[00:00:00] Speaker A: Hi everyone. In this episode we'll learn how you can manage the risk of cross border external investigations. I'm your host, Bill Coffin and this is the Ethicast.
One of the most pronounced concerns of the 2026 risk landscape so far is that of external investigations that involve multiple jurisdictions.
Many businesses operate on an international, multinational or global basis and if they don't, their third party suppliers and partners certainly do. At the same time, a worldwide fracturing of regulatory expectations, enforcement paradigms and legal controls have made the threat of a cross border investigation an even greater risk than it has been traditionally for any business facing the possibility of dealing with legal troubles that span jurisdictions there, there has never been a better time to prepare in advance than right now.
Joining us this episode is Sagarika Chakraborty, CEO, India and Golf and global Head of investigations of Iris Consulting, the largest Indian digital risk and intelligence consulting firm. SAGA is based in Mumbai and her strong foundation in law, investigative practice and strategic risk consulting brings nuanced expertise in fraud investigations, due diligence, financial analytics and insider threat mapping. Having built and delivered bespoke investigative models for national organizations and banks, she is a passionate advocate for youth leadership and women's empowerment. And she's also an award winning author, policy contributor and speaker at global platforms including UNESCO.
Saga, welcome to the Ethicast. It's an honor to have you here today.
[00:01:42] Speaker B: Thank you, Bill. It's an equal honor to be presented on the show and to interact with your audience.
[00:01:48] Speaker A: My first question for you is how serious is the risk of cross border external investigations today? Especially where jurisdictions are no longer as aligned as they once were and do you see this risk changing anytime soon?
[00:02:02] Speaker B: Well, the answer to both the question, main question and the sub question is yes. And it is most important today. It has never been more important.
If Covid has taught us anything, it is that the world is much more cohesive and closer and than we actually think.
So sitting at one place, a click of a button, I'm able to incorporate a company in another jurisdiction. Today we have jurisdiction. The term tax havens is no longer a misnomer. During a conversation earlier, whenever somebody used to mention okay, attacks, have an attack safe place, we used to look at that person with skepticism. Today, it's an acceptable part of the conversation, right? And you have to understand that once it gets acceptable part of the conversation, that that means that you're different dealing with a jurisdiction which has a completely different set of laws and compliances than the jurisdiction you operate in. So when a fraud happens or when an investigation actually happens, a company may just think that they're investigating into a person or a third party based out of US or uk, wherein the actual routes may be in Panama, maybe in GCC countries in Africa.
So yes, the world is truly our oyster now.
And each of these jurisdictions are complicated. Each of these jurisdictions are unique. And yes, each of these jurisdictions are beautiful in their own rights. So it's very, very important today, how
[00:03:26] Speaker A: should organizations prepare in advance for cross jurisdictional investigations? And in particular, how would you recommend like legal department and the compliance department work together?
[00:03:37] Speaker B: So I guess that today organizations first need to accept that an investigation is not really a negative term.
What we tell our clients, and I personally tell this to everybody, that just because you are investigating, you are not witch hunting. There's a difference.
We are fact finders as investigators and that is exactly why we trust people. But we want to verify the moment you have this in your mindset. The inherent mindset investigations becomes a collaborative approach wherein teams are not skeptical about sharing information with each other. Wherein the compliance team is not testing the investigative team or the legal team is saying that no, this is a privilege. I will not privileged information which I will not be sharing. So the first thing organizations need to see is that everybody is on the same page.
There are no documents or no information which is kept away from the core teams whose ultimate objective is the same.
That is number one. Number two is understand that whether you think that just because your investigation has started from uk, you only need to be, you know, aligned by the UK laws because you may need to defend that investigative report in five other jurisdictions wherein you're finding evidence.
So that is why whenever you're having a legal strategy, make sure that your legal strategy is localized for your investigator to be able to do a back end tracking or a back calculation as they used to teach us in school, and ensure that the scope that is basically being drawn up at the very outset is robust.
[00:05:19] Speaker A: What are some of the key challenges in running an internal investigation across jurisdictions, especially when issues like privacy are involved in? And do you have any best practices you can recommend for organizations that are doing all this for the first time?
[00:05:33] Speaker B: Absolutely. See, organizations frequently assume that internal authority extends across borders, which is not true.
Your team, which is sitting in a different jurisdiction, may be covered by your company code of conduct, but they are also covered under the local labor laws wherein your local company is actually registered.
So to be able to map that difference and to be able to respectful to the privacy concerns is something that organizations need to discover at the very outset it cannot be that once you have done an investigation, completely oblivious of the local culture and the local norms, and then when it backfires, you come back and you know, you come and say, oh, we did not know about it, or try to enforce that. This is the HQ rule. And I say this because I work across multi jurisdictions, specifically jurisdictions like gcc, okay, Gulf, which is very different in terms of their privacy norms, in terms of their, you know, the cultural norms, in terms of what you can ask and what you cannot ask.
So in such jurisdictions, you have to be globalized in your outlook, but localized in your actual approach and your delivery.
Majority of the investigators face and hurdle because just because they find a particular document or an information in one jurisdiction, they expect that document or that information trail to be available in the other jurisdiction, which is not the case. You may have a UK company's house, okay, you may have a Delaware state kind of a registry or a Ministry of Corporate affairs in India or an ACCRA in Singapore, wherein you can get documents. But come to Dubai, okay? Like they say, come to Dubai, habibi. And yes, there, there are no public records which are available. You have to rely on human int.
So majority of the organizations when running internal investigations, they think that it needs to run as per the HQ norms or wherever the compliance team or the legal team actually is sitting. The best practices is to draw up that which are the jurisdictions that you are dealing with, number one. And more importantly, where you can do what.
Third is that there is no harm even if you are running an internal investigation in jurisdictions where you don't have capability, resources or even an idea to have an external investigator or an external support firm to actually step in and be your on ground partners.
Because that is the best legal defense that you will have, that you hired an expert to guide you.
[00:08:14] Speaker A: How can organizations balance legal privilege with transparency when regulators across jurisdictions might expect different levels of disclosure?
[00:08:24] Speaker B: See again, generally organizations where legal team is giving out an investigation mandate, they assume that privilege is associated with, with everything investigative because the mandate is coming from the legal team. And I say this as a lawyer, I'm one of those who moved from law to investigation. So yeah, I have seen both sides of the world, okay.
As a part of the legal fraternity, yes, we have that shield or that cover of privilege which, which is there. And it is a very, very powerful shield that we have. But unfortunately investigations do not come with that shield in majority of the jurisdictions.
So that is why we need to understand, okay, how to separate the fact finding from the legal analysis from day One, you have to understand that sometimes what an investigator finds is to help in making the legal strategy rather than what is to be put in the legal brief.
Sometimes you have to be innovative to understand that. I am armed with this particular information that I can use in a cross question.
One of the biggest things that, you know, I, I really face is that I'll give you a case wherein we were dealing with this case in Middle east and Middle east is a close jurisdiction wherein you can actually have very limited public records. But we did on ground intelligence and we did source interviews and wherein we found a lot of incriminating information which was corroborated across the different sources.
When we took it back to a lawyer, okay, who was to represent, and this was a UK firm, the first thing the UK lawyer asked me was that where is the evidence? Okay, how do I present this in the court of law? The court is not going, so again, putting on the legal hat, if you have privilege, you also have presumption of doubt, which is an equally important and a very, very powerful tool.
And armed with intelligence, you are telling the court that, that I have a doubt that this, this, this has happened. So I request the court to call for these particular four information which the court can do officially and that is exactly what the lawyer did.
So under the mandate, the third party supplier was forced to disclose.
And yes, it exactly came out as per the intelligence which has pointed out. In fact it was much more.
So whenever we are talking about this privacy concerns or evidence concern or what can stand in the court of law, don't look at everything from an evidentiary value that can immediately be filed, don't look at everything that has a cover of privilege.
First, look at the investigative report as a dossier of fact finding.
It tells you where you stand, it tells you what are the odds in your favour and it tells you that what you should be careful about.
So like in B school, okay, or in management classes you're taught do the SWOT analysis, you will exactly know what are the threat parameters that you shouldn't even get into in the court of law. Because quite often or not, investigations are not often one sided.
Like, you know, there are times when, yes, there has been a miss by even your own employees which has led to the escalation. And no, I'm not saying always there is an ethical concern, but there may be a oversight. We are all humans at the end of the day.
So treat that dossier as a fact finding dossier that will tell you what exactly happened.
And once you know what exactly happened. What works in your favor, what doesn't work in your favor, only then please put on your legal hat and analyze it.
And when you are doing that, analyze it for principles, analyze it for evidence, and also analyze it for an act of curiosity that you can present to the court to seek for further information.
[00:12:29] Speaker A: What mistakes do boards and senior leaders commonly make when overseeing cross border investigations?
[00:12:36] Speaker B: Well, actually I'm going to tell about two which may sound to be completely complimenting, but it just sounds complimenting. The first thing is that the assumption that it is a local issue but when detected not treating it as a local issue, to be treated as a local as per the local norms.
So there's a difference. First is that if you assume that it has only happened in that one team, it has only happened with that one third party vendor, or it has only happened with that jurisdiction or that employee, you are actually trying to minimize the problem. You're trying to oversimplify the problem.
Quite often or not, it is not really restricted to a single resource or a single error.
A large quanta of fraud actually takes years to plan or a different level of motivation or a different group coming together.
Because there's a like, you know, as they say in fraudster psychology, there is a self justification theory that plays in the fraudster's head that as for him, he's completely justified in doing what he has done so to in order to be pulling off that particular heist. For the lack of any other word, he has convinced himself and rarely is it a, you know, a lone wolf show.
So don't consider it to be a small issue that is restricted locally.
However, once you have detected it, please don't treat it.
If you have treated it say in US the same way that you would treat it in UK the same way you will treat it in India. No, every jurisdiction has a different way of treating. Like when you are going to open a new business, right, you will check for the ease of doing business norms. You will check for what? What are the local compliances.
Then why not during risk mitigation, why not during planning your investigations?
So you have to treat as per the local jurisdiction because you need to know what sort of cases the legal system takes more time to delay just because over there an attachment order or recovery case makes made sense. Because in jurisdiction A it is time bound. Like say if you go to Netherlands, okay. Or you know, you, you go to up north Europe, there is a time bound thing the court needs to give a judgment. In India there is no time bound. You can take deferments. There are cases that go on for two years. So just because it worked in one jurisdiction does not mean that the same action will work in a different jurisdiction. So quite often or not, boards actually face to, you know, overshoot that the last one which is that that we assume that we are legally covered by what our legal team in house sitting in the headquarters tells us are you legally covered the way investigation was done locally in a jurisdiction where you have a branch office.
So the term legally covered also needs to be hyper localized when you are deciding on a scope when you are deciding on a methodology that needs to be undertaken for every investigation.
[00:16:00] Speaker A: Well Saga, thank you so much for shedding so much light on this complex topic. I know that there's a lot of people in the ethics and compliance community that are going to find your insights on this extremely helpful. So again, thank you very much for joining us today.
[00:16:13] Speaker B: Thank you. It was a pleasure.
[00:16:15] Speaker A: To learn more about how Iris Consulting can help your organization seamlessly integrate security into business strategy and ensure that risk management becomes a catalyst for growth rather than a challenge to overcome, please visit irisconsulting.com that's I I R I S consulting.com and make sure to follow Saga on LinkedIn as well. We'll provide a link to her profile in this episode's Show Notes. And for more on cross jurisdictional investigations, be sure to check out our related episode Inside the 2026 Global Disputes Forecast, which we'll link to in the show Notes. There's also plenty of material on this topic in the Ethisphere resource
[email protected] resources thanks for joining us. We hope you've enjoyed the show. For new episodes each week, be sure to subscribe to us on YouTube, Apple Podcasts, and Spotify. And if you haven't already, please follow at the sphere on LinkedIn to learn more about how we help organizations measure and improve their ethics and compliance programs. Together, we can make the world a better place by advancing business integrity. That's all for now, but until next time, remember, strong ethics is good business.
