The use of external counsel, once an investigation or prosecution has been made official, received across-the-board support from participants in this survey. 77% of respondents considered it at least moderately important for external counsel to be involved at that point, with almost half of those considering it highly important. 14% reported feeling that external counsel would not be involved.

‘Especially in smaller departments I have been a part of, having a good lawyer outside your business who knows your business is critical,’ explains one senior legal director in the European aviation industry.

‘Departments are strapped for resources as it is; the overhead of responding to a regulator – or worse, a formal prosecution – is beyond the capabilities of most departments.’

Those counsel who were a part of smaller departments were more likely to expect external counsel to be involved. Respondents in teams of 50 or larger were less likely than any other group to involve external counsel, with 31% reporting no involvement of external counsel at that stage.

When it comes to involving external counsel in anticipation of an investigation (as opposed to when one has formally been announced), approaches differ. Just 8% or respondents reported always involving external counsel at this stage; 33% reported occasionally involved external counsel and 38% reported involving counsel ‘often’. Almost 20% rarely involve external counsel at any point before the formal launching of an investigation or prosecution.

‘We are in almost constant contact with at least one outside lawyer to consult with on any real or potential investigations,’ says one veteran in-house counsel in the North American energy sector.

‘We can’t afford not to. If the first time you are meeting with a lawyer is when the regulator is at your door, a lot of (avoidable) damage has been done.’

While the in-house community has been vocal in pushing for diversity in their partner law firms, a company instructing external counsel on an investigatory or other white collar matter is typically more likely to involve a single practitioner for representation than other types of legal work. Therefore, survey participants were asked how important of a factor diversity and inclusion is when selecting counsel in these situations. The overwhelming majority felt it important, with 40% considering it a ‘highly important’ factor and another 40% considering it ‘moderately important’. Just 5% felt it unimportant.

In choosing external counsel, respondents reported choosing from a variety of sources. On average, in-house counsel were most likely to have found their chosen counsel by direct outreach to single firms – 20% of counsel reported choosing their representation this way. The next most popular source was the use of a company-curated preferred provider panel at 15%.

Virtually all respondents to our survey had an opinion on whether ethics and compliance were treated as two different topics within their organisation. There was no overwhelming consensus, however 61% of survey participants said that they are not treated as distinct concepts within their organisations; 35% said that they were.

‘Many companies think that these should be separated, where one should focus on the law and the other on the company culture as a whole,’ explains Armando Cruz, director at KPMG in Mexico.

Regardless of the relationship between the two, some consensus has emerged from the results suggesting that the question of ethics does and should touch all areas of the business – not least of all in avoiding the ire of regulators and investigatory bodies.

90% of in-house counsel consider corporate ethics highly important in avoiding white-collar investigations. Similarly, 87% considered the legal team as ‘highly important’ to the promotion of an ethical business culture within an organisation – 12% consider it ‘moderately important’ – and just 1% of respondents thought that the legal team was less important than that.

The results show a near-universal appreciation for ethics within a business by in-house counsel. This is unsurprising. However, what is surprising is the extent to which that feeling from general counsel does – or doesn’t – manifest within the wider business.

Despite near-universal agreement among in-house counsel that their teams are important to an organisation’s ethical makeup, just 63% felt that they and their teams are appropriately placed to promote an ethical business culture within their organisation.

‘Even though they are managed by same team, they are materially different,’ says Miguel Oyonarte, VP legal and corporate affairs at VTR Comunicaciones SA.

‘Ethics is much bigger in terms of scope and impact on culture. For its successful management, it requires the lead of the CEO and all their direct reports. It is also much more difficult to change – it requires full cultural change.’

Indeed, those who didn’t feel that their team is appropriately placed overwhelmingly pointed to factors external to the legal team as being the biggest reason. 61% cited institutional structure as making legal’s involvement impractical. The next most cited reason was that culture and conduct were the domain of another department (17%).

Plans to mitigate sources of investigatory risk and respond when an investigation does occur must change according to the risk profile of the business. Between novel technologies, evolving sensibilities and seismic shifts within industry, regulators and investigatory bodies are changing focus regularly. So too are business attitudes toward risk changing.

Generally speaking, when asked how the risk profile of their business has changed over the past five years, 53% of in-house counsel said it had at least somewhat increased. When asked to look ahead at the next five years, 26% felt that the risk profile of their business would significantly increase over the next five years, with 61% feeling that there would be at least a slight increase in their business’ risk profile.

When looking at changing risk profiles, data breaches are a good example: it wasn’t so long ago that the range of companies that rely on the collection and use of data was limited. Now, data has pervaded nearly every aspect of commerce. Retail stores that may historically have collected very little personal data now capture all manner of information at the point of sale for loyalty programmes, not to mention the continued recission of relatively anonymous brick-and-mortar buying in favour of online shopping.

To go back further, increasingly globalised markets and supply chains have largely informed recent interest in modern slavery. Modern slavery regimes set an expectation that companies must not hide behind the strongest link in the compliance chain, instead being held accountable for the weakest link: a company in the United Kingdom may be perfectly above-board in a foreign jurisdiction, but regulators now hold those companies to the standard of UK law for their actions in jurisdictions further up the supply chain, where protections against abuse and exploitation are not as strong.

Reading the room

GC surveyed top in-house counsel from across the world, asking participants to rate their organisation’s current risk levels on a scale of 1 to 5, 1 being the lowest risk, and 5 the highest. The responses were broken up into the following categories:

• Accounting fraud
• Antitrust/price-fixing
• Bribery and corruption
• Compliance/due diligence
• Cybersecurity and data privacy
• Environmental regulatory
• Money laundering
• Sanctions evasion
• Securities/commodities fraud
• Tax evasion
• Trade/foreign investment violations

Cybersecurity and data privacy risks were rated as the highest concern by survey respondents, both in terms of the risk they currently pose to businesses and how that risk was expected to change in the next five years. Cybersecurity and data privacy risks were rated at an average of 4.48/5 currently, which ballooned to 4.75 when respondents were asked to look ahead at the next five years.

Compliance and due diligence are also top of GCs’ minds – both when speaking about their organisation’s current level of risk and when looking ahead to how this might change over the next five years – coming in at an average rating of 4.27 with an expected increase of 0.22 to 4.49 in the next five years.

On average, nearly every category is expected to become more risky over the next five years. Bribery and corruption risks polled the biggest jump, increasing by 0.32 points on the survey’s five-point scale.

Risking it online

With cybersecurity and data privacy almost unanimously rated as the most pressing risks for GCs both currently and in the coming years, many of the in-house counsel surveyed and interviewed for this report had much to say on the subject.

‘Cyber threats form one of the biggest security risks of the 21st century,’ said Ritankar Sahu, general counsel and head of compliance for the Maxpower Group, operating throughout Southeast Asia and the Middle East.

‘Most Fortune 500 companies have been victims to some form of cyberattack leading to economic damage ranging from a few thousand to a few billion dollars. Cyber-attacks have increased dramatically in the last few months amidst the pandemic.’

Until relatively recently, it might have made sense to talk about cybersecurity and data privacy in terms of specific sectors, but the adoption of mobile platforms and cloud services – be they for internal operations, customer interactions, or both – has made cybersecurity everybody’s problem. In fact, the sector in which a given survey respondent is working had virtually no impact on their perception of cybersecurity and data privacy as a risk: GCs working for manufacturing companies were just as worried as those working for healthcare providers.

This is something that Seshani Bala, general counsel at Chartered Accountants of Australia and New Zealand, has seen personally.

‘Another big challenge is that we are trying to give customers and members a personalised experience, and to make data-driven decisions as a business,’ says Bala.

‘So, we are collecting more data to focus on that personalised, segmented experience. That increases the potential privacy risks in the event of a data breach. The penalties are very high under GDPR and Australian law. We are now seeing other countries move to a mandatory notification system that is in line with GDPR standards, and this poses greater pressure on organisations to make sure they have robust policies and procedures to quickly comply with those notification requirements.’

‘With the rapid development of online services, the risks associated with data storage and cybersecurity will develop,’ agrees Roman Kuznetsov, legal manager at WILO RUS.

Bala has worked closely with stakeholders in the wider business to make sure data protection policies are both clearly understood and rigorously enforced.

‘Once we have made sense of that, we can then drive processes and controls to reduce risk in that space. We partner very closely with our IT team. I think that has probably been the biggest change I have seen the last 12 to 24 months. I think Legal and IT need to be best of friends in-house, and you really need an integrated approach to effectively manage risk in that space.’

‘Before moving to a digital solution, I think it is really key to understand how each platform stores, secures and moves data. Mapping out that data flow process and understanding the data risks and data journey, as well as how it integrates with other platforms or plug-ins in other locations is important. It’s a given that digital solutions need to comply with applicable privacy laws but legal technology solutions also need to appropriately protect legal privilege, corporate record holding, and in-house destruction and recovery policies.’

Modern working

While the large difference between current risk and expected risk over the next five years is undoubtedly a reflection of an increasingly data-driven world, the effects of the COVID-19 pandemic will certainly also be playing a role. With home working becoming near-ubiquitous over the past few months, the volume of data being transmitted – either from workstation to workstation, colleague to colleague or business to customer (and vice versa) – is at an all-time high. This, too, means that the scope for bad actors to gain access to confidential data is also higher than ever.

‘The effects of the pandemic, and the current situation the world is in, pose several challenges for us in terms of rearranging our fraud agenda,’ says Gustavo Sáchica, chief legal and compliance officer at Allianz in Colombia.

‘In-house legal counsel need to anticipate the possibilities of fraud under pandemic circumstances. At Allianz, we have measured and stressed our risk tests in order to consider as many possibilities as possible.’

‘Due to Covid-19, increased working from home has resulted in a rise of remotely-accessed work platforms and digital ecosystems,’ says Sahu.

‘This has made us highly dependent on technology which in turn has exposed us to more sophisticated cyber threats. For MAXpower, this has not been much different. Our fleet of gas engines are spread across remote sites in South Asia, and given applicable travel restrictions, we have had to rely extensively on our cloud based technology platform which lets us track ‘live’ operating performance, profitability and emissions from a centralised asset dashboard. The technology also lets us engage in predictive analytics and gives us valuable fleet-level insights.’

‘From a risk management perspective, I think the industry view is that enterprises still have lots to do before they can claim that they are breach-proof. MAXpower’s exposure is no less than other similarly placed power producers in the market.’

‘We constantly strive to make our systems less vulnerable to digital threats. As general counsel, I recognise that we are not breach-proof and regularly engage in conversations with our operations folks trying to gauge whether we are doing enough.’

For some in-house counsel worried about what the future might hold for their cybersecurity efforts, the risk is already eventuating.

‘We have also seen our mail servers being the victim of ransomware attacks and we have had to strengthen our firewalls,’ explains Sahu. ‘In the months to come, I am certain that companies will allocate more budget and resources to address cybersecurity risks, and I do see a rise in procurement of cybersecurity insurance coverage.’

Regulators

The interaction between the regulators’ attitudes to risk and the reality on the ground for in-house counsel is complicated. In some instances, regulators are leading the charge by focusing on an area of concern and proactively shoring up the relevant protections, or cracking down on non-compliant entities. On the other hand, regulators may have fallen behind the in-house community in how they approach these areas of concern. In this way, regulators can make a company’s compliance journey both easier and more difficult.

Khaled Shivji, chief legal officer at the UAE’s Moro Hub, highlights this point. ‘In order to reduce the regulatory cost of compliance, we would be grateful to see more proactive guidance from regulators and prosecutors about the kinds of risks they believe are rated by the national and state governments as risks that, if not tackled, will diminish the country’s overall international rankings concerning white-collar crime.’

‘Increased oversight by regulators is reshaping the way we approach risk,’ agrees Armando Cruz, director at KPMG in Mexico.

And as with everything, this dynamic between regulators and the market is being redefined by COVID-19, according to Maria Alvear, general counsel at Chile’s GASVALPO.

‘In my view, the whole landscape will change after COVID-19 crisis lowers its impact. It will probably remain within us for a while and that encourages us to change our old ways of working and doing business, including regulatory risk management.

‘Regulatory risk management has been very challenging during these months, with several regulations being issued due to COVID, so it’s hard to keep up-to-date and perform accordingly. I guess this uncertainty that we are facing will remain; sticking to regulatory compliance will become more important than it is today to avoid a situation where lack of control and uncertainty give space for corruption to enter the business.’

At a time of increasing regulatory scrutiny in virtually all corners of business, and with the stakes having never been higher, now is the time for companies to get their house in order in terms of their compliance and investigatory response regimes. Our survey of top in-house counsel from across the globe revealed great disparities between organisations, not just in terms of how they plan for a potential investigation or prosecution, but also in terms of how high a priority such an endeavour is, and who within the business is best placed to take ownership of it.

But while most businesses – and certainly nearly every lawyer – would recognise the risk of inadequate preparation in this area, whether this recognition had translated into action is another story. Just 57% of respondents in our White Collar Investigations Survey reported that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions. 39% reported that their organisation has no such plan.

49% of respondents felt that their company had robust and effective investigative protocols in the event of an external investigation; 29% said that they did not believe that they had such protocols and 22% were unsure.

While it might first seem reasonable to assume larger companies are more well-resourced and thus more likely to be in a position to create an investigatory response plan, this does not appear to be the case. In looking at whether respondents’ organisations had implemented a response plan, those from larger companies (with over 100 employees) were less likely to report their organisations as having implemented a response plan, at a rate of just 57%, compared to almost 80% of those from smaller (less than 100 employees) companies.

‘There can often be too many distinct business units that would be involved in an organisation-wide plan. What you end up finding is in those cases, it’s much harder to get a far-reaching plan together as in-house counsel,’ says one legal director in the Australian telecommunications sector.

‘It is very important in our view to avoid a culture where the operating commercial organisation believe that no written guidelines from the top of the organisation means “green light”,’ says Kjell Clement Ludvigsen, general counsel at Norway’s Nortura.

‘It should be very clear to all that they are responsible themselves for what they do, but they should ask for assistance from legal or compliance if they are in doubt.’

Preparedness

Another problem with trying to get a clear view of where businesses are in their white collar investigations risk is that areas of concern will differ from company to company, and sector to sector. Our survey asked respondents to rate their level of preparedness in a variety of key areas on a scale of 1 to 5, with one meaning ‘not prepared at all’ and five ‘very prepared’. On average, respondents reported that their business was most prepared in terms of their financial compliance policies, scoring an average of 3.9. Companies were least prepared in terms of their modern slavery policies, which came in at an average of 3.0.

Those who said that their organisation had implemented a response plan for regulatory investigations or white collar prosecutions reported being more prepared almost across the board than those who did not. In particular, respondents whose organisations had such a plan rated their preparedness, on average, up to a full point higher than those who did not. In particular, both bribery/corruption policy and modern slavery policy preparedness increased by almost a point (0.97 and 0.92, respectively) from companies without a plan compared to those with one.

‘Aramco has zero tolerance in relation to any anti-bribery and corruption activities,’ says Ahmad Ismail, general legal counsel at Saudi Aramco Shell Refinery Company.

‘Therefore, I align my plan backwards from there. At each board meeting, I will align this with my president – I will check if there are changes, or any fine tuning for the plan. We need to be agile yet able to optimise.

‘Particularly now, as we have seen Saudi Aramco has been listed on the stock exchange, that represents a higher level of responsibility, citizenship and corporate compliance for the organisation, including at the subsidiary level.’

Whose problem?

One reason why organisations appear to be behind the curve on investigatory planning is that it isn’t an area that uniquely lends itself to the legal team. Efforts in this area are likely to require active input from all corners of the business, as well as an ambient level of support from the leadership team.

Indeed, when asked who within their organisation was responsible for designing and maintaining the response plan, answers were split. While the legal team was the most commonly cited department, it ultimately accounted for just 35% of the responses – and just as many reported not having a response plan at all. 13% – the second most common response – said it was currently a multi-departmental effort, and 10% said it was the domain of a dedicated crisis management team.

‘Day by day, the executive team is more conscious of the importance and necessity of the identification, mitigation and follow-up of risks,’ explains Diana Daza, legal director at SGS in Colombia.

‘As a legal team, we are highly involved in daily risk management operations in order to prevent these sort of risks.’

Despite a current lack of ubiquity around which departments are given investigation planning responsibilities, there is a sentiment that this is changing. From interviews with participants in this survey, it seemed a common view that over time, the pre-investigatory planning job is landing more and more with the in-house team.

‘Based on conversations that I have had with peers, it has become quite common that legal teams, in particular the leadership team, are involved in assessing the risk of investigations and prosecutions,’ shares Oliver Jarberg, deputy chief legal and compliance officer and director of integrity & anti-doping at FIFA.

‘I personally believe that it is one of the key aspects – in particular at management level – for the legal and compliance function to be involved with. In particular, in-house legal teams should already be involved at an early stage by the business so as to flag critical operations, transactions, and provide advice and support on measures to be implemented to mitigate legal and compliance risks – including the risk of investigation and prosecution.’

Annual reviews

Another reason that uptake and confidence in organisations’ planning for white collar investigations is subdued might be because there needs to be an ongoing commitment to reviewing and modifying the plan in order for it to stay effective: external risks are changing constantly, while the risk profile of a business will likely change as it expands or contracts into or away from new business units.

When it comes to reviewing their planning and preparation processes in the context of investigation and white collar prosecution risks, 38% said that they review their process annually, while another 38% reported only conducting such a review on an as-needed basis – another 19% said that they never review their plans in this area.

‘We undertake an annual review and it is critical to understand both the changes in the legal landscape as well as regulators’ approach,’ explains Kwong Wen Wan, group chief corporate officer and group general counsel for Mapletree in Singapore.

Ahmad Ismail is both a proactive participant in his organisation’s investigation preparation, and an avid proponent of conducting regular reviews of any plans or policies.

‘The way I align my plan – especially in relation to anti-bribery and corruption and also in relation to legal and compliance – is that I first understand the company legal risk appetite and then align that to the business cycle of the organisation,’ he says.

‘Clearly, all organisations have their own business planning cycles, and within that business plan cycle you decide on the capital expenditure of the organisation, in other words, what type of investments they are making for the year.’

‘That is normally also mapped against the company’s risk map. So based on that, I will determine what the plan would be for the year in relation to legal compliance. I would analyse that risk map, and get clarification from the auditor and the Chief Financial Officer and the controller. I’d then identify what would be the risk appetite for the organisation, and then I’d map the plan for legal compliance for the year.’

For Jaberg, ‘at FIFA, we have a working group composed of representatives of different professional functions within the organisation, including internal audits, finance, legal and compliance, and different business units.

‘They meet on a regular basis to map FIFA’s main risks and devise strategies and plans so as to mitigate the risks identified within this working group.’

‘I think it is important to establish a formalised risk management process to identify the different risks – including that of investigations and prosecutions – as well as ensuring the processes and measures designed to mitigate such risks are defined, evaluated and implemented. As risks evolve over time, I think it is important that they are reassessed and the processes to address such risks are then amended as required, based on the learnings related to each risk identified. So, in fact, this is a very dynamic task which also requires the legal and compliance function to thoroughly understand the business, the processes and operations of the company.’

‘It’s important to be agile and on top of things, and adapt to the changing circumstances as required to protect the interests at stake.’

Renewed interest from regulators

Give the importance of preparedness for regulatory investigations and white collar prosecutions, why do companies of all sizes and sectors report such vastly different levels of planning in this area?

While the subject may have been on in-house counsel’s radar for many years, many counsel interviewed for this report mentioned a ‘sea change’ in the wake of the global financial crisis, which saw a redoubling of efforts on the part of regulators to rein in inappropriate and illegal conduct, particularly in the financial sector. While a decade is a long time in some respects, in terms of cultural shifts within massive organisations it isn’t very at all, and businesses are still coming to terms with heightened sensitivity on the part of regulators and similar investigatory bodies.

‘It takes time – lots of time – to see real cultural change take hold in a company, or industry,’ says one long-time banking general counsel based in the United Kingdom.

‘There is an increased level of consciousness around white-collar crime which I would say began post-GFC and has continued since then. But unless an organisation has already been stung, it can be difficult to enact change quickly – something I suspect every in-house lawyer will be familiar with. It is on the in-house lawyer to keep their foot on the gas and make sure the company keeps momentum towards compliance.’