The phone rings and your company's general counsel (GC) is on the line. She tells you an employee has reported potential wrongdoing within the company that may implicate the board or senior management. You do not know whether anyone outside of the company — including the government or the media — is aware of the allegations. Your GC has ideas about what to do next but wants your advice. What do you say?
This scenario has become more common in recent years as regulators have increased focus on corporate compliance and worked to strengthen punishment for wrongdoers. Thus, the board must take great care in these situations. An internal investigation can help the board understand legal exposure, mitigate potential risks and prevent further wrongdoing, if it exists.
Assess the situation and gather the right team. The first step is to understand the allegations. What happened? When and where did it happen? Who was involved? Is the alleged conduct possibly ongoing? Who else may know about it? What is still unknown?
Pursuant to In re Caremark International Inc. Derivative Litigation, a board must ensure that the company has information and reporting systems that are reasonably designed to provide “timely, accurate information” sufficient to allow management and the board “to reach informed judgments concerning both the corporation's compliance with law and its business performance.” More recently, in the unanimous Marchand v. Barnhill decision, Chief Justice Leo Strine Jr. noted: “If Caremark means anything, it is that a corporate board must make a good faith effort to exercise its duty of care. A failure to make that effort constitutes a breach of the duty of loyalty.” Thus, when significant allegations of misconduct arise, consider forming a special committee to investigate the allegations, especially in cases where:
- Directors and/or senior management are implicated.
- Directors are otherwise conflicted.
- The issue is too large for management to handle.
- The government is investigating the allegations.
The board should ensure the committee is independent and investigates reasonably and in good faith.
Next, the full board or special committee must decide whether the company can (and should) conduct the investigation on its own. If the matter is isolated to line employees or consists of common personnel issues, the GC may be able to conduct the investigation with the human resources department. On the other hand, certain conditions may dictate the need for external assistance. For example, does the organization face legal exposure? Was the alleged misconduct widespread? Could it significantly affect the business? Were shareholders impacted? Is the government investigating? If so, the company would benefit from the help of outside counsel. Law firms — especially ones that do not represent the company on other matters — will be viewed as independent and objective. This independent objectivity will help assure outsiders — including regulatory bodies, the media, the public and the company's auditors — that the company handled everything responsibly and did not try to cover up misconduct. Additionally, attorneys who specialize in internal investigations have invaluable experience, training and resources at their disposal to conduct an investigation most efficiently.
Attorneys may not be the only external assistance required. For example, if the allegations involve financial misconduct, the company will need a forensic accountant to analyze financial records and internal controls. Alternatively, if there has been a data breach or other privacy issue, the board may need cybersecurity specialists to patch the company's systems.
Disclose. As your team is assessing the next steps, part of the immediate inquiry will be whether disclosures are necessary. There are two kinds of disclosures to consider: those required by law and voluntary disclosures beneficial to the company's business and reputation.
Depending on the situation, the company may be legally required to report the allegations to regulators. For instance, a public company must file an 8-K with the SEC if the investigation is material enough that shareholders would want to know about it when making investment decisions. There is significant time pressure in these circumstances, as companies must file 8-K reports within four business days of discovering the allegations. Public and private companies may also be subject to reporting requirements for certain violations under applicable law. The company's insurance policies may also require notifying insurers of potential wrongdoing immediately upon discovery.
Moreover, even if not technically required, voluntary disclosure may benefit the company in certain situations. For example, if the allegations are already known outside the organization, a short initial public statement may help lessen media scrutiny and assure shareholders and customers that you are responsibly addressing the situation. As discussed further below, other disclosures may be advisable after concluding the investigation.
Importantly, whether disclosures are mandatory or voluntary, all disclosures must be complete, accurate and timely. Adversaries and the public will jump on any misrepresentation or unreasonable delay, which could damage the company's business and reputation and create additional legal risks.
Investigate thoroughly but efficiently. Effective investigations must be tailored to the allegations and the unique circumstances of your organization. From the outset, the board and counsel should make clear directions and plans. The investigation should be organized — approach it in phases, make deadlines and stay on task. It should be thorough but not so broad that it would prevent you from identifying and resolving the primary problems in a timely manner. Losing focus will also increase costs and the risk of informational leaks.
As soon as you learn of the allegations, ensure that there is a companywide hold on communications, documents and data, and work with IT to preserve all potentially relevant information. Next, review these materials and interview all company personnel who may have knowledge of the situation. As this situation is unfolding, be careful about your own written communications. While most senior managers and directors understand that their more formal communications (such as memoranda and emails) may be reviewed and become public at some point, others often fail to comprehend that more informal communications about the situation (including text, Teams, Slack and WhatsApp messages) may also become public.
Most importantly, maintain the company's attorney-client privilege. Attorney-client privilege protects communications between a client — individual or organizational — and their lawyer made for the purpose of seeking or obtaining legal advice or services. Do not presume that all communications with in-house counsel will be privileged. Indeed, some courts are more cynical about such communications because they may be viewed as more about business or compliance activities than legal advice. Communications with law firms hired for the purpose of providing legal advice regarding this internal investigation would provide a greater degree of privilege protection.
Analyze the consequences and respond. After reviewing the facts and learning the nature of the misconduct (if any), identify and analyze the risks the company faces based on the updated information. Two common risks at this point include litigation and public scrutiny.
Depending on the allegations, federal or state governments could commence criminal action. Regulatory bodies may seek penalties for civil violations. Angry shareholders could file direct or derivative securities cases. Business partners could seek recovery if contracts were broken. Employees who were mistreated could seek compensation for their injuries. It is important to prepare for all litigation possibilities.
To fend off criminal penalties, assess whether to self-report any violations to the Department of Justice (DOJ) or other applicable agencies. Prosecutors consider an organization's cooperation in voluntarily providing all facts relating to misconduct when deciding whether to bring charges and the severity of the penalties. Self-reporting has real risks, however, as it could waive privilege or create a roadmap for potential civil plaintiffs.
Handling potential scrutiny from the media and public will also be critical. Working with its communications team, the board should demonstrate the company's commitment to fully investigating the allegations and cooperating with authorities. Avoid making strong public denials or pronouncements of innocence before the investigation concludes, as doing so could rile the public against you or provoke the government to investigate more vigorously. Taking the right public approach will keep other stakeholders — partners, clients, consumers, vendors and others — committed to working with the company and prevent you from losing business.
Remediate the situation. Now that the board understands the allegations and potential liabilities, address any wrongdoing you uncovered. This may include the discipline (including termination) of certain employees or vendors, as well as the institution or revision of internal compliance policies and controls.
Moving forward, DOJ officials have said their prosecutors strongly consider an absence of compliance controls in their investigations and assessment of penalties. Therefore, you can enhance and invest in your company's compliance and ethics programs today to prevent future violations and, if they do occur, mitigate penalties.
The board and senior management should incorporate compliance and ethics into the company's culture. Specific actions include:
- Providing compliance and ethics programs with adequate resources (human and financial).
- Empowering compliance personnel with direct communication lines to the board and senior management.
- Holding regular trainings targeted to employees' roles (i.e., not a general training inapplicable to many attendees).
- Aligning employee compensation and incentives with ethical outcomes.
- Increased and/or improved audits.
Employees follow examples set by company leaders. The board's oversight of an internal investigation with the appropriate responsibility and care can ensure the best outcome for the company, shareholders and employees.