Purpose and principles
Internal investigations protect people, assets, and reputation. Done right, they encourage reporting and deliver outcomes that withstand legal and regulatory review.
Program architecture
- Clear mandate: What issues qualify (harassment, fraud, data misuse, safety)? What’s out of scope?
- Intake channels: Anonymous hotline, manager route, security/legal inbox—one case system behind them all.
- Role clarity: Case owner, investigator, legal counsel, HR partner, communications.
- Confidentiality by default: Need-to-know access; documented sharing decisions.
Evidence handling (non-negotiables)
- Preservation first: Issue legal hold; prevent spoliation; snapshot systems as needed.
- Chain-of-custody: Unique IDs, timestamps, handlers, storage locations.
- Forensic soundness: Read-only captures, hash values where applicable.
- Sensitive media: No redistribution; summaries only; consult counsel.
Procedural playbook
- Triage & scope: Allegation, risk level, immediate protections.
- Plan: Sources, interviews, timeline, communications guardrails.
- Execute: Collect, corroborate, document deviations from plan.
- Conclude: Findings, substantiation level, recommended actions.
- Close-out: Notify parties, update policies, training, and controls.
30 / 60 / 90-day plan
- Day 0–30: Draft mandate; choose a case system; define roles and confidentiality rules.
- Day 31–60: Publish intake options; train investigators; test legal hold and evidence workflows.
- Day 61–90: Run a mock investigation; add metrics to the board packet.
Metrics
- Time from report to initial contact; time to close.
- % of cases with full chain-of-custody and signed findings.
- Reporter satisfaction (post-case anonymous pulse).
Pitfalls
- Ambiguous ownership: Cases stall without a named lead.
- Over-collection: Creating privacy exposure and discovery risk.
- Silence post-case: No policy fixes, no training updates.
Result
A fair, repeatable process that protects people and holds up under scrutiny.