Written by León Lanis V., Paralegal
Over the past few years, compliance has become one of the biggest concerns for companies due to new laws and standards for different markets, most predominantly the rules on taking care of the environment, social issues and governance within an organisation. These are commonly known as ESG practices.
Within the “Governance” aspect of ESG, there is a great surge in the idea of companies being able to trace and investigate their actions prior to (or otherwise to facilitate) a regulator's investigation. The problem with internal investigations is that there is usually no standard principle to follow, which makes each investigation different and makes it more difficult to clarify the acts in question. As a response to this difficulty, the International Standards Organisation very recently created a new standard for such investigations, formally known as ISO 37008:2023. The standard sets out principles and guidance for companies that want to improve their efforts to trace actions within their organisation. It also sets out a guide of standard good market practices that regulators may impose in the future, especially for hyper-regulated markets that require internal investigations. One very important aspect to keep in mind while applying the standard is that it will never be a substitute for government research and formal investigations.
Which standards serve as reference
ISO used many of its existing standards and best practices in order to create this new standard. Some of the references are: ISO 37001 (anti-bribery), ISO 37002 (whistleblowing management) and ISO 37301 (compliance management systems).
The standard’s fundamentals
Bearing this in mind, the standard relies mostly on principles that should be applied in any investigation, mainly because ISO did not want to expand on the technicalities of a specific investigation, but rather to provide guidelines for every type of investigation within a company. The fundamental principles are:
- That any investigative process within an organisation must be developed and done under legal parameters, by competent people and professionally;
- That the investigations are done by an independent role and with full confidentiality throughout the process, always ensuring the objectivity and fairness of the investigation.
In order to assure this, the standard sets out the idea of having a governing body, within an organisation, that independently does the fact-finding, while the management of the organisation must provide said role with all the resources needed to fully carry out the investigations while maintaining said principles.
Scope of every investigation
Under ISO 37008, internal investigations are initiated within an organisation in order to clarify the facts and establish their relation to alleged or suspected wrongdoing, misconduct or noncompliance with the law or regulation.
Establishing an investigation policy or procedure
In order to maintain professional compliance with the standard, it is imperative to have a written policy or procedure setting out the different aspects and limitations of an internal fact-finding process. Some of the key aspects said procedures should have are:
- Define the scope, process and responsibilities of internal investigators;
- Link the procedures with other internal investigation or risk management policies (e.g. whistleblowing policy);
- Require timely and appropriate action every time a concern is raised;
- Ensure the investigation is done while respecting every involved party’s rights;
- Require cooperation in the investigation by all personnel;
These are amongst other requirements to enable a professional and complete investigation.
It is very important to understand how investigations work and to have a very clear standard procedure in order to ensure that their objectives are clear and accomplished correctly, while ensuring the confidentiality of the process, the independence of the roles of the investigation and the protection of the rights of the involved parties. A nuanced understanding of how investigations operate, coupled with a well-defined and standardised procedure, is imperative for organisations aiming to achieve clarity and accuracy in their internal investigative processes. ISO 37008 serves as good guidance, emphasising the importance of confidentiality, independence, and the protection of the rights of all involved parties. Adherence to this standard is not only good corporate governance but also a strategic imperative for businesses, reinforcing their commitment to transparency, accountability, and ethical conduct.