren't necessarily as invested in completing the probe quickly, and the investigation process can slow down. The challenge is getting them to make the investigation a priority, Guttman said.
Overall, routinely calibrating with both internal and external sources helps to ensure that all potential wrongful behavior is caught as soon as possible, and investigative processes remain consistent.
No comments yet