Conducting investigations is second nature to many security executives. Since a large percentage of CSOs have a law enforcement background in some form or another, conducting inquiries is a routine function with which they are very comfortable. How a security executive approaches investigations can contribute to the “Corporate Cop” image that CSOs have been battling for years, or it can completely change the perception of security. Keep in mind that a number of security executives have lost their jobs over the manner in which an investigation was handled.
Another thing that has to be taken into account, depending on where in the world an issue has arisen, the security executive may find that it is illegal to conduct an investigation in a particular country. A number of countries around the world prohibit any type of investigation from being conducted in their country unless it is performed by officials of the country.
A few years ago, I conducted a study on investigations. The company requesting the study identified 12 separate functional organizations within their enterprise that played some role in investigations. As part of the process, 62 distinct types of investigations that are typically conducted in the corporate world were listed in a survey. One of the questions asked of the participating functions was if they were the lead or performed a supporting role in each type of investigation listed. The results of the study were very interesting. Multiple functions queried stated they were the lead on 56 percent of the different types of investigations; and, surprisingly none of the functions accepted the lead role on 11 percent of the types of investigations listed.
Company culture plays a huge role in how companies view and handle the process of investigations. In the case of the company that requested the study on investigations, the solution they ultimately chose was to create a core team of key functions to oversee the process of investigations within the company. I convinced them to name the group the “Business Practices Review Team.” They didn’t include the word “investigations” in the title or documentation associated with the team or their processes. Their charter stated the team was to ensure that violations of good business practices and policies are thoroughly reviewed. Yes, they were still looking for bad actors, but their efforts were mainly focused on root cause analysis, taking corrective measures and preventing reoccurrences. They listed the 62 types of potential “business practices violations” that typically occurred with a company and, for most types, assigned which key function would be designated the lead for each type of “review.”
I got out of performing “investigations” years ago and found this enlightened approach extremely beneficial. Additionally, I have yet to find a single country where a company is prohibited from conducting an internal audit, root cause analysis of their business processes, or a review of their business practices. I know what you are going to say – If it walks like a duck and quacks like a duck… However, please consider that this approach has significant upsides and minimal risk… and can eliminate the Corporate Cop mantra… So what are you waiting for – Get quacking!
As always, I look forward to your feedback.