Internal investigations and corporate governance: a framework for responding to potential legal and compliance breaches

Importance of internal investigations to corporate governance

Internal investigations can be an important component of good corporate governance. Having strong policies and procedures in place for the reporting and investigation of alleged misconduct allows an organization to, among other things:

• identify and address misconduct at an early stage, mitigating or preventing damage (financial, reputational or otherwise) to the organization;
• improve its corporate culture and reputation, including by maintaining an organization’s accountability, integrity and transparency in the eyes of relevant stakeholders; and
• protect shareholder value by identifying and addressing issues that could negatively impact the organization or its value.

Key considerations for the development of a robust internal investigation framework

In recent years, organizations have been the focus of increasing regulatory inquiries and complaints alleging compliance or legal breaches. These may arise internally or be prompted by external parties, with internal complaints including a broadening scope of the alleged misconduct being reported. These trends are influenced by, among other things: 1) increasing emphasis on “speak up” culture in organizations (and more broadly in society); 2) increasing regulator activism in a variety of areas (including competition, securities, consumer protection, etc.); and 3) increased awareness around diversity and inclusion in the workplace. At the same time, we observe that corporate fraud and other misconduct are becoming increasingly sophisticated, driven in large part by technological advances (including the growing use of artificial intelligence).

In this context, as a matter of good corporate governance, it is advisable for organizations to develop a robust internal investigation framework (or assess the adequacy of any existing framework). To that end, the following are the key issues organizations should consider:

• Ensure policies are in writing. Organizations are encouraged to develop written whistleblower policies, as well as policies for responding to allegations of corporate wrongdoing from other sources. Individuals are more likely to report misconduct when they have a clear understanding of what and how to report, and the implications of doing so. The written policies should, at a minimum, be accessible to employees. However, depending on the nature of the organization’s business, it will also often be prudent to make the policies (or a version of them) available externally to allow external parties to report misconduct.
• Content of policies. Although policies should be tailored to an organization’s needs, at a minimum these policies should:
  • identify the type(s) of misconduct that should be reported and actioned;
  • outline the options for reporting misconduct (including any third-party complaint hotline that may be available);
  • provide some information as to how the complaint will be escalated and investigated (without being overly prescriptive as to investigation procedures, with a view to maintaining the flexibility to adapt investigation procedures that are appropriate for a complaint);
  • address issues such as confidentiality and anonymity; and
  • provide protection against retaliation.
• Consider offering an anonymous complaints hotline. Providing an anonymous, third-party reporting mechanism may increase the likelihood of misconduct being reported to an organization. Complainants are often concerned about retaliation and may be less likely to report misconduct absent accessible reporting mechanism that guarantees anonymity. While anonymous complaints can be more challenging to investigate, it is typically preferable for an organization to be informed of a wider range of potential misconduct (so that any such misconduct can be investigated and addressed) than to take the risk that misconduct will not be reported due to fears of retaliation.
• Appropriate escalation. Not all complaints or allegations are created equal. Some complaints may be easily investigated by an organization’s human resources function or its in-house legal team. However, there are other complaints that should be escalated to the executive team and/or the Board of Directors (the Board) given their potential significance to an organization (whether financial, reputational or otherwise). It is therefore critical to develop internal procedures that clearly outline when and how complaints should be escalated within an organization, and for all those who may be involved in complaint intake to be trained in those procedures.
• Reporting to the Board. While it is important for the Board to be aware of (and lead any investigation into) significant organizational complaints, it is equally important for the Board to understand:
  • the effectiveness of the organization’s framework for whistleblower and other complaints alleging compliance or legal breaches (i.e., whether and how it is being used); and
  • any trends in complaint reporting (i.e., whether there are a significant number of complaints relating to a particular type of misconduct or against a particular department or individual).

It may therefore be advisable for organizations to require reporting to the Board on these matters annually or semi-annually. Where possible, reporting of this nature should typically be done on an anonymous or aggregated basis to maintain the confidentiality of complaints and, where applicable, anonymity of complainants.