FRA Director Weng Yee Ng and Associate Director Irina Bautina recently attended the Association of Corporate Investigators (ACi) Annual Symposium in London on 14 November 2019. The symposium focused on the developments in the investigations and included a fire side chat with Richard Bistrong.
Below, Weng Yee and Irina share their key insights from the symposium:
Fire Side Chat with Richard Bistrong
Richard Bistrong began by sharing his experience with the authorities and regulators.
Key lessons learned included:
- Compliance efforts vs very aggressive commercial objectives – these are not always compatible and aligned with one another
- Bad behavior can be hidden behind very good commercial performance – it is important to look out for optimism bias
- Organizations have a wealth of data – it is worth making full use of it as it is, as in reality, it is a behavioral database
Key advice to the board of directors/executives included:
- Compliance and operations must communicate openly and frequently, for example, they should discuss the concept of an accountability partner (within the business) with whom Ethics & Compliance connects
- The message that “license to succeed is not license to cheat” must be communicated to all operating levels
- Due diligence is only a snapshot in time and it is dangerous (for compliance) to stay static. Compliance monitoring is crucial
When the Tables are Turned – Corporate investigators under the scrutiny of law and regulator enforcers
A lively exchange between the panel and the audience looked at some of the key learnings from corporate investigators for when the company, and the corporate investigators themselves, are being scrutinized by the law and regulatory enforcers:
- Data preservation – data should be put on ice as soon as possible, even if you do not review everything immediately
- Document the strategy – strategy and decisions must be properly documented right from the start
- Stop the bleeding early on – protocols and controls should be implemented so that payment is not made to the high risk third party and ensure immediate escalation
- Hybrid review between emails and chat apps – today, chat apps such as WhatsApp and WeChat are part of our daily lives, and business is conducted through both emails and chat apps. Although the chat app may be on a personal device, investigators need to demonstrate the effort to obtain the device and data
- Sharing information from the interview – would you let your interviewee (employee) bring in their own counsel to the investigation interview? Would you allow the interviewee to tape record the conversation? Would you share the interview transcript with them? It all boils down to the preservation of legal privilege
Technology and Cross Border Investigations
An update was shared on the different technologies and tools that are available and used during investigations, including concept clusters/conceptualized analysis, technology assisted review (TAR), continuous multi-model learning (“CMML”) etc. For mobile devices, one of the recommendations was to always bring along a good and experienced forensic collector as emerging and evolving technology moves at a very fast pace thus the need to have people who are adequately experienced to deal with it.
Me Too Investigations
Me Too type investigations are now actively pursued by law enforcement agencies and such investigations can be very costly to a company.
Some of the key factors to consider when conducting investigations include:
- Cultural differences
- Who should conduct the investigation, i.e. does the investigator have sufficient relevant experience, required soft skills etc.?
- Potential breach of confidentiality and disclosure requirements
- Potential reputation risks
- Language used
- Victims’ expectations regarding information shared
- Conclusiveness of evidence and individuals’ credibility
- Level of anonymity
- Risk of false allegation and malicious intention (by another employee)
Cyber Threats – Staying One Step Ahead
The number of cyber-attacks is on the rise and the threat is not only to businesses, but to all of us as individuals. It takes as little as 18 minutes for hackers to attack a business, yet it takes an average of 80 days for a company to detect a hacking incident.
What are the attackers after? Processing power, personal data, financial and credit data, trade secrets, intellectual property, supply chains, economic and political influence, critical national infrastructure, government secrets, military plans etc are all aspects that could motivate the cause for a cyber-attack.
Key dos and don’ts:
- Don’t trust anything/anywhere, e.g. hardware, software, etc
- Don’t assume a motive
- Don’t trust attribution
- Do consider a full spectrum of “threat actors”
- Do assess IT systems’ vulnerability as part of an investigation
An inside look: Results of the 2019 Deloitte / ACi Survey of Investigators
Deloitte surveyed 57 key executives of multinational companies across a range of industries and public services in the 1st quarter of 2019. Key insights included:
- Only 51% of respondents are confident that their investigation capabilities match the needs and risks of their organization
- Only 32% feel their investigation capability lacks a clear strategic purpose that is linked to their code of conduct values and supported by senior management
- Only 33% feel the training needs of their investigations are being met
- Only 40% of investigations functions can handle every stage of the data journey
- Only 63% of executives are confident that employees will speak about possible code of conduct violations