Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”. 

The guidance and mandates for companies on reporting mechanism reporting are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London based stock exchanges and even the United Nations deems reporting mechanism reporting a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistle blowers but also allows regulators to respond to misconduct through finding some legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusting programs. 

Trust is a primary factor as to whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they faced retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission. 

What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms? Number one is that employees do not understand the reporting mechanism system. Some the questions include, “who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I've reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee's decision to report a concern. Transparency is also noted to aid in trust and the more likely an employee is to come forward. 

Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs and professionally trained, efficient responders and investigate, fully integrated case management systems and all necessary supported tools. Anything less, will engender employee mistrust. 

Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee as the whistleblower might be a victim, the employee could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response; they may view the entire program as machine-like and indifferent. Having qualified and experienced compliance or investigative professionals who should follow a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance they have done the right thing and the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation. 

Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training of reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above an investigative protocol coupled with skilled investigators early in the reporting process. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction with colleagues, and that can certainly destroy reporting mechanism morale. 

Number five is the always dicey question of whether management is involved in the reporting mechanism. If local management gets involved early when they may be the problem, or complicit in allowing concerns to go forward or unaddressed. Local HR professionals might also appear to employees to be closely aligned with management, they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, often when it's effective to use a third-party administrator for your reporting mechanism. At the point when concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint. 

Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns regardless of who reports or how companies identify them. Unfortunately, companies also have avenues such as emails, web portals, writing and of course, in person. These can require companies to struggle to determine who owns the proactive and reactive assessments of reporting and responses. Many companies offer reporting mechanisms just beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that help streamline reporting, increase communication and awareness, and decrease confusion to help build trust. 

Number seven is there is too much emphasis placed on reports which must be based solely on “credible complaints. Employees who file fictitious or malicious complaints against companies and colleagues defend pending terminations or to get others into trouble or retaliate for some perceived personal slight.” While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns. 

Number eight are the twin obstacles of negative incidences and retaliation. If I have had one key theme throughout this series on reporting, and indeed, throughout this month of investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization's reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals is memorialized on the internet and court records or public documents can create a devastating silent, do-not-report culture. Companies must communicate they have a zero tolerance for retaliation and deal with any retaliation swiftly and publicly. 

Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of people, relationships or scenarios. Employees will learn through the grapevine if the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more compelled to report concerns. Employees know that inconsistency equals personal risk.

Finally, number 10 is the time worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting mechanism reporting program by what it does, rather than what it says. Does it follow policies and procedures as assigned? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously? 

Three Key Takeaways

1. What are today's three key takeaways? Well, number one, you must not retaliate. That is probably the biggest destroyer of credibility and trust in a reporting mechanism reporting.
2. There must be ongoing communications and there must be follow up with the employees who made the anonymous reports.
3. Celebrate your reporting mechanism. Let employees know that it is acceptable to raise your hand because that is all you are doing at the end of the day, raising your hand. It is incredibly important and it is something that will make your reporting mechanism work much better.

In an article entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” or in compliance parlance, a hotline, author Donald Dowling of the law firm of White and Case, provided a useful guide to help navigate the challenges of setting up a multi-national whistleblower’s hotline, such as is required under the FCPA and UK Bribery Act. The majority of his article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” You should obtain a copy of this article and keep it for reference in regards to your company’s hotlines. It is available on the White and Case website, by clicking here.

1. Laws Mandating Whistleblower Procedures

This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley (SOX) as well as other jurisdiction laws which generally protect whistleblowers from retaliation but do specifically require any hotlines be set up on a company wide basis. Dowling also found a couple of countries, Norway and Liberia, which require general receiving and processing of “public interest disclosures.”

2. Laws Promoting Denunciations to Government Authorities

This category of laws generally related to legal requirements for the reporting of illegal acts to government authorities in two ways. First, these laws encourage whistleblowing to government which then compete with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts and over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely except corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX which “requires an employer to offer internal hotline procedures”.

3. Laws Restricting Hotlines Specifically

This category is exemplified by European data protection laws which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. Also this would seem to be in response to the totalitarian past from the World War II era. The author identifies what he termed “the four biggest hurdles” set up to frustrate hotlines in EU jurisdiction. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.

4. Laws Prohibiting Whistleblower Retaliation

This category will be familiar to US compliance practitioners through the applications of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication because in many countries and foreign jurisdictions, there is no tradition of protection of persons who make reports against superiors so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”

5. Laws Regulating Internal Investigations

Typically laws on internal investigation do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that No. 4 above, communication by the employer is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”

6. Laws Silent on, but Possibly Triggered By, Whistleblower Hotlines

Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify other jurisdictions which yet take this aggressive approach but he believes this may become a trend. The labor law issue is also tricky and may turn on the interpretation of whether the institution of a hotline is viewed as substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.

There are several key inquiries you should make for your hotline. What jurisdiction are you in and what is the binding law or laws which will govern you going forward. Must you confine your hotline reporting to specific topics or is it open to all issues? Can anonymous allegations be brought forward in the jurisdiction in question. Do you have a hotline staffed in-house or do you use an external third party vendor? Finally, must you disclose hotline data to government regulators?

Three Key Takeaways

1. You must understand the jurisdiction you are in and the laws which govern your hotline.
2. Can you use information which is reported anonymously?
3. Must you disclose any data to government regulators?

Is your hotline working for you? In an article entitled, entitled “Promoting Effective Us of the Compliance Hotline” José Tabuena provided an excellent example of the power of a hotline. He provide a case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by employees from the IT department. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT department employees indicating where there were two major areas of complaints. The first general area was that there were conflicts of interests between IT department managers, family members who were hired and perceptions of favoritism. The second generally revolved around allegations that certain company managers were manipulating data to maximize their bonuses.

The Favoritism Problem

The Human Resources (HR) department led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manger hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. To remedy this all IT managers received training on appropriate employment practices, communications were also delivered to all IT employees explaining policies and practices regarding the hiring of family members. Most satisfyingly, during follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.

Manipulation of Data for Bonuses

The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question. It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. Following interviews with key individuals and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager's bonus compensation was inflated. He was subsequently terminated.

Basic Tenets of an Effective Hotline

This case study provided three key tenets of an effective internal reporting system.

• First, a helpline is of no value if the workforce is not aware of it. Although a helpline was in place, it became apparent that a segment of the company had not been informed. It was hotline data that revealed this gap. By reviewing data segmented by region, department, incident classification, and other criteria, it became obvious in comparison to the rest of the organization that the IT department had not used the helpline.
• Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) for making IT part of the helpline community and for designating a liaison within the IT function. The support of department leadership likely influenced the success of the training and communications delivered by the ethics and compliance staff.
• Third, the awareness of the helpline is not sufficient to ensure success. The company made sure that issues and allegations were addressed and investigated. Employees who choose not to report wrongdoing indicate a belief that nothing will be done anyway, so why take the risk? Employees also cite fear of retaliation as a reason for not reporting.

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the   violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.

Three Key Takeaways

1. Hotlines can be powerful tools for the compliance professional.
2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues which need review and resolution.
3. Adequate follow up is a key part of overall hotline effectiveness.

In this episode, I visit with Steven Durham, a partner in the law firm of Labaton Sucharow. The firm is one of the leaders in the SEC Whistleblower practice. Durham describes his background and how he got to the firm. He relates the Whistleblower Practice at Labaton, what is your role and how Jordan Thomas worked to create the firm’s whistleblower practice after leaving the SEC. He then  relates what the SEC Whistleblower program is and how has it worked to pay out over $150MM in bounties through this spring. Durham then discusses how the SEC Whistleblower office facilitates the SEC’s mission to protect investors, why whistleblowing benefits society and corporate America and how firms like Labaton assist the SEC in its practice. We conclude with a discussion of where Durham sees SEC Whistleblower program going under the Trump Administration. 

For more information on Steven Durham, the law firm of Labaton Sucharow and its whistleblower practice, check out the firm’s website by clicking here.

Today I would like to review some best practices regarding a compliance hotline.

1.  The hotline should be developed and maintained externally. It seems axiomatic that em­ployees tend to trust hotlines maintained by third parties more than they do internally maintained systems. Through the submitting of reports via an external hotline there is a perceived extra layer of anonymity and impartiality compared to a sys­tem developed in-house. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.
2. The hotline supports the collection of detailed infor­mation. As with most everything else, information is power. If a CCO can gather and re­cord information throughout a complaint life cycle, the company will have greater insight into the situation and a company can protect itself more effectively from accusations of negligence or wrongdoing. A hotline reporting system should provide consolidated, real-time access to data across all departments and locations, plus analytic capabilities that allow you to un­cover trends and hot spots. All reported materials should be consolidated in one comprehensive, chronologi­cally organized file, so a CCO can monitor ongoing progress and make better, more informed decisions.
3. The hotline must meet your company’s data retention poli­cies. Retaining data in a manner consistent with your internal data retention policies is important. A hotline should offer a secure, accessible report retention database, or you may be faced with making your own complicated and costly arrangements for transmitting and storing older reports to a permanent storage location.
4. The hotline should be designed to inspire employee confidence. Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hot­line must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to some­one outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a re­port from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.
5. The hotline offers on-demand support from subject matter experts. Opening lines of communication can bring new issues to your compliance group. It is therefore important that once those reports are entered into the system, a person or function has the responsibility to follow up in a timely manner. One of the biggest mistakes you can make is to sit on a hotline complaint and let the employee reporting it fester. Additionally, with the short time frames set out in the Dodd-Frank Whistleblower timelines for resolution before an employee can go the SEC to seek a bounty, the clock is literally clicking.
6. The hotline provides inbuilt litigation support and avoidance tools. A company must make certain that its hotline is preconfigured to meet the legal requirements for document retention, at­torney work product protection procedures, and attorney-client privilege. Developing these tools in-house can add signifi­cantly to your costs, and maintaining a hotline without one exposes your organization to unacceptable risk.
7. The hotline supports direct communication. A hotline should open the lines of communication and give you a di­rect sight-line into the heart of your company. Look for a system that enables you to connect directly, privately, and anonymously with the person filing a complaint. Direct communication also signals to employees that their complaints are being heard at the highest levels.

Like other risk management issues, hotlines must also be managed effectively after implementation and roll-out. Here are some practical tips which will help you make your hotline an effective and useful tool.

Get the word out. If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through in-person communications, via e-mail, or through intranets, newsletters, and so on, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available.

Train all your employees. Getting employees to use the system is one half of the challenge; ensuring they use it properly is the other half. This is where training becomes essential. Make sure people understand what types of activities or observations are appropriate for reporting and which are not. HR and compliance staff will need training too, to help them understand how the hotline impacts their day-to-day activities. Company leaders also need to understand the role the hotline plays in the organizational culture, and the importance of their visible support for this compliance initiative.

Take a look at the data. Use the data derived from or through the hotline to identify unexpected trends or issues. Examples might be what percentage of employees use the hotline and what issues are they submitting? A healthy hotline reporting system will yield reports from .5 to 2 percent of your employee base. If your reporting patterns are higher or lower, it may indicate mistrust of the hotline, misuse, or a widespread compliance issue. Isolate the data by location and department to identify micro-trends that could indicate problems within a subset of your corporate culture. Analyzing the data can help you stay a step ahead of emerging issues.

Response is critical to fairness in the system. Seeing a hotline system in action in this way can go a long way toward dispelling employee fears of being ostracized or experiencing retaliation because if they see that their concerns are heard clearly and addressed fairly, they will learn to view the hotline as a valuable conduit. If your compliance group responds promptly and appropriately to hotline complaints, you can ensure robust participation and ongoing success. Even when a complaint proves to be unfounded, it can still provide an opportunity to open a dialogue with employees and clear up any misunderstandings. Responding to reported issues also gives compliance officers a chance to prove that issues can be resolved or addressed while protecting the privacy and anonymity of the whistleblower.

Three Key Takeaways

1. Get the word out to your employees about your company hotline through a variety of mediums and platforms.
2. Train your employees on the use of the hotline.
3. Use data from your hotline to continually update and improve your compliance program.

Who to suspend during any Foreign Corrupt Practices Act (FCPA) investigation is always a delicate question to answer. Unfortunately there is never an easy answer. As the Volkswagen (VW) emission-testing scandal continues to reverberate, it continues to bring up some very knotty questions, which have bedeviled the Chief Compliance Officer (CCO) or compliance practitioner in many areas. Today there is an example around internal investigations.

In an article in the Wall Street Journal (WSJ) entitled “Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam - from high level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence”. 

This final statement emphasizes a key consideration in a FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government's perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering you may have a bigger problem on your hands. 

Pointing up the difficulties in making such a blanket sweep an un-named source, who provided this information to Boston, was quoted in the WSJ piece as saying “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s really hard for us because we are now missing their professional knowledge and experience.” 

This issue brings up another point that Senn has discussed, around when to suspend or discipline an employee during an internal investigation. Senn related, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you may need them. Once they’ve been fired or otherwise disciplined, really, even if you keep them around, they’re going to be less cooperative with you and possibly, if you fire them, not cooperative at all. You can require them to be cooperative in the termination agreement, but obviously in practice, cooperation can mean a lot of different things.” 

In view of the Schrems decision by the European Court of Justice (ECJ), I also wonder how the investigation will fair with the German based employees? Obviously there will be data that in the US would be deemed company-owned but in Europe it may well be private to the employee being investigated. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.” 

Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP, raised an interesting concern in the context of the Justice Department’s FCPA Pilot Program. It is around what Breuer terms “de-confliction”. This involves the government asking a company to halt its own investigation for the government to be the first to interview witnesses. At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or to shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.”

Breuer raised four questions during his presentation which every investigator must consider in the area of de-confliction. (1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight?; (2) How can a company make decisions without speaking with its employees?; (3) How will a delay affect the company’s other regulatory obligations?; and (4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult if not impossible to accomplish where external counsel have their hands tied behind their backs. 

Clearly the DOJ could have a broader remit or be involved with other ongoing investigations where they might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics and & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but put sufficient risk management protections in place to try and make sure it does not happen again. 

Three Key Takeaways

1. The decision on whom to discipline and when are critical decisions during any investigation.
2. You should take a case-by-case approach.
3. The de-confliction question can be quite troubling during an internal investigation.

Prior to the Schrems decision by the European Court of Justice, US based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question.

In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be around personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the property of the company. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. 

I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that that the only way at this point was to obtain the consent of the person being investigated. However the obtaining of such consent raises a host of other problems. He said, “Can I really get consent in an internal investigation? Can I go along, speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid the European legislation it has to be fully explained, it has to be honest, it can't be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails and I have to inform you that by the way, you have the right not to consent and if you don’t consent there’s no way I can investigate you. Could you sign the form, please?”” As Armstrong went on to note, “What answer is he likely to give in an internal investigation and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” 

With these two key components of any best practices compliance program, hotlines and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU sourced information; I believe there will be additional pressure put on the compliance function. Obviously any US company with EU based operations will have to take steps immediately to ring fence such data originating in Europe. It may also mean that any inquiries will need to be headed by locally based compliance practitioners.

Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company which is seeking cooperation credit because such company is required to turn over any and all information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use.

Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it very improbable that anyone, European or otherwise, would give such a consent but in the unlikely event such consent is given, you have told the target, they are the target and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] have already lost the case, allegedly, on the way in which the US firm involved conducted the investigation. They will have, rightly I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It’s going to need a lot of careful thought to structure data transfers, even to structure interviews. How do you move those interview notes about, how do you look at emails, all of this stuff is going to be absolutely critical not only so that you don’t break data privacy data protection laws, but also tipping off witness, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” 

How does the Schrems decision contribute to compliance at the tipping point? If you can use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard; it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through the use of internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to proscription of any FCPA violations. 

Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel and the VW emissions-testing scandal; the Schrems decision will change the need for a more robust compliance program going forward to help protect a company. 

Three Key Takeaways

1. The Schrems decision significantly impacted US based internal investigations.
2. Study the privacy laws of the country where you are performing your investigation.
3. Informed consent is difficult to obtain but it may be critical for your investigation.

 The concept of privilege in an internal investigation is critical. Two important privileges are the attorney/client privilege and the work product privilege. Unfortunately both are often miss-understood, miss-applied and consequently lost. 

One such recent example of the miss-application of the attorney/client privilege was in the trial of former PetroTiger co-Chief Executive Officer (co-CEO) Joel Sigelman has brought the issue of the parameters of the attorney/client privilege yet again. As part of its undercover operation the FBI wired up the then PetroTiger General Counsel (GC), Gregory Weisman, and instructed him to go meet with Sigelman to discuss the payments by the company to the wife of an official of the Columbian state owned energy company Ecopetrol. 

Sigelman’s counsel sought to have the video and audio recordings of this meeting suppressed based upon the attorney-client privilege that generally protects open communications between lawyer’s and their clients, where legal advice is sought by the client. To determine whether Sigelman has a valid claim, it is encumbent to understand the parameters of the attorney/client privilege. In an article, entitled “The Evolving Attorney-Client Privilege: Business Entities”, David E. Keltner wrote that under US federal law, the attorney/client applies when the following are present: 

1. A client is seeking legal advice or a lawyer’s services;
2. The person to whom the communication is made is a lawyer or his or her representative;
3. The communication relates to a fact disclosed from a client (a representative) to a lawyer (a representative);
4. Strangers are not present;
5. A client requires confidentiality. 

The significance of meeting each of these five prongs is critical. If they are met, “Absent privilege, once the attorney-client privilege is properly invoked – the privilege is absolute.” However the failure to meet Prong 1 is what doomed former co-CEO Sigelman’s efforts; as he was not seeking legal advice. It was former GC Weisman who flew to Sigelman’s home to confront him over the fact that the FBI had come to his house asking questions about the payments made in Columbia. Finally, it is important to note that the attorney/client privilege belongs to the corporation and not to any one individual. 

The attorney/client privilege can be waived. While there is a general recognition that “only an authorized agent of a corporation may waive the privilege of the corporation” Keltner advises that the “most frequently encountered instances of losing the privilege through selective disclosure” are in responding to a government investigation; supplying information to a government agency; information disclosed in certain Securities and Exchange Commission (SEC) filings or other required financial disclosures; in certain circumstances disclosures to external corporate auditors or accounting responses; any disclosure made to a third party not affiliated with a lawyer; and insurance disclosures. 

How should we apply the above to the situation faced by former co-CEO Sigelman? Was he simply meeting with his lawyer or was he seeking legal advice? As reported by Joel Schectman in the Wall Street Journal (WSJ), in an article entitled “Secret Informant Recordings to be Allowed in PetroTiger Case”, the trial court distinguished between having an attorney/client relationship from the attorney/client privilege. Schectman reported, “a judge in U.S. District Court in Camden said last week that merely having an attorney-client relationship isn’t enough to make all conversations privileged–a client needs to be actively seeking legal advice. “I cannot find a shred of indication that Weisman is there with the intention of giving legal advice to Sigelman,” Judge Joseph Irenas said, “or the converse, that Sigelman was seeking legal advice from Weisman.”” 

Interestingly the trial court did not opine on the question on who was the client in this situation. My experience is that most CEO-types think of a GC as their personal lawyer. That view is also misplaced as a GC works for a company and the client is the corporation. While he did not have to reach the question of who was the client in the Sigelman/Weisman meeting, the trial court might well have allowed the current corporate owners of PetroTiger to waive any privilege asserted by a former co-CEO. Schectman quoted G. Derek Andreson, a lawyer specializing in the Foreign Corrupt Practices Act, that “Attorney client privilege is often misinterpreted as broader than it is.” 

Did the FBI take advantage of some special type of relationship between Sigelman and Weisman? As reported in the article, in his brief attempting to suppress the evidence, Sigelman’s counsel said, ““Messrs. Sigelman and Weisman had a “long standing attorney-client relationship, one that fostered candor and trust between them–as any good attorney-client relationship should. The government took advantage of this trust.”” Such would seem to be the nature of wiring up cooperating witnesses; if they cannot engender trust with those they are speaking to and surreptitiously taping; it would seem they are of little use to authorities. 

For the attorney/client privilege to be of use to you, certain hard work must be done to establish the attorney/client privilege in the corporate context. The five prongs listed by Keltner must be fulfilled for the privilege to apply. Simply having a chat with your lawyer or even the company’s lawyer will not invoke the privilege or protect you. 

In addition to the attorney/client privilege there is another privilege which can come into play around internal investigations. It is the attorney/work product privilege. Keltner noted, “The attorney-client privilege and the attorney work-product doctrine are often asserted interchangeably. While there is some overlap between the two, the attorney-client privilege is significantly different than the attorney work-product doctrine.” Moreover as “codified in Fed R.Civ. P. 26(b)(3), [the attorney/work product] provides a qualified protection to materials prepared by party’s counsel or other representative in the anticipation of litigation.” The doctrine exists “because it permits lawyers to “work with a certain degree of privacy, free from unnecessary intrusion by opposing parties . . .”

The key is that it be prepared in anticipation of litigation Unlike the attorney-client privilege which belongs to a client, work-product immunity may be asserted either by the lawyer or the client. While the attorney-client privilege is included in the Rules of Evidence, the work-product doctrine is included in the Rules of Civil Procedure in the series relating to discovery. This makes it problematic to assert in the context of a criminal investigation. 

For in-house lawyers in the UK or EU countries however, there is no such work product privilege. Two recent examples brought up this key difference in US and UK and EU legal systems. First was the raid by German prosecutors of Volkswagen’s outside counsel, Jones Day’s offices for information surrounding the law firm’s investigation relating to the company’s emissions-testing scandal. The raid was based on a court issued subpoena. 

The second is the recent judicial decision out of the UK, involving Eurasian Natural Resources Corp. (ENRC). The UK’s highest court held the company must produce to the UK's Serious Fraud Office (SFO) documents the company claimed were privileged, including attorneys' notes of employee interviews conducted during the company's internal investigation. The SFO sought the documents as part of its criminal investigation into allegations of fraud, bribery, and corruption. The court largely rejected ENRC's claims of the work product privilege, holding that it does not apply when a document is not prepared for the sole or dominant purpose of conducting adversarial litigation. ENRC was required to produce the bulk of the contested documents because the investigation was a fact-finding exercise. 

Three Key Takeaways

1. Note the differences in the attorney/client and work product privileges.
2. Both privileges can be waived intentionally or through inadvertent conduct.
3. Take care on attorney work product outside the US, where there may be no privilege at all.

Day 14-Miranda and Internal Investigations: What Rights Does an 

Must an investigator warn an employee that concealing information from company lawyers conducting an internal FCPA investigation could be a federal crime? Even if the company attorneys handling the investigation provided the now standard corporate attorney Upjohn warnings, does a company attorney asking questions morph into a de facto federal agent during an internal company investigation regarding alleged FCPA violations and is the attorney thereby required to provide a Miranda warning to employees during a FCPA investigation? 

In a recently released paper entitled “Navigating Potential Pitfalls in Conducting Internal Investigations: Upjohn Warnings, “Corporate Miranda,” and Beyond”[1] Craig Margolis and Lindsey Vaala, of the law firm Vinson & Elkins, explored the pitfalls faced by counsel, both in-house and outside investigative, and corporations when an employee admits to wrong doing during an internal investigation, where such conduct is reported to the US Government and the employee is thereafter prosecuted criminally under a law such as the FCPA. Margolis and Vaala also reviewed the case law regarding the Upjohn warnings which should be given to employees during an internal FCPA investigation.

Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many US businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation. These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.”  Moreover, such a corporate policy may permit a company to claim to the US government a spirit of cooperation in the hopes of avoiding prosecution in “addition to increasing the chances of earning meaningful credit under the US Sentencing Guidelines or the FCPA Pilot Program. 

Where the US Government compels such testimony, through the mechanism of inducing a corporation to coerce its employees into cooperating with an internal investigation, by threatening job loss or other economic penalty, the in-house counsel’s actions may raise Fifth Amendment due process and voluntariness concerns because the underlying compulsion was brought on by a state actor, namely the US Government. Margolis and Vaala note that by utilizing corporate counsel and pressuring corporations to cooperate, the US Government is sometimes able to achieve indirectly what it would not be able to achieve on its own – inducing employees to waive their Fifth Amendment right against self-incrimination and minimizing the effectiveness of defense counsel’s assistance.

So what are the pitfalls if private counsel compels such testimony and it is used against an employee in a criminal proceeding under the FCPA? Margolis and Vaala point out that the investigative counsel, whether corporate or outside counsel, could face state bar disciplinary proceedings. A corporation could face disqualification of its counsel and the disqualified counsel’s investigative results. For all of these reasons, we feel that the FCPA Blog summed it up best when it noted, “the moment a company launches an internal investigation, its key employees -- whether they're scheduled for an interview or not -- should be warned about the "federal" consequences of destroying or hiding evidence. With up to 20 years in jail at stake, that seems like a small thing to do for the people in the company.” 

Let’s keep on skipping down the lane and see where we go. What if the company gets its investigation wrong and wrongfully identifies an employee? At least in a few states, a wronged employee can sue for defamation. Yet not in Texas and a recent Texas civil case demonstrates why companies and internal investigators need to be aware of local laws, regulations and requirements. 

The Texas Supreme Court in Shell Oil Co. v. Writt, held that an internal investigation report Shell provided to the U.S. Department of Justice about potential FCPA violations is “absolutely privileged” in a defamation proceeding and cannot be used to form the basis of a defamation claim. 

Writt had alleged that Shell defamed his character when the company "voluntarily” reported to the DOJ on the findings of an internal investigation the company conducted into its relationship with Panalpina -- an investigation that culminated in the company’s 2010 FCPA settlement with U.S. enforcement authorities. Writt claimed that Shell’s internal investigation report falsely implicated him in the payment of bribes and accused him of providing inconsistent statements during multiple interviews conducted in the course of the investigation. 

The trial court initially granted summary judgment in favor of Shell, dismissing Writt’s suit on the basis that Shell enjoyed an "absolute privilege" to make statements to the DOJ regarding its internal investigation. The Texas Court of Appeals overturned this decision, refusing to characterize a “voluntary” pre-prosecution internal FCPA investigation as a judicial proceeding. Instead, the Court of Appeals held that Shell was only entitled to qualified privilege, under which a speaker can still be liable for defamation if the speaker "knows the matter to be false or does not act for the purpose of protecting the interest for which the privilege exists." 

The Texas Supreme Court held “at all relevant times” Shell had been the target of a DOJ FCPA investigation and asserted that this investigation, which eventually resulted in a criminal settlement with Shell, satisfied the standard that “the possibility of a proceeding must have been a serious consideration at the time the communication was made.” 

The Supreme Court also highlighted “the DOJ’s leverage over Shell vis-à-vis the FCPA and its somewhat draconian penalties…,” which “compelled [Shell] to undertake its internal investigation and report its findings to the DOJ.” The court specifically pointed to the dramatic increase of FCPA enforcement actions before mid-2007 when the DOJ notified Shell of its investigation, noting that “businesses that chose not to cooperate were subject to substantially greater punishments….” 

At a time when the DOJ and SEC have become increasingly vocal in calling for companies under investigation to secure and provide evidence of individual culpability, a decision that did not provide Shell with absolute privilege could have had a far-reaching impact on how companies conduct internal investigations and cooperate with enforcement authorities. 

As it stands, the Texas Supreme Court’s decision in Shell Oil Co. v. Writt may incentivize cooperation by companies in the early stages of the enforcement process by providing certainty to potential corporate defendants, particularly those located in Texas, that good faith efforts to disclose the results of internal investigations and expose individual culpability will not leave them open to defamation claims. 

Three Key Takeaways

1. Make sure you provide an Upjohn warning.
2. If an employee demands counsel to represent them during an internal investigation, who bears the cost?
3. Always check state law requirements around internal investigations. 

When then Assistant Attorney General Sally Yates, announced the Memo that bears her name, she said the following, “we have revised our policy guidance to require that if a company wants any credit for cooperation, any credit at all, it must identify all individuals involved in the wrongdoing, regardless of their position, status or seniority in the company and provide all relevant facts about their misconduct. It’s all or nothing. No more picking and choosing what gets disclosed. No more partial credit for cooperation that doesn’t include information about individuals.” This statement ties directly into the first point of the Yates Memo, which stated, “To be eligible for any cooperation credit, corporations must provide to the Department all relevant facts about the individuals involved in corporate misconduct.” 

The Yates Memo and Yates’ remarks indicated a transition to a new era of FCPA enforcement. The Yates Memo required that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to investigate individuals immediately at the start of investigations. She stated, “the department instructed its attorneys that, going forward, they are to focus on individuals from the start of an investigation, regardless of whether the investigation begins civilly or criminally. Moreover, once a case is underway, the inquiry into individual misconduct can and should proceed in tandem with the broader corporate investigation. Delays in the corporate case will no longer suffice as a reason to delay pursuit of the individuals involved.” Even though these remarks were directed at government lawyers, corporations are now required to initially change the focus of their investigations from attempting to perform any type of root cause analysis to obtaining evidence against individuals and turning it over to the government as soon as possible. 

For the Chief Compliance Officer (CCO) or compliance practitioner, this means the entire focus of your investigative protocol has changed. Previously an investigation was to determine how conduct that might have violated the FCPA had occurred, then focus on how to remedy it. The first step a CCO or compliance practitioner would take when sufficient evidence was developed was to fix the problem so that it did not re-occur going forward. If there were compliance program or internal control weaknesses, they would be immediately fixed so that neither the original perpetrators could continue the conduct but also so others could not take advantage of any such structural weakness. 

After the Yates Memo, that is no longer the case. The DOJ now expects you to bring them information about potentially culpable individuals who can be prosecuted going forward. This means employees are going to immediately stop talking to you if they were inclined to do so in the first place. It will require performing an essential root cause analysis more difficult and the attendant remedy that is a part of any best practices compliance program. 

But Yates went further than simply saying the DOJ expects you to turn over your own employees. She made clear that both she and the DOJ want companies to give up senior executives involved in illegal conduct. She said “We’re not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.” Here the difficulty is around the FCPA requirement for a criminal prosecution or intent. How do you determine intent in a manner where senior executives may never have been involved directly in a transaction? Does this mean insufficient tone at the top will somehow morph into intent for a FCPA prosecution? Whatever it may mean going forward, at the very least I think it means that high heads in an organization could very well start to roll. 

The Yates Memo, when read in conjunction with the Frederic Bourke conviction, make clear that senior management, as well as other individuals, are now directly in the DOJ’s sights to prosecute for FCPA violations. This means that even if lower level employees are engaging in conduct which senior management did not know about or even told them not to engage in; senior management may be deemed by the DOJ to have engaged in conscious indifference by not engaging in ongoing monitoring as a part of an overall best practices compliance program. Simply expecting that employees will not violate the FCPA is no longer enough. Companies must monitor transaction to detect and prevent violations. With the Yates Memo now the effective policy of the DOJ, senior management who do not actively monitor their organizations may subject themselves to personal FCPA criminal liability.

Given the scrutiny of the Standard Bank Deferred Prosecution Agreement (DPA) in the UK, I think it may well be the time where enforcement authorities begin to look at those responsible for an activity where a violation of anti-bribery/anti-corruption laws take place in addition to those committing the legal violation. Bourke was found guilty for conscious avoidance. How much of a stretch will it be for those senior managers who allow such behavior to be seen as either the norm or indeed expected? John Kay, writing in the Financial Times (FT) in an article entitled “Ignorance is no defence for financial misconduct”, wrote in the context of financial institution misconduct “If it is a criminal offence to be in charge of a den of thieves, the prosecution need only establish that you were in charge of it, not that you were yourself a thief. It is no defence that you thought the organisation was a monastery, which is broadly the argument employed by those made ‘physically ill’ by the discovery of what their subordinates had been doing.” After the Yates Memo, the same may hold true for senior management in companies which violate the FCPA.

The impact of the Yates Memo was magnified by Attorney General Jeff Sessions through his remarks at the Ethics and Compliance Initiative (ECI) in April 2017. He reiterated that the DOJ would focus on individual criminal misconduct in the context of enforcing the FCPA. This continued emphasis will mean that there is even more pressure on corporate compliance programs to get it right and get it right sooner rather than later. 

Three Key Takeaways

1. If companies want any credit, they must investigate potentially culpable individuals first and turn over the results to the DOJ.
2. This may require companies to more thoroughly investigate conscious indifference.
3. Never forget conscious avoidance is specifically prohibited under the FCPA.

In this episode, Mike Volkov and I discuss how blockchain has the potential to transformation compliance and may facilitate some truly revolutionary modifications in key businesses processes. I see some great value propositions for the compliance function. 

For further reading, see:

Blockchain and the Future of Compliance, by Mike Volkov. 

Will Blockchain Transform Compliance? by Tom Fox

How Blockchain Will Change Organizations, by Don Tapscott and Alex Tapscott in MIT Sloan Business Review. 

Blockchain Explained, by Zach Church in MIT Sloan Management Review. 

What are the characteristics of a good interview in the context of an internal investigation? Is there one technique you can use which will provide you the results you want to achieve? How should you think through your questions and document review prior to the investigation? In this episode, I explore these and other questions, in an interview with noted internal investigation expert Jonathan Marks, a partner at Marcum LLP for this piece. 

Marks began by making it clear there is no one right way to prepare for and conduct an interview. What is important is that you have a plan and execute on that plan. He said he begins by obtaining an understanding of what the various stakeholders want answers to. This could include the Board of Directors, C-Suite executives, the General Counsel and legal department, the Chief Compliance Officer and compliance function or up to government regulators such as the SEC or Justice Department.

Marks feels it is important to interview witnesses as soon as you can reasonably do so to prevent multiple witnesses from getting together and coordinating their stories. You should recognize you are never going to have perfect information so you should try and tie down the story. If the witness is not an English speaker, you should have a translator present. Marks suggests having a second person with you to take notes so you can watch the witness’s facial expressions and body language, noting, “There have been a lot of situations where I have found that being an effective listener is much more critical than being an effective note taker. Listening to what the interviewee is saying when you ask them the question is critical because it sets everything up. Having somebody there to take notes gives me the opportunity to really focus in on a couple of different things. It allows me to focus in on their verbal cues. It allows me to focus in on their body language. It allows me to focus in and listen to what they're saying, or a lot of times what they're not saying.” He cautioned that the note taker should be free from bias and subjectivity, simply taking down a detailed recitation of the witness’ testimony. 

Interestingly Marks does not view his interviews as putting the witness “in the box”. He attempts to establish a rapport with the witness so they will be more forthcoming in their responses. Marks said, “I don't view this as a contentious exercise. I never have and I never will. I view this, like I said before, as building rapport. If somebody feels like you're cross-examining them, or it's a very structured and not free-flowing conversation, allowing them to answer the questions in a comfortable and a secure environment.” It is all an effort to garner an understanding of what facts the witness has, what the witness may not be aware of and determining others, both inside the organization and outside, who might be potentially involved. 

Marks emphasized that an investigation should not be viewed as an interrogation. He avoids what he termed “loaded questions” such as “Why did you bribe the inspector?" Instead, he designs his questions to circle around such a point. He also notes the age old maxim to avoid compound questions. He concluded by noting you should try and develop facts during the interview, get to exactly what occurred, when did it happen, where did it happen, who, if anyone else, was present with you. He also added you can use other lines of inquiry such as “Who else may know well of an information? How did this happen, or do you know how it happened? Why did happen? Are there notes, documents, phone messages, emails or other evidence that you could provide to me that support what you're saying? A lot of times in an interview if somebody is willing to talk they usually have something that they could provide.” He concluded by intoning, “A lot of times if you don't ask you don't get.” 

Marks believes it is a best practice is you get everything down immediately so “as soon as the interview is over I spend time with my partner in the interview with me going over all our notes, making sure that we both understood exactly what was said and how it was said. If there's any observations they I had during a question that may have not been in the write-up, we add those things.” He believes this is important because “the longer you wait, the more inaccurate your account of what happened becomes. I've always made it a practice that after the interview we get right to it, we write up our notes. We agree what was said, how it was said and add any other observations that we had during the interview process.” 

Marks concluded by recalling another analogy he consistently refers to in any discussion of internal investigations, that it is a “chess match”. An interview is also a chess match as “When you're playing chess you have to think a couple of moves ahead if not three, four or five. We talked about in and out, out and in methods of conducting interviews when there's more than one individual or several people that might have information related to the allegations.” 

Marks also discussed some strategies around the interview process. The first is what he termed the “inside-out” strategy which he would advocated using if allegations extend beyond the enterprise. In this technique, you interview people inside the organization first, and then maybe go out to third parties. The converse is an “outside-in” strategy and you can do a combination of both. He also noted one other technique which is conducting concurrent interviews. Marks advocates using this strategy “If you think people are going to talk or you think there's potential collusion. Conducting simultaneous interviews sometimes prevents those individuals from coordinating and collaborating on their story and what they're going to tell you.”

Three Key Takeaways

1. There is no one right way to prepare and do an interview.
2. The interview should not be confrontational.
3. The interview, like the entire investigation process, is a chess match.

Today, I want to consider some of the challenges you may well face during an investigation.  Beyond the basics, a company must consider the intake process as a starting point, however Marks noted one of the biggest challenges is in the intake process. Rather surprisingly, he noted there are still companies without a hotline or anonymous reporting system, stating “we still see organizations whereby there is no formal ethics hotline except for the fact that they might send an email to some member of management or some member of the board.” 

The lack of an intake process immediately presents a challenge in beginning to work through an allegation of wrongdoing due to the inability to track when the allegation or information was received, who sent it, who received it, what did the company do when they received it? If a company has a formal ethics reporting system, with recordation of information “there’s some workflow, it’s a lot easier to kind of work through some of those things”, so there is an appropriate level of documentation to follow. 

Yet Marks has seen failures in even these basic steps “many times people do not read their emails on a timely basis, and getting to the root of the issue quickly could be the difference between somebody allowing the company to investigate this the right way, or incentivizing an individual to go outside the organization such as to SEC whistleblower program.” This makes the intake process critical because it assures that things are not only received, “but they’re looked at on a regular and timely basis and there is a process.” 

One area that still causes challenges is retaliation against whistleblowers. You might think that corporate America got the message that not only is retaliation incredibly idiotic and divisive but also illegal under both Sarbanes-Oxley (SOX) and Dodd-Frank but sadly that is not the case. Marks believes that avoiding retaliation is critical not only for an organization but also to foment a successful investigation. He stated, “Avoiding retaliation is very critical. I think there’s a real opportunity where human resources, if properly trained, can work with the rest of the team members and advise them on things that they should not be doing and things that they should be doing in order to avoid either the appearance of retaliation or the actual retaliation against the individual or individuals who reported or brought forth the potential of the alleged misconduct.” 

Equally important is that a company wants to encourage a stand-up culture. When individuals are trying to do the right thing, you certainly want to inspire other to do so as well. Marks related, “When somebody reports an ethical lapse, it generally means to me that they’re doing their job. And so, the indirect impact, or sometimes the direct impact of that is sometimes people are looked at as snitches or not towing the company line or they’re just generally out of bounds can negatively impact the organization.” 

An area where Marks has seen companies have difficulties in is what he termed threatened or pending litigation. Any investigation can morph into a much more serious situation and you must be ready to answer such questions as “(1) Does this gravitate itself into a class action lawsuit? Or (2) Does this gravitate to a regulatory review and subject to some punishment there?” The key is that as the investigation begins to uncover things and certain facts come to light, pending or threatened litigation is something that should always be discussed, but discussed very carefully and it should be discussed once those facts come to play. Sometimes you don’t have all those facts but sometimes it does make sense to kind of prognosticate and consider situations such as “This is what could happen. These are the issues that potentially could be uncovered.” Marks concluded, “I really do think that it’s important to think a couple of steps ahead and look at this as a chess match and never underestimate the fact that there could be pending or threatened litigation.” 

Not surprisingly, another area of challenge is when the regulators will not accept the investigation or are not satisfied with the results. While I would submit that if you follow the strictures laid out by Marks, that will satisfy regulators, he noted that there must be an appropriate level of skepticism brought by the investigation. He said there can be regulator issues when “there was not proper skepticism, there was not proper independence or simply things were not looked at under the right lens.” But once again the answer is to go through the steps that Marks laid out, or any other well defined protocol and have an independent team handling the investigation.

Interestingly,a similar situation can arise if a company’s own auditors refuse to accept the results of an investigation. Marks said this is usually related to some type of unexpected development arises in an investigation. Marks noted, “when auditors are involved the element of surprise is never good.” He believes it is important to keep internal audit aware of developments as “they might want to do a shadow investigation, they might want to understand the scope of your expanded investigation and most certainly they want to understand the financial impact.” The reason is that if the company auditors do not accept your investigative results, “they may send you back to the drawing board. When that happens, all types of problems could manifest themselves or come out.”           

Marks noted that at times the most difficult challenge is when the company itself is reluctant to accept the results of the investigation. This comes when a company is in denial, believing it has a robust compliance program and internal controls or, worse yet, it simply believes that it is an ethical company. One or more of these indicia usually manifest themselves as a company with paper compliance program, a Chief Compliance Officer (CCO) with a title but no authority and a weak compliance culture. Marks said, “When I say the company does not respect the investigation, it’s almost like they’re fighting with you because they believe that nothing could ever go wrong. That really does send a very, very clear message, not only internally, but should it get out externally as well. It’s an indication to us that there’s a problem with the culture, there’s a problem with the compliance program, there’s generally a problem with governance overall. There are probably bigger issues there other than the matter that’s generally on the table.” 

Planning your investigation, having the right team members involved and meeting the challenges which inevitably arise during an investigation can be difficult. However, beginning with the Department of Justice’s (DOJ’s) Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program and the release of the DOJ’s Evaluation of Corporate Compliance Programs (Evaluation), the pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, done right is even greater now. Jonathan Marks has laid out a concrete way for you to think through how to plan an investigation, staff it properly and meet the inevitable challenges.

Three Key Takeaway

1. The intake process may seem the most straight-forward but many companies drop the ball at this initial step.
2. You must never retaliate against employees who come foreward in good faith.
3. Always think several steps ahead.

Mara Senn and a colleague, Michelle Albert, published in the FCPA Report, Volume 3, Number 1, entitled “Internal Investigations, How to Conduct an Anti-Corruption Investigation: Developing and Implementing the Investigation Plan”. I interviewed Senn on her thoughts about handling a cross-border investigation. 

1. Offer Interview Translations           

While many people outside the US have various levels of capabilities in a non-native language, when you get into the very detailed questions in an interview, they may have enough English skills that you assume they understand everything, but in fact, they do not. You may ask a key question, for example, about expense reports, maybe they understand conversational English, but there's no reason for them to know expense reports. This makes it important to have someone present in the interview that speaks the witness’s native language, and just assume that there are going to be times where you’re going to need to call on that person. 

2. Avoid Cultural Pitfalls

Cultural pitfalls are really truly pitfalls and, unfortunately, they can be big deep holes that you do not know anything about, but you can fall into pretty easily. She provided the issue of personal privacy as an example, where most countries have a different concept of privacy, particularly about whether your work area is your own versus what really belongs to the company. You should seek local counsel guidance to understand what needs to be done and also explain to you the best way to do it without offending people.       

3. Observe Data Privacy Restrictions 

Most American lawyers are aware of different data privacy restrictions and requirements in countries governed by the European Union (EU) and the US. The point under this best practice is that your analysis and response must go much further to satisfy the US Department of Justice (DOJ) if you want to claim that you cannot get certain information out of a country because of data privacy restrictions. 

4. Comply with Labor Requirements 

Similar to the long-standing Weingarten right of unionized employees in the US to have a representative present for interviews, in many countries outside the US there are Works Council and similar analogs in other countries, where, basically, the Works Council is responsible for the interactions between the employers and the employees. Moreover, employees have certain statutory or labor code based rights as employees, regardless of whether they are members of a labor union or not. These rights can drill down into the types of questions that you can ask or even prevent you from meeting with or interviewing certain employees. 

5. Be Aware of Other Local Requirements 

Points three and four certainly lead into best practice No. 5. It is incumbent that you work with local counsel in the country you are performing the interviews to garner an understanding of the witnesses rights and your obligations during any investigation. She explained that many ways a US lawyer would think about doing an investigation could be problematic in other jurisdictions. She gave the examples of taking pictures or physically removing documents from a location, which could be issues that you might face. You certainly need advice and counsel on what is legal and what might not be going forward.

6. Put Forms in Native Translations           

There are times that the only way an investigation can collect an employee’s personal information is to obtain affirmative assent. Such information might include work documents, work emails, or similar information. However she cautioned that in this situation it is even more important to put the consent form in the native language. You do not want the employee to later claim they did not understand the consent form or thought they were executing something different. It can be critical that you have informed consent, because if you do not have informed consent, that consent could well turn out to be void. 

7. Preserve the Attorney Client Privilege 

The rules outside the US can be quite different and perhaps a little bewildering. In many European countries there is no privilege from an in-house counsel, so if a General Counsel (GC) of a company speaks to the President or Chief Executive Officer (CEO) there is absolutely no privilege under basically any circumstances in Europe. Senn then noted that other jurisdictions have other kinds of laws, each with a slightly different parameter, leading to different attorney-client expectations. 

8. Prepare for Local Enforcement Actions 

Many countries are becoming more aggressive in their enforcement actions for bribery and corruption, sometimes based upon local and domestic anti-bribery laws. This means the information which one government knows, whichever government that is, you should expect and assume that multiple governments are cooperating in some way. This then makes it more likely that there could well be some sort of local enforcement action against your client while you are investigating matters around a FCPA claim or potential FCPA claim.

9. Prepare for Security Risks 

This means personal security, physical and health safety. Simply consider the recent situation when Ebola was going around Western Africa or Central Africa. If you are conducting an investigation in such ravaged areas you should not send your employees to Liberia at that time to interview people. The same can be true in worn-turn areas like Syria or similar locales. 

The better plan would be to remove the people you are interviewing and bring them to you or to a local hub outside of the impacted areas. That avoids a whole host of issues, as you do not want to have to pay for extra security, for example you do not want your employees to have to walk around with loaded machine guns protecting them; you have to make a judgment call as to where and whether these potential threats need to be addressed in some way. 

10. Protect Whistleblowers 

Here Senn had some very practical advice, which while it might seem counter-intuitive on the surface due to certain legal decisions, it might actually provide more protections for companies in the long run. Senn began by noting the 2nd Circuit Court of Appeals ruling in the Liu case, which essentially found that the Dodd-Frank retaliation provisions that protect whistleblowers in the US do not apply abroad, so in other words, a foreign whistleblower brought a case saying, “I was retaliated against and I bring a case under the retaliation provisions of Dodd-Frank,” and they said, “No way, you can't bring it.”           

Senn believes that companies that use the Liu decision as a basis to retaliate against whistleblowers outside the US are wrong for several reasons. First, is that the Securities and Exchange Commission (SEC) has announced they will still pay whistleblower outside the US, who come forward and meet the requirements, the Dodd-Frank bounty of up to 30% of the penalty. This means that even if courts determine that the Dodd-Frank provisions do not apply for retaliation for foreign nationals, the SEC can still honor the communication and compensate the foreign whistleblower. 

The second reason is the US Sentencing Guidelines make clear that part of an effective compliance and ethics program includes having a publicized system for employees or agents to report potential or actual criminal conduct without fear of retaliation. These Sentencing Guidelines apply to all US companies, both domestic and internationally. If your company retaliates against foreign whistleblowers, the US government can take that into account, which could be viewed in a negative way, meaning that you don’t have an effective compliance and ethics program.

Three Key Takeaways

1. Use translators and translations of key documents in witness interviews.
2. Use local counsel to facilitate the investigation and to help navigate any local anti-corruption investigation issues.
3. Never, never, never retaliate. The SEC will pay whistleblower bounties for non-US citizens.

Beginning with the Department of Justice’s (DOJ’s) Yates Memo, its Foreign Corrupt Practices Act (FCPA) Pilot Program and then the release of the Evaluation of Corporate Compliance Programs (Evaluation), I believe the DOJ has put even more pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and most importantly done right is even greater.   

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, provides some of his thoughts around what goes into a well-run investigation. His perspective is from someone who performs investigations outside your organization, either because the matter was so serious an outside expert was required; specific subject matter expertise (SME) was not available in your organization or due to the objectivity of the investigation. Today I want to consider who should be on your investigation team. 

As discussed previously data collection, retention and preservation are critical elements of any significant internal investigation so you will need to have the involvement of your IT function. IT can help put a litigation hold on email that can help with the preservation of data in other areas of the organization. Further, they can assist with certain other aspects as more facts and circumstances are known. 

HR is often an underutilized function for an internal investigator. HR can be very useful to provide context about employees’ work history. There may be notes in HR areas as diverse as training and exit interviews. HR can also be useful to give the investigator “some insight regarding the credibility of the individual that might be making the allegation. For example, are they a good and trusted employee? How long have they been there? What’s their general demeanor? What’s been the feedback on that particular individual?” 

Both the Board and senior management can provide different types of support for an investigation. Marks noted the Board has oversight responsibility and senior management is responsible for the day-to-day, tactical operations of the organization, including the internal controls. This means from the Board’s perspective, “we would want to make sure that our governance processes were in place and operating effectively when it comes to an investigation. So, my concern, or concern from a board member’s perspective, from an investigation, early on, is what’s the financial impact; what’s the legal impact, for a publicly traded organization? Are there potential issues here which we as a Board need to be concerned with going forward?” 

From the senior management’s perspective, Marks believes “the key thing there is if there is an issue and there was the ability to either override controls or controls weren’t in place or there was something that basically caused this, what do we need to do to assess that? What do we need to do to fix that? What was the root cause for this potential bad behavior? Like I said, how do we fix that or how do we put a plan together in order to fix that or shore that up?” He emphasized this is not the Board’s responsibility but that of senior management. Marks also pointed out that while an investigator would probably assume that the Board of Directors had been notified at this point about the issues being investigated, the investigators may want to make certain the Board has been made aware of the incident and investigation.           

Marks suggested outside consultants in the form of forensic accountants should be a part of your investigation team. Such a skilled set team member can bring an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed and how they can assist your compliance investigation going forward. 

Forensic auditing works to collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of internal audit’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. This is a qualitative difference from internal audit, which more often looks at process to determine if it has been adhered to in a procedure. 

The objective of a forensic audit investigation team member is to collect, analyze and report on the evidence or facts surrounding an act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered. 

As with a decision on bringing in outside counsel to perform a compliance investigation, you will need to consider whether a forensic accountant should be retained as an outside consultant or hired as an employee. One critical reason to bring in an outside professional is so they will be not be governed by management or influenced by potential biases within a company. Lastly is the issue of privilege. If a forensic accountant is not assigned through your legal department or through outside counsel, you can kiss away even the chance of claiming privilege. 

Obviously, the GC would be involved to help protect the attorney client privilege if for no other reason. Further, an investigation needs to have the corporate compliance function involved, to understand what compliance program was in place at the time of the incident in question, what procedures the compliance function had and understand if this truly was a gap in the compliance function or “maybe there was an area within the compliance function that wasn’t operating as prescribed, or maybe it was a little bit weak.” 

Three Key Takeaways

1. HR plays a key but often underused role in internal investigations.
2. The Board of Directors and senior management have different roles.
3. Use your legal department to protect the privilege.

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However it may well be the time for a very serious reality check. 

The DOJ Evaluation of Corporate Compliance Programs focuses this question in Prong 7 with the following: Response to Investigations –What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to begin to talk about remediation going forward and begin to explain why money must be budgeted for the remediation process. 

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc. has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and then from then on, you’re fighting with everybody else for their attention, just like the normal things in business life. It’s, they’re coming in and saying, “Okay, here’s the situation as we know it now, there is an investigation path, and corresponding to that, here’s what we think is the remediation path and some outlines of what it’s going to take,” often with some dollar signs attached to it.” 

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “For us to get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take this seriously, and saved money, because they didn’t have to write as big a check, because they took this very seriously, and your return on investment here is going to be very high if you do this well.” This is easier with the information that was provided in the 2016 DOJ Pilot Program around FCPA enforcement as it demonstrated how much discount a company can receive below the minimum range of the Sentencing Guidelines for remediation.  

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation really requires output from the investigation to understand where the risk points are and where the gaps are, both in the compliance program and the internal controls. There’s a tension there, and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation. 

Dan Chapman, CCO at Vimpelcom and formerly CCO at Parker Drilling,  also believes that costs must be adequately discussed to set proper expectations. These include both direct costs and, even more importantly, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.” 

Yet, how can you communicate that to somebody who has not gone through a full blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation (FBI) involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. He said, “I talk about past experiences. One example would be at a past company, my first week on the job, they had a worldwide conference for all the senior managers from around the world. At that meeting, I asked all the senior executives, you know, C-level executives. I said, “Over the last few years, have you spent 5% of your time on the matter? They’d raise their hands. Then I kept escalating it: 10%, 15%. Hands didn’t go down until about 20%. Then I explained to them, to the audience, I said, “So if you got 5%, 10%, 15% more than your senior management, where would this company be?” I think that’s helpful, but there’s not great way to quantify it. It’s kind of like quantifying compliance generally. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of managements time?” 

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e. recruiting and retention. 

About recruiting Chapman posed the following for consideration, “Think about recruiting. Where do your new hires out of college come from? Where do they get their information about your company? If they Google your company, what’s one of the first things they see if you’ve been in trouble? They Google it, and they’ll get a penalty, or they’ll get some news article about the wrongdoings.” He also points out retention of current employees by asking, “How you would feel if everybody at this company felt good about working here, and no one felt embarrassed by what happened. Would that help retention?” 

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal to the highest level of the organization and try to make it as real and personal to your audience as possible. He says he asks the Board and senior management “What about you? How do you feel about being involved in it? Rather than being something that’s out there, the company, what about you? How do you feel about being here?” 

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in your system, and by system, the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level.”           

It is axiomatic that you cannot finds gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as such a stress test. Berland said, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously. 

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, as Berland noted, “you’re just going off suppositions and guesses.” 

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. 

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Pilot Program. Moreover, the executive attention will have dissipated, or, as Berland said, “When you’ve got the energy, use it.” 

What about the always-dreaded ‘Where Else’ question in any FCPA investigation? Berland believes the key is “anticipating the question is going to come up, and having an answer ready, which is, “We are going to do a comprehensive risk assessment of the remainder of the company. We are not going to go out and look under every leaf and every, you know, check every tree, but we are going to do a very extensive risk assessment, and we’ll be able to come back and tell you that we don’t think there is a likelihood of other issues in other places.””           

However, the answer could be equally something along the lines that ““we have found a high likelihood and we’re going to continue to take deeper and deeper considers that section until we know if something happened or not.” That was an acceptable answer. It was, you know, “here's the slice of the pie where we know something is happening, and here’s the process to look at the rest, given it really is kind of a risk assessment plus going forward.”” 

Three Key Takeaways

1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
2. Be aware of how your investigation can impact and even inform your remediation efforts.
3. How do you deal with the dreaded ‘where else’ question?

In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP posited seven considerations to facilitate a successful board investigation.

1. Consider whether you need independent outside counsel 

The appearance of partiality undermines the objectivity and credibility of an investigation. That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors:

• Did management, the board or committees consisting solely of outside directors oversee the review?
• Did company employees or outside persons perform the review?
• If outside persons, have they done other work for the company?
• If the review was conducted by outside counsel, had management previously engaged such counsel?
• How long ago was the firm’s last representation of the company?
• How often has the law firm represented the company?
• How much in legal fees has the company paid the firm? 

2. Consider hiring an experienced “investigator” to lead the internal investigation 

Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit by definition it is serious. Your investigation needs to lead by a lawyer with significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and has substantive experience in the particular area of law at issue. 

3. Consider the need to retain outside experts 

In any FCPA or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SME’s) than a compliance professional. If there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review. 

4. Analyze potential conflicts of interest at the outset and during the investigation 

There are two types of conflicts of interest that may come to light during an investigation. First is the one which comes up when the law firm or lawyers conducting the inves­tigation are those whose prior legal advice has some bearing on the matters being investigated because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company as regulators have become increasingly concerned with joint representations. The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other. So in these situations, joint representation may not be appropriate. 

5. Carefully evaluate Whistleblower allegations 

Whistleblowers have become more important and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint. 

6. Request regular updates from outside counsel, without limiting the investigation 

These types of investigations are long and very costly. They can easily spin out of cost control. But, by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, flexibility is an important ingredient. The scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve. 

7. Consider whether an oral report at the conclusion of the investigation is sufficient

While there may be instances in which, due to complexity and the nature of allegations involved, a written report is necessary, there may be times when an oral report delivered to a board is better than a written report for “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position. 

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.” 

Three Key Takeaways

1. Retain the right counsel. Consider conflicts and appearance.
2. Carefully evaluate all whistleblower allegations and reject retaliation.
3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

Many companies have an investigation protocol in place when a potential Foreign Corruption Practices Act (FCPA) or other legal issue arises? However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board of Directors does not get an investigation which it handles right, the consequences to the company, its reputation and value can all be quite severe. The SEC considers a variety of factors around corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company?

There is also role of the Sarbanes-Oxley Act (SOX) in internal investigations, most particularly for audit committees. Section 301 establishes certain requirements for Audit Committees, including: (1) Procedures for receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; (2) Procedures regarding the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters; (3) Authority to engage independent counsel and other advisers, as it determines necessary to carry out its duties; and (4) Funding to engage advisors as it deems appropriate. 

In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP write about five key goals that any investigation led by a Board of Directors must meet. They are: 

• Thoroughness - The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough is an investigation; to test whether they can rely on the facts discovered without hav­ing to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated, or how the investigation is conducted. This question can be an initial deal-killer particularly if the regulator involved views an investigation insuf­ficiently thorough, its credibility is undermined. And, of course, it can lead to the dreaded ‘Where else’ question.
• Objectivity - Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the conse­quences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that in addition to the objectivity requirement in the investigation, the same must be had with the investigators themselves. If a company uses its regular outside counsel, it may be viewed with some askance, particularly if the client is a high volume client of the law firm involved, either in dollar amounts or in number of matters handled by the firm.
• Accuracy - As in any part of a best practices anti-corruption compliance program, the three most important things are Document, Document and Document. This means that the factual findings of an investiga­tion must be well supported. For if the developed facts are not well supported, the authors believe that the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its own investigation of the same issues.” This is never good and your company may well lose what little credibility and good will that it may have engendered by self-reporting or self-investigating.
• Timeliness - Certainly in the world of FCPA enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act Whistleblower provisions. But there are other considerations for a public company such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent as a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delaying an investigation as simply a part of document spoliation. So timeliness is crucial.
• Credibility - One of the realities of any FCPA investigation is that a Board of Directors led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation. So not only is there the opportunity for Monday-Morning Quarterbacking but quite a bit of post event analysis. So the authors believe that any Board of Directors led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.” 

Dan Chapman, Chief Compliance Officer at Vimpelcom, has said this is the time for a very frank conversation with your Board about what such an investigation will entail. Costs must be adequately discussed to set proper expectations. These include both direct costs and, what Chapman believes may be even more important, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.” 

Finally Jonathan Marks, a partner at Marcum LLC has noted after notification of serious allegations, Boards should take the following steps:

• Consider creating a Special Committee to conduct the investigation;
• Establish a committee charter;
• Preserve the electronic and hardcopy documentation environment;
• Communicate with external auditors; and
• Plan potential communication with the SEC, DOJ, and the relevant stock exchange. 

Marks also notes that while a special committee might be necessary in certain rare circumstances, the board should try to avoid forming a special investigative committee to oversee the investigation if its audit committee is composed of independent and disinterested directors that are suited for the task. A special committee must be disbanded at some point (usually once the investigation is completed and before the restatement process begins), and the disbanding could become a complicated news item.  Conversely, if the audit committee oversees the investigation, then, once the investigation is complete, the audit committee can pivot back to its normal role, which would include overseeing the actual restatement process. Investigations overseen by the audit committee also benefit from the positive relationship that the audit committee chair usually has with the audit partner of the company’s external auditor.  

Three Key Takeaways

1. The Board should have a written protocol for investigations prepared in advance.
2. Any Board led investigation must be both credible and objective.
3. The investigation must be thorough but the Board can be cost effective.

One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. This is considered in different language in the Justice Department’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), which under Prong 7 reads, in part, Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Tying all of together is short but succinct statement found in the 2012 FCPA Guidance, “once an allegation is made, companies should have in place an efficient, reliable,  and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” 

Given the number of ways that information about violations or potential violations can be communicated to the government regulators,  having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process. 

Jonathan Marks, a partner at Marcum LLP has suggested a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation. Marks’ five-stage process includes the following: 

Stage 1.  These consist of allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. 

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. 

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. 

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. 

Stage 5. These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually place the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. 

By using such an approach, you will be able to respond more quickly and efficiently to any allegations which arise. Of course, as more information is developed during the course of an investigation, the matter can be moved up or down this scale. Such an approach is also important for a company’s outside investigative counsel to partner more with the entity as a way to help hold down costs. Outside counsel can work to build confidence that the company’s investigators could handle a large or wide-ranging investigation. This confidence would help outside counsel in any discussions they might have with the DOJ during the pendency of a FCPA investigation.

Such an approach also has the effective of keeping your investigative costs below the ridiculous level. This is because beyond the tactical need to initially scope any FCPA allegation which may arise through a company’s internal reporting mechanism, it allows you to move to the next step of developing a reasonable investigation plan. This can be particularly important if you self-disclose to the DOJ. You will need to go into the DOJ and present your investigation plan so an early discussion with the government on the scope of the investigation is critical. 

You should engage the DOJ to show not only the scope of your investigation but that it can be limited so that you do not face the dreaded ‘where else’ question. You should develop a logical plan with the nexus to the facts. But it is critical that you and your investigation plan must have credibility with the government that not only will your investigation will be robust but that facts you have determined in your initial triage are a reasonable interpretation. 

Appropriate triage of allegations has several different impacts for any matter which comes to the attention of the compliance function. Obviously, it will help you to initially determine the seriousness of the matter. From there you can allocate an appropriate level of resources. It will also aid in your discussion with the DOJ if you have to go that route. Finally, in the situation where facts come in, it gives you evidence a documented process was followed with which you can show the government that a claim was properly scope as required under the Evaluation. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before an allegation comes in but also doing the proper triage so that you have an initial understanding of what you may be facing. 

Three Key Takeaways

1. Compliance can learn from M*A*S*H about the need for triage.
2. Initial triage allows you to separate the wheat of serious allegations from the chaff of more inconsequential allegations.
3. A robust triage process allows for greater credibility with government regulators.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter. 

Indeed the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm? 

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they presented the specifics of an investigation protocol.

The five steps were: (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. If you follow this basic protocol, you should be able to work through most investigations, in a clear, concise and cost effective manner. Furthermore you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained. 

Step 1: Opening and Categorizing the Case. This is the triage step and this first step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Given the number of ways that information about violations or potential violations of the Foreign Corrupt Practices Act (FCPA) can be communicated to the Department of Justice (DOJ) having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a FCPA problem. A key consideration is making an initial determination of whether to bring in outside counsel to head up an investigation and a determination of the of the resources that you may want or need to commit to a problem. 

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.  

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week. 

It must be cautioned that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as how to handle such findings going forward. 

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week. 

Three Key Takeaways

1. A written protocol, created before an investigation is a key starting point.
2. Create specific steps to follow so there will be full transparency and documentation going forward.
3. Consistency in approach is critical.

In an article in the Compliance and Ethics Professional Magazine, entitled “Foxes and henhouses: The importance of independent counsel”, Dan Dunne discussed what he termed a “critical element” in any investigation, which he denominated as “fair and objective evaluation.” Dunne wrote that a key component of this fair and objective evaluation is the WHO question; that is, who should supervise the investigation and who should handle the investigation? Dunne’s clear conclusion is that independent counsel should handle any serious investigation. 

There are three reasons for a company to retain independent counsel for internal investigations of serious whistleblower complaints. First, André Agassi was right, perception is reality. This means that for any corporate ethics and compliance program to be effective, it must be perceived to be fair. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. 

Secondly, if regular outside counsel investigates their own prior legal work or legal advice, a very large and potentially messy numbe of loyalty and privilege issues can arise in the internal investigation. It is a rare legal investigation, where the lawyer or law firm which provided the legal advice and then investigates anything having to do with said legal advice, finds anything wrong with its legal advice. Dunne also notes that if the law firm which performs the internal investigation has to waive attorney client privilege, it may also have to do the same for all its legal work for the company. 

The third reasons is the relationship of the regular outside counsel or law firm with regulatory authorities. If a company’s regular outside counsel performs the internal investigation and the results turn out favorably for the company, the regulators may ask if the investigation was a whitewash or at the very least, less than robust. If the Securities and Exchange Commission (SEC) or Department of Justice (DOJ) cannot rely on a company’s own internal investigation, it may perform the investigation all over again with its own personnel. Further, these regulators may believe that the company, and its law firm, has engaged in a cover-up. This is certainly not the way to buy credibility. 

Mara Senn has explained that it is the lawyer or law firm representing the company that can go a long way towards establishing credibility, noting, “For those of us who regularly appear before the government, we already have credibility, and they understand that the client may or may not agree with recommendations we make, and they know that we’ll be a straight shooter once we’re in front of them, however we get in front of them.” But is more than the lawyer or law firm that brings credibility; it is actions of the company as well. Of course this means the steps the company has taken and its cooperation with the government during the pendency of any FCPA investigation. 

Despite the fact that using specialized investigation counsel is a best practice that is worth the money, one of the more difficult things is convincing decision-makers of this advantage. This is particularly so when speaking with mid- or small-sized companies that are part of larger supply chains.  While general counsels and compliance officers may be up to speed on outsourcing critical inquiries, managers in business segments often are not and frequently reply that they “got someone” in the company who “takes care of that stuff.” However, it is clear that such an approach will be more costly to a company in the long run. 

Moreover, if there are serious allegations made concerning your company’s employees engaging in criminal conduct, a serious response is required. Your company needs to hire some seriously good lawyers to handle any internal investigation. These lawyers need to have independence from the company so do not call your regular corporate counsel. Hire some seriously good investigative lawyers. This may well mean you need specialized outside counsel. 

James McGrath and David Hildebrandt wrote about the use of specialized outside counsel to lead an independent internal investigation as compliance and ethics best practices in an article entitled, “Risks and Rewards of an Independent Investigation”.  This is based upon the US Sentencing Guidelines, under which a scoring system is utilized to determine what a final sentence should be for a criminal act. Factors taken into account include the type of offense involved and the severity of the offense, as well as the harm produced. Additional points are either added or subtracted for mitigating factors. One of the mitigating factors can be whether an organization had an effective compliance and ethics program. McGrath and Hildebrandt argue that a company must have a robust internal investigation. 

The authors suggest that in such a situation, a company should engage specialized counsel to perform the investigation. There were three reasons for this suggestion of the utilization of specialized counsel. The first is that the Department of Justice would look towards the independence and impartiality of such investigations as one of its factors in favor of declining or deferring enforcement. If in-house counsel were headed up the investigation, the DOJ might well deem the investigative results “less than trustworthy”. 

A second reason came from the company perspective. Many companies have sought protection of investigations behind the shield of the attorney-client privilege and attorney work-product doctrine. If an in-house attorney is utilized, many courts are skeptical of a company asserting the privileges because of the mixed responsibilities of counsel in a corporation; that of legal and business work. Additionally, obstructionist attempts by corporations to improperly assert the privilege have led courts to refuse to allow the privilege to be asserted. However a company will usually not face these arguments if outside counsel is utilized. 

Even if the company is willing to waive its attorney-client privilege, McGrath and Hildebrandt offer a third reason for the use of specialized outside counsel to handle an investigation. If a company’s regular outside counsel were retained to conduct the investigation, the DOJ might feel the results had less than full credibility due to the fact that the law firm knew “who buttered its bread” and that the law firm would not want to bring bad news to client and endanger the ongoing business relationship between the law firm and the client. The authors end by concluding that by employing specialized counsel comports with the expectations under the US Sentencing Guidelines, gives a company the protections of the attorney-client privilege and the work-product doctrine and finally “assures the government of the integrity of the internal investigation.” 

Three Key Takeaways

1. Serious allegations demand a serious response, with seriously good lawyers leading the investigation.
2. The biggest thing that any person or company brings to the table when sitting across from the DOJ or SEC is credibility.
3. Use of regular corporate counsel can negatively impact your investigation because of the issues of loyalty and privilege.

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a Foreign Corrupt Practices Act (FCPA) issue for your company. As the Chief Compliance Officer (CCO), it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This month’s podcast series will provide to you all the steps you will need to consider going forward.

This scenario was driven home in a FCPA enforcement action brought by the Securities and Exchange Commission (SEC) in July 2015 involving Mead Johnson Nutrition Company (Mead Johnson). In that case, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately the first investigation, performed in 2011 did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company that it performed an adequate internal investigation which uncovered FCPA violations. 

Similarly, consider Zimmer Biomet, which (when it was only Biomet) resolved an FCPA violation in 2012 for nearly $23MM and entered into a Deferred Prosecution Agreement (DPA). Within the year, Biomet notified its Monitor that it has found evidence of additional FCPA violations, which in turn violated the terms and conditions of the DPA. However these additional violations by the company (now Zimmer Biomet) turned out to have been actions which occurred in 2010, well before the initial DPA but were not uncovered in the company’s worldwide investigation which led to the first settlement. Zimmer Biomet paid an additional $13MM for this oversight and extended out both the DPA and the Monitorship, all because the company had failed to fully investigate itself thoroughly.

The 2012 FCPA Guidance states the following on investigations, “Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” That is simply it. This simple introduction was expanded upon in the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation) released in February. Prong 7 in the makes the following inquiries:

Effectiveness of the Reporting Mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?  

Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?  

Response to Investigations – Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?  

The Mead Johnson and Zimmer Biomet matters are but two examples which make clear the need to have robust, integrated investigations. Marc Bohn, writing in the FCPA Blog, said about the Mead Johnson matter, “Investigations that lack sufficient depth, resources, or forethought can pose significant risk because they increase the likelihood that something critical will be overlooked, potentially permitting misconduct to continue unabated.” Both Mead Johnson and Zimmer Biomet point to the critical nature of FCPA investigations and why the government takes this requirement so rigorously. But more than protecting a company from liability under the FCPA, in the internationalized world of global compliance investigations are becoming more important. Bio-Rad recently announced that its FCPA settlement was a “risk-factor” which required public disclosure under US securities law. 

In the domestic arena, internal investigations can go a long way towards helping a company move past a public relations debacle or perhaps abate negative publicity. One need only consider the recently released internal investigation report commissioned by the Wells Fargo Board of Directors around the bank’s fraudulent accounts scandal. The report was merciless in its criticism of certain structural and cultural failures at the bank. It named names of culpable former senior executives at the company. However one thing it did not address were allegations from multiple whistleblowers who claimed to have reported the fraudulent conduct and were ignored or actively retaliated against. If the internal investigation turns out to have white washed these whistleblowers, the financial penalty and negative public reaction could be both swift and severe.

Corrupt investigations are never a good thing for a company as they can disrupt business relationships and future opportunities. Yet today they are even more important. In the month of June I will be exploring how you can create, design and implement a robust investigation protocol for an internal investigation and when you should bring in outside counsel for an independent investigation. I will consider the Board of Director’s role in investigations and other corporate functions such as internal audit, IT and legal in any investigation. I will review special issues such as privilege, Upjohn and Miranda warnings and data privacy.

 As Hallmark Seven of the Ten Elements of an Effective Compliance program states, in part, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation” and Prong 7 of the Evaluation also deals with reporting; I will consider hotlines. Both their implementation and use in a best practices compliance program. I will feature several compliance practitioners, both lawyers and non-lawyers, who will relate how they developed their investigative strategies and navigated various stakeholders to obtain positive results for their clients. 

Three Key Takeaways

1. Failure to thoroughly and properly investigations allegations of corruption can be costly.
2. The internationalization of global anti-corruption enforcement makes performing robust investigations even more important.
3. Use the month of June to learn about key aspects of investigations and internal reporting mechanisms.

Day 22-10 Questions to Better Operationalized Compliance

I conclude this month’s series inspired by an article in the Harvard Business Review, entitled “Does Management Really Work?” by Nicholas Brown, Raffaella Sadun and John Van Reenen. I found the article very useful because it gave succinct advice about what a business can do to improve its management practices and determined that this advice can be applicable to a compliance program. Based upon this article I have developed 10 questions which you might want to put use as a starting point for operationalizing your compliance initiatives going forward. I would challenge you to think about some of the answers to these questions in the context of your compliance program.

1. Interconnectedness of Targets - How are compliance goals cascaded down to individual workers? Everyone recognizes the importance of ‘tone-at-the-top’ as it is enshrined in every description of a best practices compliance program. However, operationalizing compliance means moving towards an appropriate tone in the middle and at the bottom. As stated in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), under Prong 1, “How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?”
2. Clarity and Comparability of Goals - Does anyone complain that your compliance targets are too complex? Certainly the initial role out of a compliance program can be quite a large undertaking. Perhaps another approach might be to focus on high risk areas and remediate them by rolling out initiatives to manage those risks first and then move to other areas. Many companies have reviewed and remedied the third party sales side of their business but are only now looking at the Supply Chain or Procurement side of the equation. If you work on one such problem at a time, it can help move the overall process forward in a more orderly fashion.
3. Consequence Management - How do you deal with repeated compliance failures in a specific business segment or compliance program area? This is certainly one question that you would want to consider carefully. Do you have problems with one business unit or one geographic area from the compliance perspective? Are gifts in China, for example, an ongoing issue for your company? What about travel and entertainment? Consider this carefully as the DOJ asks the following about accountability in the Evaluation, “What disciplinary actions did the company take in response to the misconduct and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? Did the company’s response consider disciplinary actions for supervisors’ failure in oversight? What is the company’s record (e.g., number and types of disciplinary actions) on employee discipline relating to the type(s) of conduct at issue?”
4. Instilling a Mind-Set - How does your company show that attracting and developing talent who will engage in ethical business conduct is a top priority? This is a key part of operationalizing your compliance program and one where your Human Resources (HR) Department should take the lead. If top management will make a commitment to this, you should work to create the appropriate mind-set of doing business the right way throughout your organization.
5. Removing Poor Performers - How long is compliance underperforming tolerated? The DOJ asks in the Evaluation, “Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue?” I think that many companies would clearly say that they will discipline, up to and including discharge, any employee who engages in practices that violate the Foreign Corrupt Practices Act (FCPA). But this question drills deeper and forces a more rigorous analysis on not just FCPA failures by employees but poor ethical choices which may be less than full FCPA violations.
6. Unique Employee Value Proposition - What makes it distinctive to work at your company? What is the culture of your organization? Is it to do business ethically or simply make your numbers no matter how unrealistic they are aka Wells Fargo? More pointedly, how can your compliance challenges be turned into business leadership opportunities? Ethisphere annually shows that its top list of the Most Ethical Companies out performs the Standard & Poor (S&P) 500. If you more fully operationalize your compliance program into your company, it could well make your business not only more efficient but at the end of the day, more profitable.
7. Continuous Improvement - How do compliance programs that are not working typically get exposed and remediated? There is a difference between auditing and monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For example, if you notice a trend of suspicious payments in recent monitoring reports from a country in the Far East, it may be time to conduct an audit of those operations to further investigate the issue.
8. Performance Tracking - What key compliance indicators do you use for compliance tracking? What metrics have you developed around the operationalization of compliance. A good starting point can be with your hotline or helpline. What can you determine from the calls or reports submitted through these systems? What if you have not had any reports for several years, what should that be telling you about your communication to your employee base? Or does it mean that people have not been properly and effectively trained that a hotline or helpline exists and is available for their use or, more ominously, are afraid to make any reports for fear of retaliation or even losing their jobs? This is certainly something you should consider, whichever way the metrics are going for your company.
9. Root Cause - For a given compliance problem, how do you identify the root cause? The DOJ asked in Root Cause Analysis – “What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?”Clearly the reason is that if you do not know what the cause of a problem is, you cannot successfully work towards remedying that problem. This does not simply mean firing any persons involved in a potential FCPA violation. You need to dig down and found out what allowed this issue to arise. I once heard that the difference between Japanese and American post-incident investigations is that in the US there is an attempt to assess blame, conversely in Japan there is an attempt to find a solution to the problem. This is the approach that I believe compliance practitioners should take, to try and find a solution by determining the root cause of a compliance failure.
10. Retaining - What are you doing to retain your top employees from the compliance perspective? This is not a question that is typically asked in the compliance department, however it fully encapsulates the entire concept of operationalization. Have you considered what your company is doing to retain, promote and take to senior management those employees who do business in an ethical manner and in compliance with your company Code of Conduct?

I found the article to be very useful when applied to the compliance practitioner by not only using the triumvirate of targets, incentives and monitoring as a management practices but also the questions that the authors posed in the context of your company’s own compliance program. Compliance practitioners continually face the challenge of keeping up with the ever-evolving compliance best practices with little or no budget increase. By asking yourself and of your compliance program these questions you may create a road map to more fully operationalize your compliance regime.

Three Key Takeaways

1. What are the unique compliance targets you have set and how interconnected are they to your business unit goals?
2. Use a root cause analysis to determine why compliance initiatives are not successful.
3. Retraining employees in compliance is an under-utilized tool.

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

How can you determine if Human Resources (HR) can meet the needs of a best practices compliance program? One place to start is with a gap analysis to determine what HR has in place that can facilitate your company’s compliance program. According to Bright Hub Project Management, a gap analysis “compares actual performance (or status) with the desired performance (or status). A gap analysis takes into account where the company is and where it wants to be. Any review of a company and its goals should include a thorough gap analysis - especially when wanting to improve productivity, processes and products.”

From the HR and compliance perspective the four steps to undertaking a gap analysis are: (1) understanding the compliance and HR environment in your organization; (2) taking a holistic approach to understanding the compliance and HR environment; (3) determining a framework for analysis, and (4) compiling supportive data to test the program. Yet before beginning this exercise it is incumbent to understand that the first element of an effective compliance program under the U.S. Sentencing Guidelines is to have Established Policies and Procedures to protect and detect non-compliance with regulations. While the US Sentencing Guidelines specifically target “criminal conduct”, companies would be wise not to limit their “risk assessment” or “gap analysis” to only criminal conduct.

Most, if not all, companies possess several corporate policies that govern employee behaviors.  The person in charge of corporate compliance function should first identify the policies in place by utilizing a gap analysis to catalog the existence of corporate policies across the company, noting policy gaps and inconsistent application of policies across various locations. The business units and functional disciplines should be tasked with filling the gaps and standardizing conflicting polices.

This exercise allows you to move forward to what is required to operationalize compliance as you have to know what you must be compliant with going forward. So how does one work with the business units and the functional disciplines to structure the identification of legal and compliance risks in a way that can be managed and utilized with some degree of ease? Here are a few questions that a compliance practitioner may pose to the HR department to perform a gap analysis regarding policies and procedures:

• Does the HR department have an inventory of policies, procedures, laws and regulations covering employees and employment related matters applicable to the company’s business?
• If yes, do you have a specified person who is in charge of updating the inventory?
• If no, what system does the HR department utilize to ensure that it is aware of the various compliance laws and regulations and has a process to comply with them?
• What evidence would the HR department be able to produce to the government to support a finding that the company has a solid compliance program for applicable labor and employment laws and regulations?
• What types of compliance training are mandatory for all employees, which are optional and how does HR track and document completion? How is the training performed? Is it provided in the native language of the employee or only in English?
• What types of enforcement actions predominate in the compliance arena for your industry or where your organization does business? How is such data tracked in your company?
• Are employees within the HR department specifically trained to understand compliance requirements applicable to your organization?
• Does the HR department provide senior management with periodic updates on the monitoring of results, key risks, and compliance violations within HR?
• Has the HR department established some type of escalation criteria to ensure that high-risk compliance issues are reviewed at the corporate level?
• Does the HR department have compliance monitoring standards in place?
• Does the HR department perform periodic audits to ensure that the policies and procedures are being complied with?

These are only a few of the questions that you may want to ask to begin the process of assessing how compliance and the role of HR apply to your company. 

My final suggestion is to work with HR to create a consolidated Human Resources Compliance Audit Checklist that can be used to audit (and document) the company’s HR Compliance Program. The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and document, document, and document.

Three Key Takeaways

1. A gap analysis is a key component in the risk assessment process.
2. The ultimate responsibility should lie with the business units and functional discipline to fully operationalize compliance.
3. The role of the compliance department is to oversee, provide subject matter expertise and coordinate.

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Program (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question - “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures the Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question “Who has been responsible for integrating policies and procedures?”

These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystalized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.” 

In Ben-Hur’s work he found that many executives came from the middle management ranks. They tended to be persons “with a determination to “take what I have responsibility for and make it truly great.”” Anecdotally, he related “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.”” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.” 

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.” 

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is a company should nuture such learning because by doing so, it will both teach practical skills around compliance but also foster a strong internal network of compliance advocates who can move initiatives up and down and organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level. 

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle-managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward. Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.” 

A key is not simply to train such middle and front line managers on compliance but getting them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a manner to spread good compliance practices throughout a company if a more formal approach is not possible. 

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization. 

Three Key Takeaways

1. While tone at the top is critical, the tone at the bottom can actually work to more fully operationalize compliance.
2. 95% of the work is done at this bottom level.
3. Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization. 

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.