The recent focus on FCPA enforcement has highlighted the obligation for companies to conduct effective and focused investigations.

Aside from keeping employees and the executive team out of jail, effective workplace investigations can also help a company preserve its reputation, allow for root cause analysis and risk mitigation and enhance its ethics and compliance program.

But many companies don’t have a documented process for conducting investigations, effectively flying by the seat of their pants when allegations of misconduct surface.

It can be a dangerous way to conduct business.

The best way to mitigate this danger is to have an investigation policy that sets out expectations for handling reports of misconduct and provides guidelines for managing the investigations process and reducing the company’s risk of exposure.

Intake Process

A good investigation policy should first outline the process for intake of reports, says Robert Tompkins, a partner in Holland & Knight’s Washington, DC, office and co-chair of the firm’s National Government Contracts practice.

“Those may come from obvious sources like a hotline. They may come through reports from management and supervisors and that dictates that the supervisors need to be trained as to how they react to and document the reports they receive and how they report them. And it may come, increasingly, from non-obvious sources such as social media, press reports or other things that are not presented directly to the company, but that are out there and that the company should be aware of,” says Tompkins.

What Should the Intake Portion Cover?

The policy should clearly assign responsibilities and set out procedures for when an incident is reported.

“You also want to have a gatekeeper, if you will, who sits over top of that incident reporting structure and who is directly responsible for making sure the reports get slotted into the right places,” says Tompkins.

“That gatekeeper may not necessarily be the investigator, but should be the one who makes sure the reports are taken care of in the right way, because the worst thing you can do, in my view, is have a hotline database with a bunch of un-responded-to voicemails. We’ve seen that happen with some companies where they forget to reassign coverage of the hotline when somebody moves from one position to another.”

In addition to reports coming in through a hotline or other traditional reporting mechanism, a company should also be looking at what is being said in other channels.

If it’s a company that’s frequently talked about in social media or in the press, the policy should stipulate that you want to know what people are saying about you in the community, adds Tompkins.

Assigning the Team

An investigation policy should include a process for determining the investigative team.

“Within that, you need to have a broad understanding of the different risk areas that your organization faces - contractual, regulatory, enforcement - those risk areas inform the overall process,” says Tompkins.

The gatekeeper should understand all the different potential exposure areas for the company.

This will influence decisions about the team to be assigned, subject matter experts to be used, whether or not counsel needs to be involved and whether outside forensic analysis or other outside resources will be needed, he says.

“Once you identify the risk areas the company faces you might be able to determine the subject matter experts who have expertise in a particular,” says Tompkins.

“You want to make sure that the portfolio of investigators you have is capable of covering the waterfront of risk areas that you might encounter.”

Preservation, Documentation and Disclosure

Evidence preservation should be included in the policy, as well as retention policies and IT policies.

But most importantly, the documentation guidelines should be clearly outlined. And sometimes that doesn’t mean that every aspect of the issue needs to be documented in detail.

“The degree to which an investigation is documented depends largely on the incident,” says Tompkins.

“You might not want a lot of documentation - especially at the beginning - because you don’t know which way it’s going to go and you don’t want to commit to a particular narrative in writing which could be not the real story and then you have to explain away all the things you wrote.”

Once your report or incident has become a full-fledged investigation, however, your policy should dictate the need for accurate and detailed documentation to ensure you are covered if your process is ever questioned.