The Evolution of Risk Management in Global Investigations

This chapter addresses the myriad potential avenues for a control environment to be compromised and for an area of risk or investigation to be identified, either proactively or reactively, by a corporate. It also highlights key developments and changes we have observed in the past year regarding risk management and global investigations.

First, the chapter provides a close look at some of the primary triggers or sources of investigations for corporates from both an internal and external perspective. Second, we discuss developing environmental, social and governance (ESG) issues – an increasing focus for law enforcement and regulatory authorities. The chapter concludes with a brief discussion on a question commonly asked by many corporations today: which corporate function (e.g., legal, compliance, or both) should be responsible for overseeing and conducting which types of investigations?

2.2 Sources and triggers of corporate investigations

Corporate investigations can be triggered by internal and external sources. Corporations often spearhead their own investigations in response to whistleblower reports concerning actual or suspected violations of law or company policy, or to assess the scope of potential problems and risks identified in routine due diligence, compliance reviews and financial audits.

However, corporations may also find themselves the targets of investigations commenced by law enforcement and regulatory authorities, such as the US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO). We describe these and other common triggers and sources of investigations below.

2.2.1 Internal investigations

2.2.1.1 Internal whistleblowers

A substantial proportion of matters under investigation arise through a company’s own policy and process for whistleblower complaints, such as through employee helplines, staff exit interviews and voluntary communications by current and former employees.

Most corporations today have a reporting mechanism through which employees, customers and members of the public can report (sometimes anonymously) actual or potential problems that pose a risk to the company. The number of whistleblower complaints a company receives does not necessarily reflect the health of a company or its ability to detect risk. For example, a small number of complaints may reflect a company’s strong compliance culture or, conversely, a culture in which employees hesitate to make complaints out of fear of losing their jobs. On the other hand, a significant flow of concerns may reflect a more risk-aware body of employees who feel free to raise issues without jeopardy, or a body of employees who do not take compliance seriously and face no consequences for escalating frivolous complaints.

Greater protection is being built in for whistleblowers by legislative changes, which may further increase the number of concerns we see raised.[2] For example, the EU Whistleblowing Directive, which provides protection to any person working in the private or public sector who makes a report regarding an alleged breach of EU law in a work-related context, has now been implemented by 10 of the 27 EU Member States, while draft bills seeking to implement the Directive have been introduced in a number of other Member States. UK and US companies with a footprint in the European Union will need to consider whether their whistleblower policies and procedures are sufficient to meet these new standards.

In the United States, the US Securities and Exchange Commission (SEC) amended two rules under its whistleblower programme on 26 August 2022 to further incentivise whistleblowers to come forward. The first rule expands the scope of related actions that are eligible for an award under the programme, and the second rule clarifies the SEC’s authority to consider the size of a potential award in order to increase – but not decrease – the award.[3]

Specifically, Rule 21F-3 was amended to allow the SEC to pay whistleblowers awards for actions brought by other entities in cases where awards might be paid under the other entity’s whistleblower programme. This is notable because the amendment allows for an award under the SEC’s whistleblower programme if the other entity’s programme is not comparable or if the maximum award under the other programme would not exceed US$5 million. In fiscal year 2021, the SEC awarded over US$500 million to whistleblowers under the programme.[4]

2.2.1.2 Audits and reviews

Internal investigations may also be triggered by periodic audits and reviews. Many companies must by law conduct some form of internal audit or review concerning the truth and accuracy of their financial books and accounts. These audits are typically conducted annually by an independent audit firm, and the results are usually recorded in a written report. If any errors, gaps or other potential risks are identified, a company may decide to investigate and remediate any problems before the next report.

Corporations also often conduct internal reviews to assess whether and to what extent their policies and procedures are adequately designed to detect and remediate risk. These reviews can be performed by a law firm, or by a company’s internal legal or compliance function (albeit with some privilege concerns for assessments conducted without counsel).

As with financial audits, corporations may choose to investigate problems identified in these reviews, especially those that pose the greatest legal, financial or reputational risk to corporations and their business.

2.2.1.3 Transactional due diligence

Corporate transactions, such as mergers, acquisitions and joint ventures, are another common trigger for internal investigations. Corporations customarily conduct due diligence to identify any hidden risks presented by a target or counterparty. Particular attention should be given to areas that can give rise to successor liability.

While a corporation should consider various factors before entering into a transaction, some of the common due diligence considerations include whether the other entity:

  • is sanctioned or has been subject to economic sanctions within the past five years;
  • has a robust compliance programme that adequately accounts for relevant risks;
  • is owned or controlled by a government official or a government body;
  • has significant financial debts or liabilities;
  • has been the subject of an external investigation brought by a regulator or law enforcement authority; and
  • has been the subject of any litigation involving fraud or other allegations of illegality within the past five years.

Pre-transaction due diligence in the above-listed areas (and others) is crucial. Conducting thorough and well-timed due diligence has never been more important to reduce the risk of entering into a transaction that could be financially and reputationally damaging, and to provide leverage to companies that later find themselves in the crosshairs of a government investigation. For example, in its FCPA Corporate Enforcement Policy, the DOJ has stated that there is a presumption of declination for an acquirer that conducts effective pre-transactional due diligence, remediates, folds the acquired entity into its compliance programme and voluntarily discloses the conduct.

Whatever risk factor is being investigated, not only the primary due diligence activities but also the response to the information delivered by standard or enhanced due diligence may stimulate wider investigation. The initial response separates strong organisations from the weak and moves compliance culture from a tick-box habit to best-in-class governance and control.

2.2.2 External investigations

2.2.2.1 Contact by regulatory and law enforcement authorities

In the UK regulated sector, where ongoing open and transparent dialogue is expected between corporations and their regulators, it is comparatively rare for a business to find out about issues for the first time as a result of unilateral contact from a regulator. Ordinarily, the regulated entity’s report to the regulator leads to further investigation; by contrast, contact from prosecutors, competition authorities and, in certain circumstances, civil litigants, may occur without prior warning.

In the United States, corporations frequently learn about an investigation for the first time from prosecutors, and criminal referrals from regulatory agencies to the DOJ are common.

All companies, regardless of where they are located, should ask the following initial questions when approached by an authority:

  • Is the company a target or subject of the inquiry, or is the authority simply looking for information from the company related to another’s conduct?
  • What information is the authority looking for?
  • In what formats is the authority seeking information (e.g., emails, text messages or interviews)?
  • How much information is the authority seeking (e.g., from the past 10 years)?
  • Is the authority interested in a specific business line or area of the company?

Another initial question companies should ask is whether the investigation is being carried out by a regulator or a prosecutor. A company may be inclined to treat these two types of organisations synonymously, but they discharge different duties, possess different (although sometimes overlapping) powers and have different expectations regarding co-operation. Accordingly, a company’s approach to dealing with a regulator may need to differ from its response to dealing with a criminal prosecutor’s office.

A prosecutor investigating a matter is normally seeking evidence to decide whether a crime has occurred and whether individuals or the company should be criminally charged. If it proceeds with a prosecution, it carries the burden of proof (with certain limited jurisdictional and subject-matter exceptions).

Apart from specific mandatory reporting regimes, there is no obligation to volunteer information about misconduct to a prosecutor in the absence of a subpoena, warrant or other court order. It is an offence to obstruct an investigation, but obstruction does not extend to failure to volunteer evidence in the absence of compulsion; however, the provision of false, misleading or incomplete information to a prosecutor could amount to an offence of obstruction of justice in the United States or perverting the course of public justice in the United Kingdom.

In the United States, it is a crime to destroy evidence, even in the absence of compulsion or the initiation of proceedings, when the purpose is to avoid its disclosure in an anticipated criminal or regulatory investigation or proceeding. Further, the Fifth Amendment right against self-incrimination extends only to individuals, not corporations; therefore, ancillary Fifth Amendment protections (e.g., the act of production doctrine, which permits an individual to hold back documents if the mere act of producing them, as opposed to their content, will be incriminating) do not apply to corporates.

In dealings with UK prosecutors, while opportunities for mitigation and leniency exist through demonstrable co-operation (and a company may regret not being able to obtain co-operation credit later on), co-operation is a matter of pragmatic choice rather than legal obligation. The starting point remains unchanged: under what valid power does the prosecutor seek the evidence, what are the company’s reasonable defences, and how tactically does the company respond? While principles of co-operation with government agencies in the hope of gaining leniency or mitigation are more clearly defined and have a longer tradition in the United States, the general rule of law remains intact, and questions of powers, defences and tactics are no less germane.

Where a prosecutor, police or investigative agency, competition authority or other public body serves a subpoena, order or warrant entitling it to documents and electronic information, or to enter, search and seize, monitor or restrain, the challenge for the affected organisation is twofold: (1) to provide information or permit access and activity within the confines of the power granted; and (2) to ensure the company is not left behind (and preferably remains in front) in its own understanding of the relevant facts.

In the United States, grand jury subpoenas are the most common tool prosecutors use to gather information against a corporation in a criminal investigation. Various civil and regulatory enforcement agencies may also issue subpoenas. General principles to follow when responding to a subpoena include:

  • issuing hold notices to the relevant employees and, if appropriate, third parties, to ensure that all information requested or potentially relevant to the inquiry (emails, other electronically stored information, hard-copy documents, etc.) is retained;
  • controlling insider lists to identify those now aware of facts that may constitute inside information;
  • preparing witness lists (to ensure they do not receive updates or advice on the matter, which may contaminate their evidence); and
  • giving consideration to the treatment of witnesses (whether they require independent legal advice or should be removed from the office environment through suspension or relocation so as not to risk evidence tampering, collusion or undue influence over other witnesses).

In a criminal matter, defence counsel will almost always engage with the prosecutor to determine the company’s status as a witness (potentially having relevant information, but no criminal liability), subject (the largest category, in which the government does not yet have sufficient information to determine criminal liability) or target (the government is gathering evidence to bring criminal charges against the company). Counsel will also almost certainly work to narrow the scope of the information requested.

A number of important general principles apply also to the execution of search warrants and the conduct of dawn raids:

  • The order or warrant must be reviewed to ensure that the party serving or executing it has the requisite power. (Does it catch the correct entity? Is it the correct site or office? Are the search area and the items the authorities are searching for described with the requisite particularity? Are there date or time discrepancies? Is it signed or executed? In the United Kingdom, does it bear the correct court seal? Does the person conducting the inspection have the requisite authority in that jurisdiction?)
  • All relevant parties need to ensure the full scope and context of the search is understood (and where electronic searches are undertaken, endeavour to agree on relevant keyword searches and the exclusion of out-of-scope material, such as privileged documents or personal data).
  • As with a subpoena, it will generally be necessary to issue hold notices immediately after receipt of the order or warrant with instructions not to destroy or spoil evidence or to give false or misleading information. As well as the obvious practical importance of preserving relevant evidence, there is also significant value in being seen to co-operate as an initial response.
  • Individuals executing the order should be subject to identity verification to ensure that execution is in accordance with the terms of the order and that their identification is recorded (in the event that the order is breached and an individual’s identity becomes relevant to any proceedings arising as a consequence).
  • Staff, including reception and a designated dawn raid team, should be trained in advance as to how to conduct any interaction with investigators from the moment of first access to the premises. This includes training and instruction on not answering apparently casual questions on the subject of the search. The informal question to the unready on the walk along the corridor is a well-established source of information for experienced investigators. Any questions asked of staff and their responses should be noted. Employees may be informed of their legal rights not to speak to investigators and their right to counsel. Additionally, if the company is willing, the employees may be told that the company will provide legal counsel to them at no cost if investigators wish to speak to them or if they are later contacted. The company may not, however, instruct employees not to speak to investigators; that is the employee’s choice.
  • A separate room should be set aside as a base for investigators and discussions between legal function representatives and the visitors so that debate and investigative activity does not take place within earshot of those under investigation.
  • Local IT support (technology, plus a nominated IT representative) should be made available in the same room to ensure the IT environment can be explained to investigators and accessed. A log of access and copies of materials reviewed or seized should be made as the matter progresses so that a company’s own investigators and lawyers can subsequently review the same material and evaluate compliance with the order or warrant.
  • A written log should be kept of all places searched, items seized and staff interviewed. Legal counsel should be present, if possible, to assert objections based on the attorney–client privilege, to identify commercially sensitive information or the sensitive personal information of customers or employees and to object if the search exceeds its authorisation. None of this, however, can be obstructive. The remedy for an improper search or seizure is to be had in court, not while the search is being conducted.
  • Seek to agree with the investigators in advance on the definition and scope of principles such as legal privilege, commercial confidentiality, relevance, personal data and other material the company would contend falls outside the terms of the order, and to a protocol for handling these materials during and after the search.
  • Consider whether it is necessary and appropriate to prepare a press release or public disclosure (e.g., stock exchange announcement) confirming the on-site inspection and its scope or purpose. In the United States, it may be advisable to convene a ‘town hall’ meeting with employees to discuss the search and the looming investigation, but in the United Kingdom, this practice is not favoured as it could tip off individuals who do not intend to comply, triggering evidence tampering or impacting the integrity of witness testimony.

2.2.2.2 Media coverage

Unexpected media reports or more aggressive or intrusive media behaviour (such as undercover investigative journalism) can trigger an investigation in extremely pressurised circumstances. The media outlet running the story will often have completed its investigation before the company is aware of the matter. In the worst cases, the first a company learns of the facts is in the publication or broadcast, although various broadcasting codes and voluntary editorial principles encourage the opportunity for a right of reply, so most coverage will follow a short period of discussion of content between the media and the subject of the story, yet not enough to accommodate an investigation and a fully informed response.

Even if a company is already aware of an issue and has undertaken some investigation before the issue becomes public, sudden and intense media scrutiny may require a company to adjust its response to protect its legal position and reputation, and to be seen to understand the public demand for resolution. For example, companies that were initially intending to adopt a passive approach to an issue or undertake a low-key investigation may change this response once the media takes up the issue.

Adverse media reports about a corporation’s business operations can result in reputational damage, financial harm and increased scrutiny from regulatory and law enforcement authorities. Companies do not always have time to adequately respond to these reports, especially in an environment where news travels at a fast pace. From a practical point of view, there is an immediate balance that companies must strike between taking the time to conduct a thorough investigation, and responding to urgent media and public enquiries.

Companies can minimise the negative consequences that accompany adverse media reports by proactively implementing a crisis management plan. This should not only account for how the company will respond to the media and its customers, but also how the company investigates the allegations, in both the short and long term. Setting up an investigations steering group and having effective policies and processes in place that are observed by senior management will ensure emergency investigations are not obstructed by administrative chaos.

2.2.2.3 Investor complaints and shareholder derivative lawsuits

Complaints raised by shareholders can trigger twin legal activities: a defence strategy in cases where issues of liability are plainly articulated and the facts are either already established or may be simply assessed; and separate investigations into wider concerns raised by the complaint, or where the facts are far from clear and the allegations cannot be adequately responded to without an investigation.

A major sensitivity in matters of this nature, which can be overlooked in pursuit of the defence of the civil action, relates to the ongoing disclosure and transparency obligations arising from stock exchange listing rules. It is one thing to investigate sufficiently to position a company to defend litigation on the balance of probabilities, or to be able to respond to a letter of concern or questions from the floor in an annual general meeting, but another to investigate to a point where a public statement can be made with sufficient accuracy to satisfy the reasonable investor test.

While a company may wish to respond speedily to concerns raised by an investor, dealing with investor complaints carries a further layer of complexity, and a balance needs to be struck between the urgency to make a statement to the market and the time needed to investigate facts sufficiently to make an adequately precise and informative one. The publication of false or misleading statements through inadequate or incomplete investigation simply increases the range of potential legal liabilities and further delays resolution.

2.2.2.4 Customer and competitor complaints

Complaints made by customers and competitors constitute another category of triggers of external investigations. Customers and competitors may refer complaints to law enforcement, regulators, consumer bodies and ombudsmen. Individual incidents may be sufficiently problematic to merit investigation in their own right. However, even with low-value customer complaints, there comes a point where a volume of similar-fact criticisms raises concerns regarding the fairness of underlying sales processes and the adequacy of complaints handling systems, or perhaps even broader questions of breaches of systems or controls, that may combine to catch a regulator’s attention and create reputational risk.

While it might be hoped that a company’s own monitoring of complaints levels and sources should trigger deeper investigation into the underlying issues, it will sometimes take unilateral regulatory enquiry and enforcement processes to bring about a non-voluntary, full evaluation, including thematic reviews, ‘skilled persons appointments’, market studies and industry sweeps. Significantly, the company’s in-house investigators will not set the parameters of the investigation (though they can add significant value in debates with regulators over scope and process and may be heavily involved in the activities that follow, by partnering with the external firm in a skilled person’s review, for example). The in-house function will remain critical in the parallel process of evaluation of evidence so that advice may be taken to respond to regulatory or legal liability.

A complaint or concern raised by a participant in the same market raises a number of wider risks colouring the subsequent investigation. In certain ways, a competitor complaint has more in common with whistleblowing (and may even be regarded as such by authorities) in that it may create forms of protected disclosure, confidentiality obligations and behavioural expectations from particular authorities. This is certainly the case in competition matters where leniency or immunity is sought following a self-report to an authority following a tip-off or complaint by a competitor. This immediately limits the scope for communication of issues (including even the existence and subject matter of the investigation) among staff and will have a particular bearing on the management of evidence, including witness handling and interviews. It will also affect the extent to which there may be ongoing communication outside the organisation where, for example, witnesses may exist within the competitor organisation but further dialogue is not possible without the consent of, and careful choreography by, the relevant authority.

2.3 ESG issues

Corporate investigations (whether triggered internally or externally) have traditionally focused on white-collar compliance. The investigations that tend to make headlines and soak up corporate resources are those concerning an entity’s alleged violation of laws related to bribery, corruption, securities fraud, money laundering and similar misconduct that pose significant legal risk. These investigations are often global, involve some of the most active law enforcement and regulatory authorities, and can result in large monetary settlements and criminal penalties.

But the nature and scope of corporate investigations are evolving as companies become subject to ESG-related laws and regulations and face increasing pressure to adopt and report on standards related to ESG issues, such as those concerning human rights, corporate citizenship, diversity and environmental sustainability.

Corporations have historically viewed ESG issues as a set of loose, voluntary standards that pose little to no legal risk. While this might have been true 10 years ago, it is certainly not the case today, with shareholders, employees, consumers and other stakeholders demanding that corporate boards make ESG a priority in corporate operations, and lawmakers and regulatory authorities around the world increasingly requiring corporations to report on their ESG activity.

For example, the SEC announced that one of its key priorities is implementing new ESG and climate disclosure requirements for registered companies. In discussing their importance, Allison Herren Lee, then acting SEC Chair, stated that it is ‘time for the SEC to lead a discussion – to bring all interested parties to the table and begin to work through how to get investors the standardized, consistent, reliable and comparable ESG disclosures they need to protect their investments and allocate capital towards a sustainable economy’.

In this same vein, current SEC Chair Gary Gensler announced on 25 May 2022 that the SEC was considering a proposal that would require particular types of ESG funds to disclose their ESG strategies and relevant metrics, citing as examples greenhouse gas emissions metrics and annual progress reports towards their ESG goals.

In the United Kingdom, the Bank of England and the FCA have made ESG a central regulatory and supervisory consideration. In December 2021, the FCA introduced mandatory disclosure requirements for asset managers in line with the Task Force on Climate-Related Financial Disclosures. It also intends to set up an ESG advisory committee with the aim of clamping down on the greenwashing of investments (i.e., false or misleading claims over the environmental credentials of financial products).

Meanwhile, in the European Union, the Regulation on sustainability-related disclosures in the financial services sector came into force in March 2021, imposing ESG transparency and disclosure requirements on financial institutions offering financial products in the European market. Furthermore, in March 2022, the European Commission published a draft Directive on mandatory human rights and environmental due diligence, which would require in-scope companies to conduct due diligence across their own operations and in their supply chain to identify adverse human rights and environmental impacts; however, even if approved by the European Council and Parliament, transposition of the Directive into national law would likely not take place until 2025 or 2026 at the earliest.

In the United States, on 21 March 2022, the SEC proposed new climate-related disclosure requirements for public companies to include in their registration statements and periodic reports, including ‘information about climate-related risks that are reasonably likely to have a material impact on their business, results of operations, or financial condition, and certain climate-related financial statement metrics in a note to their audited financial statements’.

These developments have had (and will continue to have) an impact on what companies investigate and how they approach investigations. For example, corporate counsel of companies subject to existing and contemplated ESG disclosure requirements will need to investigate (1) the actions the company has taken in the area of ESG, (2) the ESG-related statements and commitments the company has made to the investing public on its website or in other publicly available materials and (3) whether and to what extent the company’s actions in the area of ESG align with its published statements and commitments.

Some investigations will not be driven by fear of regulatory action at all, but by corporations trying to demonstrate to consumers, employees and other stakeholders that they are living up to their ESG claims or stakeholder expectations. In turn, this pressure gives rise to a risk that a corporation will mislead the market by overstating its green credentials. Whatever the driver for the investigation, to be effective, ESG investigations will require corporate counsel to remain up to date on growing and fast-changing standards and requirements.

2.4 Corporate legal and compliance functions: who should investigate?

Corporate investigations often fall within the remit of legal and compliance departments. Some companies keep the functions separate, while others assign similar and overlapping responsibilities to them, making them difficult to distinguish. A common question we receive from companies that have both functions is: which department should be responsible for conducting investigations?

There is no single, straightforward answer; it will depend on the type of investigation, the corporation’s resources (including staffing and technology), and the nature and scope of the problem. Generally speaking, the legal department plays a reactive role, spearheading investigations after a potential problem has been identified to mitigate a company’s overall liability. For example, legal departments often lead investigations concerning actual or suspected violations of anti-bribery and corruption laws, which can lead to significant criminal and civil penalties, and often require coordination and co-operation with the authorities. In addition to their skill set, legal departments will also often lead in these types of investigations, and similar matters, where it is important to protect the investigation under the attorney–client privilege.

The compliance department often plays a more proactive role, overseeing and managing corporate behaviour to prevent wrongdoing. Compliance departments tend to lead investigations that are focused on detecting risk and ensuring the company’s current compliance framework (e.g., the company’s policies and procedures) is adequately designed to prevent and respond to risk. For example, compliance departments are often asked to conduct periodic reviews and risk assessments, and to recommend general compliance improvements. Even with investigations or compliance efforts of this type, it is prudent for corporations to consider the nature, background and potential implications of the enquiry and whether it is better that they be led by lawyers to be covered by the attorney–client privilege.

Investigations are never straightforward, however, and in practice companies leverage the knowledge and resources of both the compliance and legal functions when conducting investigations. We see this play out in a number of areas – most recently regarding ESG. Companies are being called on by stakeholders and government bodies to assess and report on their compliance with applicable ESG standards – for example whether and to what extent a company sources responsible goods and products, abides by human rights laws and takes steps to reduce carbon emissions from its business operations.

Ensuring a company’s compliance with these standards is not a purely legal or compliance function: legal should be involved in ESG-related investigations because there are budding laws and regulations in various jurisdictions that allow for the enforcement of these standards, and compliance should be involved to identify and assess ESG risk and to track carefully these ever-evolving risks and assess how the company’s current compliance structure addresses them.