Control Risks crisis management experts on how to avoid damage to business continuity, reputation and share price resulting from a corruption investigation by a regulator


A corruption investigation by the regulators can be a highly complex process, especially if it crosses multiple jurisdictions. It is vital that organisations plan how to best manage their response to an investigation to limit the negative consequences on the business.

Regulators tend to become involved for two main reasons. The organisation may have self-reported, perhaps on legal advice following an internal whistleblowing event. In this case, the organisation is in control. The alternative scenario, which is potentially more harmful as it usually comes as a surprise, is that regulators have become aware of an issue through an external party – often losing bidders in a tender process or disgruntled former employees. Sometimes, information emerges regarding issues in an entire sector, such as finance or pharmaceutical, that triggers a widespread investigation.

In some jurisdictions, rivals may also seek to put competitors into a damaging position. It can be a tactic for diverting attention away from a business that is up to no good or attracting some negative press, making it look as though they are the good guys, co-operating with the regulators by whistleblowing on everybody else.

Responding to and managing the process correctly is critical because the potential effect on the business could be significant, not only in terms of financial or other penalties, but also in relation to damage to business continuity, reputation and share price.

An organised approach is also essential because multiple agencies may be driving a corruption investigation. In Germany, for example, as many as five independent agencies are tasked with managing corruption and the US has four. Added to that, there are also international government and non-governmental organisations such as the Interpol Group of Experts on Corruption, European Partners Against Corruption and European Anti-Fraud Office, to name a few.

First responders 

How the organisation responds to an investigation from the outset can affect what it may end up being prosecuted for or whether the regulator is satisfied there is no case to answer. Organisations need to be able to show they acted properly and appropriately from the start. It is critical they shift immediately from standard management processes to crisis management, as their standard way of working is likely to be too cumbersome to enable them to respond in a timely manner to an investigation.

Some organisations are alerted to a corruption investigation only when law enforcement authorities arrive unannounced. Often, a big team of lawyers, policemen and accountants makes a dawn raid. The directors may not be present and if nobody knows what to do and who to call, the organisation is exposed. It is essential that everybody knows their responsibilities, what they need to do in these situations, who to call and what they can and cannot do legally.

Good governance and an effective crisis management plan and team will enable an organisation to address scenarios ranging from evacuating staff effectively from a war zone to dealing with potential exposure to regulators. The expertise needed for each scenario is different but should be addressed through a shared crisis management framework.

All organisations that are governed properly should have crisis management plans yet, surprisingly, even some large enterprises will admit to having either no crisis management plan in place or one that is outdated or overtaken by events such as mergers and acquisitions. Not only must crisis plans be kept current, but it is also a good idea to regularly exercise that team with realistic scenarios relevant to the organisation. It is one thing sitting in a room and doing a workshop about an event, quite another to simulate a real-life raid with an element of panic and immediacy.

It is pointless managing a crisis successfully if no business is left at the end of it. Crisis management must be separated from ongoing business management if both are to operate effectively. A crisis can strike at any level and regulators could descend on any office. It is possible that regulators could be in the building that houses the people who would normally run the crisis management, so organisations must look for alternatives and build resilience into their plans.

Lining up resources

The crisis management team for each organisation is best placed to determine what resources their particular organisation will need once faced with a live investigation, which may include external resources. In any investigation, most organisations will be able to tap into established external legal support. Organisations are also likely to need technical support in areas such as crisis communications, forensic accounting and forensic computing.

In addition, investigations tend to generate numerous documents, emails and accounting records. It is essential to have a structure in place for storing, searching and managing all the data and documents generated in the investigation. Companies often do not have the internal capacity to do the necessary e-discovery on this amount of documentation.

A need may also arise for local knowledge in terms of local law, culture and language skills. This may have to be outsourced if employees who could otherwise help are themselves under investigation. If the organisation does not have framework agreements in place for that type of support, this will cause unwanted delays in responding to the regulators, which is potentially harmful.

At the same time, it is important to manage the political and security risks arising from an investigation. In certain countries, the business community, including third parties that may be implicated in an investigation, is closely associated with the political establishment and it is important to ensure that, while the regulators are kept happy, the company does not do lasting damage to its future operations in the country.

Communicating good decisions

Crisis management is about applying expertise effectively and making good decisions, but if the organisation does not communicate these well, its reputation may still be damaged. An organisation’s Corporate Communications team should work hand in hand with the crisis management team, who will be making decisions about what to do, and then communicate those decisions honestly with appropriate messaging to internal and external stakeholders. That way, with the correct preparation and communication, a corruption investigation need not become a crisis.

Top tips for investigation readiness

1. Start with a thorough business analysis to inform the crisis management plan.

2. Make sure everyone in the company knows about the plan and their role within it in the event of a corruption investigation.

3. Know where your data is and who has custody of it. Ensure people are clear about the legal implications of securing, destroying or moving documents and data.

4. Once the plan is in place, keep it up to date through scheduled audit and review.

5. Keep your crisis management team match fit with regular training exercises.



About the authors

Alex Martin is practice leader at Control Risks’ Crisis Management and Security Consulting division.

Simon Yarwood is associate director, Forensics Accounting within the Corporate Investigations division of Control Risks.