Skip to content
Compliance & Risk

Evolving risk in the changing landscape of corporate investigations

Eric Hines  Partner / StoneTurn

· 7 minute read

Eric Hines  Partner / StoneTurn

· 7 minute read

Technology and workplace behavior has changed much since the pandemic, now corporate investigations need to adapt to these changes

Three years since the onset of the global pandemic, many of the cultural and behavioral transitions that resulted have persisted. Technology remains the bridge between physical and online experiences, particularly in corporate settings. Indeed, this year, 71% of the U.S. workforce will be made up of fully remote or hybrid knowledge workers, according to Gartner. This means information is being transferred and exchanged digitally at a rate and capacity unlike ever before.

With such a step up in activity and the volume of information exchanged, corporations have seen their digital footprints grow exponentially — and with it comes increased risk. For a corporate investigator, this can dramatically change the scope and reach of an investigation. And for organizations, this means time is past-due for taking stock of this new reality and what it means for risk management.

A digital-first ecosystem: Increasing volumes of evidence

The transition to remote and hybrid workforces has had a significant impact on corporate investigations. To start, there is more data and information being exchanged. From Slack messages to Teams calls, data is being logged at an unprecedented magnitude — much of which may need to be preserved under an organization’s retention policies. This inherently multiplies the volume of data that can be pooled and dissected by corporate investigators.

While the proliferation of these information channels has opened opportunities to communicate across the organization, departments, and geographies, it has also normalized the exchange of information — some of which may be privileged, sensitive, and confidential — in a more candid or casual demeanor. Such information can provide critical evidence in an investigation when properly preserved. And investigative teams should be conscious of not only how to collect and analyze such information, but also whether there are appropriate governance and controls in place to manage access within an organization.


The transition to remote and hybrid workforces has had a significant impact on corporate investigations. To start, there is more data and information being exchanged.


Similarly, another by-product of remote work is the increasing trend of bring your own device, in which employees may be using their own personal laptops or phones to do work or access work-related information. In many cases, these devices are not configured with the proper security and infrastructure aligned with the organization’s compliance posture. Worse yet, they can create opportunities for accidental or deliberate misuse or loss of data. In this instance, too, employees’ personal devices may be in play for investigative fact-finding, if handled appropriately.

Organizations should have policies and procedures in place, such as acceptable use policies and technical guardrails, that make clear from the beginning whether and how employees are allowed to access company email and other records from personal devices. The onus is on the organization — often its IT, Legal, and Compliance personnel, working collaboratively — to monitor employees’ access and communication as it relates to business matters across channels and devices. For organizations in highly regulated industries, such as financial services, failure to capture this information can result in costly fines or other regulatory sanctions.

New software solutions yield opportunities and risks

Emerging software is also being used across functions and teams, from Finance and Accounting to HR and Legal, in order to streamline data management and process workflows. Ten years ago, an investigation may have been exclusively focused on information collected from a single department, such as Finance, but corporate investigations today can leverage data and other evidentiary material, and the insights they provide, across various functions.

Cloud-based software tools are becoming increasingly cross-functional. For example, the Sales team may use the same platform for customer relationship management (CRM) and leads that the Finance team uses for timekeeping and billing, customer opportunities, payments, and invoices. Leveraged across the organization, the software — and its corresponding data — can provide a more complete view of a specific issue.

Cross-referencing this data with other available systems, such as travel and expenses, can provide a wealth of investigative insights. For example, an investigator might observe how trends of expense patterns relate to CRM activity (i.e., client touches), and identify possible red flags for fraud or problematic third-party interactions. This kind of data can present information that may not otherwise be discernible from an email or interview alone and can help bring together pieces of the investigative puzzle that may have otherwise been residing in silos.

The typical investigation today often intersects with different functions of the organization than has traditionally been the case. As more organizations shift to data-driven processes, the opportunity to find, analyze, and extrapolate new and meaningful insights in an efficient, cost-effective manner has become imperative. However, in order to have the ability to analyze such data, organizations must have clear policies in place surrounding record-keeping, access protocols, and accountability.

What’s at stake: It starts with good governance

As employees become increasingly comfortable with hybrid work models, there can be a natural tendency for their guards to drop, resulting in lapses in internal controls, oversight, and compliance. This heightens organizational exposure to risk, internal wrongdoing, or fraudulent behavior — all of which needs to be considered in a corporate investigation.

Given post-pandemic realities, coupled with growing regulatory scrutiny, organizations need to consider the information at their disposal, associated risks, and the cost-benefit of the manner in which risk is addressed. While change can be difficult to oversee, there are key steps organizations can take to safeguard their business and improve the information available for corporate investigators.


While the proliferation of these information channels has opened opportunities to communicate across the organization, departments, and geographies, it has also normalized the exchange of information — some of which may be privileged, sensitive, and confidential — in a more candid or casual demeanor.


First, organizations must be adept at conducting risk assessments, and updating those processes periodically, to more clearly understand current and new vulnerabilities that may be on the horizon. Second, organizations should account for the data, systems, relevant processes, and emerging resources at their fingertips. This should include compiling an inventory of relevant systems and corresponding data to better document and track core information that could be available for investigative and compliance use. Generating this inventory of systems and data is particularly important given the increasing focus by regulators, such as the U.S. Department of Justice, on how organizations use the information at their disposal to monitor compliance with laws and regulations.

Additionally, findings from data-driven tests and analyses can be leveraged for a more quantitative, automated, and repeatable risk assessment processes, which could then complement the key learnings derived from traditional risk assessments over time. Indeed, pulling together both approaches can help identify potential modifications and strengthen an organization’s overall risk resilience.

Finally, investigation and compliance leaders should develop a framework for systematically addressing risks by asking introspective questions.

The world has changed, and good governance and enhanced use of available information are needed now more than ever before. By getting a handle on new technologies — while considering their impact on processes, policies, and procedures — organizations can be better prepared to help paint a holistic picture when an investigation is underway. Or, at least, they should be able to identify red flags to help avoid sweeping investigations in the first place.

More insights