Conducting thorough corporate investigations: Don't get lost in the data
Conducting thorough corporate investigations: Don't get lost in the data
Technology has brought new life to the once onerous corporate investigation, uncovering cases of fraud, bribery, corruption and white-collar crime that might have been overlooked just a decade ago. At the same time, many aspects of corporate investigations remain unchanged. The key to a smart investigation that saves time and resources is to build on traditional methodology with the right mix of technology and human-led intelligence.
Corporate investigations are triggered in a variety of ways—abnormalities flagged through general accounting or compliance controls, whistleblowing, government intervention and civil litigation are just a few.
It is critical that an investigation be thorough in order to understand what happened, contain the impact, identify a path to recovery and, in some cases, minimize regulatory fines and intervention. But what do we mean by “thorough”?
Ever-increasing data volumes make this a difficult question to answer. The need to preserve millions of documents, which must then be processed, filtered down and manually reviewed, is now a routine part of almost every investigation. The Serious Fraud Office in the UK has publicly referred to a recent case that involved more than 40 million documents. Carrying out a thorough investigation on such a large document population often involves knowing what not to review as much as what to review. A strategic investigative approach is needed, which optimizes resources by focusing on the information that matters most.
While there is no one-size-fits-all approach, there are certain steps you can follow to ensure that an investigation is thorough and that the right evidence is collected. This enables you to assess and remediate potential issues and demonstrate proper protocol should there be regulatory intervention. Based on our experience conducting complex and technically challenging global investigations, we advise clients to follow these standard principles:
1. Take a step back and assess. The outset of an investigation is often a period of high stress, maximum visibility across stakeholders and time-sensitive pressures. It’s important to maintain focus and strategic direction to avoid getting distracted by volumes of data and detail before you truly understand the scope of the issue at hand. We advise our clients to make a preliminary assessment to help frame an investigation plan. Initial information should answer questions such as: are you facing a contained and isolated issue, or could it be more widespread? Is the alleged misconduct currently happening and does it need to be addressed immediately, or is it a historical issue? Considering the full consequences for business continuity, possible regulatory issues and the potential evidence footprint will help formulate this strategic investigation plan and align the appropriate resources at the outset.
This is also the time to consider whether you should handle the investigation internally or whether external resources are warranted. If qualified internal resources are not available, if there is any indication of potential bias by internal resources charged with the investigation, or if a matter is likely to lead to litigation, regulatory or prosecutorial action against the company, an external resource can help preserve legal privilege. It is wise to retain outside consultants and in some case external counsel as this reinforces the independence of the investigation. External investigators will remain objective and may be able to gather more direct interview-based evidence than an internal resource might. Bringing in these resources at the early stages can help avoid potential missteps and pitfalls such as destruction of evidence or failing to preserve data to forensic standards. Obtaining advice on voluntary disclosure of wrongdoing can also frame the issue for regulatory consideration and begin to demonstrate cooperation with the authorities.
2. Prioritize and plan.Once you understand the big picture, you can identify and focus on your priorities. This might involve narrowing the investigation to a specific jurisdiction or set of custodians. It might involve prioritizing structured data analytics and transaction testing above interviews or email review. Or it could be about how rather than whom you investigate. For example, it is normal practice to apply the same review protocols to all custodian devices, but it is usually more effective to segregate the devices of key investigation suspects and subject these items to more in-depth analysis. In several recent cases, we would have missed crucial evidence had we not conducted more detailed analysis of key suspects’ devices. In some instances, this could be a review of all messaging related to an individual, whereas in others it could be searching for webmail fragments on an employee’s laptop.
3. Right-size your response.We often see costly and resource-intensive investigations that end up having no material impact on business decisions. Consider the potential outcome of an investigation before mobilizing. If you are investigating a regulatory issue, you would want to ensure maximum evidence gathering. For lower-stakes investigations, a phased approach might be appropriate, such as collecting and analyzing a population of initial evidence and then assessing what additional information is appropriate rather than frontloading your budget and effort. This could save significant time and resources.
In all cases, you should employ a mix of human-led intelligence gathering and electronic evidence gathering. When preserving digital devices, being thorough does not necessarily mean collecting everything. While the temptation might be to pick up everything that stores data, being more targeted in your approach is likely to yield the best results. Investigators are usually very careful to target which enterprise and cloud systems are in scope but often apply less discipline with physical devices. Investigations often involve looking for a needle in a haystack, so you need to be confident that the box of CDs in the store room marked “software” isn’t just making the haystack bigger.
4. Understand the local operating environment.Issues often arise in remote locations far from an organization’s headquarters. Nuanced views of realities on the ground are extremely useful during investigations or, in the worst case, during crisis management in connection with allegations of misconduct. Applying local-level knowledge enables companies to paint a more accurate picture of specific fraud or corruption dynamics. Combining this knowledge with a comprehensive map of various stakeholders, analyzing the likely paths forward and establishing strategies for managing these situations will help focus the investigation.
At the same time this local-level strategy helps companies stay informed about external developments that could influence how an investigation is likely to evolve and—crucially—how results will be received by key stakeholders (including authorities in the host country). Moreover, developing political risk scenarios will help identify potential pitfalls and prepare for worst case assumptions more efficiently.
It is essential to understand and comply with data protection and localization requirements. Data privacy regulations are often complex and vary by territory. You should consider whether moving data between jurisdictions might contravene regulations or create unnecessary risk. For more detail on the subject, please refer to our recent article on digital evidence and privacy pitfalls in corporate investigations.
5. Filter out irrelevant documents.If your time is occupied by manual review of clear false positives, you stand little chance of getting to the pertinent material. Now more than ever, use technology to filter out data that is unlikely to be relevant. An initial round of filtering should remove clearly irrelevant data, such as system files and identical documents. You can then cut down a significant chunk of the population by activating email threading removing near duplicates and using repeat content detection to eliminate redundant content. Every hour of reviewer time you save by removing duplicate material can be used to review more promising documents.
6. Use the latest technology to search for evidence.Traditional keyword-based reviews are increasingly outdated. They fail to mark potentially relevant documents as responsive, they flag huge numbers of obvious false positives and they ultimately waste time that could be better used elsewhere. A thorough review should use innovative technologies to identify documents of interest. Using concept clustering and keyword expansion technologies up front helps to gain an understanding of relevant topics before defining initial keywords. Machine translation should be considered on large multijurisdictional investigations that involve a range of languages. Text analytics and natural language processing should be used to understand the content of documents from the perspective of named people, corporate entities, places and how they are all related. And finally, technology-assisted review (specifically continuous active learning) should be considered on all investigations, because it identifies relevant material quickly, cuts time spent reviewing false positives, ensures that the review is broad enough and helps confirm that it is measurably complete.
With the proliferation of data and almost endless innovations in technology, expectations of thorough investigations have heightened. But the term “thorough” can mislead you into thinking that more is better. A strategic investigative framework can set the foundation for a strong investigation, right-size your response at the outset to maximize effort, ensure that the right evidence is preserved, account for regional nuance and focus your resources on what matters most.