When an allegation is received by an organization within the public or private sectors it can be an upsetting experience for management. For large organizations, it is not really a question as to whether allegations of conflict of interest, financial malfeasance, information leaks or other policy violations will occur, it is a question of when.
The personnel receiving the allegation may have a reflexive action to either dismiss an allegation or to conduct a thorough investigation of every allegation; neither of these approaches are efficient or effective over the long term.
We have helped internal investigation units in government departments address their allegation management processes and have learned a number of lessons which we will share here. In summary, we believe that having a standardized set of criteria for assessing allegations; and having a good understanding of the roles and responsibilities of stakeholders within an organization will provide tangible benefits to the organization in terms of effectiveness, efficiency (and therefore cost savings), procedural fairness and risk management when it comes to determining whether an allegation warrants a complete investigation.
First, we will describe an illustrative set of assessment criteria an organization may wish to consider when they receive an allegation. The list is not exhaustive, and organizations will reduce it or expand on it as appropriate.
We expand on each of the points below and as we do so we emphasize the importance of cooperation and communication between stakeholders within an organization to support efficient and effective allegation assessment (and if required, investigations).
Sample List of Assessment Criteria
A list of allegation assessment criteria could include the following:
- The preliminary credibility of the allegation.
- The policies, regulations, contracts, or laws that have been contravened.
- The severity of the alleged contravention and any legal obligations.
- Whether or not the complaint is within the purview of the recipient of the allegation.
- The organizational resources that are required to assist.
- Whether or not there is likely to be information available to support or refute the allegation.
The preliminary credibility of the allegation
Recipients of allegations must do a preliminary assessment of the allegation’s baseline credibility. This step is not a fulsome investigation, rather it is a baseline assessment as to whether allegation is sufficiently specific and credible to warrant further action.
For example, an anonymous email making generalized, derogatory statements about a vendor, partner or employee with little specificity, no supporting records and no opportunities for follow-up is likely to receive a lower credibility rating than a situation where assessment personnel can interview a complainant which allows them to obtain additional context and to gain an understanding of the complainant’s motives. If preliminary checks can validate the information (such as the person who is the subject of the complaint exists, works for the organization, etc.) then the credibility score rises.
Conversely, there is no need to assess the motives of an alert from an information technology security system. There is the need to validate that it is working properly and to understand the circumstances that would have tripped the alert.
The source of the allegation and its content will impact the ability of the personnel involved to make a preliminary assessment of the information they receive.
The policies, regulations, contracts, or laws that have been contravened.
An investigation, unlike an audit, is narrow in scope and generally deals with specific alleged contraventions of policy, regulation, contract, or law. It is important for those involved in the assessment process to be able to connect the information they receive to a possible contravention.
Information that generates a potential investigation can take a variety of forms, from the proverbial “brown envelope” (which still happens even though there are anonymous email and telephone whistleblowing options) to an alert generated by an IT system.
In the Government of Canada context, if an allegation is received that an individual is sending protected information to their personal email account, it may be deemed a contravention of information security policy.
An allegation involving a non-arm’s length relationship with a vendor may be a violation of procurement policies, internal financial policies, and the Financial Administration Act.
All of the above may also be a violation of the Values and Ethics Code for the Public Sector and the department’s internal ethics code.
In both the public and private sectors, there are agreements between the organizations and stakeholders. Employment agreements, customer agreements and supplier agreements are all contracts, and it could be the terms of those contracts that are at issue.
If a formal investigation is eventually commenced, the professionals involved need to what potential infractions have occurred in order to properly set out an initial scope of the investigation.
Notwithstanding the above, new information will be developed as the assessment process, and any ultimate investigation occurs which may expand or reduce the scope of the investigation.
The severity of the alleged contravention and any legal obligations.
The severity or materiality of the alleged contravention will impact the decision to proceed with an investigation. After initial inquiries, it may become clear that the alleged contravention was not serious enough to warrant a full investigation; or that the matter is better resolved through another means such as employee coaching.
Conversely, a single alleged contravention may be so serious as to warrant the immediate launch of an investigation combined with risk mitigation measures such as putting an employee on temporary leave. Similarly, a single disclosure or alert may be the thing that alerts the employer to a pattern of conduct by an employee that the employer was not aware of, in other words, the tip of the iceberg.
In other cases, the department may have no choice but to conduct an investigation because of policy or law.
An investigation can be a disruptive, resource intensive and time-consuming process. A good assessment process will allow the department to judge whether the allegation is sufficient to warrant a full investigation.
Whether or not the complaint is within the purview of the recipient of the allegation
In many organizations it is common that there is more than one unit that could have responsibility for an administrative investigation. Labour relations, corporate security, information technology security, internal disclosure, audit (or forensic audit) may each have a responsibility for administrative investigations. Depending on the nature of the allegation one may have primary responsibility.
In cases where the allegation involves third parties such as recipients or vendors, additional consideration must be given to which group within the department has responsibility.
It may be useful to engage an outside organization such as an investigation firm, digital forensic firm or in some cases, a law firm to investigate in order to ensure independence; maintain legal privilege or to support the organization because it does not have sufficient resources to conduct the investigation internally.
Finally, there are cases where the allegation should be immediately referred to law enforcement.
The organizational resources that are required to assist.
Related to the above, although one group may lead the assessment, and possibly the ultimate investigation, it is important that all key stakeholders are aware of the process, at the correct time to provide the necessary support.
Preliminary inquiries in administrative investigation almost always involve the interrogation of internal records. Research of external open-source intelligence (i.e. public records) may be also be conducted. These types of preliminary inquiries are useful for establishing key facts and do not generally require the assistance of too many individuals in the organization.
Like a formal investigation, in all aspects of the assessment process, the privacy and reputational impact of the stakeholders must be considered. Where whistleblowers are concerned, steps must be taken to protect their identity if it is known.
Depending on how quickly the assessment process progresses, it is important to have a plan to involve other stakeholders such as labour relations, legal services (or external legal counsel), corporate security, information technology security, records management, etc. Depending on the seriousness of the allegation, the organization’s executive should be notified and where appropriate assistance should be sought from communications/public relations.
Different organizations use different processes to facilitate this interaction. In some cases, allegations arise so rarely that informal meetings between the stakeholders are sufficient. In larger organizations where situations may arise more regularly, a formal mechanism is created to deal with situations as they arise.
Whether or not there is likely to be information available to support or refute the allegation.
To conduct an investigation, there has to be material to review. The material can come in various forms including electronic records, paper documents, witness statements, camera footage, open-source research and much more; however, there are circumstances where the organization does not have access to the materials and may not be able to gain access for legal, financial, or logistical reasons.
In those cases, the assessment process may determine that the complaint is credible but that alternative actions should be undertaken because the likelihood of a successful investigation is limited.
The challenges in determining whether or not to investigate a complaint within an organization are multifaceted. Organizations must navigate a complex landscape of credibility assessment, resource allocation, compliance with law and policy; public perception, stakeholder impact, and generally what is required to effectively conduct an investigation. Not to mention that the personnel involved must determine which stakeholder is the appropriate authority within the department to proceed, irrespective of how the complaint was communicated in the first instance.
Based on our experience, having documented assessment criteria, appropriately resourcing the assessment team, ensuring good communication between internal stakeholders such as legal, labour relations, security, information technology and the department’s executive can have a substantial impact on achieving better outcomes in the complaints process. These steps also help maintain accountability, the privacy of the parties involved, support procedural fairness, and ensure stakeholder confidence in the process.
In summary, a good assessment process is an effective measure that bridges the gap between the receipt of a complaint and determining whether to launch a formal investigation.
If you represent an organization that has an investigation function and you would like to further discuss your assessment processes, please contact Chris Pierre, Managing Director of the KeyNorth Group at firstname.lastname@example.org or 613-233-8509.
This post is for informational purposes only and is not intended to be legal advice. Contact legal counsel for further questions.