ISO 37008: Internal investigations within organisations

In recent years, ISO has released multiple standards to guide organisations in developing, measuring and reporting on key aspects of their compliance programmes. The most notable of these, ISO 37001, focuses on anti-bribery and corruption, while another, ISO 37031, provides general principles and requirements that organisations can use to build systems around any major compliance programme area (such as due diligence, export controls or even ESG-focused areas such as human rights).

The timing of ISO 37008 couldn’t be better. Given the advent and proliferation of several new compliance and ESG laws with critical requirements around reporting and investigations (such as the German Supply Chain Due Diligence Act, Australian Human Rights Act, and bribery laws such as the United States Foreign Corrupt Practices Act and United Kingdom Bribery Act), ISO 37008 provides organisations with guidance on how to develop and manage programmes for these areas.

In this article, we will discuss:

• the key concepts outlined in this standard
• how organisations can more effectively manage reporting and investigations requirements imposed by compliance and ESG regulations by getting certified against ISO 37008.

ISO 37008’s key concepts

ISO 37008 sets out five areas to guide organisations in developing their investigations programmes, being:

• core principles
• resources and expertise to carry out investigations
• establishment of policies and procedures
• reporting
• application of remedial measures.

ISO 37008 espouses traditional principles around which most corporate investigations programmes are built. These principles remind organisations to ensure that investigations are:

• independent
• confidential
• conducted by skilled professionals
• objective and impartial
• conducted in accordance with applicable laws.

ISO 37008 places great emphasis on ensuring that the board (referred to as ‘the governing body’) and executives (referred to as ‘top management’) invest in the investigations programme so that competent, skilled resources are in place to manage investigations. While this may seem obvious, the standard emphasises that organisations must also demonstrate commitment to allocating financial and physical resources for managing investigations. The standard asks organisations to utilise appropriate technology platforms to manage reports and investigations and commit financial resources to invest in these products.

Beyond skill, expertise and money, ISO 37008 also emphasises that the governing body and top management must ensure the independence and impartiality of the investigations programme. If you are familiar with other ISO standards on compliance (such as ISO 37001), ISO tends to place great importance on the top levels of an organisation demonstrating commitment to compliance. Unlike other frameworks, the responsibility for compliance and ethics doesn’t exclusively lie with compliance and ESG departments; instead, the board and executives need to ensure there is clear communication between themselves and integrity-focused teams so that the latter are empowered to carry out their responsibilities and have a direct line of communication to top levels of the organisation.

ISO 37008 requires organisations to develop a policy to govern the investigation process. While most large organisations already have such documents in place, the standard highlights key elements of the investigations programme that should be explicitly described in the policy, which is essential if you intend to seek certification.

Where ISO 37008 may prove most useful is section 8, which governs the planning and execution of the investigation process. One of the key aspects described in section 8 is establishing a ‘reporting line’, which can be separate from the team carrying out the investigation work. According to the standard, this reporting line should ensure the impartiality of the investigative team, consider whether authorities need to be contacted (based on the nature of the incident), and assess the risk and impact to the organisation. The investigation team should keep the reporting line updated as the investigation is carried out.

The standard also calls on the investigation team to conduct and document a preliminary assessment of potential incidents. While most organisations likely have a triage process in place, the preliminary assessment, as described in the standard, helps ensure that organisations clearly document key aspects of each investigation, such as contacting relevant parties, determining business impact, considering relevant environmental and legal issues, and deciding whether external counsel or support should be gathered. The need for a documented preliminary assessment also highlights the need for utilising software or investigations platforms that can record this information.

Section 8 also provides more in-depth information on the technical aspects of investigations, such as electronic data collection, preservation, analysis and review. The appendix to section 8 lays out interesting suggestions that many organisations can benefit from, including:

• ensuring confidentiality is emphasised with the reporter of a potential incident through what the standard refers to as a ‘written caution notice’
• implementing a ‘review protocol’ to ensure efficient management of key documents through the use of keywords, tagging and categorisation
• staying cognisant of potential interference with an investigation.

ISO 37008 outlines conducting a ‘finalisation process’ that marks the end of each investigation and must include evidence-based findings and sufficient determination of results to initiate remediation.

The standard lays out critical requirements for crafting an investigation report. These requirements include:

• the addition of exhibits and important attachments
• summarising facts
• setting out limitations and constraints
• preserving confidentiality through organisational document retention standards.

Once again, software can help in this regard.

The final pertinent sections of ISO 37008 cover remedial measures and stakeholder interaction. When it comes to taking effective action following an investigation, the standard goes beyond simply stating that remedial action should be fair and proportional to the issues discovered. Instead, the standard highlights the need for companies to identify compliance gaps and vulnerabilities so that longer-term improvements can be made to relevant compliance programme areas.

The final section on interaction with stakeholders covers several aspects of communicating outcomes, next steps and reporting to relevant parties. The standard covers the topic of careful disclosure to authorities, highlighting that compliance and integrity teams should discuss investigation results with the governing body and top management, determine whether disclosure is needed (or beneficial), and consult with legal advisors before communicating.

Applying ISO 37008 to critical compliance and ESG laws

Designing your investigations programme based on the guidelines and requirements in ISO 37008 can help you more effectively comply with specific compliance and ESG laws.

Foreign Corrupt Practices Act (FCPA)

While there are no strict guidelines on how companies should develop their anti-corruption programmes to meet the requirements of the FCPA, one key document that has been used for years is the Department of Justice’s (DOJ’s) ‘Evaluation of Corporate Compliance Programs’ guidance. In this document, the DOJ lays out criteria that prosecutors may use when evaluating a company for potential misconduct.

One of the key programme areas that prosecutors will evaluate is an organisation’s confidential reporting structure and investigation process, which the DOJ indicates is ‘highly probative’ of whether a company has established corporate governance mechanisms. Many of the specific factors that prosecutors will evaluate align with key sections of ISO 37008, including:

• having a process in place to properly scope an investigation
• employing a methodology to ensure investigations are independent, objective and documented
• the allocation of sufficient funding for the mechanisms and tools utilised as part of the reporting and investigations programme.

Beyond alignment with guidelines regarding the FCPA, ISO 37008 can help manage anti-corruption matters in several practical ways, including:

• ensuring the organisation has a process in place to field concerns and reports regarding common bribery schemes, such as kickbacks to suppliers, the creation of slush funds to induce improper business advantages from government officials and customers, and the provision of benefits in violation of company gifts, meal and entertainment policies
• providing guidelines on implementing digital and forensic tools to research and examine documents and transactions describing potential instances of bribery, such as emails, text messages, invoices and receipts
• creating reports that clearly lay out each investigation’s allegations, known facts, involved and affected individuals, and outcomes

giving guidance on determining how and whether a company should disclose potential findings to authorities – in the FCPA context specifically, this could include disclosures to reduce the severity of penalties or to precipitate entering into a deferred or non-prosecution agreement with enforcement authorities.

The German Supply Chain Due Diligence Act (SCDDA)

The SCDDA came into force in early 2023. It is Germany’s first regulation to hold companies responsible for potential human rights violations and environmental concerns. To comply with the SCDDA, companies must implement management systems to monitor relevant risks within their operations and supply chains. Some of the key processes that must be developed include:

• a policy statement that sets out procedures for monitoring human rights and environmental risks, and expectations for suppliers and employees
• a reporting procedure that allows employees, suppliers and concerned individuals to disclose potential violations
• annual reporting to government authorities on the results of due diligence and investigations.

Getting certified against ISO 37008 can better prepare organisations for compliance with the SCDDA. ISO 37008 certification ensures the implementation of several processes that will be useful for SCDDA compliance, such as:

• revising policies to communicate that company reporting lines can be used to disclose potential human rights and environmental violations in addition to traditional issues such as corruption and human resource matters
• setting up an accessible reporting procedure and tools for use by both internal and external stakeholders
• creating procedures for investigating, managing and reporting human rights and environmental issues.

Since the SCDDA requires third parties (suppliers, customers, concerned individuals) to have information on how to report, companies may want to consider setting up a public-facing policy on their website while retaining an internal policy that outlines investigation procedures.

Compliance with the SCDDA can be accomplished more easily by referencing the requirements of ISO 37008.

The Corporate Sustainability Reporting Directive (CSRD)

The CSRD went into effect in early 2023 and requires companies to report on the sustainability of their business practices.

The first major section of the CSRD requires organisations to report on various strategic initiatives and goals around sustainability, such as actions to limit global warming, tactics to meet carbon neutrality by 2050 and internal sustainability policies, as well as the resilience of the organisation’s business model and strategy for sustainability.

The CSRD’s second major section is focused on due diligence; for this directive, ‘due diligence’ refers to information-gathering processes to determine adverse impacts caused by the organisation’s operations and supply chain. One of the key aspects of this section is actions taken by the organisation to prevent, mitigate, remediate or end adverse impacts caused by the organisation. By referencing ISO 37008, organisations can ensure their reporting and investigations processes are set up to field and manage inquiries related to sustainability. While some may consider sustainability issues as less pressing or less relevant from a legal standpoint, they should also remember that sustainability issues can affect those without a voice or who have less access to recourse, such as local communities affected by a company’s operations, customers or suppliers in local markets. By including sustainability issues in reporting and investigations, organisations can more readily manage adverse impacts caused by their operations and ensure accurate disclosures for compliance with the CSRD.

Conclusion

ISO 37008 provides companies with a way to standardise their reporting and investigations protocols while providing a framework to tailor these processes to manage key requirements in new and existing compliance and ESG regulations. From a business perspective, the standard offers a way for organisations to demonstrate that their internal compliance processes align with best practices.