Mourant’s in Jersey have offered an excellent acronym to the lexicon of compliance language, namely “P.R.O.T.E.C.T against sanction”.

Where a business has identified potential breaches of law, regulation or duties owed to third parties, there will be multiple considerations arising and priorities to address.

the following key reminders should be considered when putting together a response plan.

Privilege

1. There have been multiple instances where businesses facing risk issues have generated disclosable documents, often compounding or heightening their problem.
2. While generally, the material will need to be disclosed to other parties (see below), ensuring an investigation is carried out in privileged circumstances will assist the business in keeping control over what is disclosed and to whom. Seeking legal advice at an early stage will assist in establishing a protocol to gain, and retain privilege.
3. Done right, this need not be at the expense of meeting transparency obligations.

Remediation

1. In particular, when it comes to regulatory matters, a key feature the regulator will look at is how a business has reacted to the issue and how it will ensure it is not repeated.
2. Setting out an articulated and achievable remediation plan, and implementing it, should assist in demonstrating that a business understands the issue and can be relied on not to repeat previous mistakes.

Ownership

1. While embarking on a finger-pointing exercise is unlikely to be constructive, it will be important to identify how problems arose, including whether failings are attributable to systems, policies and procedures or collective or individual human failings.
2. Appropriate action will need to be taken to address any particular failings and to ensure they are not repeated. Any potential conflicts of interest between those undertaking an internal investigation and the issue being investigated will require management.

Transparency

1. Regulated businesses owe obligations of transparency and co-operation, and so a strategy will need to be devised to ensure appropriate notifications are made promptly and according to legal and regulatory requirements.
2. The timing and content of those notifications is a key contributor to how the matter will ultimately proceed.

Examine

1. Often a business facing difficulties will quickly acknowledge wrong-doing in the hope that will swiftly resolve matters. However, the question of whether particular breaches are made out is often a nuanced one. It is advisable to closely examine what the relevant requirements are and then analyse those requirements against the facts in question before reaching a determination as to whether any breach should be admitted or not.
2. An accurate and consistent message is also vital – trying to go back on something previously admitted will be an uphill struggle.

Challenge

1. Adopting an aggressive approach with authority is unlikely to be a wise strategy. However, making fair and reasonable challenges on relevant facts and findings is often necessary.
2. Public bodies are required to act fairly and to follow a proper process, and knowing your rights of challenge and deploying them in a constructive manner is often key.

Timing

1. Either taking too long to take relevant action or rushing to conclusions can be fatal in any potential breach scenario. There may be differing views within a business as to the timing imperatives, with some wanting to notify immediately upon identifying the possibility of a breach, and others wanting to delay notification until some key facts have been established, and a clear message can be delivered.
2. Managing these competing demands and developing a strategy on key milestones and associated timing is critical for minimising damage.

Read here https://www.mourant.com/file-library/media—2019/2019—guides/p.r.o.t.e.c.t.pdf