SIGNIFICANT EVENT INVESTIGATIONS - IMMEDIATE ACTIONS

As mentioned in a recent post on LinkedIn, a significant part of our practice here at Heminsley is in undertaking investigations into employee wrongdoing or advising on them. Over the last 25 years we have undertaken a vast number of employee investigations ranging from discrimination and significant data privacy breaches to fraud and bribery & corruption. And we’ve done that across a wide range of organisations, ranging from regulated industries such as financial services, insurance and law firms through private sector organisations in the manufacturing, construction and retail industries, to the charities and public sectors, acting for a wide range of public bodies. Often such investigations commence with a whistleblowing event. This is the first blog in what will become a series of such blogs designed to help you to navigate the jeopardy of a significant event and the ensuing investigation.
We are big believers in starting at the start and considering things in a logical fashion, so this blog focusses on the immediate actions you should consider on receipt of evidence that there has been a significant ‘event’ that might need investigation. You’ll spot the common theme in this, but one that is very often not given due consideration: the protection of evidence at the very outset. The success or otherwise of an investigation will often rest on the crucial early steps set out below:
- Protect the evidence – unless you have a contractual obligation to do so (and even if you do, take legal advice on that) consider giving the suspect as little warning of the investigation as possible.
While it’s not our place to provide legal advice when acting as independent investigators (quite apart from anything else because such advice is unlikely to be protected by legal privilege and in cases like these it can be important to protect such communications, more on that in a future blog), we often find that long before an employee investigation begins the key suspects have been made aware that the issue has come to the attention of the organisation. This can lead to the suspects introducing a range of problems designed to hobble the investigation ranging from the individuals simply going sick and refusing to engage with the investigator all the way through to evidence and witness tampering. As a result, you should consider how much investigation can be done before the matter is expressly brought to the attention of the individual. Consider also whether a suspect or key witness should be ‘ambushed’ and at what point in the investigation. Always consider whether suspects should be suspended and when
- Protect the digital evidence – ensure no-one is able to delete evidence held on an IT system. If an individual may hold evidence on a portable device rather than on the organisation’s server, that may mean having an image taken of a laptop or company phone so that evidence may be explored down the line. You may choose to have a technical reason for the device to be returned to IT for a short time (just long enough to have it imaged) before any sniff of an investigation gets out to the wider organisation.
In, for example, discrimination or lesser misconduct cases it may be enough to simply ask your IT team to provide support on this, but if the matter is a very significant event which may place the organisation in wider regulatory or legal jeopardy, it may make sense to engage an external forensic IT consultancy to head off any argument that evidence has been corrupted and to provide chain of custody support.
In one case in which we acted for a global law firm it was decided early on that we would undertake witness interviews on their premises and recordings would be uploaded directly into their system for transcription without leaving the building. Unfortunately, that firm’s transcription team failed to retain copies of the recordings which were deleted by on delivery of the transcripts. When the regulator later required disclosure of the original recordings, they were unable to provide them. This hammers home how evidence can be at risk even where actions are entirely innocent.
- Protect the documentary evidence – ensure the suspect isn’t able to remove paper files which might contain evidence of guilt.
In this digital age it’s easy to assume that the key evidence will be held digitally, and probably on the organisation’s servers where it will be easily accessible. Often, however, key contemporaneous evidence is held on paper, whether that is on a signed expenses form or a scribbled note in the day-book of a middle manager. We’ve had cases where a suspect has been tipped off about an investigation and has shredded expenses forms and others where individuals have stolen their manager’s notebook to ensure key evidence against them cannot be found. Think how such evidence can be protected at the outset.
- Protect the witness evidence – ensure that suspects aren’t able to tamper with witnesses.
There are a range of things to think about here. If, of course, the key evidence in the investigation is likely to come from witnesses rather than documentary evidence it is very important that the evidence obtained is free from witness tampering. While it may appear simple to tell witnesses not to engage with the subject or, indeed, not to tell anyone that they have given evidence about the matter, if there is a concern that witness tampering might occur it may be helpful to ensure that evidence is obtained before the suspects know that they are in the frame. That may, of course, be complicated where the witness is a friend of the suspect though even that problem can be avoided if, for example, you have some form of leverage you can exert to encourage witnesses to engage honestly.
Often the client has fallen down some of these manholes before we are even instructed. Where, however, we are involved at an early stage we can help to plan the investigation to mitigate the kinds of risks mentioned above. As an example of this, on one occasion our client, a FTSE 250 with global operations, received a tip off from an anonymous whistleblower that the Managing Director of their Asia Pacific operation was ‘on the take’. The whistleblower provided documentary evidence including bank statements.
While we flew to Asia our team organised a forensic IT consultant not only to sandbox copies of key email accounts on the server but were given entry to the office of the MD to collect his laptop which he left in the office overnight. At the same time the Chairman of the Company messaged the MD to say he was passing through on holiday and he had booked a meeting room at the airport for a catch up with the MD. Of course, when the MD arrived, he was met not by the Chairman but, instead, with our investigator bearing a letter saying he was under investigation and instructing him both to engage and to hand over his work mobile phone.
During the course of the meeting that followed the MD, realizing on sight of the evidence that the game was up, provided a long narrative of his own wrongdoing including fraud, bribery and anti-competitive behaviour. The evidence he provided, including his unlocked work mobile phone, when he felt he had nowhere else to go, led the investigation to unearth yet further evidence of wrongdoing and to the identity of his accomplices. This allowed the Company to deal robustly with the issues and to ensure that the rot was cleared, root and branch, from the organisation.
Taking the above steps on notification of an ‘event’ is likely to ensure that the investigation findings are robust enough to be relied on in future action, whether that is a report to the regulator or simply achieving the best outcome for your organisation.
If you’d like to speak to a Heminsley partner about an employee related ‘event’ or need an independent investigator to support your organisation please feel free to drop us an email or, if the matter is urgent, pick up the phone and give us a call.