Published in Asian-mena Counsel: Sanctions & Investigations Special Report 2019
How to respond effectively and recover from disruptive investigations, by John Macpherson and Tung Jung Tan of Control Risks.
Investigating allegations of compliance breaches is an expensive affair. Employee and third-party malfeasance remain a costly budget item on P&Ls across Asia, whether it is corruption or fraud; conflicts of interest; data breaches or IP theft; sanctions violations; or allegations of ethical and behavioural misconduct.
While companies account for direct costs — forensics and data analytics, legal and consultancy fees, in-house resources and time — for many, capturing the true cost of investigations remains unknown. Indirect costs, which can include interruption to customer relationships, disruption in the supply and distribution chain, loss of productivity, loss of market share and significant reputation damage, are often not realised until after the investigation. They are the costs of implementing investigation outcomes; of terminating employee contracts; of finding new third parties, of having to rebuild relationships with customers; or finding new ways of differentiating from competitors. The simple fact is, even investigations that do not end up getting an unexpected knock on the door from corporate regulators are a business disruption. In some cases, they are an uncontained crisis — a potentially debilitating incident percolating under the surface of normal business operations.
Thankfully, borrowing from crisis management and business continuity methodologies when conducting investigations, can make indirect costs and reputation damage more controllable. The time it takes to recover and revert to normal business conditions is faster. This means your business becomes more resilient. The approach below, refined over many years of combining crisis management expertise with investigations teams, is how to achieve maximum resilience during your investigation.
Have clear objectives
A generic investigation plan would be something like: “Confirm the scope of the investigation; identify, collect and preserve evidence; review and analyse data and documents; conduct transaction testing and interviews; ascertain the veracity of the allegations being investigated.” But when you overlay this with broader risk-based objectives, such as “ensure continuity of business operations and conditions, protect key stakeholder relationships, assets and reputation”, you are compelled to take a holistic approach to a business-wide problem. Conducting the investigation becomes part of preparing for, and recovering from, a potentially costly business disruption.
Consider the case of investigating a key supplier for conflict of interest and fraud (a problem of increasing frequency across many parts of Asia), where there is a likelihood that you will move to terminate contracts of employees and the supplier at the conclusion of your investigation, taking the appropriate action against a grievous compliance breach, but also threatening the continuity of a critical supply chain.
By focusing on minimising operational risks to the business as a key objective (in addition to your investigation objectives), you initiate a plan to identify the impact of losing a key supplier, or key employees, and you identify alternative suppliers and plan for additional resources in your supplier management team — the outcome of which is, you reduce the risk of falling short and bounce back faster to “normal business operations”.
Have a robust process
Following process is something we’re all familiar with in an investigation — but when your objective includes business recovery, there are a few critical extra steps that help build resilience into your process. They are (i) scenario planning and (ii) risk assessment.
Scenario planning, conducted early in the investigative process, forecasts how the outcomes of the investigation might affect operations and reputation. For example, in an investigation of significant embezzlement by a senior executive, one of your initial scenarios may be “disgruntled executive influences government officials to delay licensing approvals”. Early identification of this as a possibility allows you to implement preventive measures early on.
As you near the end of the investigation, scenario planning becomes formal risk assessment, where you can, with greater certainty, measure where the business might be vulnerable, assess the likelihood and impact of key critical scenarios, and ensure you are prepared to react.
Governance is important
Governance is always important in investigations and putting a clear governance structure in place for complex investigations is a critical step in risk prevention. In many of our complex investigations, particularly when they involve regulators, and even more so when those regulators operate in some of the more opaque regulatory environments throughout Asia, we are working with a project team that includes not only compliance and legal, but IT, HR, government relations, security, communications and media. It involves extensive liaison between local operations and headquarters, not to mention coordinating the plethora of external advisers, forensics and data experts, and legal experts. Each function will have critical tasks to achieve to minimise business risk. Clearly defined parameters, objectives (aligned to broader objectives) and reporting lines for each “work team” is paramount; knowing who the ultimate decision maker is and what can be delegated is essential. Disciplined project management, control of information flows and operating in a secure environment are indispensable components of a well-run crisis-investigation team.
Hope for the best; prepare for the worst
The risk of politicised regulatory enforcement across parts of Asia is high. What started as an anti-corruption campaign in China, targeting foreign companies in the healthcare and automotive sectors, is now a full-scale weaponisation of regulation across parts of the region. While “dawn raids” are part of the regulator toolkit the world over, the opaque nature of enforcement means that there are not always the same legal protections that we might otherwise expect. So when a regulator comes knocking on your door, it can be a political issue just as much as it is a legal one.
The aim of a regulator in a dawn raid is to catch you by surprise. Such raids are often designed to generate fear to ensure that you comply as quickly as possible. They can range from a small-scale raid on a local office, to be highly coordinated across multiple locations. Regulators may take evidence and documents — sometimes without warrants in place, image computers and servers, or interview and intimidate large numbers of employees. In a worst-case scenario, they may compromise your system, detain your management team, and your entire business grinds to a halt.
How you are prepared to respond in those first minutes, hours and days is a critical issue for companies. How you respond affects your ability to negotiate outcomes, protect your reputation and employees, and keep key business functions operating and ultimately ensure a quick path to recovery.
The top three things you can do to prepare for regulatory enforcement are:
• Know your regulators
Anti-corruption, anti-competition, environmental protection, food safety, tax evasion and data privacy have all been subject to aggressive regulatory enforcement. Establishing a nuanced understanding of regulators that are enforcing the rules in your sector, their goals and motivations and modus operandi and where decisions are made, is essential preparation.
• Treat whistleblowers, disgruntled employees and third parties very seriously
Whistleblowers and disgruntled parties are often a trigger for closer scrutiny by a regulator, but can be overlooked as a nuisance, having an agenda and an axe to grind. Many regulatory investigations in some key markets across Asia are initiated by whistleblower complaints. It is therefore important to look beyond the veracity of their claim at the broader risk to the business they might pose.
• Have a plan
The first hours are critical — who you are going to notify, how you need to escalate, how to secure documents and evidence, the team you need to form are all central issues that you need to prepare, plan and train for in advance of a real situation. Dawn raids are highly stressful situations for employees; it is essential to war-game your most likely and worst-case scenarios with those employees likely to be involved in a real-life raid situation.
Have an eye on the future
Finally, resilient leaders in crisis are always looking to, and planning for, the future. It is a key component of recovery. Here’s a noteworthy example: a company suffering through the early days of a highly politicised and extensive regulatory investigation into corrupt activities, whose operations had ground to a halt, whose market share was rapidly diminishing (in a high-growth market) and whose reputation was taking a severe beating, established, early on, a “recovery team”. Knowing they would come out of the investigation in 18 months needing a different business model, a more compliant way of operating, a new management team and a different proposition in the market, they began work on that immediately, thereby improving their recovery time by years, bouncing back after a critical incident, stronger, faster, better. That’s resilience.
E: john.macpherson@controlrisks.com
E: tungjung.tan@controlrisks.com
Click Here to read the full issue of Asian-mena Counsel: Sanctions & Investigations Special Report 2019.