Investigation and Response

Creating an Organizational Investigations Program and Conducting Effective Workplace Investigations

By Virginia MacSuibhne,[1] JD, CCEP and Meric Craig Bloch,[2] JD, CCEP-F, CFE

Introduction

The use of investigation as a sword to ferret out and cut down wrongdoing remains far more important (and more common) than the use of an investigation as a shield from liability. A good investigation can act as a shield, bolstering a company’s defense and helping to avoid liability or mitigate damages. However, it is far more common that an investigation is a sword to find and cut out wrongdoing in an organization before an outside party or agency comes in.

Complaint intake and investigation are a company’s first (and possibly only) opportunity to hear about an allegation, check it out, and, as necessary, fix it. No compliance program is foolproof—there is always some person who slips through the cracks and behaves badly (often called the “bad apple”), or some system of controls that breaks down. While much of ethics and compliance is about prevention, detection is its twin, and the best tools of detection are often effective complaint intake and investigation. In hindsight, a government agency, judge, or even jury will ask of your investigation: What did you know?, when did you know it?, how quickly did you undertake an investigation?, was the investigation adequate?, and did you detect and adequately address any wrongdoing in a timely and appropriate manner?

There are certainly many familiar cases in the news about recent organization ethics and compliance failures related to financial misconduct, intentional misleading of investors, and bribery and other unseemly corporate conduct. In our experience, however, the vast majority of workplace investigations are related to employee or external party behavior allegations: harassment, discrimination, retaliation, threats and violence, theft, and the like. Although it is the rarest case that an investigation is ever examined by a government agency, judge, jury, or the public, it is certainly the business ethics and compliance matters in areas such as financial misconduct, investor relations, bribery, corruption, and the like that have the greatest potential for external scrutiny. Thus, having an effective framework for complaint intake and investigations is not as much about the liability shield; rather it helps an organization cut down risks at an early stage, manage employee and external issues, and message the expectations employees and the public can have about how the organization manages such matters and those involved.

The framework and tools for investigations should reflect the values, philosophy, risks, and goals of the organization. In order to make good decisions, you need information. Complaints and investigations provide access to information and can be valuable tools in analyzing data, correcting problems early, and spotting possible trends. The following chapter discusses both how to approach and undertake the creation of an organizational investigations program and how to move from complaint intake through an actual investigation, including interviewing witnesses, analyzing data, writing a report, and monitoring future compliance.

Creating an Organizational Investigations Program

Regardless of the organization’s size, most organizations have investigations occurring—whether as part of a structured and thought-out formal program by trained personnel, or as done on the front line by managers who hear issues of concern. Therefore, it is important to identify the current personnel who undertake organizational investigations and get their input, buy-in, and alignment as you seek to create a formal organizational investigations program. Further, organizations should consider any change management needed to move from the current state to an implemented investigations program with ethics and compliance oversight.

There are several basic steps to undertake as organizations consider and develop an organizational investigations program:

  • Identify the organization’s information points and possible sources of information for issues and complaints of all types;

  • Identify the investigations framework currently in place;

  • Conduct a skills assessment of those who have or could potentially be asked to conduct investigations and develop or identify a training program for internal investigators;

  • Design or evaluate the investigations framework, with an eye to the organization’s risk profile;

  • Consider the organizational philosophy and strategic goals regarding investigations and the rights and expectations of witnesses and investigators;

  • Consider with other key risk-management functions whether any additional policies or procedures are needed and develop accordingly with any necessary training modules or implementation support;

  • Schedule a timeline for the implementation of the investigations framework considering existing investigative activities (and the input and buy in of those stakeholders) and organizational culture with change management in mind; and

  • Implement the designed organization structure, measure and monitor effectiveness, and adapt to changes in organization and environment as needed.

In addition to these steps, there are a few other matters to consider in creating an investigations program including: the need for an investigations case management system, the issues of attorney-client privilege, the possibility of the need to report an issue to a government agency, and global issues. Each of these will be discussed further below.

What Are the Organization’s Information Points?

Employees always have information about where the issues and systems breakdowns are; the real trick is obtaining and effectively harnessing that information. Effective ethics and compliance functions tap into the organization’s many information sources and provide employees and others a safe place to share important information about suspected problems and issues. Then the organization must have a mechanism to sort the chaff from the wheat to determine which information and issues merit investigation and manage those investigations accordingly.

Thus, the first task for organizing an investigation framework is to identify the various information points in an organization (those persons and functions likely to be frontline recipients of complaints and reports). Following, the ethics and compliance function should create or utilize the various paths to reporting and encourage that reporting. Finally, the organization must determine how and where to handle the different types of investigations.

Organizations need to consider, based on their size and organizational structure, where there are information points for employee complaints. Most organizations have a variety of sources of information and information points which will include some or all of the following potential sources:

Possible Issue Information Sources

  • Employee or partner/vendor background checks;

  • Personal reporting by an employee, vendor, consultant, or other party to a manager to or to human resources, security, compliance, management, or other personnel;

  • Compliance helpline reporting (phone/electronic);

  • Workplace rumors;

  • Audit reviews;

  • Expense report incongruities;

  • Calls, emails, or letters from friends/family of employees or vendors, consultants, partners, or competitors;

  • Anonymous calls, emails, texts, or letters;

  • Websites, blogs, apps, and other social media posts/communications;

  • Exit interviews;

  • Information from the Employee Assistance Program;

  • Contact from law enforcement, government investigators, or news personnel;

  • Employee disciplinary actions;

  • Litigation trends;

  • Liability insurance trends;

  • Risk assessment or other employee surveys; and/or

  • Other sources.

Increasingly, because social media channels allow such broad communication by nearly anyone, it is important to consider whether and how to engage in social listening/monitoring about issues which may be published about the organization. The reality is that much information about possible compliance violations or issues is still transmitted directly person to person and the company and ethics and compliance function need to take care to ensure that the information makes its way to the appropriate location for issue management, investigation, and resolution. It is important for the ethics and compliance function to have insight into these reporting avenues and understand who controls the information flow from them. Based on that assessment, the organization needs a mechanism to make decisions about which matters need to be funneled where and create effective processes or procedures to ensure proper handoff.

Once the information sources are determined, and the investigations program is designed, it is important that—at a minimum—those persons in a position to receive information related to complaints or possible ethics and compliance issues be trained on:

  1. Spotting the issues and the significance,

  2. Responding appropriately to the person raising the complaint, including addressing employee concerns about confidentiality,

  3. Getting the issues to the right party to manage and possibly investigate in a timely fashion, and

  4. Preparing for ongoing monitoring to ensure that the issues have been effectively resolved and no retaliation is occurring.

Conducting an Investigation Skills Assessment

In addition to identifying the key organizational information points, it is important to understand the current skill set and experience of those in the organization as to investigations. Those skills may exist within the organization and/or with outside investigators the organization may opt to utilize. Regardless of whether investigations are to be done by internal or external resources, it is important to understand the skills and experience of investigators working on behalf of the organization and develop a training/onboarding program to ensure they are acting in a manner consistent with the organization’s intentions and desires as they are the front line in contact with persons providing potentially critical information and how they manage the person reporting and this issue can have significant consequences for the organization and its reputation.

A checklist for assessing your organization’s investigations capabilities is included at the end of the chapter as Appendix 3-O. It covers the subject matter expertise or function of the person, the level of experience and number of investigations in the past year, and the subject areas of those investigations. In addition to these items, you may want to ask about the outcomes of these matters and how they typically document their findings and conclusions and/or track and compare their investigations in each function. This assessment can be helpful in determining the ultimate structure and personnel for the investigations program, and how to help develop the necessary skills for the future.

Designing or Evaluating an Investigations Program

The ethics and compliance function is rarely resourced enough to conduct every workplace investigation—nor is that a requirement or necessity for an effective program. What is critical is that the ethics and compliance function have insight into the types of investigations being conducted in the organization with some nexus to the compliance function, and that it has the opportunity to provide insight and oversight into the management of such investigations to ensure appropriate management and effective and consistent responses to issues, particularly those of a higher risk profile, such as executive misconduct allegations, financial misconduct, fraud, and bribery claims. At the very least, the ethics and compliance function should be involved in the creation of any investigations policy, standard operating procedure for report intake, and investigator protocol, and in the communication loop as to ongoing investigations and participate in monitoring resolution of the issues.

Ultimately the structure of an investigations program is a question of oversight, roles, and responsibilities. Once the information points are identified, decisions must be made as to which matters will be investigated and which teams will be responsible for each type of investigation. For example, some organizations have determined that investigations about claims of discrimination, harassment, and the like should be managed by the human resources and/or employee relations functions, while issues of fraud, abuse, and corruption likely need someone with more general compliance experience or oversight. Regardless of the division, it is important that the ethics and compliance function have, at least, visibility, communication, and coordination with those conducting all types of investigations as issues often are not clear cut. Nonetheless, each report of actual or suspected misconduct must be resolved appropriately.

Structures to consider for an investigations program include: centralized investigations management; semi-centralized investigations management; decentralized investigations management; and outsourced investigations management. The formats might look something like one of (or some variation of) the following:

What Type of Investigations Program Is It?

Who Performs Investigations and Training on Conducting Investigations?

What Is its Relationship to Ethics and Compliance Function?

Centralized Investigations Program

All investigations are performed by one central investigations group who trains its investigators on conducting investigations.

The investigations group is either part of the ethics and compliance function or reports its investigations findings to the ethics and compliance function.

Semi-Centralized Investigations Program

Investigations are performed by more than one group, depending on the nature of the allegation, and training on conducting investigations is done by each group for their own investigators.

Each investigations group reports in some form to the ethics and compliance function about the investigations they complete.

Decentralized Investigations Program

Individual groups perform investigations and training (if any) on how to conduct investigations.

There is little or no reporting to or oversight from the ethics and compliance function.

Outsourced Investigations Program

Skilled external resources perform investigations.

There is oversight by organizational functions, which may include subject matter experts such as employee relations and/or ethics and compliance.

In all of these structures, there is also the question as to the role of legal. It is best practice to have a trained attorney involved and/or responsible for the oversight of investigations to assist in managing the legal considerations and to help ensure the process of an investigation is thorough, programmatic, and defensible. Again, those matters with a higher risk profile, and the possibility of the requirement for public disclosure, should generally involve in-house and/or outside counsel at some point; these would include matters of financial misconduct, as well as allegations of fraud, bribery, and the like. The attorney involved should also have their own skills and experience conducting investigations, so the oversight and assistance is tailored to the organization’s investigative needs.

Creating an Internal Investigations Philosophy and Policy Reflecting the Investigations Program

At the very least, organizations should develop a philosophy around how internal investigations are to be accomplished and the methods and means which are considered appropriate or not. The philosophy should address some basic questions, such as will a subject always have an opportunity to respond to the accusations, is one “innocent until proven guilty,” and what techniques are acceptable for investigators.

This includes:

  • Investigation processes and standards;

  • Qualifications, expectations, and authority of investigators;

  • Treatment and expectations of witnesses;

  • Issues of cooperation and confidentiality;

  • Communications related to the investigations and to whom;

  • Investigation working papers, draft reports, final documents;

  • Access to investigative information and files; and

  • Appropriate retention and destruction periods for investigative data.

Organizations also should consider implementing a written policy and procedure on internal investigations to address some or all of the following matters:

The investigation process and standard

  • What is an investigation?

    • Who is authorized to conduct investigations? In what areas?

    • What is the investigator’s role (i.e., neutral fact-finder, decision-maker)?

    • What rights do witnesses have (including access to information about the allegation)?

    • What is expected of witnesses (e.g., cooperation, confidentiality, evidence preservation)?

  • Reporting/communicating about investigations to senior management/others

  • Complaint reporting channels (where and how complaints can be made)

  • The policy against retaliation/retribution.

A Sample Internal Investigations Policy is included at Appendix 3-P.

Confidentiality

Organizations have long recognized the critical importance of maintaining confidentiality with respect to internal investigations. Confidentiality is important to protecting the integrity of evidence and the investigation itself. It can help minimize the possibility of retaliation against reporters and witnesses, and of employees’ tampering with evidence or speaking to potential witnesses before the company’s investigators have an opportunity to do so. It also respects the privacy rights of the employees involved in the investigation.

Creating a Case Management System for Investigations

Another important consideration in the creation of an investigations program is whether to implement a case management system for documentation of organization investigations, and, if so, what type of system. These systems can range from a simple Excel spreadsheet, documenting relevant information about such investigations, to home grown databases, or off-the-shelf or customized solutions provided by large vendors for investigation tracking, management, and report generation. While these case management systems can help with tracking metrics and identifying trends, they also are potentially discoverable in the event of litigation. Consider both the value and risk of having such a system and then determine the desired content and access rights.

Issues of Attorney-Client Privilege

Because the vast majority of investigations involve claims of harassment, discrimination, retaliation, threats and violence, theft, and the like, generally an investigator need not be an attorney. However, there may be times when an organization determines that because of the risk profile of the allegation, the use of an attorney (external or in-house) as an investigator or an outside investigator working at the direction of in-house counsel is desired in order to create the attorney-client privilege for the investigation content. Notably, in many cases, the organization may later determine that it wants or needs to waive any privilege (for example, when the organization discloses a compliance issue to a government agency and seeks leniency).

An important point should be stressed here. It is the purpose of the inquiry and not the job function of the investigator that is dispositive. In other words, a lawyer who conducts the investigation is doing so because of their skills and experience, not necessarily their job title.

An organization is entitled to the protections of the attorney-client privilege. The privilege belongs solely to the corporation, not to any specific employee. There are several factors relevant to the availability of the attorney-client privilege in the context of a workplace investigation:

  1. The communications were made by organization employees under instructions from superiors in order for the organization to secure legal advice from counsel;

  2. The information needed by organization counsel in order to formulate legal advice was not otherwise available to executive management;

  3. The information communicated concerned matters within the scope of the employee’s corporate duties;

  4. The employees were aware that the reason for the communication with counsel was to enable the organization to obtain legal advice; and

  5. The communications were ordered to be kept confidential and they remain confidential.

The attorney-client privilege only protects the investigation communications from discovery; the underlying information contained in the communication—witnesses and business documents—is discoverable; the privilege does not extend to the underlying facts.

Communications that merely transmit business-related facts may be discoverable, because the privilege most often applies to requests for legal advice. The transfer of non-privileged documents from the corporation to the attorney similarly does not make the documents privileged. Communications made for purposes other than to obtain counsel’s legal advice, including communications made to third parties, are not privileged. Consequently, simply funneling communications through a lawyer will not shield an investigation from disclosure because communications for business purposes are not privileged.

Attorney involvement in investigations can be tricky. Even if the attorney takes all appropriate precautions to maintain the privilege, a court may later determine that the communications at issue are discoverable (because, for example, the court may determine that the communications relate to business and not legal advice). In addition, government agencies may demand access to privileged reports as a form of cooperation when an organization seeks leniency for a detected ethics and compliance failure.

Attorneys who conduct investigations should be careful to explain their role as attorney for the organization (and not as attorney for the employee) to those employees whom they interview. Attorneys conducting investigations should always consider and determine when and how to provide appropriate warnings to witnesses about their role. While these so-called Upjohn warnings can take many forms, a sample of the suggested content is provided in Appendix 3-Q.

The work product doctrine may also apply to shield materials generated in the context of internal investigations from disclosure. This doctrine protects documents and other tangible items that were generated in anticipation of litigation by or for the company or its representative. Thus, if there is a reasonable prospect of litigation related to the matter under investigation, the work product protection may apply.

Conducting an investigation subject to the attorney-client privilege is done because the purpose of the inquiry is to allow the organization to receive legal advice and not for risk- or personnel-management. It is not just because the investigative issues are sensitive. It’s because the investigation purpose is different that the common compliance matters.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings