The new ISO 37008: guide for internal investigations

Last July, ISO 37008 was published, consisting of a guide for conducting internal investigations in any kind of organization. The standard comes after the transposition of Directive (EU) 2019/1937, on the protection of whistleblowers, in most of the countries of the Union. The process has taken longer than expected (the period granted to the Member States was two years), with three notable delays: Spain (February 2023), Italy (March 2023) and Germany (June 2023). Estonia and Poland still do not comply with the transposition mandate.

The guide sheds some light on an area that until now has lacked regulatory references. Although the rules transposing Directive (EU) 2019/1937 regulate some aspects of internal investigations, especially those related to the reception and processing of complaints, most of the procedure remains devoid of legal regulation, at least in Spain. In our Law No. 2/2023, of February 20, the scarce regulation of the investigation procedure in private entities stands out (see arts. 10 to 12), which contrasts with what is provided in relation to investigations carried out by the independent authority (see arts. 16 to 24).

Hence, the publication of this international standard is very welcome, although the guide does not answer the fundamental legal questions raised by internal investigations: rights and duties of those investigated; confidentiality of the documentation generated with the investigation (interview minutes, for example) in relation to a judicial procedure; compatibility of the investigations with the administrative or judicial procedures initiated or potentially initiated; among others.

The main contribution of ISO 37008 is to offer a complete outline of the different phases and aspects that must be taken into account in an internal investigation, from the principles that should inspire the actions of the people who carry it out (independence, confidentiality, professionalism – honesty (truthfulness), impartiality, legality – section 4 of the guide) to basic issues regarding communication with interested third parties (stakeholders), including public authorities (section 10).

Before establishing the phases and measures that should make up an investigation procedure (section 8), the importance of the highest management bodies of the organization showing their commitment to the principles that should inspire these investigations is highlighted, allocating the resources that are necessary so that their involvement can be considered real and effective (tone from the top). The flip side of this requirement is that the organization’s top officials be reasonably informed of the existence and course of the investigations being carried out (section 5).

The commitment of the highest management bodies to the principles set out in section 4 must be translated into an internal investigations policy in which such principles are specified. It must be determined which people or functions will be competent to agree to and/or conduct an investigation within the organization, with what powers, with what limits and, in any case, what rights the investigated persons may have. Documentation of the results of the investigation must also be required, as well as their confidentiality, among other things (section 6).

It is also considered essential to adopt measures to protect both personal evidence (witnesses) and real evidence (material sources of evidence, such as physical and/or digital documents, etc.). Likewise, attention must be paid to the protection needs of any of the people involved in the investigation, especially against reprisals (section 7).

Regarding the investigation procedure in the strict sense, several guidelines stand out. First, it is required that the team has the appropriate mandate (section 8.1.º) and that the internal reporting line of the investigation to the highest management body of the entity is defined from the beginning (8.2.º). The objective, subjective and geographical scope of the investigation must be defined (8.3.º), with any modification in this regard being documented. In matters of confidentiality, the parties involved must be asked, in writing or verbally, to maintain maximum confidentiality, under the warning of the legal consequences of a possible leak (8.6.º). Regarding the interviews, the need to document their content is confirmed, obtaining the interviewee’s agreement with the minutes or document that is drawn up recording the conversation (8.9.º). It is also required to document the results of the investigation (final report), although when there is litigation that has been initiated or is foreseeable, legal advice must be requested regarding the confidentiality of the documentation generated with the investigation (8.11.º).

Although it does not have to be part of the assignment made to an internal investigation team, the guide also contemplates the steps to follow in the event that the team is asked to propose measures to repair or improve the internal organization in view of the violations detected. In this regard, the guide highlights the need to take into account the principle of proportionality and to monitor the proposed measures. Within the framework of these measures, the review of the compliance system must also be contemplated in order to minimize the repetition of similar infractions in the future (section 10).

At the moment, compliance with the standards contained in this guide does not qualify for any certificate from the International Organization for Standardization.

Internal Investigations Department

29th September 2023
