Internal Investigations And The Data Explosion

You're in your office, talking to a colleague when the phone rings. The caller, a business colleague from Brazil, gives you a heads-up about an article that will be published tomorrow in the local paper alleging a series of bribes paid by your company over the course of several years. You are faced with some immediate issues: what did you know about this issue back when it happened? How did the company respond back then? Were any employees disciplined? Who was involved? Can the company easily lay its hands on the email files and document-storage locations of those employees? Who knew about the case back then? Were the employees involved trained in anti-corruption? How can you prove that the relevant employees were trained?

The situation is often made more complicated because the facts in question will have occurred several years before: employees will have left, data will have been moved to backup storage, and even the format of documents may be so antiquated that they're unreadable by today's technology. How your company reacts in the next 72 hours - and whether it can answer all these questions - will significantly impact the resolution of the case.

The first 72 hours, however, are just that, and the total investigatory process can take much longer. Johnson and Johnson, for example, recently resolved an investigation that was first disclosed several years ago. When you get that call, realize that your company is in for a multi-year venture of regulatory investigations, follow-on shareholder suits, and PR and marketing efforts around the investigation. In addition to the focus you'll have to divert to the investigation, your company is also in for a significant financial cost. For a substantial number of internal investigations today, the investigative costs outweigh - sometimes significantly - the cost of the settlement.

To mitigate the risk and costs of internal investigations, companies should implement proactive policies and controls, should have an investigation plan, and should carefully manage voluntary disclosure issues.

Pro-Active Controls To Implement So This Doesn't Happen To You

The best way to deal with the middle-of-the-day phone call is not to get one. The best way to avoid it is to have a policy in place so that everyone knows what his role is when a bribery event occurs. (Really, the best way to avoid it is for your employees not to bribe, but since the topic of this article is the investigatory process and not the compliance process, we'll assume an event has occurred.) The policy - the best name I've heard for this type of policy is the "dawn raid policy" (DRP), or what to do when the authorities raid your offices first thing in the morning - should cover three major items: defining an "event," defining roles and responsibilities, and assigning clear, time-sensitive tasks.

Defining what constitutes an event is the first requirement of a DRP. In our example, publication in the press of any company actions regarding potential bribery should be an automatic trigger. Other triggers can include allegations involving senior management, allegations that implicate revenue recognition issues or other financial reporting errors, and allegations that involve collusion in wrongful acts with other companies.

Once a triggering event has occurred, the policy must bring together all relevant stakeholders, including Legal, Compliance, Operations, Human Resources, Public Relations, Investor Relations, Security, and Senior Management. Representatives from each of these constituencies should form a crisis management committee with clear responsibilities. These responsibilities include comments to the press and crafting a public message, internal education (after an event, salespeople get questions on the subject from clients and potential clients and need to be given talking points), and the investigation itself.

Recent developments like the Dodd-Frank whistleblower provisions make the adoption of the DRP even more important. The law - giving whistleblowers a large financial incentive to report misconduct to regulators rather than via in-house compliance programs - makes public disclosure of bad acts more likely than before, and companies need to adjust.

Act As If Ye Had Faith

Even if your DRP isn't in place, when you get the phone call from your Brazilian colleague, your company should act as if a policy like that was already in place. Stakeholders should be corralled, tasks assigned, and project management put into place.

This latter idea, that investigations are projects and should be managed accordingly, is your secret weapon. Lawyers are not natural project managers. And even though an attorney will be - and should be - in charge of the investigation, assign a project manager to the team. Investigations have numerous critical paths, and ensuring progress through competent project management is a must.

Managing Your Investigation In The Sea Of Data

If you're lucky, in this unluckiest of situations, the call you get involves recent conduct. More often, however, the conduct in question will have ceased months or years ago. Companies will then be faced with antiquated data sources: potentially relevant documents can be stored on backup tapes and disaster recovery systems in locations known and unknown throughout the world. It is a regular occurrence for companies to tell us "we just found a warehouse of backup tapes," and sometimes in risky countries. Plus, data formats from several years ago might not even be readable by modern programs.

First contact with the regulators in our example should occur almost immediately. As soon as you've confirmed that publication of the article is certain, you must contact the regulators. The only thing you should do before contacting the regulators is to devise a brief investigation plan.

Whether to contact regulators during the course of an investigation or at the end of an investigation is a tremendously contentious issue. In our example, that question is moot because regulators read the paper. As soon as they see the information in the online edition of the publication, they'll be expecting a call. One additional caveat: you'll need to make more than one call. A company facing this type of public investigation needs to contact not just the Department of Justice, but all relevant regulators. This includes the Securities & Exchange Commission as well as the financial regulators in the country in which the alleged bribery occurred.

Normally, regulatory involvement comes toward the end of an investigation, once the facts are already determined. Here, the involvement is much earlier, and the regulators won't expect you to have everything figured out. It is correct to say that disclosure in the face of a newspaper article isn't "voluntary," as the regulators define the term. That said, you can also get credit for cooperation, which you can accurately describe as voluntary disclosure over time. So even if you're alerted to the situation by forthcoming publication, you still gain considerable leverage by calling immediately.

When you call, you need to be prepared. What you'll need to have is an outline of an investigatory plan. The regulators aren't expecting much more right now than to feel that the company understands the magnitude of the issue and that the company both has everything under control and will be forthcoming with its investigation and the results of it.

Mike Tyson once famously said, "Everyone has a plan until I hit them." The hit coming here is the first document request that you get from the Department of Justice. That request will likely impact your plans for the investigation, broadening it considerably. The first document request will include documents relating to the incident - no matter how long ago the events occurred or where they occurred - plus training records for all affected employees, policy documents as they existed at the time and evidence of financial controls as they existed at the time.

In addition to records around the incident itself, the regulators will ask "where else?" That is, where else might the company have the same problems? If the issue is bribery in the business-to-business division, where else does that division do business? Does the company have the same problem there? Plus, where have the personnel whose actions are in question been posted before and since the time in question?

And regulators expect you to provide answers to these questions - quickly. Time frames for responses to regulatory inquiries, especially when those inquiries are based on highly public allegations, are startlingly short. You need early case assessment technology - preferably with powerful analytics that provide the ability to automatically filter large sets of documents by concept groups and by phrase extraction in addition to simple date range filters - if you expect to be able to respond in the right time frame. More and more, regulators themselves are using these sophisticated and automated software applications to understand the data that gets turned over; you never want to know less than the regulators about your own data.

The effect of both of these expectations is that no investigation stays local for long. This aspect of investigations presents its own challenges.

Data Privacy Implications

Investigations that take you into far-flung markets introduce more problems for the company. Data privacy issues in investigations come in two main forms. First, repatriating data from certain countries presents challenges. Second, local data privacy regulations can give the investigation subjects access to, or potentially a level of control over, the data you're trying to export to the U.S. regulators.

Regulators are notoriously unreceptive to the excuse that data resides in a market that doesn't allow repatriation. In essence, the regulators want their data and expect you to get it for them. Ironically, this situation is being partially alleviated by the increasingly widespread adoption of anticorruption legislation. Sharing information transnationally for anticorruption purposes is easier when both countries have anticorruption legislation.

Finally, local legislation sometimes gives the data subject access to data about him. The effect is that the investigation subject can request access to investigatory data, giving the subject of the investigation insight into the evidence against him. Also, since certain data transmissions require the data subject's consent, wrongdoers can actually use the local legislation to obstruct the course of the investigation.

Conclusion

Today, companies will often pay more for the investigation itself than it pays ultimately in fines and penalties for the violation. Investigations require proactive efforts to manage and govern data, and companies need to adjust to this new reality. Using technology that helps companies understand their data on a deeper level gives companies a leg up during investigations: it helps them respond effectively to broad document requests. It also helps companies show the regulators that they're serious about conducting a thorough investigation. That seriousness will give them a level of credibility that they'll need during the course of months or years the investigation progresses.

Published .