top of page

Strengthening Workplace Forensic Investigations

By Marais Dekker, Oliver Schoeman, Christo van der Walt and Todd Hutchison.

Investigations, just like all legal matters, are projects. The rigour in the process of collecting, preserving and presenting evidence warrants a greater formality in the planning and execution of investigations, independent if they relate to homicide cases, private investigations and through to organisational-based workplace investigations.

Regarding workplace investigations, the corporate goals of an organisation are continuously shaped and moulded by its unique operational requirements, characteristics and culture, often exerting undeniable influence on the formation of internal corporate policies and procedures.

The contextual aim of internal policy regulation is to unite employees in their understanding of their respective individual and complementary duties, with a clear view of the rules in participating in a corporate ‘team-game’. When these rules are not followed, an investigative process is required to validate the circumstances and key factors that lead to misconduct to enable the taking of reasonable measures to remedy any non-conformance.

Internal investigations related to suspected employee misconduct require not only a consistent application of the investigative and disciplinary procedure, but also the effective remedial application of any findings in order to guide the process of constant improvement in implementation, management and enforcement of corporate policies.

The organisation’s legislative framework, with its policies and related procedures and work practices, help guide the terms defined in the employment contract. They need to embody the collective rules and regulations applicable to the workplace that presents a mechanism to provide insights to acceptable conduct to guide employee behaviour.

Ingrained in any employment relationship ought to be the principles of fairness and equity. The employer therefore retains an ongoing duty to manage and communicate policies and procedures effectively, setting out the parameters to the employees of what is reasonably expected of them. This includes any sanctions applicable when they are being non-compliant. This basically constitutes the aim of the governance framework that sets out a ‘disciplinary code’.

Internal investigations within the workplace for cases of suspected employee misconduct by allegedly contravening the employer’s policies are best managed by a clear investigation plan when seeking to establish a prima facie case against the employee.

The aim of discipline is to enforce the employer’s policies with the coupled objective of implementing a progressive disciplinary code in order to bring employee behaviour in line with the employer’s rules. The disciplinary process must represent fair and consistent implementation of the employer’s rules through the adherence to principles of standardised application of discipline and corrective disciplinary measures.

To ensure the aims of disciplinary processes are achieved, completed investigations and hearings should allow the organisation to accurately review and develop its governance framework based on reviewing actual employee misconduct events; in alignment with the intent of the rules. This enables ongoing policy effectiveness and identifies and addresses the risk of having a disciplinary code that does not act as a deterrent.

Enforcement of the rules to maintain and promote progressive discipline within an informed and participatory process aims to gain buy-in by employees and an aligned understanding of the expectations of what constitutes desired performance.

Not all employee misconduct is worthy of investigation when considering limited inhouse investigation time and resource constraints. A reported suspicion of employee misconduct may reflect only a contravention of the employer’s policies as a once-off event, or as a possible indication of an ineffective set of rules that fails to align employee conduct with organisational goals.

Proper control over investigation protocols can often identify the underlying origins of what seems to be merely surface ripples in policy mismanagement, while in fact being caused by much stronger internal currents of maladroitness practices. Internal investigation processes may however not always produce, as its default output, information or data relevant to policy review considerations, especially if the investigation was not designed and performed with the objective of providing constructive input to improving the governance framework.

Although a reported suspicion of misconduct would naturally require proper investigation planning and execution, when an employer is being inundated with hundreds of complaints and reports, due process becomes inhibited by the limited in-house investigation resources provided. This warrants the severity of the misconduct to be assessed.

Whilst some of these triggers may contain valuable information that could save the organisation, many may be menial, maligned, vexatious, misinformed, or simply ‘fake-news’. The reality is that fact-finding exercises performed by investigators are often open-ended to start with, despite clear objectives and an effective investigation methodology. The smallest crumb of evidence has the potential to lead to the unraveling of large-scale policy transgressions within the organisation and may not be limited to the alleged offender.

Deploying a Legal Project Management (LPM) approach requires the establishment of repeatable processes for specific legal projects, organising actions of critical role-players, by following a blueprint that is resilient to contingencies. Legal projects in this context include general legal matters and investigation cases, both of which can lead to court actions.

The investigative lifecycle in LPM is explained in its four phase life cycle of ‘define’ that looks at the investigation requirements, ‘plan’ that ensures an adequate strategy of an effective investigation is confirmed, ‘deliver’ that enables the plan to be executed within the boundaries set, and ‘close’ where the objectives of the investigation are confirmed to have been met. This is supported by the investigation methodology that comprises the selected tools to maximise the investment in the investigation toward the desired outcomes.

The process begins with formulating the definitive identification of the scope and context of the investigation that is critical to purposeful work. This includes understanding what possible contraventions may be present (working theories / draft charges), what evidence is likely to be required to prove those charges against the employee, and a cause of action. These all must be determined (or at least determinable) in the early phases of the life cycle.

By focusing on pragmatic sequences, the investigator needs to seek validation of ‘prime sources’, alleging specific contraventions of the employer’s rules, allowing for well-organised outcomes to a duly structured investigation.

These outcomes have come to define what is known as the ‘Prosecutor Led Investigation’ approach. The defined phase of the LPM planning must determine the investigator’s brief. The ‘plan’ phase then is well informed to set out the whole scope of the investigation before resources are deployed.

This allows the ‘deliver’ phase of the investigation to be purposeful and leads to capturing and preserving the evidence that will enable charges. Drawing up and presenting the charges in accordance with the disciplinary process of the employer and the labour relations legislation should always be reasonably sufficient to allow the employee to answer the case against them. The likely result of the successful prosecution of an offending employee is also considered early on to identify the appropriate sanction, based on the seriousness and extent of proven irregularity and culpability of the employee’s conduct. Therefore, the LPM approach simply brings a robust approach to standardising the process of an investigation with the ability to respond, adapt and maneuver to the needs of the findings.

The International Institute of Legal Project Management recognises the uniqueness of certain legal and investigation projects that incorporate forensic science due to the need for stringent evidence collection practices. This covers the wide medical-based and physical crime scene forensic specialisations, on one end of the spectrum, but includes the increasing reliance of digital forensic disciplines that extend the traditional computer forensics, to analysis of on-board electronics on any digital device, like the mobile smart phone or drone, and video and audio files.

This is because forensic-based investigations are subject to outcomes-based evidence gathering for the purpose of internal investigations and internal disciplinary hearings. The standard of gathering and presenting facts must always adhere to the generally accepted principles of the law of evidence. Leading toward relevant admissible evidence must be able to withstand the scrutiny of court proceedings in the event that cases are to be referred to the courts or disciplinary tribunals. This rigour means a stronger focus on process guiding consistent behaviours of the investigation team members.

Assurance that the investigative procedures comply with evidentiary thresholds related to the rules of evidence, admissibility, chain of evidence protocols and source verification of evidence are therefore of critical importance. The onus of proof will be met more efficiently by strict adherence to a system that may effectively be implemented and managed by knowledgeable forensic investigators, especially when working with legal practitioners that are competent in legal project management.

Forensic evidence varies depending on the nature and context of each case that may heavily influence the appropriate approach to be followed given the sensitive nature of some investigations and the privacy and protection requirements of those involved. Consider the following examples:

  1. an anonymous tip-off may require basic verification before a committing to an investigation;

  2. a whistle-blower may need personnel identity protection that avoids disclosure of witness identities;

  3. fraudulent behaviours may need covert technology intervention, given that the offenders are often at the controls of the financial systems or may have visibility into internal communications;

  4. sexual harassment and discrimination that may require extra sensitivity due to the discomfort felt by the victims;

  5. allegations against senior employees may have to be investigated outside normal channels to prevent interference with the investigation; and

  6. misconduct involving persons outside the organisation may not be subjected to internal policies, unless agreed to in terms of a contract of appointment in the case of contractors and consultants.

Each of these factors are important contextual elements to be established in the ‘define’ and ‘plan’ phases. This is where the boundaries and level of rigour to the investigation project is set, however enabled by variation through the LPM change management process where warranted given that the investigation is still subject to findings as it progresses.

Taking a formalised LPM approach also means the holistic consideration upfront of the key factors of resource allocation, schedule and budget provisions, with due consideration to the level of stakeholder engagement, information flow and quality assurances, as well as managing process-based risks, issues and changes.

The combined forensic and legal project management approach promises easier cooperation and smoother transitions between legal, investigative and forensic science practitioners as they align their work through a formalised project-based approach.

This enables the different expertise required to be allocated to the right tasks in a managed approach to best utilise investigative resources for the purpose of taking appropriate actions against employee misconduct and to ultimately increase organisational performance in accordance with the organisation’s governance framework.


About the Authors (LTR)

Marais Dekker leads Bind.Africa’s Transaction Risk Management Services Research & Development Team as Executive Director, focusing on industry specific process modelling and system design to improve control over contractual performance.

Oliver Schoeman is Corporate Legal Counsel at Jenny Internet in South Africa. Previously an Advocate of the Pretoria Bar and and director at Argumentum Legal Project Management, specialising in Consumer Law, Construction Law, Commercial and Criminal Litigation.

Christo Van Der Walt is a practicing attorney and Director of Len Dekker Attorneys Inc in South Africa specializing in Employment and Commercial law and a member of the International Ombudsman Association.

Todd Hutchison, Adjunct Associate Professor, is an executive of Australian law firm Balfour Meagher, a police-licensed investigator and digital forensic specialist with Forensics Australia, and the Chairman of the International Institute of Legal Project Man


bottom of page