The board’s ability to manage crises has become more critical than ever during this time of COVID-19 disruption. According to the EY Global Integrity Report 2020, 90% of respondents believe that the pandemic poses a risk to ethical business conduct at their organization. Similarly, a recent survey by the Association of Certified Fraud Examiners found that as of August 2020, 77% of respondents had seen an increase in fraud cases since the start of the pandemic and they expect this trend to continue.1
While it is imperative that a strong integrity culture is established within the organization to reduce the likelihood of adverse events, crises may still occur despite best efforts. Boards should see that a sound crisis management framework is in place to guide themselves and the organization in handling significant incidents, with the aim of minimizing impact and securing stakeholders’ trust.
Overseeing a corporate investigation — such as a short-seller attack, a whistle-blower complaint that calls into question the integrity of senior leaders or a sophisticated cyber attack — is often complex and time-consuming. Failure in oversight can carry personal risks for directors. Board members are personally liable for failure to exercise reasonable diligence in the discharge of their duties as company directors. The board should therefore understand the key steps involved in the investigative process, including the common pitfalls at each stage.
Triggering crisis management
At the onset of the incident, a dedicated crisis management team comprising cross-functional business unit leaders that reports to the board should be assembled. A preliminary assessment should be conducted on the allegations or issues to determine the response strategy, including the use of appropriate incident response playbooks that the management team prepared. At this point, the board should also identify key intervention actions, which may include the suspension of senior executives named in the allegations as well as mitigation and contingency plans.
Robust communication strategies, both internal and external, are key to protecting confidential and sensitive information. Legal professional privilege protocols may be adopted to protect attorney and client privilege over confidential information, such as situation analyses, mitigation plans and strategies.
Conducting the investigation
To convene an investigation, the board must clearly establish the objective, scope, investigative actions and timelines. Where the allegations are directed at the senior management’s integrity over matters like financial reporting irregularities or other fraud-related matters, such personnel must not be in the chain of command in the investigation.
The board must also assess the need to engage external forensic investigators and legal counsel to conduct the investigation independently without undue influence. For serious allegations, it is worthwhile engaging independent forensic investigators who report directly to a committee comprising independent non-executive directors. Engaging external counsel may also be useful, particularly for matters involving multiple jurisdictions.
Once the board has convened the investigation, steps must be taken quickly to preserve all potentially relevant documents. A document preservation notice must be issued to all relevant employees to preserve both electronic and paper records. Equally important is preventing the overwriting and deletion of electronic data that occur as part of business-as-usual activities, such as the overwriting of system audit logs, recycling of data backups or purging of emails as part of regular housekeeping when mail size quotas are exceeded. Failure to preserve documentary evidence could impede a thorough investigation and seriously compromise the company’s legal position with regulators or in any ensuing litigation.
The board must also decide how and when to disclose the investigation findings to stakeholders, statutory auditors, regulators and other impacted third parties. Although there are no hard-and-fast rules governing the timing for reporting the preliminary or final findings of an investigation, the board must consider the potential impact of the disclosures on the company’s financial statements as well as criminal and civil liabilities that may arise from the investigation results. Communications regarding the investigation must therefore be conducted on a careful and “need to know” basis.