Episode 2, Corporate Crime and Investigations: Reflections and responses to an investigation

Nathan:

Hello, I'm Nathan Willmott. I co-lead Ashurst's Global Investigations team, and I'm joined today by my fellow partners, Adam Jamieson, Julia Sutherland, and Matt Worsfold. Adam is a partner in our dispute resolution practice in London and specialises in representing financial institutions and their senior management in regulatory investigations. Julia is a partner in our employment practice in Perth. She focuses on employment law, industrial relations, and discrimination law, as well as work in the health and safety space, with particular experience of working with public and private sector clients on compliance with work health and safety issues. Matt is a partner in Ashurst's risk practice. He's an experienced data, technology and risk analytics leader with a great deal of experience in delivering large scale risk, regulatory and compliance projects.

Today we are going to focus on what comes after an investigation, the outcomes, remediation and follow on risks, and how lessons can be learned from investigations. We'll be focusing on regulated expectations of post investigation remediation, employee misconduct, the follow on risks, and the need for cultural change, and cyber investigations and how to learn from them. So I'm going to start with Adam. Adam, you do a lot of investigations in the financial regulated sector. I wonder if you could just talk us through how do regulated businesses reflect on and learn from investigations when they come to an end?

Adam:

Well, thanks, Nathan. I guess the starting point is the reflection and the response to an investigation, of course, depends on the outcome. And there are cases where if the investigation was unjustified or there aren't any adverse findings and it's discontinued, then the company, of course, can move on with often fairly limited impact. However, where there is an adverse outcome or issues are identified through the investigation process, then depending on the nature of those issues, there's a number of steps that companies regularly take. And I think that there's lessons to be learned both for regulated companies and unregulated companies from the themes that we see here. I guess first and foremost in the aftermath, certainly where there's been an external regulatory investigation, thinking about mitigating the risks of reputational damage arising from the outcome. Now that may involve engaging with PR, external PR consultants and just thinking about how the company's going to best position the issue and the steps it's taking to address it to the outside world.

Moving on from that, I guess one of the most obvious ones is implementing enhancements to systems and controls to prevent a reoccurrence of the issue. Following on from that, validating and getting often external assurance on the fact that actually we do now have a robust framework in place to deal with those types of issues. Now, often this type of work is commenced prior to the investigation concluding, but certainly if it hasn't been concluded by the time the investigation finishes, then it's going to be a priority for the board and senior management of companies. Associated with that, enhancing governance and oversight over controls and key risks. For example, new risk management forums, often more formalised with terms of reference and agendas and minutes. It could be clearer allocation of responsibilities for certain issues among senior management or clearer delegation down from senior management to middle management, for example, through updated role profiles or formal letters of delegation so that nothing falls through the cracks.

And then finally, and perhaps most importantly in terms of from a governance perspective, is any improvements to management information and escalation procedures, ensuring it's not too long, that it's produced in a good time, such that people can consider it, for example, before board meetings. Does it highlight the key risks and the KPIs that are most relevant?

Now, depending on the nature of the investigation, and I know we've talked in previous podcasts about non-financial misconduct, considering any cultural aspects to the findings and addressing those. For example, is training or better staff communication on the importance of certain issues required? Or does the performance management framework, remuneration structure, or disciplinary process need to change to address certain behaviours? It may be the case, particularly where there's been a detrimental impact or a loss to customers that there needs to be a past business review completed and a redress exercise to compensate customer losses carried out. That needs to of course be done fairly and comprehensively, may include a proactive customer contact exercise and engagement with external stakeholders like regulators in relation to how that ought to be carried on. And those type of redress exercises can be voluntary or imposed by regulators within the financial services sector certainly.

Rebuilding relationships with key stakeholders can be a key focus post investigation. That could be with shareholders, customers, clients, or indeed regulators. And that's something that from our experience, we often see senior management focusing on in the immediate aftermath of investigations completing. And then finally, defending litigation claims and thinking about mitigating and managing those types of litigation risks. And as discussed in a previous podcast certainly, following damages litigation is something we expect to see more of in 2023. So that's very much a live issue.

Nathan:

Well, that's a long list, Adam. You mentioned senior management. How important do you think the role is that they play in taking those steps forward?

Adam:

A really important role. They're expected to take the lead. It's this point around both accountability and also I think time from the top. They need to be able to demonstrate to internal and external stakeholders that the company and senior management and the board have learned from the issue and are taking the requisite steps to address it. And ultimately, if the steps taken following the investigation aren't adequate, then often what can happen is there might be increased pressure to make managerial changes and often that pressure will come externally.

Nathan:

That's really interesting. Thanks, Adam. Julia, I'm interested, does that focus on outcomes and learning lessons resonate with you?

Julia:

Yes, it absolutely does. I suppose I come from a slightly different perspective than Adam does, but in Australia there has been an increasing focus on investigations in the context of what I describe as respectful workplace behaviours. So what I mean by that are investigations into concerns around subjects like sexual harassment, bullying, discrimination, whether that be gender, race, or any other ground. And broadly, really exploring whether conduct has been engaged in by workers in a business which would be seen to be inconsistent with organisational values, codes of conduct and policy. These concerns in particular are now being seen through a work health and safety lens. And what that then brings with it is that we're really looking rather than seeing each investigation into conduct as a transaction if it were - so you look at that particular allegation, you deal with that, you implement outcomes on an individualised basis - we're really seeing organisations identify what trends arise from those investigation outcomes, with a view then to preventing that conduct from occurring at an organisational level.

Nathan:

Yeah, that's interesting. And how have you seen enforcement develop over the last year?

Julia:

Enforcement is increasing in the area. So as I said, if we look at sexual harassment or those sorts of psychosocial risk events through a work health and safety lens, which is now broadly accepted as a work health and safety issue in Australia, then that brings with it, different regulators. So we have a variety of work health and safety regulators in different jurisdictions in Australia, together with equal opportunity tribunals and commissions, each of whom are looking at these issues in different ways. But certainly our safety regulators are now actively looking to enforce the law in this area, and that might mean some form of prosecution activity or other enforcement action as well as taking an educative role in the area.

Nathan:

And I'm interested, where have you seen the focus on outcomes?

Julia:

It arises in a few different ways. I might just give a couple of examples. So one of the sort of outcomes we might think of as an outcome of the investigation process, which has been really highlighted in Australia, is thinking about the impacts that our investigation processes are having on individuals who go through that process. So if we think about those investigation processes through a work health and safety lens, one thing we're thinking about is how we minimise the impact of the process on those individuals. That might manifest itself in the language that we choose. So rather than allegations, we might say, "We have concerns that we'd like you to respond to." We're thinking about support for those people during the process. So that's one area.

As I said before, Nathan, that the other sort of real focus is on identifying those risk factors within organisations so that you would look at the particular areas in which this conduct occurred, identify those risk factors, and then take that information and use it in your risk assessment to understand what control measures you have in place to either eliminate that conduct from occurring or minimising it so far as is reasonably practical. And it's fair to say in Australia now, there is such scrutiny on these particular issues that these are conversations that are being had at board and officer level. And so getting that trend data is quite important for those officers also to discharge their personal duties that might be owed under work health and safety legislation or other corporations' legislation.

Nathan:

Yeah, that's really interesting. And data can play a really crucial part in those investigations, can't it? Both in scoping and performing investigation itself, but also in terms of the remediation, detection and prevention of wrongdoing.

Julia:

Yeah. Agreed.

Nathan:

And maybe that's a good area to bring in, Matt. In terms of the use of data, both in relation to investigations themselves, but also in terms of remediation and risk management.

Matt:

Yeah, absolutely. Data plays a really crucial part across the investigation lifecycle now, including that post investigation phase or circumstance. And this particularly can be achieved in many ways. So one example might be around devising data analytics models to look at things like audit trails, historical data, particularly when we're talking about structured data, not necessarily the unstructured or although that is absolutely possible. And the aim here is really to identify anomalies or outliers in the data. So looking for data points that don't look right when you're comparing them to historical trends of normal behaviour, or to identify patterns of human behaviour that might seem odd or outside of the norm. An example of this around reconstructing human behaviour may be, for example, the investigation of suspected rogue traders. So performing analysis of specific trading activity within a certain window or period in question. And then looking at that alongside an analysis of broader market data or market trends to understand the types of behaviours that were occurring and whether these may be outside of the norm.

And this is around making determinations using that data as to whether or not traders are trading with the intention, for example, of creating false or misleading appearances in the market. I mentioned unstructured data as well. We can also apply things like AI, natural language processing through a variety of tools to identify things like key terms or keywords, and also performing sentiment analysis. And if we touch on being able to identify risk or particular areas to investigate and other use cases, performing analysis over complaints data. And this can be complaints data of any type. It could be text or even voice to understand things like sentiment, the nature of the complaint, and understanding really what the early warning indicators are and what the complaints are trying to tell us to understand where we should be investigating to identify areas of particular wrongdoing before they become repeated or systemic. And these can be any type of complaint, and touching upon some of the areas Julia was referring to, things like employee complaints. And it could also be customer complaints as well that might signify things like misconduct or similar.

The other power of data is using data to identify or investigate suspected issues, so those that may be unsubstantiated. And then using data to substantiate those claims, number one, but then also understand is it systemic? And if so, how long has the issue been going on for? What is the impact of issue either to employee or to customer or client? And then understanding the scope and also any other related issues. So anything similar in nature that may have occurred that we would need to go and investigate because the data is telling us to do so.

An example of this and use cases in things like payroll investigations. So looking at things like suspected error in payroll practices and the impact of those. And that's in particular context of employee underpayments, which is a particular topic at the moment in Australia. And using data allows us to take in a really large range of data sources and some pretty significant sizes of data sources as well. So looking at things like time and attendance, roster data and pay slips, and then using the Ashurst Advance team as well to support around digitising and transcribing legacy documentation that may have been there for a long period of time, turning that in into structured data and then reconstructing what had happened from a historical standpoint, understanding how they've been paid, understanding how they should have been paid using legal interpretation.

And that really gives us that sense using the data to understand scope and extent of issue and also to come up with adequate remediation plans, also rectification plans forhow do we fix the issue? And that involves, and I think Adam touched on a few of these points, identifying the root cause. Then identifying controls that need to be implemented to rectify those root causes. And also things like operating model changes, in this example, in the payroll teams. And that's around ensuring that the same issues do not repeat themselves again, albeit in a different form or a different guise.

Nathan:

So Matt, it sounds like you're using data in all of those stages in the regulatory life cycle. I'm particularly interested for today's podcast on how you're using data really to help clients learn from the outcomes of investigations.

Matt:

Absolutely. So in addition to supporting with things like rectification and remediation, we can also use data to help spot risks early. And those could be risks in many different forms and therefore support with prevention or at least very early detection. One of the key ways we can do this is through ensuring adequate risk monitoring. So things like dashboarding and reporting and ensuring that goes to senior management and those such as the C-suite and the board level. And that's about defining the early warning indicators. So what are the key risk indicators and how do they notify or signify that issues are emerging or occurring? And then developing continuous monitoring solutions over the top of those so that we can do this in an automated way where it can alert using dashboards and reporting where things need to be looked into. And that's about setting up the systems that identify risks before they become issues.

And this involves things like tracking how risks are increasing or decreasing over time, how they're performing against particular risk tolerances that the business will set out, and understanding where those risks are emerging and in which parts of the business so that we can keep on top of them and keep track of them. This also helps around ensuring senior managers can demonstrate that they're discharging their accountabilities when it comes to oversight of particular risks and questions, and that could be across a range of examples.

Nathan:

That's really interesting, Matt. I wonder maybe you could give us two examples of the ways in which you're doing that.

Matt:

Absolutely. So one person area, and this is another area that Julia touched upon, which is in the psychosocial space. So we can look at things like time and attendance data, looking for erratic working patterns, things like not taking holiday or annual leave, and then cutting and slicing that by geographical focus area, particular business lines that may be riskier than others, depending on the nature of the business. Also teams supervised by individuals, and that's about understanding where to go and look and the questions to ask and the action that needs to be taken in order to address those psychosocial risks.

Another example is in the financial crime space, looking particularly around bribery and corruption and looking at those key risk indicators. For example, things like spend on gifts and entertainment or corporate sponsorships and donations, and highlighting where there may be requests for approval that may be outside of policy or maybe just within policy, but only on the edge. For example, looking at the threshold for spend and repeated requests just under that threshold to see where people are trying to navigate policies in order to push through particular approvals for spend that may indicate bribery and or corruption. This can also include things like tracking the number of exemptions that are being sought outside of policy on a repeated basis, and who is that and are they doing that on a repeated basis again? So that we can go and ask the right questions and investigate the right areas.

Nathan:

That's fascinating. Thank you very much, Matt. It sounds like there are a lot of parallels in these different areas. Adam, I wonder if you could just conclude really by talking us through how important is it to the financial regulators that firms are taking these steps in terms of learning lessons and making sure that the same problems are not recurring?

Adam:

Yeah, it's really important from a number of respects. I mean one of course is rebuilding the supervisory relationship that exists between a company and a regulator post an incident occurring, but separately and applicable to all companies, whether regulated or unregulated, it's just ensuring there isn't a reoccurrence. And I think one of the things that's come out of the discussion that we've had this morning has been that in order to do that, you need to have a clear framework in place to implement a range of different mechanisms to prevent a reoccurrence.

Now that might be preventative controls like policies and procedures training. It might be detective controls around monitoring and surveillance or risk warnings to pick up incidents going forward. And also that oversight and governance piece, and ensuring that people are made aware of issues going forward such that it can be dealt with by senior management and ultimately that the board can be accountable. So I think that these points that come out of investigations, these aren't things that can be swept under the carpet. The issues need to be addressed in order that external stakeholders can be reassured that the company's business has got a robust risk management framework in place going forward.

Nathan:

And then just before we end, Julia, Matt, any concluding remarks in terms of the parallels that you see across these very different areas, but what we're seeing is a really consistent range of issues in terms of both how issues are investigated, but then also the importance of how you learn the lessons and prevent them from recurring.

Julia:

Yeah, I think I just echo Adam's comments just now that we've moved on I think in terms of investigators to, we investigate what's occurred, but we don't stop there. And from an organisational perspective, the outcome that we're all seeking is that we don't investigate these matters in the future. So it's around how we develop, as Adam said, a framework to really focus on prevention strategies and that will be good for shareholders, our people, and really what society is asking us to do across all forms of conduct.

Matt:

I would, just in addition to that, and two of the key points there around just ensuring the adequate monitoring of the business, monitoring conduct amongst other things, and that's leveraging data to provide that level of reporting and oversight, getting a real understanding of key risks and a sight of them early using that data, to then to be able to address anything that may be emerging in terms of particular risk areas. But more importantly, preventing them from becoming issues and occurring to then prevent any future investigations and those issues repeating as well.

Nathan:

Well, that's all we've got time for. Many thanks to Adam, Julia, and Matt for joining me on this episode. If any of our listeners would like to get in contact with Adam, Julia, Matt, or myself, then our details are on the Ashurst website, ashurst.com. If you'd like to learn more, look out for the next podcast in series where we will be exploring the emerging risks and conduct that will lead to investigations and enforcement in 2023. To ensure that you don't miss any future episodes, do subscribe now on Apple Podcasts, Spotify, or your favourite podcast platform. And while you're there, please feel free to keep the conversation going and leave us a rating or a review. Until then, thank you for listening.