Inquiring Minds: Building an Investigative Team

To build an effective investigative team, CSOs need to assemble the right mix of specialized talents. Then they have to cultivate trusting relationships with other organizational leaders.

1 2 Page 2
Page 2 of 2

Communication skills are also a critical capability for investigators. They have to be able to view a case through a big-picture lens and with an attention to detail, and they must be able to present and encapsulate their findings to an executive audience or in court if necessary. This requires excellent verbal and written skills combined with good interpersonal skills. "You have to be able to not only articulate findings and explain what you've discovered," says Nihill, "but you have to talk to people involved in the organization, establish a relationship and promote a good exchange of information." Building the Right Kind of In-House Support A corporate investigative unit has four critical partners in an investigation: human resources, general counsel, internal audit and the manager of the business involved in the investigation. Building constructive relationships with each of these groups should be one of security's key goals. However, it's not always easy. Selecting what information to share and when to share it is an ongoing challenge. "The hardest thing we balance is determining who needs to know and how we help them understand that they can't share that information without jeopardizing the investigation," says Ashby. Several CSOs we spoke with recounted cases where they have informed human resources of an impending employee interview only to have HR notify the employee. In retrospect, most security executives admit that this was caused by a lack of communication. Campion says, "You can get too used to how you do [things] and assume other people have the same knowledge, but when you set your expectations up front, nobody spills the beans."

A similar problem often occurs when security informs a business unit manager that an employee or transaction involving his group is under investigation. Often that manager cannot resist doing a little Miss Marple-ing of his own and unwittingly tips off the people involved. It is a delicate balancing act. Sharing too little information will lead to inevitable criticism from the business, while too much can blow the investigation.

Investigators can manage this best by including managers and human resources in the process, giving them as much information as is practical, explaining how they can help and the importance of confidentiality in preserving the investigation. For example, in a sexual harassment case, security might wish to notify a manager that an allegation has been made of some inappropriate behavior in his department and that they will be conducting interviews. Security might choose to withhold the identities of the accusers and the accused to prevent any awkwardness or unsolicited sleuthing.

Involving legal early and often is also a good rule of thumb. "Our policy, by default, is to have everything covered under attorney-client privilege, wherever permissible, so that we can preserve our discretion on how to proceed," says Denis Verdon, senior vice president and head of the corporate information security group at Fidelity National Financial. Verdon adds that keeping knowledge of investigations on a strict need-to-know basis is critical. "If information regarding an investigation is inappropriately divulged, this may in some cases compromise client-attorney privilege and may become discoverable," he says. Fidelity National is a speciality insurance provider and is the nation's largest real estate title insurer.

In addition to those protections, a contact in the legal department should be involved in cases that include the potential for termination, to prevent creating additional legal exposure. General counsel should also be brought in early on any case where disclosure of an incident to police or government regulators could be mandated by law.

Recognizing what these other functions bring to an investigation and adhering to strict boundary limits in security's role are critical to building a strong investigative capability. "Corporate security is an independent group. That's what makes us good investigators," says Campion. "HR tends to be viewed as employee advocates, and legal is concerned with risk. We're not out to get employees, but we're not their advocates either. We weigh in as an equal partner at the table, but the decision of whether somebody is hired or fired is not made by corporate security."

Though security should not make any punitive decisions, they can be instrumental in preventing one of the frequent pitfalls of an investigation: unequal treatment. At Boise Cascade, Ashby stresses the importance of having senior management and counsel sit down and work out what the policy of the corporation will be toward different infractions so that security can approach each case in a uniform manner. "I strive to make sure that we don't fall into the trap of every case being treated differently based on how well management likes or doesn't like that employee," says Ashby. "It's difficult to get everybody on board, but there has to be a definitive agreement that this will be the criteria [for prosecution or dismissal], and it doesn't matter who you are." Develop a Flexible ProcessThe CSO's role in an investigation is to be the navigator. He sets the direction that the investigators should follow and checks in frequently to recheck their course. The first 24 to 48 hours of a case are critical, and in order to hit the ground running, the investigative team needs a process that is rigorous enough to make maximum use of that early window but flexible enough to ensure that the investigation is not unduly restricted. The first few days of an investigation are especially important in cases where law enforcement or a regulatory agency is likely to get involved. "Once you go to the U.S. attorney or a regulatory agency, that limits what you can do on your own," says Nihill. "If somebody embezzled money or has gotten kickbacks from contracts, you should do as much as you can before the perp can get counsel. A lawyer won't let them talk, but [if you get to them early] you might get a confession."

The CSO and lead investigator should meet early to outline a game plan for the investigation. This will include a discussion of the resourcesboth technical and manpowerthat the investigation will likely require and some initial goals. "We talk about what we have and where we think this is going to take us," says Campion. "Even if it's a small case, we lay down those road markers." At 3M, the investigative unit has also found that by reaching out to the business unit early, it buys them goodwill and assistance when they need it. "It's best to meet or communicate with that division's vice president because not only can we get additional perspective, it buys corporate security the support it needs to do its job. So we're never in the position of being the snoopers."

As an investigation unfolds, the lead investigator should report to security executives at frequent intervals to assess their progress and refocus and amend the operation if necessary. At 3M, the investigative unit has a process called case review. Every other week the investigative teams gather around a table for an hour to discuss the cases they're working on. "This is not to show how busy we all are," says Campion. "It's a chance to throw out what we're working on, leverage the talent and expertise of the team, and draw out some new ideas and approaches."

After an investigation is concluded, it's also important to ensure that the business leaders involved are apprised of the findings so that they don't come back six months later wondering what happened to the investigation. This is an area where many investigative teams lose a lot of goodwill. At 3M, investigators typically wrap up each case with a formal findings meeting. They also cherry-pick their biggest cases and every quarter issue a report to senior management that includes a short paragraph about each case and what's been done to resolve it.

Whether a company decides to go public with the results of an investigation is another matter. The CSO and senior management have to weigh the potential downside of pressing charges: the expense and, in some cases, the potential damage to the company's reputation. But there are often benefits. If money was stolen, for example, restitution might be a possibility. Elaine Wood, a managing director with Kroll, recently led a forensic audit to trace $13 million that had been stolen by an employee of a New York money management firm. The company was able to recover more than $5 million in assets. Going public can also discourage other would-be offenders from attempting the same crime. However, sometimes the only benefit is to the public good, and even that is no small thing.

A few years ago, Marquet worked on a case where he was tasked with vetting a CFO candidate for a public company. In investigating his background, Marquet discovered that a previous employer had fired him for misappropriating corporate funds. Because the previous employer had brought civil charges, Marquet was able to find out what had happened and prevent his client from making a potentially disastrous mistake. "I think it's incumbent on companies to go after individuals who do [such] acts and bring it to light," says Marquet, "so that they won't get into a position of trust again."

Copyright © 2005 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a SIEM solution: 11 key features and considerations