What do you do when compliance issues arise?

There is no doubt that organizations and their managers are more and more exposed to compliance breaches, be it in data privacy protection, anti-corruption, quality control, tax payments or meeting regulatory requirements in general.

It is also very clear that the reputation of organizations hinges on their compliance records and how compliance breaches are handled. So, what do you do when compliance issues arise?

When a compliance issue is raised, the organization’s response should be reasonable and proportionate to the circumstances. For compliance professionals, the witness interview plays a critical role in determining the scope of an internal investigation.

These interviews, however, can be undermined by poor planning, lack of preparation and inadequate record-keeping, among other factors.

A variety of avenues lead up to the point where you have no choice but to launch an investigation: someone in finance could report that they think something fishy is going on with a certain reimbursement request, or an employee could call your hotline to report a case of suspected bribery, or a member of your staff could claim that his or hers personal data protection has been violated by the organization.

In either scenario, the next steps are going to require you to talk with the people who may have witnessed this issue.

Conducting interviews to gather this information is no simple matter. As the interviewer, you want to be civil and elicit responses from the person you’re interviewing. At the same time, you have to be ready to confront that person about uncomfortable issues.

The witness interview is just on step in the investigation process, but it is an important part that requires finesse and preparation. Here are seven tips, based on best practices:

Determine whether a government agency is investigating the issue. If an agency is already involved (or likely to investigate), you have to carefully consider whether the government could later request notes you’re taking as evidence.

Plan the sequence of interviews. Compliance issues usually involve more than one person, and the people being interviewed sometimes talk amongst themselves even though they are not supposed to discuss the issue. For that reason, it’s important to think about what person you want to have on the record first, and plan the sequence of interviews around the potential of chatter between your interviewees.

Make in-person interviews a priority. Talking in person helps you gather information effectively and get people to open up about what could be an uncomfortable issue. Body language also helps you size up the interviewee and how honest they’re being with you.

Prepare as if you’ll only get one shot at the interviewee. It’s a big mistake to assume that you can ask follow-up questions later, because you may not get another chance to interview a person -- they could lawyer-up, for example. It’s better to do your homework and gather any documentation you want to ask about, so that it’s a meaningful and thoughtful discussion. Prepare a witness outline as well as answers to predictable questions a witness may ask you.

Provide a warning on relevant company rules. Interviewees should be told that you represent the company, and reminded about company policies that require their cooperation.

Employees typically have a duty to cooperate in an internal investigation, but not always.

Document the interview in detailed written reports and memoranda. The interview is a fact-gathering activity. While the goal is to ask open-ended questions and make people feel comfortable to obtain as much information as you can, the process also needs to be recorded in copious notes.

Conclude with clarifications and reminders. End by reminding the person to refrain from talking about the issue with co-workers and give them some parameters for what to do if they are contacted by outside parties, such as the government. Ask them to provide you with any relevant emails, documents or other data. Finally, you also want to clarify whether the interviewee would be willing to help in the future. Give the interviewee your contact details in case they think of additional information, and ask if it’s OK to call with follow-up questions.

Let me remind you that for instance in data privacy protection breaches, criminal liabilities arise. Personal data controllers have to comply with the following:

a. Appoint a data protection officer

b. Conduct privacy impact assessment

c. Create a privacy management program and manual

d. Implement privacy and data protection measures, and

e. Establish a stringent breach reporting system (which could well be based on the above mentioned witness interview best practice).

If you need any assistance contact me at [email protected]