The Venn Diagram of Risk Assessment and Investigation

CHEAT SHEET

  • Document review. It can take internal counsel away from other tasks, costing the company more than external counsel’s hourly rate.
  • Witness interviews. Interviewing witnesses before all of the documents have been gathered or reviewed, and then again afterward, is allowed and often helpful.
  • Reporting. Plan ahead who will lead the presentation — internal counsel typically have more credibility, while external counsel are seen as more independent.
  • Solutions. Collaborate with external counsel to create and monitor a corrective action plan.

No matter your company’s size, industry, location or legal budget, increased scrutiny by authorities is prompting more focus on regulatory compliance. This article discusses the interplay among the compliance department, in-house counsel and external counsel for two compliance-program elements in which these three entities often interact — risk assessments and investigations. This article will help you decide whether, when and how to use external counsel and help you protect your company by improving your compliance program, decreasing costs and protecting against discovery of information that should be privileged.

Attorney-client privilege and work-product protection

Before we begin, a brief preliminary discussion of the general rules, purpose and protections of attorney-client privilege may be helpful in understanding its limits and applications.

The purpose of the attorney-client privilege is to encourage open dialog between attorney and client. Though there are some jurisdiction-specific rules, in general, the attorney-client privilege protects from discovery communications by and between the attorney and client, made for the purpose of seeking or providing legal advice. It does not prohibit discovery of communications with an attorney for other reasons, communications to an attorney when unnecessary parties are present (e.g., trying to keep a strictly business communication privileged by cc-ing an attorney) or communicating underlying facts.

The work-product doctrine is similar to the attorney-client privilege. Work-product protection is harder to waive and broader in scope: it makes materials prepared by or for another party or its representative, in anticipation of litigation, ordinarily immune from discovery.

The attorney-client privilege and work-product doctrine are crucial protections and may have a critical bearing on whether you involve external counsel. However, US attorneys general have articulated different positions on corporate cooperation if the company decides not to waive these protections during an investigation.

The Upjohn case (1981) best articulates the factors used to determine whether a communication with a corporation’s counsel, particularly in-house counsel, should be protected by privilege. Essentially, the factors are:

  • whether the communications were made by employees for the purpose of obtaining legal advice;
  • whether the communication contained information needed by counsel to give legal advice;
  • whether the employee knew the purpose of the communication was to obtain legal advice for the company;
  • whether the information concerned matters within the scope of the employee’s duties;
  • whether the communications were ordered to be and remained confidential; and
  • whether the employee was warned that the company owns and can waive the privilege without his or her permission.

US courts have eroded the privilege for in-house counsel, noting that in-house counsel give both legal and business advice. In a given communication, it can be difficult for a court to discern which one is being sought or provided. Further, some communications contain elements of both business and legal advice. It might be a good exercise to review some of your own emails that you think are privileged and ask whether they meet all of the above criteria. In-house counsel can unobtrusively clarify emails with helpful reminders such as, “Thank you for requesting my legal opinion regarding …”

Risk assessments

In addition to being a best practice, the regular performance and documentation of compliance risk assessments is required by the laws applicable to many industries.* Most US states have enacted consumer data security laws that provide similar requirements across industries. Even if the laws in your jurisdiction do not explicitly require you to perform a risk assessment, you have likely already found that doing one can save your company a lot of money in the long run — by avoiding fines and litigation and improving quality and efficiency.

* For example, 45 CFR §164.308 requires this of health-care providers and business associates for data security.

Risk assessments can be done internally or externally, tend to be less formal than audits and more focused on proposing potential solutions to any problems discovered. Therefore, they can arguably be privileged if performed by attorneys for the purpose of finding facts and advising legal action. This is important because the recommendations and corrective action plan from the risk assessment will generally contain opinions that might otherwise be admissible and harmful. However, when performed for regulatory compliance purposes, or if your company uses the advice of defense counsel after a problem arises, your company may wish or be required to waive the privilege.

The risk assessment may use both internal and external counsel by using in-house attorneys to define the scope of the assessment and external counsel for their experience with the practices of multiple companies. For example, if your company has any customers who are California residents, then you are required by California law to use “reasonable and appropriate security procedures and practices to protect consumer data.” To determine what is reasonable and appropriate, you are likely to perform a risk assessment, and you may need help from external counsel.

What, if anything, about the risk assessment should be or stay privileged?

You expect the risk assessment to find instances in which your company’s practices are not living up to the legally required standards. You do not want this information to become public or admissible. But if your company experiences a breach, audit or lawsuit, the best mitigating evidence you can provide is a risk assessment and proof you are following its recommendations within a reasonable time frame. To satisfy regulators, you will have to provide documentation of the risk assessment.

Prior to commencing a risk assessment, we recommend you understand that all or part of it may be found by a court not to be privileged. Even if privileged, you may later decide to waive the privilege for the entire assessment or for certain aspects. Remember that you generally cannot waive the privilege for certain documents on one topic without waiving it for everything on that topic. Thus, you may not be able to waive the privilege regarding only the final report and action plan but may also be forced to show regulators the intermediate documents. If possible, try to protect these via work product, and try to protect whatever documents you do provide via protective orders, stipulations or both.

If your internal compliance or audit department is sophisticated and has appropriate bandwidth, it may be able to save your company money by doing all or most of the work in-house. But regardless of what proportion of the work is performed internally, having internal or external counsel help define the scope and monitor progress can increase efficiency and may help protect work product from discovery. An added advantage to this structure is that internal personnel will gain direct knowledge of areas for improvement while performing the risk assessment and thus be more effective when implementing solutions.

Investigations

Compliance investigations have elements of routine business practices, legal advice and preparation for litigation. The decision of whether to involve in-house counsel, external counsel or both should be made as early as possible. If the compliance department starts performing the investigation on its own and learns that it should involve legal, “better late than never” applies, but it is possible that the privilege will never attach to interviews and investigation materials. In addition, the potential benefit of the experience of a skilled attorney is greater the earlier he or she is consulted regarding direction.

Rather than rehashing factors as to whether external or in-house counsel should handle the primary duties or overall responsibility for an investigation, this article looks to specific aspects of an investigation and discusses factors to consider when divvying up duties between internal and external counsel.

The allegations

The allegations themselves are the biggest factor in determining whether and in what capacity to engage external counsel. If the allegations require content-specific expertise that is not within the company’s legal department, external counsel can be a great resource. But there is a big difference between asking external experts for guidance versus engaging them to lead or conduct an investigation. Also, your company probably cannot afford to punt to external counsel every time there is a compliance issue with elements outside of your department’s expertise.

Before deciding whether and how to involve external counsel, you should evaluate the credibility and severity of the allegations. How likely are they to be true, and if true, how quickly do you need to know? If you expect to eventually need to call in external counsel to help disclose findings to regulators, it is often helpful to have them on board early.

The scope

Though not always the case, external counsel usually have a more detailed understanding of the relevant fine points of law and industry standards, whereas in-house counsel usually have a better understanding of organization dynamics. Both industry norms and organization dynamics are critical to defining the scope of the investigation. Consider not just what the allegations state but also what they imply and what else needs to be investigated.

In-house counsel need to make sure external counsel do not set the scope of their own work, as this could lead to a conflict of interest. In-house counsel also need to monitor the hours and work product to ensure that the work performed accurately fits within the scope and budget. If in-house counsel, or someone to whom counsel reports, is one of the parties under investigation, it can be helpful to ask the compliance committee to appoint a single point of contact so decisions regarding scope can be made and documented quickly.

Document review

The bandwidth of external counsel can be helpful for reviewing large volumes of documents, although this comes at a price. However, there are considerations other than cost. For example, if the compliance officer will be leading an interview with one of the main suspects, it is helpful if the compliance officer performs as much of the review of the suspect’s emails as possible, so that the relevant facts are fresh and the officer has a feel for the themes of the emails that cannot be gleaned from reading a report prepared by external counsel.

Document review can be time-consuming and thus expensive, and in-house counsel are frequently evaluated on the amount spent on external counsel. Though this one data point can be meaningful, it is just one data point. In-house counsel should not be pressured to save costs above all else. Just because the legal department has the bandwidth in a certain circumstance to perform the necessary document review does not mean that in the long run doing so will be cost-effective. Document review can take in-house counsel away from other tasks, costing the company more than external counsel’s hourly rate.

Remember that having external counsel review documents does not make them privileged, and it is important to remind others in your organization of this.

Witness interviews

In-house counsel and compliance usually know the witnesses. This can be advantageous for encouraging open participation and cooperation if they have developed a positive rapport. But it can cause problems if hard questions need to be asked and the employees are likely to have to work with internal counsel and compliance. If both internal and external counsel will be present, it is important to discuss, ahead of time, who will lead the interview, the rights of the accused (i.e., presence of union representative, ability to stop the interview and obtain counsel) and who should ask which tough questions. We have found that sometimes external counsel are so used to having only one chance to depose witnesses that they may forget that they can interview employees as many times as they need. Thus, interviewing witnesses before all of the documents have been gathered or reviewed, and then again afterward, is allowed and often helpful.

Reporting

Each organization has different dynamics regarding upper management and the board’s perception of internal versus external counsel. Frequently, in-house counsel have more credibility because of the time they spend working with leadership. External counsel are frequently seen as more independent because they do not maintain a working relationship with management. In addition, leadership often takes notice of a big name and a high-priced firm — even if the only reason is the expectation that because a lot of money was spent, the work product must be good. Plan who will lead the presentation and who will present which points.

Drafting a final written report can be time-consuming and expensive. Attorneys generally want to ensure they have reviewed all documents and included all findings to avoid later questions about work quality and thoroughness. If in-house counsel or compliance intends to draft the final report or presentation, take great care to ensure that privileges are maintained.

Creating and auditing a corrective action plan

Best practices involve collaboration between internal and external counsel in creating and monitoring a corrective action plan. Though external counsel tend to have more industry understanding from multiple clients, in-house counsel tend to have a much better understanding of the operational realities for your company. Proposed solutions are useful only if they can actually be implemented.

Conclusion

We hope this article has helped guide the integration of in-house counsel, external counsel and compliance at your company by reminding you of the issues to consider when planning for risk assessments and investigations. We have found that asking the right question is far more valuable than trying to have the answer, as it prompts you to think about what you are looking to accomplish and how it will be used.

Further Reading

See Hickman v. Taylor, 329 U.S. 495 (1947); see also Fed. R. Civ. P. 26(b)(3).

Sarah Helene Duggin, “The McNulty Memorandum, the KPMG Decision and Corporate Cooperation: Individual Rights and Legal Ethics,” 21 Georgetown Journal of Legal Ethics 341 (2008).

U.S. ex rel. Baklid-Kunz v. Halifax Hospital Medical Center, 2012 Dist. LEXIS 158944 (2012).

California Civil Code §1798.81.5(b).