Investigations are one of the more difficult and riskier activities of an E&C program. Poorly-conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive E&C programs, in particular where the report was initially made to the E&C department, through a hotline or otherwise. The mishandling of E&C investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, E&C-related investigations are a serious business, and assessing them is therefore an important component of assessing an E&C program.
Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order comprehensively to assess that process, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:
• Guidelines: Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
• Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include:
o Professionalism standards that govern the investigations process, such as a discussion of the importance of impartiality, competency, confidentiality, and non-retaliation.
o Step-by-step guides for each aspect of investigations, including intake procedures, preliminary analysis of the allegation, assigning investigations, opening a case file, creating an investigative plan, reviewing documents, whom to interview and how to do so, preparing interview notes, assessing and determining findings, preparing a final report, responding to the complainant and subject, and closing out the case.
o Samples and outlines of investigation documents, such as reports of interviews, reports of investigation, and sample communications with interviewees, complainants, supervisors, and subjects of investigations.
• Are there protocols that govern how evidence can be collected (e.g., required approvals before electronic data is accessed) and when and how litigation or investigation holds will be issued?
• Are there clear guidelines governing when to get the Legal Department involved and the steps to be taken when conducting an inquiry under the attorney-client privilege?
• Is there adequate oversight of the process? And does E&C have the ability to oversee investigations conducted by other functions, where appropriate?
• What are the protocols and practices for documenting investigations? What type of case management system is used? Is the case management system adequate to permit the E&C team appropriately to document investigations?
• Is the case management system adequate to permit aggregation and assessment of metrics related to reports received and investigations conducted? Are metrics in fact collected and considered? Are metrics reported to executive leadership and the audit committee? Are they reported out to employees?
• Are investigators appropriately qualified and adequately trained? Is ongoing training provided?
• Are investigators asked to consider supervisory fault when investigating allegations of E&C violations?
• Are investigators asked to consider appropriate remedial measures? Are there opportunities to escalate critical remedial measures on a timely basis? (For example, if an investigation reveals a serious gap in a control, can the investigator seek remediation for that quickly?)
• Where an organization has locations outside the United States, do investigations procedures consider local legal requirements and prohibitions governing internal investigations?
• Does the organization track the amount of time required to complete investigations? Are there undue delays in the time period required to complete investigations?
• Is the audit committee able to oversee the most serious investigations when it is appropriate for them to do so? Is there a written escalation protocol that governs when the audit committee should be informed about the most serious allegations/investigations?
The questions above should be asked not only regarding written protocols and processes (e.g., is there a written protocol governing how investigations are assigned?) but also regarding how an organization’s investigations process is implemented in practice (e.g., are investigations in fact assigned in a timely and reasonable manner?). This can require discussions of sensitive information, and the assessor must be cautious regarding privilege issues.
Ultimately, an effective assessment of an investigations process seeks determine whether the process possesses three critical attributes:
1) Independence: Are investigations conducted independently, objectively and impartially?
2) Access and authority: Are investigators permitted access to those people and documents that are necessary in order to conduct the investigation? To travel to those sites necessary? In other words, are there any obstacles or impediments to conducting a thorough investigation?
3) Expertise and professionalism: Is the investigator qualified to conduct the type of investigation? Does he or she have the relevant level and areas of expertise?
While perhaps obvious, we note that the above is merely a sampling of both areas to cover when assessing E&C investigations and questions that can be asked in each of those areas. E&C investigations can be complicated, risky and critically important to an organization’s E&C program, and the assessment process is therefore both challenging and significant.