Out-Law Analysis | 27 Jun 2019 | 11:02 am | 3 min. read
Internal investigations can trigger, or be triggered by, regulatory investigations. There are a number of steps to take when planning an internal investigation to ensure it meets the standards expected.
Most internal investigations go wrong because the investigation was not planned out from start to finish with sufficient detail at the beginning. Often senior executives are looking for outputs as soon as it is decided to hold an internal investigation but diligently focusing on the basics pays dividends in the end. The reality is that detailed planning helps thwart efforts by some, minded to take the investigation off on a tangent and gives purpose to those involved to finish it in a timely matter.
It is imperative from the outset that everyone involved in the internal investigation is conscious of and applies the principles of fair procedures and natural justice – all members of the investigation team and any Board/Committee overseeing them.
Explaining the fundamental principles around legal professional privilege ... is thirty minutes well spent
The first step is to identify who will conduct the investigation. To ensure that legal professional privilege is preserved it will be important for external lawyers to understand who 'the client' is for the purposes of the internal investigation.
This is vital because legal professional privilege belongs only to "the client" and can be lost or deemed waived if documents which would otherwise be deemed privileged are circulated to persons or third parties not considered to be 'the client'. The client will typically be the main personnel involved in seeking and receiving external legal advice for the company in any internal investigation.
Explaining the fundamental principles around legal professional privilege, the difference between legal advice privilege and litigation privilege, how privilege can be lost and how to ensure that does not happen is thirty minutes well spent, no matter the level of experience of those involved in conducting the investigation.
Typically the lead in any investigation team will be the in-house counsel, the head of compliance or another senior executive. Businesses will normally consider adding representatives from IT, internal audit, HR and the data privacy team on the team too. You need the appropriate decision makers so the correct level of seniority needs to be factored into the choice of individuals.
A senior member of the IT team will help the investigation team fully understand the company IT systems, policies and procedures and how data can be preserved or gathered in a manner that is reasonable, proportionate and effective. If the investigation involves a breach or other interference with the IT system then you may need external IT support to avoid any conflict.
Internal audit can advise on the collation of any financial records, their analysis and any accounting impact.
A senior member of HR will advise on employment issues that may arise in connection with the conduct of the investigation.
A senior member of the data privacy team or the data protection officer will ensure that due consideration is given immediately to any data protection law issues that may arise in cases where personal data is involved, including in particular the desirability for a data protection impact assessment prior to commencing any investigation.
For privilege and for the orderly conduct of the investigation, the investigation team lead must establish at the outset who they are reporting to within the company. This may be the Board, but where members of the Board are potentially implicated or conflicted, the investigation team could instead report into the Audit Committee or a Special Investigation Committee set up specifically to instruct and supervise the investigation.
The Board or Committee will be responsible for giving instructions and liaising with the investigations team. The investigation should be kept confidential, with information restrictions in place to protect its integrity.
Thereafter, to focus minds on the issues, the investigation plan should be committed to writing. The plan should note the factual matrix leading to the investigation, the purpose of the investigation, the identity and role of each of the investigation team, the relevant material, the means for the preservation and collection of that material, the procedure for reviewing it, who will be interviewed, the timetable and the manner in which findings will be presented to the Board/Committee and the timelines involved.
As the investigation progresses it is helpful for the investigation team lead to maintain a log of why important decisions were made e.g. why some people where interviewed and not others or why a time period was chosen. This is particularly so if the internal investigation may be scrutinised subsequently by a regulator. A contemporaneous note explaining the reasoning behind a decision can prove vital in dimming what otherwise might be a spotlight from a regulator at a later point in time.
Ann Henry is a Dublin-based expert in data privacy and intellectual property disputes at Pinsent Masons, the law firm behind Out-Law. She is a Fellow of the International Compliance Association. A version of this article was first published by the Irish Times.
18 May 2018
19 Feb 2018