Plan & Assign: Part of Internal Investigations for Control and Compliance Violations (3 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:
1. Capture
2. Filter
3. Plan & Assign Based on the alleged and/or confirmed facts, circumstances, nature and seriousness of the issue, the team should assign the issue to the appropriate investigations “work stream” or “tier” as some organizations call it. Using a tiered system ensures that issues of similar nature and seriousness are handled in a similar way. In addition, it allows the organization to allocate scarce capital – both human and financial capital – to investigations.

When assigning issues to a tier and team, an organization should consider:

• Nature and seriousness of the issue;
• Skills and experience required to obtain and analyze facts (legal, accounting, technology, forensic and other industry expertise);
• Independence from the issue at hand (e.g., to not assign a financial investigation to a team that includes staff from the office of the CFO); and
• Availability of resources.

I know this last item sounds obvious, but a timely follow-up and investigation is important especially for serious issues that may involve the government.

While an organization may choose to have fewer or additional tier, at least four will be helpful:

Tier 1: Critical Issues. This tier is reserved for “sink the company” issues that are material to either the financial or reputational health of the organization – or issues that involve senior executives. These investigations are directed by the board and involve significant outside assistance to ensure objectivity. Privilege is a must at this level. For public companies, the involvement of the external auditor may be required or at least advised.

Tier 2: Significant Issues. These issues are serious and material to the organization but do not involve allegations of wrongdoing by senior management. As such, senior management directs these investigations with special care and under privilege.

Tier 3: Serious Issues. Most organizations have issues that they, to a certain degree, expect and prepare for, such as a significant theft. Systems have been designed and special investigative staffs have been trained to address these issues.

Tier 4: Operational Issues. These issues, often HR related, warrant the attention of management, but may not require privilege or professional investigators. They are often delegated to management, but could escalate at any phase. Some of these issues are resolved without the need for investigative resources.

While each of these tiers it is important to define who does what. Critical roles include:

• Leadership for day-to-day management of the investigation;
• An individual charged with communication about the status of the investigation with stakeholders such as the source of the allegation, the media, and most importantly the government; and
• Staff and outside consultants who will obtain and analyze the facts.

As a final note, it is wise to limit knowledge that a particular investigation is being conducted. The risk of evidence tampering and destruction increases when it is broadly known that an issue is under investigation.

Filtering Issues: Part of Internal Investigations for Control and Compliance Violations (2 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:

1. Capture
   
2. Filter <- THIS POST
3. Plan & Assign (future post)
4. Investigate (future post)
5. Resolve (future post)

Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more versus a planned response. While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:

1. Capture
2. Filter
3. Plan & Assign
4. Investigate
5. Resolve

Filter
Once information about potential violations is captured, it must be filtered so that the investigations team can focus on what matters most. The goal of filtering is to discard allegations that are not specific and credible; and appropriately act on those that are. It is critical that the individuals charged with this determination are both competent and independent. Some issues may require a level of technical analysis to make this determination. It is wise to have these individuals available in the early stages of filtering. Key questions to answer include:
• How was the issue discovered?
• By whom?
• Is it specific and credible?

If there is not sufficient information captured about a violation, it will be extremely difficult to determine if it is specific and credible. As such, while it is not absolutely necessary, it is helpful if reporters and sources of allegations are able to be contacted for follow-up and clarification. It is also important to discern whether the source has a motive to lodge a frivolous allegation.

Even at this early stage, the team should attempt to determine if the issue should be handled under privilege. Every step not taken under privilege can introduce more risk to the organization as untrained individuals may capture facts and testimony that have no chance of being privileged later on. On the other hand, every issue cannot and should not be vetted and investigated under privilege. For some issues, privilege is simply overkill and, according to one enforcement official, “The obsessive compulsive assertion of privilege is one of the things I look for when I try to determine if an organization is sincere about its need to maintain privilege. It is statistically impossible that everything should require privilege and, thus, I treat organizations that have an ‘everything is privileged’ culture with increased skepticism.”

Another important consideration here is that, even as early as the filter stage, the clock begins to tick. Simply read the Federal Sentencing Guidelines for Organizations, the McNulty Memo and the often overlooked 21(a) Report of Investigation of Seaboard to understand the importance of a spry internal response to serious allegations. A quick response and, if appropriate, disclosure to the government is the only way that the organization can be spared the damage caused by the blunt tools available to the government should they become involved in a matter.

Capturing Issues: Part of Internal Investigations for Control and Compliance Violations (1 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:

1. Capture <- THIS POST
2. Filter (future post)
3. Plan & Assign (future post)
4. Investigate (future post)
5. Resolve (future post)

Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more versus a planned response. A recent conversation with a chief compliance officer at a large industrial manufacturer suggests that this rule is applicable to internal control and compliance. He noted, “After we organized our approach to investigations, our costs dropped dramatically – unfortunately, it wasn’t for lack of investigations. As investigations volume went up, our annual costs actually went down 15%.” Multinational organizations will find even more efficiencies as cross-border investigations tend to be even more ad hoc and fragmented. The good news is that it takes relatively little time to define a robust internal investigations process. The same executive above noted, “It took about 200 hours of internal staff time and about 100 hours of external help to nail down our process. In the end, we saved at least that much time in our first investigation.” While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:

1. Capture
2. Filter
3. Plan & Assign
4. Investigate
5. Resolve

Capture
This is the precursor to an internal investigation. It is helpful to have a “big funnel” to channel information to a team charged with filtering and vetting this information. The funnel should comprise a number of “push” and “pull” structures.

Push structures include:

• Hotline/Helpline is one of the obvious mechanisms to allow the workforce and other stakeholders to report (confidentially or anonymously) allegations of misconduct. The helpline can also provide input as high volume of questions about a particular subject may indicate confusion about expected conduct and, in turn, increase the risk of actual misconduct.
• Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but this can lend to the discussion about other issues.
• Control violations that are automatically triggered based on threshold conditions can raise “yellow flags” that misconduct may have occurred. Management will most likely have to use human judgment to determine if these violations are actually issue of interest.

Pull structures include:

• Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues.
• Exit interviews provide an opportunity to find out what is really happening in a department. People tend to be extremely honest as they are walking out the door.
• Surveillance including video, audio and physical (e.g., RFID tags) monitoring many be necessary for high risk locations and/or transactions.
• Audits and assessments include all of the proactive evaluation of controls and other information on a periodic and ongoing basis.

In addition, management should pay attention to all of the “chatter” in the organization – the formal and informal conversations that take place verbally and via email. Sophisticated email filtering technologies can look for interesting phrases such as, “Do we really want to do this?” or “I don’t feel comfortable putting that in writing.” All of these techniques need to be balanced with the potential of creating a tattletale, gadfly or Big Brother culture which will result in decreased workforce productivity.

In the next few entries, I will delve into each of the other steps.