A recent article in Corporate Counsel raises some interesting points about the nature of governance risks and specific ways that corporate legal organizations can protect themselves against these risks. In my view, the most interesting observation from this article is that the biggest risk factor for general counsels in this area isn’t what they do or fail to do before an adverse incident occurs, it is what they do or fail to do after an incident occurs.
This emphasis on what happens after an adverse event reflects the typical role of legal counsel in the governance and compliance function of a large complex enterprise. Quite often, it is the general counsel that is asked to lead such investigations, manage the appropriate response, and report relevant findings and actions to senior management and the board.
The importance of this role can be observed quite clearly in two recent high profile FCPA incidents in the US. By accounts of the US press, when Wal-Mart’s executive team was faced with the decision to investigate openly and self-report a purported violation of the FCPA, they chose to try to hush the investigation and firewall the damage. As we have seen since this story broke, the financial and reputation impacts of this decision have been staggering. Conversely, when MorganStanley was presented with a similar situation, they opened a transparent investigation, self-reported the alleged incident to DoJ and the SEC, and cooperated with their investigations. This response was referenced by the Department of Justice as one of the factors that led them to decline prosecution of MorganStanley in this incident.
Clearly, how counsel handle a potentially adverse incident can be critically important in the final impact of that event. Some things to keep in mind when planning your response and responding to incidents:
- Have a mechanism in place for the investigation to remain independent. Especially before all of the facts are known, undue influence from stakeholders can be subtly exerted so as to undermine the investigation, sometimes without the knowledge or intent of the investigator. When high risk indicators are present (e.g. Alleged involvement of senior executives), take additional steps to maintain the independence of the investigation.
- Maintain a knowledge base of your organizations experiences with similar types of investigations. Where possible, have best practice definition of your preferred response procedures to likely, frequent incident types.
- Track incidents and related investigations across your organizational silos, so that you can see patterns and trends that might not be otherwise apparent.
- Have clearly defined roles, responsibilities, and accountability and information boundaries in your incident response and investigations processes. This can not only minimize the risk of accidental disclosure of sensitive information, it can also minimize the risk of undue influence on critical investigative resources.
- Keep in mind the political maxim: It isn’t the crime it is the cover up that takes you down.
Here at Mitratech, we are proud that many of our leading client legal departments are using our incident management and investigations solutions to minimize these risks, helping to make their Office of the General Counsel the best-run function in their respective companies.