Opinion

UK SRA’s new guidance on internal investigations and legal professional privilege

Published Date
Jan 27 2025

Independence, legal privilege and reporting to internal stakeholders are key areas of focus in the UK Solicitors Regulation Authority’s (SRA) new guidance for in-house internal investigations lawyers published in November 2024. The SRA guidance aims for a gold standard in effective internal investigations. We look at how practical the SRA guidance really is and whether it provides useful pathways through the many pitfalls facing in-house investigators.

What’s new?

In the wake of recent inquiries such as the Post Office, there is increased scrutiny of investigation processes and the role played by lawyers. Attempts to discredit investigations are also a common feature of employment claims.

The SRA guidance is directed at in-house solicitors conducting internal investigations. It does not cover new ground. Nor does it seek to be a comprehensive overview of issues that can arise in this context. And whilst it only represents the SRA’s view on issues it deems to be important (and is not binding), it nonetheless helpfully consolidates some key principles that are the hallmarks of a proper investigation. Its publication is timely given good investigations procedures also feature in the UK Government’s newly-published guidance on the failure to prevent fraud offence (which we cover here).

One of the key tensions facing in-house investigators is navigating relationships with internal stakeholders. The SRA guidance contains some useful pointers to help manage this, particularly regarding independence, legal privilege and reporting. We look at these themes below.

How to persuade your stakeholder that an investigation is needed

In-house lawyers often get asked by their clients whether an investigation is really necessary.

In certain sectors and situations there may of course be regulatory requirements to comply with.

But if it is not this clear-cut, the SRA guidance reminds companies that investigations are ‘an essential aspect of risk management’. It is true that a formal investigation may not be needed in all cases. A balance of risk, resources, sensitivity and seriousness all go into the mix. But failing to identify a concern that requires investigation, or initiate one off the back of this, can expose companies and individuals to ‘significant regulatory, legal, employment, and reputational risks’.

More generally, good corporate governance is a key pillar of UK business legislation as well as regulatory and enforcement activity. For example, principles around establishing procedures to manage risk are encoded in the UK Corporate Governance Code to which many companies, in particular listed ones, must adhere. This is relevant to the existence and effective operation of Board and Risk committees.

Directors too owe statutory and fiduciary duties. For example, they have a duty to act in good faith to promote the success of the company. It is arguable that overseeing an effective compliance regime that identifies and mitigates risks (in general terms) or undertaking an investigation (in specific terms) could be examples of discharging this duty.

That sentiment is reflected elsewhere in the SRA guidance. The other key incentive to conduct a proper investigation is to identify ‘lessons learned and promote a culture of transparency and compliance with legal and regulatory obligations’. Those are all factors that are in the long-term interests of a successful business.

How to manage the degree of independence expected for a robust investigation

The SRA guidance majors on independence and objectivity. At its most extreme, it cautions that reporting that fails to provide a ‘clear and objective assessment’ could constitute serious misconduct for concealing or failing to disclose material information, or even a criminal offence of perverting the course of justice. This is a stark reminder of the core ethical values the SRA requires of all lawyers it regulates.

However, it is not just about staying compliant with SRA Principles. Subjects of investigations often seek to use ambiguity around independence to disrupt investigation processes. In our experience, the prickliest of subjects look for ways to resist cooperating with an investigation, to undermine its findings as a means of leverage in settlement talks, or to assert claims in an employment tribunal (or all three). An unequivocally independent investigation stands the best chance of neutralising these threats.

The Guidance contains the following tips to manage and preserve independence:

  • Put in place clear terms of reference. Amongst other things, this can set out who will conduct the investigation and delineate roles and responsibilities.
  • Ensure the investigators have no prior knowledge of or involvement in the facts. You could include a statement of independence and impartiality for each investigator to certify compliance with, similar to those used by arbitrators when appointed to a tribunal panel.
  • Ensure the investigators can act free from bias. Matters that impact the investigator as an employee (or even employees they may be close to), or where they may themselves become a witness, should be avoided. Guard against even the possible existence of a perception of bias.
  • Clarify the ‘client group’ for privilege and instructions purposes. This ensures the parameters of legal privilege are better maintained (see below).
  • Implement practical measures like information barriers. This restricts the flow of information and protects confidentiality.
  • Review this on an ongoing basis. Issues can arise as knowledge of the facts evolves, and it may be necessary to pivot.

The SRA guidance goes as far as to say that an in-house lawyer should also anticipate potential future instructions that may come into conflict with existing matters, for example where the organisation has a claim brought against it in relation to the handling of an investigation. In that scenario, the in-house lawyer ‘will be unable to carry out both roles’. Whilst in the most serious of cases that may well be necessary, in practice it is more likely that a judgment call can be made depending on the degree of the lawyer’s prior involvement and provided this is continuously reviewed.

How to navigate conflicts and pressure from internal stakeholders

Independence is also about navigating conflicts, bias and pressure from internal stakeholders.   

The SRA guidance says that in-house lawyers should guard against inappropriate pressure from decision-makers. Pressure could be in the form of not investigating an issue or seeking to influence a particular outcome. Certain stakeholders may also try to misuse the legal privilege label to suppress important information.

But remember that an in-house lawyer’s client is ultimately the organisation itself. It is not necessarily those communicating instructions. Nor is it, as the SRA guidance suggests in some scenarios may be the case, the Board as the governing body of the organisation.

Where the interests of the organisation start to diverge from those individuals who are supposed to be representing it and who are instructing the lawyer, this puts considerable onus on the in-house lawyer to try to navigate this (whilst also abiding by their regulatory responsibilities).

It may not be entirely in the gift of the in-house lawyer to guard against this hopefully rare set of circumstances arising. It also conceivably makes it difficult to provide legally privileged advice, i.e., where the individuals authorised to receive the legal advice (the ‘client group’ for legal privilege purposes) may not be acting in the interests of the organisation (the ‘client’ for the SRA’s regulatory purposes).

The answer to this, according to the SRA guidance, is that lawyers should simply ‘resist being pressured’.

Interpersonal dynamics, strategic considerations, cost measures and job pressure mean in practice it is not likely to be quite that simple. In real terms, perhaps instead this all comes back to adopting the following approaches:

  • Consider any regulatory requirements that add an extra imperative into the mix.
  • Articulate that the long-term benefits for a business are in ensuring a robust and defensible investigation process.
  • Ensure any internal reporting gives a ‘clear and objective assessment’.
  • Be clear as to the limits of legal privilege in a given document or scenario.
  • Document your advice. 

And if that does not work, then – as the SRA guidance encourages – you may need to report inappropriate pressure. A separate SRA guidance piece on what needs to be reported, to whom, and when, is here.

How to best protect legal advice privilege when conducting an internal investigation

It is important that in-house lawyers understand the rules on legal professional privilege. Seemingly in response to concerns around incorrect calls being made, and recognising that protecting privilege in a large organisation can be challenging, the SRA guidance seeks to distil the key principles.

The SRA guidance understandably espouses the most cautious approach. The hand it has been dealt is, after all, the current state of English privilege law, which remains somewhat out of step with modern practicalities.

Commonly asked questions around legal advice privilege in internal investigations include whether a communication is on its face capable of being privileged; and how to collect information from and share legal advice with other parts of the business. We look at some key scenarios below. Given litigation privilege is less likely to be available at the early stages of an internal investigation, the particular focus is on legal advice privilege.

What is protected by legal advice privilege?

  • Legal advice privilege protects from disclosure communications between a lawyer and the client made for the dominant purpose of giving or receiving legal advice. The client or client group comprises those individuals who are authorised to give or receive legal advice on behalf of the organisation.
  • Ever since the concept of the ‘client group’ crystallised, there has been ongoing debate as to whether companies are better off keeping a register or list of those authorised to give and receive legal advice. The SRA guidance says this might be worth considering. The countervailing view is that these can quickly become out of date, may not represent reality and could ultimately be a hostage to fortune. They may be more appropriate for specific investigations. If one is adopted, it is essential that it is maintained.
  • To benefit from legal advice privilege, a communication needs to be made in a ‘legal context’. Once in that context all communications in the same ‘continuum’ will be protected (so that an individual communication may contain publicly available information and still be privileged).
  • For in-house lawyers the distinction between providing legal advice (i.e. through ‘legal spectacles’) and commercial advice (i.e. a person ‘of business’) is key. It would be unusual for communications (with the client group) about commencing, progressing and completing an investigation to not form part of a continuum of protected communications. As always, separate legal communications from purely commercial ones.

Is information collected from colleagues outside the client group privileged?

  • Ordinarily, a communication will not be privileged where it is with someone who is outside of the client group, e.g. with a person in the business who is not instructing the in-house lawyer and is only communicating with the in-house lawyer to relay facts. A key example of this would be verbatim notes taken by an in-house lawyer of an interview with an employee who is only a witness of fact and not part of the client group. Similar issues can arise when, for example, collecting employment records from HR, mailboxes from IT or data from Finance departments. Communications requesting this information from those individuals will not be privileged, so minimise the level of detail that is shared with them (unless it can be said that they form part of the client group).

What about sharing privileged advice with other parts of the business?

  • Conversely, once privilege is established, English law is relatively benign about it being shared for the purposes of dissemination within the business. The SRA guidance gives the examples of sharing the privileged advice with a company's Board, or with employees if they need the advice for the purpose of their work. This is because, the court accepts, a company should be entitled to apply the legal advice practically or commercially once it has been commissioned. Providing other business functions with relevant findings and recommendations from an investigation, for example to enable those recommendations to be implemented, would usually be protected.
  • However, there are limits to this. The cornerstone of legal privilege is confidentiality. Ordinarily, the legal advice will remain privileged so long as its confidence at a wider level is not lost. Therefore, if someone outside the client group needs to receive the legal advice, consider how best to share it with them. One approach (particularly if in doubt) would be to share it on a limited waiver basis, accompanied by a clear warning that it is being shared for a limited purpose and that the recipients should not distribute it further.
  • And any pure business decisions made off the back of the advice, or replies or questions from the business about the advice, are unlikely to be protected.

What practical protections are best to help maintain privilege?

  • Other techniques such as using passwords, limiting circulation and keeping a contemporaneous record of the intention for providing the information would all help in demonstrating that the sharing was done in a deliberate and controlled way. Whilst they are good examples of document hygiene, none is an absolute requirement.

The SRA guidance is particularly timely given the recent publication of the Government’s guidance on the failure to prevent fraud offence. Companies will increasingly need to grapple with this offence, and an effective investigation framework is a key procedure they can put in place to avail themselves of a defence to it. The failure to prevent fraud guidance addresses what this framework should look like, reflecting many of the key SRA principles: ‘Investigations should be independent, clear about their internal client and purpose, appropriately resourced, empowered and scoped (including through legal advice), and legally compliant.’

Overall, the SRA guidance is a cautionary reminder about regulatory responsibilities for in-house investigations lawyers in a post-Post Office world. It goes some way in assisting in-house lawyers to navigate the many complexities of the role, but potential pitfalls remain. Finding the right path through is no easy task.

This article is focused on the in-house internal investigations and legal professional privilege guidance updated by the SRA in November 2024, part of a suite of guidance published by the SRA to support in-house solicitors, which should be read in the round and can be found here.
