Companies face an ever-changing constellation of risks, enforcement priorities and demands for internal controls and compliance program elements. As more resources are poured into government enforcement programs, companies have to “reinvent” compliance programs to incorporate new priorities and demands.

Many companies have established complaint systems and internal investigation programs to conduct routine and serious investigation. In most cases, these systems do not adequately address whistleblower risks, as well as more recent requirements created by the Yates Memorandum and the FCPA Pilot Project.

A company that is subject to the False Claims Act, as well as SEC and CFTC whistleblower programs, should have a robust program to promote a Speak Up culture. As the SEC and CFTC whistleblower programs become more mature, companies can expect a larger number of complaints.

A company’s internal investigation program has to identify potential whistleblower complaints as early as possible, subject them to expedited triage to evaluate the merits and then decide on a strategic response. Instead, most companies sit and wait, fail to examine the matter, and then act surprised when they receive a letter from the SEC or the Justice Department opening an investigation and requesting documents. Companies have to develop a more effective proactive strategy to prevent a reactive response.

The Yates Memorandum has created an even greater need to re-examine and revise internal investigation protocols. Given the Yates Memorandum requirement of full cooperation in order to receive any credit, and that companies focus their investigations on individuals who may be liable, companies should incorporate this priority into their internal investigation protocols. A company should — from the inception of its internal investigation — identify individuals who may be culpable and design its investigation to collect evidence relating to each individual. A company’s internal report of an investigation should require a careful analysis of each individual who may be liable and the evidence against each individual.

Yates is not a relevant concern for run-of-the-mill investigations where the company is unlikely to have liability, but a company’s internal investigation protocol should address the Yates category of investigations where a company may decide to disclose the matter to the Justice Department. In many of these so-called potential Yates cases, the company will retain outside counsel to conduct the investigation.

In the FCPA space, the Pilot Project requires that a company disclose a violation to the Justice Department and cooperate by conducting a robust internal investigation. In the Analogic FCPA settlement with the Justice Department and the SEC, Analogic did not receive full cooperation credit because its internal investigation failed to uncover information about the identities of a number of state-owned end users of Analogic’s products and did not disclose certain statements made by employees as part of the internal investigation. As a result, Analogic earned only a 30 percent discount from the bottom of the sentencing guideline range as opposed to a potential 50 percent discount.

The Analogic FCPA settlement underscores the importance of conducting a full and complete internal investigation. Analogic’s report to the Justice Department and the SEC appears to have omitted important facts that the government investigators discovered.

In light of these developments, companies can no longer rely on outdated internal investigation protocols. A fresh review and revision is needed, along with appropriate training, templates and other controls to ensure that a company has adequate resources and guidance to respond to a potential violation, investigate the matter carefully, and make an informed decision on the appropriate response.