Do Internal Investigations Even Matter? Oh Yes, They Do!
With the endless chain of corporate scandals and heightened scrutiny of individual, often leadership, misconduct, internal investigations have recently garnered significant attention from the general public and within the corporate world.
Let’s talk about what internal investigations are and aren’t and how they can be done better.
Is it a “whitewash”?
In one of the recent scandals here in the UK (some might be familiar with the Coutts’s Nigel Farage de-banking story), the internal investigation was simply labelled as a “whitewash.” The claim is a bit harsh but not without merit, and those who disagree can just remind themselves about the Post Office saga.
This begs the question – what is the purpose of internal probes? Is it simply a “whitewash” (as Mr Farage suggested) or a genuine attempt to identify and address misconduct and, importantly, take action to prevent it from happening again?
Fundamentally, it’s a matter of expectations—what the general public expects from such inquiries vs. what an internal investigation should actually deliver.
Indeed, we have seen time and time again that when businesses or even the government face scrutiny for their (or their leaders') actions, they tend to call in external lawyers, barristers, and sometimes former judges to conduct an inquiry. There are legitimate reasons for doing this: independence, expected level of expertise, and, not least, the reputation of the person called in to lead an inquiry.
Here comes the expectation bit. In high-profile cases, like the Coutts or Post Office scandals mentioned above, the public expects a trial—and a public one, with televised hearings. Boards understand this very well and want to protect their organisations against reputational storms, too. This is where the disconnect occurs.
But as a matter of fact, that’s not what an internal investigation should be for. (Furthermore, these “public” probes usually end with nothing. Remember the Downing Street COVID-19 parties investigations?)
Let’s talk business, then.
A properly scoped and planned investigation aims to understand what has happened, why it happened, and what needs to be done to prevent it from happening again. Its ultimate aim is not only to sanction wrongdoers but to identify systematic weaknesses and control failures that allowed the incident to occur in the first place and fix those. It’s an improvement mechanism.
Let’s walk through a typical internal investigation process and see where the blind spots might be. NB: I am not talking about immediately reportable matters here or regulatory prescribed processes, as the case might be. The timelines are slightly different, and you might need to structure/prioritise actions differently.
I broadly split the investigation process into four stages:
Allegation intake and triage:
This is where a Speak-up or allegation is received, reviewed (validated), and its severity assessed. Then, a decision is made on whether the issue warrants an in-depth review or can be dealt with in another way, e.g., through management action, if necessary. This is followed by the assignment of the matter for investigation (led by a qualified, independent, non-conflicted senior leader or a dedicated compliance or, often, legal professional). Should be straightforward.
Planning and immediate steps:
Once the “what” and the “who” of the matter are identified, it's time to start scoping the investigation and planning the first steps (Scope and Work Plan): determining the list of involved individuals or persons with knowledge, where and from whom evidence can be collected, whether you need forensics or a legal “hold”, and, importantly, whether it is one of those matters requiring protection of attorney-client privilege (hello, external counsel). The important bit here is to understand if there is a need for immediate actions to stop the conduct in question (if it is still ongoing) and/or to take immediate corrective actions. Putting confidentiality safeguards in place is an essential element here.
Investigation phase:
This is where we are trying to understand what and how things happened, who was involved, and what their role was (think of progressive accountability, too). A “field work” stage, as my internal audit colleagues would often call it.
Fact-finding and evidence gathering, interviews with the involved persons and persons with knowledge, and everything else that can help put the puzzle together.
Of course, there is more to it. Often, I see internal investigations stop there—the review team identifies the culprit(s) and recommends disciplinary or corrective actions or refers involved persons to the HR function or their supervisors. The misconduct is stopped, and responsible persons are sanctioned—the job is done (sounds like a typical “public inquiry,” doesn’t it?). What’s more?
Arguably, the most crucial element - identifying and analysing the root causes. It’s not only the who, the what, and the how but why things happened in the way they happened. And it is also the hardest one.
Root-cause analysis requires the investigation team not only to map the individual actions and circumstances but also to understand the connections and to try to infer causation from there: Is it because the training was inadequate, because of management pressures, or because systems or processes induced the violation? What was the management/supervisory role, and were there oversight failures? Were there other external or internal factors that drove individual actions? Policy deficiency? Or was it simply bound to happen, given an unmitigated risk?
Do you see why I say it is the hardest bit? This last step requires exercising professional judgment, and it can also change perspective. Experience matters a lot here.
Close-out and lessons learned:
Okay, we've got this far. The issue has been duly investigated, the facts analysed, and the root causes identified. A report with disciplinary and corrective recommendations has been submitted to management for approval and action. The investigation lead has circled back to the reporter, if appropriate. Are we done?
Not yet. First, for the corrective actions to stick, clear responsibility, timeframe, and deliverables need to be determined, and timely implementation and completion must be tracked and documented.
Two more things: The root-cause analysis helps to identify systematic weaknesses and deficiencies in prevention and detection controls. Part of the exercise is to learn the lessons and improve internal processes, systems and controls. The objective here is to prevent recurrence.
Another bit is testing the effectiveness of remediation and the intended impact of corrective actions. This can be done through internal audit reviews or simply by re-testing the controls after a certain period of time.
Communicate, Communicate, Communicate.
Okay, now is the last step.
I observed that many organisations somewhat prefer to keep compliance or conduct issues under a tight lid. Understandably so. Confidentiality (a very important consideration) is a part of it, of course. But there is also an issue of excessive secrecy.
The problem with secrecy is that it does not allow organisations to learn the lessons, demonstrate that when something goes wrong, they will take appropriate action, observe due process, and lead by example.
Experience shows that transparency goes a long way in building trust and fostering the “right” culture in organisations. Sharing lessons learned is an important step in that direction, and that does not mean that any confidential details need to be spilt. Nor does it undermine the organisation's reputation or credibility; quite the opposite.
A properly scoped and conducted investigation will bring value beyond sanctioning wrongdoing. It is an essential step on the continuous improvement journey and will help organisations avoid future reputational issues, as we have seen in recent corporate scandals.
See you next Saturday!
Comhla Intelligent Compliance
We aim to publish weekly. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.