January 1, 2025: Regular risk reviews…Initial steps

As I was conducting my annual New Years’ smoke detector inspection at home, it dawned on me that if it wasn’t for the New Year event-marker, I might not check them at all. Similarly, I have come to know that business risks are often left unattended until events strike - and then there is a whole lot of catching up to do on top of the crisis management itself. As such, I thought I’d offer some high-level thoughts, primarily for leaders of small and medium-sized organizations that may not have dedicated in-house compliance and investigative units. Some benefits may also apply for small investigative units and those that support them. 

It's one thing to be a start-up; it's another to keep thinking like a start-up when you no longer are one. Same logic applies for small NGOs, values and religious-based organizations, and enterprises of all kinds that employ staff, and utilize suppliers, vendors, partners, clients, or customers. Granted, it can be hard enough to remain mission-focused at times, but if you agree that insurance is fundamental, risk review and mitigation is essential. 

So:

  • When did you last assess your internal risks (even with a simple algorithm such as event likelihood x potential impact)? 

  • How robust is your Ethics and/or compliance program? ESG? 

  • Does your internal training program address ethics, fraud, security, whistleblowing, retaliation, relevant policies, rules, and regulations? Is the training mandatory for all organizational insiders (interns, volunteers, contractors, part-time and full time staff, executives, etc.), and provided at onboarding and annually? 

  • Is your code of conduct current, fully deployed - and certified or agreed to - by your insiders? 

  • Are you set up to field and adequately respond to internal complaints and concerns? 

Suffice it to say this list goes on. No points to calculate on the above “test” as organizations are different and nuanced. But answer them honestly, and consider what other steps you need to take to protect yourself and your organization. Don't postpone your risk assessment and never rely on luck, good intentions, or multi-tasking when it comes to risk reduction.

January 12, 2025: Other Duties As Assigned

Never ask an untrained employee to conduct an investigation under the rubric of "other duties as assigned." There's too much at stake. Unaddressed and/or inadequately attended internal administrative concerns such as harassment, retaliation, abuse of authority, and other conduct violations can quickly sap team morale and productivity. Insider and external fraud allegations must be handled expeditiously to ensure the overall well-being and integrity of your operations and the safety of staff, customers, beneficiaries, and other stakeholders - not to mention the protection of you and your company.

If your office lacks a dedicated investigation capability, there are ways nonetheless to accommodate this critical need in line with your resources and situation. Standing up a compliance/investigations office may make the most business sense. A better play may be to outsource a risk assessment or investigation. Sometimes, soundboarding is all that's needed initially. In any case, unless they are appropriately trained and experienced, asking your attorney, HR director, or head of cyber security to address such allegations is like asking a great car mechanic to fix a boat. They could do it - maybe do it well - but other issues may come into play. 

In some small and medium-sized organizations, multi-tasking and multi-hatting are how things get done. When it comes to certain corporate compliance requirements, that can work. “Legal” is often the shop that handles Ethics training and compliance issues, which usually works well. However, having your attorney or Legal office conduct an internal investigation is generally less optimal. For all the benefits and value-adds of a crack legal team, internal investigations should ideally be conducted by trained and experienced in-house or outsourced investigators. 

Why? 

In part, because Legal teams are often swamped and allegations should be addressed timely without pausing other important work. Further, Legal is often involved in recommending or even deciding what the administrative remedy will be once findings are in. If the legal team also conducted the inquiry, a perception (minimally) of conflict may attach. If an interview gets heated or emotional, say, or if any testimonial, evidentiary, or procedural steps are questioned, your legal team may find itself poorly positioned to offer the clean, detached counsel it ordinarily would. Moreover, in-house counsel teams are often inexperienced in fundamental investigative concepts, such as applying investigative strategies, plans, and when appropriate, stealth.

Dedicated investigators also bring a broad skillset to the task. Minimally, this should include the ability to:

  • Balance information gathering with a keen awareness of materiality; 

  • Apply investigative best practices across associated disciplines (planning, research, interviewing, evidence gathering, document review, source development, briefing, report writing);

  • Combine well-developed social/cultural consciousness and EQ with professional-level active listening skills; 

  • Offer competency in other relevant specialties - legal, audit/accounting, forensic/technical - and have resources available when expertise is required; 

  • Maintain an overarching focus on completing a fair, proportionate, and complete investigation. 

Your investigations team, internal or external, should coordinate with your legal team and leadership as appropriate. However, for most internal matters, Legal shouldn't investigate any more than your investigators should give legal advice. Options exist