Navigating the jungle of internal investigations

At Risk Advisory’s most recent Women in Compliance event, we explored recent developments in internal investigations.

It has almost become a standard response to any allegations of wrongdoing for a company spokesperson to announce that a “full investigation is underway”. The scope of these investigations and the subjects they cover have broadened considerably over the years - and so has the law. So it was really helpful therefore for Polly Sprenger, partner at Katten Muchin Rosenman LLP, to take us through the recent developments, and explain what is important.

Who? What? Why? How?

The knee jerk reaction to receiving an allegation for most people involved in internal investigations is to start trying to get to the bottom of it and too little time is spent on assessing the risks and planning the investigation. It sounds mundane but spending some time plotting the potential risks and the likelihood of them happening will give you some focus.

Polly produced this short checklist of the key elements that you might want to consider.

Common pitfalls

In the same vein, setting out the scope of the investigation at the outset can help you to avoid myriad pitfalls. One obvious pitfall is failing to structure the investigation in such a way as to ensure that privilege applies. With the ENRC case making its way through the Court of Appeal, the law is in a state of flux in this area. But there are other areas which need proper consideration when conducting an internal investigation, including:

• Establishing a proper reporting system
• Minimising the delay in starting work
• Ensuring evidence is properly collected and analysed
• That the right people are involved in the investigation
• Protecting the whistleblower or complainant from retaliation

What about GDPR?

We have all heard more about GDPR than we would like over the past six months. But what has not had much airtime is the impact that this new legislation has on internal investigations and due diligence. Here, Polly told us, acronyms are your friend - and in particular the DPIA - Data Privacy Impact Assessment. The flowchart below sets out the areas you should consider before starting an internal investigation.

Provided that companies properly assess, and document their objectives and methodology, GDPR should not be an obstacle to a thorough and carefully scoped investigation.

To find out more about best practice in internal investigations, contact Polly Sprenger on [email protected].

If you would like to join Women in Compliance networking group to discuss this or other integrity issues, contact Risk Advisory here.