International Organization for Standardization issues ISO 37008 about internal investigation of organizations
The complexity of these processes exposes companies to risks in various dimensions, particularly in the absence of qualified and trained personnel to conduct these processes or a guide for these purposes. Failure to conduct an investigation - or conducting it incorrectly - can lead to adverse effects in economic, labor, criminal, data protection, or reputational aspects.
On this point, last July, the International Organization for Standardization ("ISO") issued Standard 37008, that, although not mandatory, becomes a relevant tool to orientate conducting internal investigations within organizations (the "Standard"). The Standard is directed to organizations of any type, size, location, structure, or purpose.
The purpose of the Standard is to establish the principles applicable to investigation processes; support investigations; establish policies, processes, and standards for conducting an investigation; set criteria for communicating results; and provide guidance for the implementation of corrective or remedial measures.
The main principles outlined in the Standard, according to which companies should conduct their internal investigations, are as follows:
- Independency: An internal investigation should not be influenced or controlled by other people, events or incentives in relation to the subject matter that is being investigated.
- Confidentiality: All documents and information gathered in the context of an investigation, including records, evidence and reports, should be treated in a confidential and sensitive manner. The documents and information should only be revealed on a “need to know” basis and investigators should be aware of applicable statutory laws and regulatory requirements.
- Competency and professionalism: An internal investigation should be conducted by investigators who have professional skills, knowledge, experience, attitude, and capacity to ensure the quality of their work.
An internal investigation should be conducted with integrity, fairness, truthfulness, tenacity, trust, emotional intelligence, good judgement, and diligence, and completed in a timely manner.
- Objectivity and impartiality: An internal investigation should be free from conflict of interest, conducted objectively and based on factual evidence. The investigation should not be influenced by personal feelings, interpretations, or prejudice.
- Legality and lawfulness: Those establishing or conducting an internal investigation should identify the regulations and applicable statutes and legislation in all applicable jurisdictions to ensure the legality of the investigation.
The Standard also emphasizes the importance of the company's management supporting the establishment, implementation, maintenance, and continual improvement of internal investigations. This support includes allocating resources and committing to an independent, objective, impartial, and confidential internal investigation.
Regarding the investigation's process – including its preliminary stages and the ones after its completion - the Standard establishes criteria for preserving and securing evidence, protection of wellbeing and support to personnel involved in an investigation and anti-retaliation. It also highlights the need of conducting a preliminary assessment, determining the scope of the investigation, planning the investigation, and updating the plan as needed, documenting evidence gathered, conducting interviews with involved individuals and witnesses, preparing the investigation report, and implementing post-investigation measures, including disciplinary actions.
The issuance of the Standard makes it advisable to review and eventually adjust the internal investigation procedures and protocols of companies and/or train the teams in charge of conducting them to align with the good practices on these matters contained in the Standard.
Link to article