/upright/images/upright-primary-logo-t4bcd.png){kind=logo}
Login
Facing the prospect of a dawn raid or a surprise visit from regulatory authorities can be a daunting experience for any organization. We’ve all feared it, and it has happened to some of us: authorities may visit in person, without being announced, and it’s so much better to be prepared than to be sorry.
In this guide, we will explore a few points to ensure we and our teams are as prepared as we can if it ever happens!
1. Establish Clear Procedures and Guidelines for Receptionists
Receptionists are the first point of entry and contact with the authorities when they visit in person, making it critical to equip them with simple and clear protocols to follow.
Beyond directing authorities to the appropriate personnel, receptionists play a critical role in gathering essential information that can let your team know who’s coming and inform subsequent actions.
They need to know exactly what to do, without hesitation: that is to call the Key Contact(s) designated (you / your team / designated persons), and not the general manager.
To do so, I find it works really well to provide them with a simple form to fill in order to collect information from the visitors. The form should notably collect the following information:
The form should also instruct in big bold letters who the receptionists should immediately call and their contact information. Your Key Contact should be a named person on site who has been trained. Your Key Contact should be more than one person, of course, as we want to make sure someone will come and handle the investigators. You may want your form to adhere to the following format:
The idea is that the receptionists reach someone. To ensure this result, your business continuity policy should plan that at least one of the Key Contact is always present or within a short reach of each entity / site in your organisation.
Your form should also include the number of a law firm and its designated contact to call in case no one can be reached internally.
Once they have recorded the information, receptionists should give the visitors badges, and ask them politely to wait for a few minutes until you or your team are coming. Of course they should not obstruct if the investigators do not wish to wait. But usually, they’re ok to wait a few minutes. This information should also be on their form so that they know what to do using that one paper.
Important: make sure that this form is regularly updated and always available to new receptionists on every relevant site / entity in your organisation. This means taking turnover into account, and making sure receptionists are briefed regularly by the person(s) in charge. It is pretty critical to check this point regularly: just asking when you pass by the reception, and asking all your Key Contacts in your relevant offices and sites to do the same at a recurring frequency will prove helpful.
In anticipation of a dawn raid, establishing a partnership with a reputable law firm will provide invaluable support on the day it’s needed. Ideally, the chosen firm should have a global reach, ensuring access to legal expertise and resources across jurisdictions where you have offices.
That's the team that will be in charge. They should know what to do. The Key Contact and the team responsible for managing the dawn raid onsite on the day(s) when it happens plays a pivotal role in orchestrating a solid response. You want to have your network of Key Contacts for all relevant sites / entities established well in advance and part of your protocols. And this network should be kept up-to-date at all times.
Who should be Key Contact? Our E&C or legal team when they are present. Of course we don't have a dedicated E&C or Legal Team member on every single site, and we can and should rely on Ambassadors in our Network: CFOs, HR etc. The idea is that each entity / relevant site has someone in charge who is trained and knows what to do in case a surprise visit happens.
Once they are named, you want to have a process for Key Contact(s) to follow, as well as solid training so that they know what to do when the day comes.
Depending on your organization, the steps for the Key Contact(s) to follow could be:
The Key Contact(s) and Shadowers will need to be trained and be really clear on what to do. This training and refreshers need to happen regularly.
I also recommend creating a simple form with a few simple bullet points including the above instructions for all the Key Contacts, and to make sure they regularly confirm that they have the form handy and have reviewed the training. A form will make it easy to follow in case a dawn raid happens and not lose their calm in the face of surprise. They should also of course be trained on legal privilege.
Effective communication is central to managing the internal and external implications of a dawn raid. You need to have a predefined robust communication plan that delineates roles, channels, and messaging.
Internal communications should emphasise the importance of cooperation and adherence to legal requirements, while external communications should be managed thoughtfully to protect the organization's reputation and legal interests.
We need to ensure that no evidence gets destroyed during the investigation, and that no seal is accidentally broken or tampered with. We know how much this can cost, and I am sure you all remember when the European Commission imposed a fine of 38 million Euros on E.ON Energie AG (“E.ON”) for the breach of a Commission seal in E.ON’s premises during an inspection!
Hence, an immediate message to the site employees will probably be necessary, explaining what is happening and expressly stating that no documentation should be destroyed or erased. A message to the rest of the organisation may be as well, but a bit later down the line. Very important: make sure to agree on all internal communications related to the investigation with the head of the investigation before sending anything.
Regarding external communications, you may receive questions from the press, and all communications or questions needs to be funnelled to the communication / crisis team. A pro tip: draft a template response message in advance that can be used as a starting point during the investigation.
It could be a great idea to include an authority visit as a practical case in your company crisis management plan. Integrating communication protocols into broader crisis management frameworks will help ensure alignment and consistency in messaging across functions, and again, a smooth delivery on the day.
As key representatives of the organization, members of management are likely to be directly involved in interviews and evidence collection in the event of a visit by the authorities.
It is critical to provide targeted training that equips them with the necessary knowledge and skills to navigate these interactions effectively. They need to know that it’s likely that the management is going to be called in for an interview during the day, or that some of their emails will be taken. Sometimes, I don’t wish this to anyone, they may be taken into custody, and knowing about their rights then is really important.
They need to be trained to manage interviews: the idea is that we are here to collaborate. But collaborating with the investigation does not mean having to remember everything, speculate, answer questions that are not being asked or give what one is not being asked for.
Below a few (real life) examples that I have heard of throughout my career. They will probably sound funny, but I hope that they will convince you that it is much better to train people so that we reduce the likelihood of them panicking and acting weirdly, or worse, harmfully to the company:
Sharing real-life examples and case studies will make this easier for your team to grasp, and illustrate the potential consequences of inappropriate conduct during a dawn raid. We want to empower management to make informed decisions under pressure. The truth is, no one knows how they will respond under pressure, and we reduce this risk by practice and preparation.
One tip for email collection related to the mailbox of top executives: if you can, select the emails with the assistants who have access to the mailbox rather than with the top CEO themselves.
One last tip to think about: do you have a group email retention policy, and if yes, what does it cater for? If no, consider the cost (data storing is pretty expensive) and the potential exposure of keeping years and years of emails.
It’s great to have a good framework in place. But if people forget about it in 6 months, or if people change, it’s just paper and it’s not helpful. We need to make sure that this framework is:
It is also extremely valuable to test your framework. Conducting mock dawn raid simulations provides a valuable opportunity to test the effectiveness of existing protocols and identify potential gaps or vulnerabilities. It’s also a lot of fun to learn about our process and witness how people react.
Also a little tip here: of course the top management of the target entity should know what’s coming, and this may need in some countries to be vetted with the employee representative bodies. If you can, try to make it as real as possible: ask your favorite litigator to play an authority visiting. This is the best way to ensure that everyone understands their roles and responsibilities in the event of a surprise morning visit.
If you don’t feel that you can do the “real deal” in your organisation, an exercise ran by you and your team can also provide you with good insight.
And of course, make sure to update your framework with the insights gathered during your exercise, and to keep it up to date. Use this for further training.
I hope these few points (by no means exhaustive) have been helpful. I wish you to never have to face a dawn raid. If you do, I wish you to be well prepared to protect your organisation in the best way!
Follow Upright Solutions on Linkedin for more inspiration to lead your E&C Team and initiatives.
Love from Copenhagen 💜
