The Evolution of Risk Management in Global Investigations - Risk Management Association of India

2.1 Introduction

This chapter addresses the myriad potential avenues for a control environment to be compromised and for an area of risk or investigation to be identified, either proactively or reactively, by a corporation. It also highlights key developments and changes we have observed in the past year regarding risk management and global investigations.

First, the chapter provides a close look at some of the primary triggers or sources of investigations for corporations from both an internal and external perspective. Second, we discuss developing environmental, social and governance (ESG) issues – an increasing focus for law enforcement and regulatory authorities, as well as the rise of artificial intelligence (AI) and its impact on the investigation landscape. The chapter concludes with a brief discussion of a question commonly asked by many corporations today: which corporate function (e.g., legal, compliance, or both) should be responsible for overseeing and conducting which types of investigations?

2.2 Sources and triggers of corporate investigations

Corporate investigations can be triggered by internal and external sources. From an internal perspective, corporations often conduct their own investigations in response to whistleblower reports concerning suspected violations of law or company policy, or as a means to assess the scope of potential problems and risks identified in routine due diligence, compliance reviews and financial audits. Increasingly, corporations may also initiate investigations relating to potential reputational damage or stakeholder concerns outside the traditional violations of law or company policy. Corporations may also find themselves the targets of investigations commenced by external law enforcement and regulatory authorities, such as the US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO). We describe these and other common triggers and sources of investigations below.

2.2.1 Internal investigations

2.2.1.1 Internal whistleblowers

Most corporations today have a reporting mechanism through which employees, customers and members of the public can report (sometimes anonymously) actual or suspected problems that pose risk to the company. The number of whistleblower complaints a company receives within a given period of time does not necessarily reflect the health of a company or its ability to detect risk. For example, a small number of complaints may reflect a company’s strong compliance culture or, conversely, a culture in which employees hesitate to make complaints out of fear of losing their jobs or other forms of discipline. On the other hand, a significant flow of concerns may reflect a more risk-aware body of employees who feel free to raise issues without fear of retaliation, or a body of employees who do not take compliance seriously and face no consequences for escalating frivolous complaints.^[2]

Greater protection for whistleblowers is being built into corporate reporting lines in the wake of key legislative changes, which may increase the number of concerns and complaints raised by employees or members of the public.^[3] For example, the EU Whistleblowing Directive (the Directive) provides protection to any person working in the private or public sector who makes a report regarding an alleged breach of EU law in a work-related context. The Directive has now been implemented by nearly all EU Member States. UK and US companies with a footprint in the European Union will need to consider whether their whistleblower policies and procedures are sufficient to meet these new standards.

In the United States, whistleblower reporting continued to play a critical role in enforcement actions brought by the Securities and Exchange Commission (SEC). In fiscal year 2022 alone, the SEC received over 12,000 whistleblower tips – the largest number of tips received in a fiscal year.^[4] In remarking on this high reporting period, the Chief of the SEC Whistleblower Program stated: ‘The significant increase in the number of whistleblower tips and awards since the [Whistleblower Program’s] inception shows that the program, with its enhanced confidentiality protections, is effectively incentivizing whistleblowers to make the often difficult decision to come forward with information about potential securities-law violations’.^[5]

Regardless of whether the potential violation of law relates to securities fraud or other forms of misconduct, the lesson for corporations is that the effectiveness of an internal reporting hotline will in large part depend on the confidentiality protections offered to reporters. The more guarantees a corporation offers in protecting the confidential nature of a report (and, where necessary and permissible, the anonymity of the reporter), the more likely employees and third parties will feel comfortable submitting reports that help corporations identify actual or potential legal and compliance violations.

2.2.1.2 Workplace allegations

Corporations also conduct internal investigations into allegations arising from issues related to workplace culture, such as bullying, harassment and #MeToo claims. These investigations can be highly sensitive and resource-intensive, and any information leaks pertaining to those investigations can cause great reputational harm.

While the approach and processes applied in conducting workplace investigations vary depending on the size of the organisation and the severity of an allegation, preparation is key to an efficient, transparent and, above all, lawful investigation. To help manage these investigations, corporations may consider implementing an internal governance framework that delineates the responsibilities of the core teams typically involved in workplace investigations (e.g., human resources (HR), legal and compliance) and maps out a step-by-step plan for those teams to follow when responding to an allegation. The plan will vary depending on the nature and seriousness of the allegations at issue but, as a general matter, corporations find it helpful to know which allegations should be handled by which teams and in accordance with any applicable timing expectations or requirements. In setting out the framework, it is important to avoid the trap of a particular function investigating a member of that function (e.g., HR investigating HR).

Workplace investigations inevitably involve the processing of personal data, much of which is often highly sensitive. Corporations should therefore consider the data protection laws in its jurisdiction and liaise with its legal team to understand the scope and rules of these laws. Regardless of the jurisdiction and applicable laws at play, companies should, as a matter of best practice and to the greatest extent possible, keep the information gathered in connection with a workplace investigation confidential and limit the sharing of information to a need-to-know basis with a small group of interested parties.

2.2.1.3 Audits and reviews

Internal investigations may also be triggered by periodic audits and reviews. Many companies must by law conduct some form of internal audit or review concerning the truth and accuracy of their financial books and accounts. These audits are typically conducted annually by an independent audit firm, and the results are usually recorded in a written report. If any errors, gaps or other potential risks are identified, a company may decide to investigate and remediate any problems before the next report.

Corporations also often conduct internal reviews or risk assessments to assess whether and to what extent their policies and procedures are adequately designed and implemented to detect and remediate risk. These reviews can be performed by a law firm or by a company’s internal legal or compliance function (albeit with some privilege concerns for assessments conducted without counsel). Like financial audits, corporations may choose to investigate problems identified in these internal reviews, especially those that pose the greatest legal, financial or reputational risk to corporations and their business.

2.2.1.4 Transactional due diligence

Corporate transactions, such as mergers, acquisitions and joint ventures are another common trigger for internal investigations. Corporations customarily conduct due diligence to identify risks presented by a target company or counterparty. When conducting such pre-transaction due diligence, particular attention should be given to areas that can give rise to successor liability (i.e., liability for the company acquiring the entity with the potential legal or compliance risk).

While a corporation should consider various factors before entering into a transaction, some of the common pre-transaction due diligence considerations include whether the other entity:

is sanctioned or has been subject to economic sanctions within the past five years;
has a robust compliance programme that adequately accounts for relevant risks, such as bribery and corruption-related risk;
is owned or controlled by a government official or a government body;
has significant financial debts or liabilities;
has been the subject of an external investigation brought by a regulator or law enforcement authority within the past five years; and
has been the subject of any litigation involving fraud or other allegations of illegality within the past five years.

Pre-transaction due diligence in the above-listed areas (and others based on a target’s specific risk areas (e.g., environmental and anti-money laundering)) is crucial. Conducting thorough and well-timed due diligence has never been more important to reduce the risk of entering into a transaction that could be financially and reputationally damaging, and to provide leverage to companies that later find themselves in the crosshairs of a government investigation. For example, in its Corporate Enforcement and Voluntary Self-Disclosure Policy (previously known as the FCPA Corporate Enforcement Policy), the DOJ has stated that there will be a presumption of declination where a company undertakes a merger or acquisition and uncovers misconduct through ‘thorough and timely due diligence’ and voluntarily self-discloses the misconduct and otherwise takes action consistent with the policy (e.g., implementing an effective compliance programme at the merged or acquired entity in a timely manner).^[6]

2.2.2 External investigations

2.2.2.1 Contact by regulatory and law enforcement authorities

In the UK regulated sector, where ongoing open and transparent dialogue is expected between corporations and their regulators, it is rare for a business to find out about issues for the first time as a result of unilateral contact from a regulator. Ordinarily, the regulated entity’s report to the regulator leads to further investigation. By contrast, contact from prosecutors, competition authorities and, in certain circumstances, civil litigants, may occur without prior warning. In the United States, corporations frequently learn about an investigation for the first time from prosecutors, and criminal referrals from regulatory agencies to DOJ are common.

But regardless of where they are located, all companies should ask the following initial questions when approached by a regulator or law enforcement authority:

Is the company a target or subject of the inquiry or investigation, or is the authority simply looking for the company to assist in providing helpful information related to another individual or entity’s conduct?
What information is the authority looking for?
In what format is the authority seeking information (e.g., emails, text messages or interviews)?
How much information is the authority seeking (e.g., information from the past five or 10 years)?
Is the authority interested in a specific business line or area of the company?

Another initial question companies should ask is whether the investigation is being carried out by a regulator or a prosecutor. A company may be inclined to treat these two types of organisations synonymously, but they discharge different duties, possess different (although sometimes overlapping) powers and have different expectations regarding cooperation. Accordingly, a company’s approach to dealing with a regulator may need to differ from its response to dealing with a criminal prosecutor’s office.

Companies should also keep in mind that a prosecutor investigating a matter is usually seeking evidence to decide whether a crime has occurred and whether individuals or the company should be criminally charged. If it proceeds with a prosecution, it carries the burden of proof (with certain limited jurisdictional and subject-matter exceptions). In addition, apart from specific mandatory reporting regimes,^[7] there is no obligation to volunteer information about misconduct to a prosecutor in the absence of a subpoena, warrant or other court order. While it is an offence to obstruct an investigation, obstruction does not extend to failure to volunteer evidence in the absence of compulsion. However, the provision of false, misleading or incomplete information to a prosecutor could amount to an offence of obstruction of justice in the United States or perverting the course of public justice in the United Kingdom.

In dealings with UK prosecutors specifically, cooperation is a matter of pragmatic choice rather than legal obligation. The starting point remains unchanged when deciding whether to exercise that choice: under what valid power does the prosecutor seek the evidence; what are the company’s reasonable defences; and how tactically does the company respond? While principles of cooperation with government agencies in the hope of gaining leniency or mitigation are more clearly defined and have a longer tradition in the United States, the general rule of law remains intact, and questions of powers, defences and tactics are no less germane.^[8]

Where a prosecutor, police or an investigative agency, a competition authority or other public body serves a subpoena, order or warrant entitling it to documents and electronic information or to enter, search and seize, monitor or restrain, the challenge for the affected organisation is twofold: (1) limiting the information provided to the information that is specifically sought in the subpoena, order or warrant to prevent a fishing expedition of the company’s books and records; and (2) ensuring the company is not left behind (and preferably remains in front) in its own understanding of the relevant facts.

In the United States, grand jury subpoenas are the most common tool prosecutors use to gather information against a corporation in a criminal investigation. Various civil and regulatory enforcement agencies may also issue subpoenas. General principles to follow when responding to a subpoena include:

issuing legal hold notices to the relevant employees and, if appropriate, third parties, to ensure that all information requested or potentially relevant to the inquiry (e.g., emails, other electronically stored information and hard-copy documents) is retained;
controlling insider lists to identify those aware of facts that may constitute inside information;
preparing witness lists (to ensure they do not receive updates or advice on the matter, which may contaminate their evidence); and
giving consideration to the treatment of witnesses (e.g., whether they require independent legal advice or should be removed from the office environment through suspension or relocation so as not to risk evidence tampering, collusion or undue influence over other witnesses).

A number of important general principles also apply to the execution of search warrants and the conduct of dawn raids, both in the United States and the United Kingdom:

The order or warrant must be reviewed to ensure that the party serving or executing it has the requisite power. (Does it name the correct entity? Is it the correct site or office? Are the search area and the items the authorities are searching for described with the requisite particularity? Are there date or time discrepancies? Is it signed or executed? In the United Kingdom, does it bear the correct court seal? Does the person conducting the inspection have the requisite authority in that jurisdiction?)
All relevant parties need to ensure the full scope and context of the search is understood (and where electronic searches are undertaken, endeavour to agree on relevant keyword searches and the exclusion of out-of-scope material, such as privileged documents or personal data).
As with a subpoena, it will generally be necessary to issue legal hold notices immediately after receipt of the order or warrant with instructions to employees not to destroy or spoil evidence or to give false or misleading information. Along with the obvious practical importance of preserving relevant evidence, there is also significant value in being seen to cooperate as an initial response.
Individuals executing the order should be subject to identity verification to ensure that execution is in accordance with the terms of the order and that their identification is recorded (in the event that the order is breached and an individual’s identity becomes relevant to any proceedings arising as a consequence).
Staff, including reception and a designated dawn raid team, should be trained in advance as to how to conduct any interaction with investigators from the moment of first access to the premises. This includes training and instruction on not answering apparently casual questions on the subject of the search. The informal question to the untrained employee on the walk along the corridor is a well-established source of information for experienced investigators. Any questions asked of staff and their responses should be noted. Employees may be informed of their legal rights not to speak to investigators and their right to counsel. Additionally, if the company is willing, the employees may be told that the company will provide legal counsel to them at no cost if investigators wish to speak to them or if they are later contacted. The company may not, however, instruct employees not to speak to investigators, as that is the employee’s choice.
A separate room should be set aside as a base for investigators and discussions between legal function representatives and the visitors so that debate and investigative activity do not take place within earshot of those under investigation.
Local IT support (technology, plus a nominated IT representative) should be made available in the same room to ensure the IT environment can be explained to investigators and accessed. A log of access and copies of materials reviewed or seized should be made as the matter progresses so that a company’s own investigators and lawyers can subsequently review the same material and evaluate compliance with the order or warrant.
A written log should be kept of all places searched, items seized and staff interviewed. Legal counsel should be present, if possible, to assert objections based on the attorney–client privilege, to identify commercially sensitive information or the sensitive personal information of customers or employees and to object if the search exceeds its authorisation. None of this, however, can be obstructive. The remedy for an improper search or seizure is to be had in court, not while the search is being conducted.
Seek to agree with the investigators in advance on the definition and scope of principles such as legal privilege, commercial confidentiality, relevance, personal data and other material the company would contend falls outside the scope of the order, and to a protocol for handling these materials during and after the search.
Consider whether it is necessary and appropriate to prepare a press release or public disclosure (e.g., stock exchange announcement) confirming the on-site inspection and its scope or purpose. Consider what, if any, communication should be made to employees, noting that in the United Kingdom, this practice is not favoured as it could tip off individuals who do not intend to comply, triggering evidence tampering or impacting the integrity of witness testimony.

2.2.2.2 Media coverage

Unexpected media reports or more aggressive or intrusive media behaviour (e.g., undercover investigative journalism) can trigger an investigation in extremely pressurised circumstances. The media outlet running the story will often have completed its investigation before the company is aware of the matter. In the worst cases, the first a company learns of the facts is in the publication or broadcast, although various broadcasting codes and voluntary editorial principles encourage the opportunity for a right of reply, so most coverage will follow a short period of discussion of content between the media and the subject of the story, yet not enough to accommodate an investigation and a fully informed response.

Even if a company is already aware of an issue and has undertaken some investigation before the issue becomes public, sudden and intense media scrutiny may require a company to adjust its response to protect its legal position and reputation, and to be seen to understand the public demand for resolution. For example, companies that were initially intending to adopt a passive approach to an issue or undertake a low-key investigation may change this response once the media takes up the issue.

Adverse media reports about a corporation’s business operations can result in reputational damage, financial harm and increased scrutiny from regulatory and law enforcement authorities. Companies do not always have time to adequately respond to these reports, especially in an environment where news travels at a fast pace. From a practical point of view, there is an immediate balance that companies must strike between taking the time to conduct a thorough investigation and responding to urgent media and public enquiries.

Companies can minimise the negative consequences that accompany adverse media reports by proactively implementing a crisis management plan. This should not only account for how the company will respond to the media and its customers, but also how the company investigates the allegations in both the short and long term. Setting up an investigations steering group and having effective policies and processes in place that are observed by senior management will ensure emergency investigations are not obstructed by administrative chaos.

2.2.2.3 Investor complaints and shareholder derivative lawsuits

Complaints raised by shareholders can trigger twin legal activities: (1) a defence strategy in cases where issues of liability are plainly articulated and the facts are either already established or may be simply assessed; and (2) separate investigations into wider concerns raised by the complaint, or where the facts are far from clear and the allegations cannot be adequately responded to without an investigation.^[9]

A major sensitivity in matters of this nature relates to the ongoing disclosure and transparency obligations arising from stock exchange listing rules. It is one thing to investigate in order to position a company to defend itself in litigation or to respond to a letter of concern or questions from the floor in an annual general meeting, but another to investigate to a point where a public statement can be made with sufficient accuracy to satisfy the reasonable investor test.^[10]

While a company may wish to respond speedily to concerns raised by an investor, dealing with investor complaints carries a further layer of complexity and a balance needs to be struck between the urgency to make a statement to the market, and the time needed to investigate facts sufficiently to make an adequately precise, accurate and informative one. The publication of false or misleading statements through an inadequate or incomplete investigation simply increases the range of potential legal liabilities and further delays resolution.

2.2.2.4 Customer and competitor complaints

Complaints made by customers and competitors constitute another category of triggers of external investigations. Customers and competitors may refer complaints to law enforcement, regulators, consumer bodies and ombudsmen. Individual incidents may be sufficiently problematic to merit investigation in their own right. However, even with low-value customer complaints, there comes a point where a high volume of similar criticisms and allegations raise concerns regarding the fairness of underlying sales processes and the adequacy of complaints handling systems, or perhaps even broader questions of breaches of systems or controls. Such concerns may catch a regulator’s attention.

A complaint or concern raised by a participant in the same market raises a number of wider risks colouring the subsequent investigation. In certain ways, a competitor complaint has more in common with whistleblowing (and may even be regarded as such by authorities) in that it may create forms of protected disclosure, confidentiality obligations and behavioural expectations from particular authorities. This is certainly the case in competition matters where leniency or immunity is sought following a self-report to an authority or tip-off by a competitor. This immediately limits the scope for communication of issues (including even the existence and subject matter of the investigation) among staff and will have a particular bearing on the management of evidence, including witness handling and interviews. It will also affect the extent to which there may be ongoing communication outside the organisation where, for example, witnesses may exist within the competitor organisation but further dialogue is not possible without the consent of, and careful choreography by, the relevant authority.

2.3 ESG issues

Corporate investigations (whether triggered internally or externally) have traditionally focused on white-collar compliance. The investigations that tend to make headlines and soak up corporate resources are those concerning an entity’s alleged violation of laws related to bribery, corruption, securities fraud, money laundering and similar misconduct that pose significant legal risk. These investigations are often global, involve some of the most active law enforcement and regulatory authorities, and can result in large monetary settlements and criminal penalties.

But the nature and scope of corporate investigations is evolving as companies become subject to ESG-related laws and regulations and face increasing pressure to adopt and report on standards related to ESG issues, such as those concerning human rights, corporate citizenship, diversity and inclusion, and environmental sustainability, among others. These reputational risks are an increasing source of investigations as companies seek to demonstrate to customers, shareholders and employees that they live up to their stated values.

Corporations have historically viewed ESG issues as a set of loose, voluntary standards that pose little to no legal risk. While this might have been true 10 years ago, it is certainly not the case today, with shareholders, employees, consumers and other stakeholders demanding that corporate boards make ESG a priority in corporate operations, and lawmakers and regulatory authorities around the world are increasingly requiring corporations to report on their ESG activity and holding corporations accountable for ESG-related misconduct.

For example, in November 2022, the SEC charged an investment adviser for failing to adhere to its policies and procedures relating to the ESG research its investment teams used to select and monitor securities for customers.^[11] The investment adviser paid a US$4 million penalty to settle charges with the SEC. In announcing the settlement, the Co-Chief of the Enforcement Division’s Asset Management Unit stated that the action ‘reinforces that investment advisers must develop and adhere to their policies and procedures over their investment processes, including ESG research, to ensure investors receive the advisory services they would expect to receive from an ESG investment’.^[12]

Similarly, in a more recent enforcement action, the SEC ordered an investment adviser (and subsidiary of Deutsche Bank) to pay a US$19 million penalty for making materially misleading statements about its controls for incorporating ESG factors into research and investment recommendations for ESG integrated products.^[13]

These and other related ESG enforcement actions brought by the SEC in the past two years^[14] highlight the importance of investment advisers providing accurate information relating to their ESG efforts and initiatives. When marketing their funds and strategies as ESG, advisers must not only ‘establish reasonable policies and procedures governing how the ESG factors will be evaluated as part of the investment process’ but must also ‘avoid providing investors with information about these products that differs from their practices’.^[15]

In the United Kingdom, the Bank of England and the Financial Conduct Authority (FCA) have made ESG a central regulatory and supervisory consideration.^[16] The FCA has announced its intention to introduce a package of measures aimed at clamping down on greenwashing in the regulated sector, including restrictions on the use of sustainability-related terms in product marketing.^[17] In December 2021, it introduced mandatory disclosure requirements for asset managers in line with the Task Force on Climate-Related Financial Disclosures. It also intends to set up an ESG advisory committee with the aim of clamping down on the greenwashing of investments (i.e., false or misleading claims over the environmental credentials of financial products). The FCA is also consulting on proposals to integrate non-financial misconduct considerations (e.g., bullying and harassment) into the ‘fit and proper’ test for individuals falling within the Senior Managers and Certification Regime.^[18]

Meanwhile, the European Union has adopted the EU Corporate Sustainability Reporting Directive, which introduces wide-ranging and mandatory ESG-related reporting requirements for large companies falling within its jurisdictional scope.^[19] The European Union is also expected to adopt the EU Corporate Sustainability Due Diligence Directive, which would require in-scope companies to conduct due diligence across their own operations and in their supply chain to identify adverse human rights and environmental impacts.

These developments have had, and will continue to have, an impact on what companies investigate and how they approach investigations. For example, corporate counsel of companies subject to existing and contemplated ESG disclosure requirements will need to investigate (1) the actions the company has taken in the area of ESG, (2) the ESG-related statements and commitments the company has made to the investing public on its website or in other publicly available materials and (3) whether and to what extent the company’s actions in the area of ESG align with its published statements and commitments.

Some investigations will not be driven by fear of regulatory action but rather by corporations trying to demonstrate to consumers, employees and other stakeholders that they are living up to their ESG claims or stakeholder expectations. In turn, this pressure gives rise to a risk that a corporation will mislead the market by overstating its ESG credentials. Whatever the driver for the investigation, to be effective, ESG investigations will require corporate counsel to remain up to date on growing and fast-changing standards and requirements.

2.4 Artificial intelligence

AI in some form or another has been part of the investigation landscape for several years. Computer-assisted learning (CAL) and other AI and data analytical tools are used in reviewing documents and other data sets to cut down on the number of documents that need to be manually reviewed and to suggest areas of investigation via clustering and making other connections in the data. AI and other analytical tools are also being used by companies to interrogate their own data for compliance purposes.

Regulatory and law enforcement authorities are similarly using AI to cull data and ferret out potential violations. With AI outpacing legal and compliance strictures, we are now beginning to see AI trigger investigations stemming from its use, such as where AI enhanced systems move data around the world without human input, potentially violating sanctions, export control and data privacy laws. AI can also trigger intellectual property issues, and biases in AI-assisted decision-making can lead to legal and reputational risk.

As the use of AI grows, so will the list of potential legal and reputational risks that could lead to investigations.

2.5 Corporate legal and compliance functions: who should investigate?

Corporate investigations often fall within the remit of legal and compliance departments. Some companies keep the functions separate, while others assign similar and overlapping responsibilities to them, making these functions difficult to distinguish. A common question we receive from companies that have both functions is which department should be responsible for conducting which investigations?

There is no single, straightforward answer; it will depend on the type of investigation, the corporation’s resources (including staffing and technology), and the nature and scope of the problem. Generally speaking, the legal department plays a reactive role, spearheading investigations after a potential problem has been identified to mitigate a company’s overall liability. For example, legal departments often lead investigations of suspected violations of anti-bribery and corruption laws, which can lead to significant criminal and civil penalties, and often require coordination and cooperation with authorities. In addition to their skill set, legal departments will also often lead in investigations where it is important to protect the investigation under the attorney–client privilege.

The compliance department often plays a more proactive role, overseeing and managing corporate behaviour to prevent wrongdoing. Compliance departments tend to lead investigations that are focused on detecting risk and ensuring the company’s current compliance framework (e.g., the company’s policies and procedures) is adequately designed to prevent and respond to risk. For example, compliance departments are often asked to conduct periodic reviews and risk assessments, and to recommend general compliance improvements. Even with investigations or compliance efforts of this type, it is prudent for corporations to consider the nature, background and potential implications of the inquiry and whether it is better that they be led by lawyers to be covered by the attorney–client privilege.

Investigations are never straightforward, however, and in practice companies leverage the knowledge and resources of both the compliance and legal functions when conducting investigations. We see this play out in a number of areas – most recently regarding ESG. Companies are being called on by stakeholders and government bodies to assess and report on their compliance with applicable ESG standards (e.g., whether and to what extent a company sources responsible goods and products, abides by human rights laws and takes steps to reduce carbon emissions from its business operations). Ensuring a company’s compliance with these standards is not a purely legal or compliance function: legal should be involved in ESG-related investigations because there are budding laws and regulations in various jurisdictions that allow for the enforcement of these standards, and compliance should be involved to identify and assess ESG risk, carefully track these ever-evolving risks, and assess how the company’s current compliance structure addresses them.

Courtesy : https://globalinvestigationsreview.com/guide/the-practitioners-guide-global-investigations/2024/article/the-evolution-of-risk-management-in-global-investigations