Control Risks has conducted due diligence and investigations on behalf of many of the world’s largest companies. With regulatory bodies and law enforcement agencies collaborating in a world of global business and data, organizations often find that regulatory issues increasingly demand investigations of radical scope, often disrupting business as usual. With these large-scale investigations making headlines, Charles Hecker, Senior Partner at Control Risks, sat down with members from our global investigations team to find out what it’s like to be on the front lines of one of these large-scale investigations.
Global regulatory cooperation is becoming the norm:
- Rolls-Royce agreed to a $800 million global resolution with authorities in the United States, the United Kingdom and Brazili.
- The SEC worked alongside the Department of Justice Criminal Division’s Fraud Section, the Federal Bureau of Investigation, the Brazilian Federal Prosecution Service and other local agencies in the investigation into Petrobras which resulted in nearly $1.78 billion in penalties and disgorgementii.
- In 2017, Singapore’s Keppel and U.S. based subsidiary agreed to pay $422 million in penalties to authorities in the United States, Brazil and Singapore to resolve a foreign bribery caseiii.
It’s happened.
The abyss is in front of you. The earth has opened up, ready to devour your company or your client.
Three letters have come to get you. The DOJ. The SEC. The SFO. The CSL. Worse yet – an insider has fleeced your company of something with seven zeros on the end.
The results are all the same: you’re under investigation.
These days this most likely means you’re in trouble in more than one place: multi-jurisdictional investigations are more than ever the norm, rather than the exception.
Over the course of a multijurisdictional investigation, companies discover what they are made of. Some companies will be resilient – they are prepared with comprehensive compliance programs and have the information and the resources they need to respond to regulators. Others will sustain serious damage – the rot will be too deep, the response too chaotic and, in the end, the penalty too big.
What makes the difference?
To survive a comprehensive international regulatory investigation, companies need to be able to do several things successfully, all at the same time. They need to be crisis management experts. They need to manage oceans of data. They need to control for the role that unpredictable or rogue employees may have played. They had better take politics into consideration, too. And, as much as is possible, business needs to continue.
Back when regulatory investigations were more simple affairs, their effect on a company was often likened to throwing a pebble in a pond. There was always a ripple effect, but it dissipated.
Those days are over. Data has changed the science of investigations, bringing systemic issues to light in a faster and more defensible way.
Given this, it is perhaps surprising - in an age where everyone is talking about data - that most companies have no idea where all their data is. And many of them don’t know who to ask to find it.
The crisis hits
As an investigation gets underway, here is what usually happens first: things go wrong and a company can quickly feel like it is facing an existential threat. Andrew MacIntosh leads on forensic and technology solutions for Control Risks’ Asia Pacific investigations team. He witnessed the chilling effects of a three-year regulatory investigation in China:
“I saw first-hand what this investigation did to the operations of our client’s business. It fundamentally destroyed them: sales dropped by 90% from the start of the investigation. Mass disruption. Mass confusion. And everything else. They had underestimated how hard the regulator would come at them and how that would impact their core business.”
This is not uncommon.
Companies are not designed to wage a multi-front battle with multiple agencies or manage a massive internal investigation. They tend to default to operational reporting structure, rather than empower an investigative panel that has all the required components. Too often they are overly deferential to the reporting structure that existed prior to the crisis.
Companies can pivot to combat mode, with the help of special functions and structures, but that shift requires overriding so many organisational instincts that it doesn’t always work.
“Being able to do these things on multiple fronts is one of the hallmarks of a successful investigations response,” says Greg Esslinger, Control Risks Senior Partner and Head of Compliance, Forensics and Investigations in the Americas. “Multi-cultural, multi-legal and multi-geographic issues require a great deal of dexterity on the part of the company. It’s the ability to transcend operational structure into an overarching approach to investigations. The more a company gets caught up in their operational structure, the slower it will be and the less likely they are going to respond quickly enough to a potential prosecution.”
If the message isn’t yet clear: there is a lot to get right, exactly right, when an investigation lands. Writing at the end of hurricane season, the metaphors are front of mind; the success of a recovery from an investigation hangs on a company’s level of readiness. This is a lesson learned from decades of crisis management. Readiness, response and recovery sit on a strategic continuum.
“We’ve been having a lot of conversations about moving clients from a reactive posture to a position where they can become strategic,” says Michele Wiener, a Senior Partner in Control Risks’ Washington DC office and Head of Regulatory Risk and Investigations.
“You have an investigation that starts in South Africa and then moves to Vietnam and then it’s in Indonesia, then the Middle East. The pace can be very destabilising. When you’re in it, you can’t suddenly become strategic,” adds Wiener.
Companies don’t have to be reactive; they can have a plan. If they assess their risk up front and understand their data sources when an incident happens, there will be a wobble, but there will be a plan.
Read the article A crisis of compliance: How to respond effectively and recover from disruptive investigations by Tung Jung Tan.
Kiss today goodbye
Part of pivoting to crisis management mode also requires companies to accept that something has gone wrong, and perhaps in more than one location. They have to resist the temptation to minimise the magnitude of what’s happened. A company may think it has a vested interest in making the problem seem smaller or limiting its scope, but it can’t do that and simultaneously demonstrate it is taking the investigation seriously.
To underline this point, in April 2019, the US Department of Justice (DOJ) published new guidance for corporate compliance programs which suggests that corporations conduct a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement actioniv. And if the company wants full credit for cooperation under the sentencing guidelines, they must do so and implement remedial measures to address the root cause(s).
Back to the crisis: what happens next is that business as usual becomes a concern. The business will have to convince the market that the investigation will not disrupt its ability to execute on operations. The most valuable outside advisers are the one who assist the company’s preparation for a response to regulators while allowing the organisation’s core operations to continue with minimal disruption.
“These investigations don’t happen in a vacuum. We understand that companies cannot shut down everything else that is going on in order to deal with these matters. There are processes under way that are as important – if not more important – than the investigation,” says Esslinger.
Learning from Brazil: international cooperation
“International investigations have been around for a while,” says Geert Aalbers, Senior Partner in Control Risks’ Sao Paulo office and Head of Brazil and Southern Cone, who has led on several of the largest regulatory investigations in Brazil.
“What’s really different now is multi-jurisdictional enforcement.”
In other words, you know you’re in trouble when all the agencies investigating your company start texting each other.
“There’s this new level of intimacy in international investigations,” continues Aalbers.
“The frequency of the collaboration and the information exchange – investigators are sharing methods, sharing text messages, WhatsApp-ing each other. With formal and informal communication, it’s become a global enforcement community.”
Even by 2016 more than 40% of the resolutions in US foreign bribery cases involved co-operation with foreign law enforcement agenciesv.
This trend has only strengthened as the global economy becomes more interconnected and data sources supercharge the ability to investigate malfeasance as seen with the Electrobras investigation. Regulators and enforcement authorities from different countries are becoming more collaborative on their approach to fight bribery and corruption: the OECD Working Group on Bribery currently has 44 member parties. Corporations and their counsel should take note and be prepared for the possibility of an isolated investigation snowballing into a multi-jurisdictional matter. The possibility of facing multiple prosecutions and regulatory disclosures is very real.
“The calculus for companies has completely changed,” adds Aalbers. “A big scheme like ‘Car Wash’ involves people in many different countries, even if the case itself is in Brazil.”
With that, data proliferation, and the rules and regulations that have followed, comes into consideration. Corporate investigations are now a data management minefield. As laws in this area grow increasingly complex, investigations teams need to understand what is permitted and what is not, and need an up-to-date assessment of the legal, political and cultural context. The technical capabilities of a digital forensics team must be augmented by sound legal strategy around data privacy and protection, particularly when approaching cross-border investigations. (Read more on this topic here.)
As Wiener notes above, large-scale investigations start in one country, and go viral from there. “Companies run much more risk that something else gets uncovered somewhere along the line. It’s not a self-contained system that a company keeps. Records are everywhere. You can’t control the information flow anymore.”
Apart from data considerations, this new, metastatic threat has two critical by-products.
First, avoiding reputational risk becomes a game of whack-a-mole. Companies genuinely have no idea where their brand might be slated for demolition. The difficult part, especially if you’re sitting in HQ, is that the threat is often outside your home market.
Second, the multi-jurisdictional nature of investigations now poses an age-old question even more acutely: where, when and to whom to make a disclosure.
“Companies in Brazil have been struggling with this for quite some time,” says Aalbers. Other companies are just getting used to this. “What kind of guarantee do you have that another regulatory body won’t prosecute your company later?”
This complexity tends, ironically, to discourage disclosure in the first place.
“When you go for disclosure, you want to have a reasonably good idea what this ultimately might mean,” Aalbers said. But a disclosure in one jurisdiction runs the risk of setting off a global chain reaction. “Companies are feeling very insecure on this front.”
The only thing companies can do – or the best thing companies can do – is investigate exhaustively to discover the true geographic extent of the damage. Then plot their disclosure strategy.
Data is what people do
“In 13 years of doing this, I’ve learned that I understand data better when I understand human behaviour. With data, there is always the interface with human beings. The data is a reflection of human contact – people create it.”
That’s Wayne Malgas, a Partner in Control Risks’ Johannesburg office and Head of Fraud and Business Intelligence for Southern Africa.
Malgas is not making a plea for everyone to begin studying the human mind. It is, however, a suggestion that data becomes more powerful when it is backed by strong intelligence.
From intelligence comes a risk assessment and with that, the team knows what sort of data to look for. Intelligence is also the key to filtering out data that is malicious with intent.
“There are people who leave digital footprints to confuse and obfuscate,” adds Malgas. “It’s a new theatre for engagement. Data is not sacrosanct. Data can be used; data can be abused.”
It doesn’t have to be like this
Companies can do much to reduce the pain of a large-scale investigation. It’s still going to hurt, but difference between a strategic response and a scrambled reaction is immeasurable in terms of its effectiveness and the company’s chances of recovering at the end of it all.
Pivoting to face a crisis:
- Educate regional and local management on the needs of an investigation (data, documents and people) and the urgency of response.
- Create and embed a structural system of data management that will allow the business to acquire, capture and analyse enormous amounts of data quickly. It’s best if this is done proactively, but in a crisis or at the outset of an investigation, data preservation and collection should be a top priority.
- Appoint regional coordinators to help organize locally but as part of a broader response team that is cross-regional and cross-functional.
- Have a team of internal and external investigative resources that can respond quickly. Put simply: know who to call.
- Make sure that team is closely aligned with the company’s geographic footprint and company structure.
- Consider how a major organizational change such as an acquisition might impact an investigation and make sure the integration process accounts for that from the beginning.
It’s never too late to try and improve
As is the case with many things in life, no one can describe the pain of a large-scale investigation. You have to feel it for yourself.
“The stories sound outrageous, but they are the reality of large investigations. There isn’t one without it all – sex, drugs and rock-and-roll. I can tell you the war stories, but until you’ve lived it, you can’t understand it,” comments Wiener.
It’s hard. It’s expensive. And the payoff may never come. But it’s a calculation that, sooner or later, rests on the value of a reputation. “Reputation is a hard thing to protect in the marketplace,” says Wiener. “You can’t generate profit without it. These plans are the only measure to protect that commodity.”
No compliance program is bulletproof – all things being equal, the regulators are often much more concerned about what a company did when it discovered a problem than they are about why it occurred in the first place. The importance of rapid and thorough response and remediation cannot be stressed enough when facing a regulatory issue. As an example of this working in a company’s favour, the SEC recently limited French pharmaceutical company Sanofi’s civil monetary penalty, highlighting their cooperation in the investigation. It’s never too late to show intent and set things on a path of improvement.
Read the article Closing the loop – Compliance program assurance by Michele Weiner
ABOUT CONTROL RISKS
Control Risks is a specialist risk consultancy that helps create secure, compliant and resilient organizations. We believe that taking risks is essential to success, so we provide the insight and intelligence you need to realize opportunities and grow. And we ensure you are prepared to resolve issues and crises. From cross-border investigations, high-profile monitorships, complex disputes, a cyber breach, or compliance and risk mitigation strategies, we’re proud to be trusted advisers for our clients and their legal counsel in solving matters securely and efficiently.
With 3,000 professionals in 36 offices and on-premise and cloud data centers throughout the globe, we can handle everything from the most challenging assignments involving electronic data and evidence to delivering meaningful intelligence on a prospective investment, business partner, competitor or adversary in litigation.
Control Risks was recognized as one of the leading Investigations Consultancies of the Year by the Global Investigations Review (GIR) in 2019 and within the Best of Corporate Counsel 2019, across 10 categories, including:
Author
You may also be interested in