Fraud-related crises create overlapping pressures that rarely lend themselves to a single toolkit. Suspicions or allegations trigger hard legal and regulatory questions and, at the same time, unsettle trust inside and outside the organisation.

At a recent event, When Fraud Strikes: navigating investigations, scrutiny, and reputation risk, DRD Partner Lawrence Dore joined a cross disciplinary panel with investigator Steve Holt (Grant Thornton), barrister Vittoria Trigilio (7BR), and solicitor Barry Coffey (Mishcon de Reya). The panel explored how companies should handle situations where fraud features as a potential factor in a crisis.

The discussion was framed around two types of scenarios. In one, the company identifies an issue itself and still controls the pace at which it informs, investigates and escalates. In the other, the first sign of trouble is an external inquiry from a journalist, NGO, regulator or other third party, and the organisation is on the back foot from day one.

The panel’s experience was that the first type of situation can all too easily drift into the second if early handling is hesitant or fragmented. What happens in the first weeks often determines whether a difficult issue remains manageable or escalates into a drawn-out regulatory and reputational crisis.

Below are some of the key themes that emerged from the discussion.

1. How concerns first surface

Unless the company is hit with a well-researched allegation from outside, concerns tend to emerge in fragments. This may start with a pattern in procurement data that does not quite make sense, an uncomfortable question from internal audit, a detailed email from a whistleblower.

The challenge is often human rather than technical. Fraud is uncomfortable to raise. People are busy, they may assume someone else is dealing with it, and they may be reluctant to escalate something that might turn out to be nothing. As Steve Holt put it:

“The organisations that handle this stage well do not panic, but they also do not dismiss the signal. They escalate with care, consult the right people early, and treat it as a risk worth containing even before they know if it is fraud.”

This is where organisational culture and systems make all the difference. There is a clear distinction between companies where concerns are allowed to circulate informally, and those where there is a predictable route into a defined channel – risk, legal, internal audit – and a basic instinct to preserve evidence early. In the latter, senior leadership is given a single, coherent picture to work with. In the former, pieces of the story sit in different corners of the business until a regulator, auditor or journalist forces them together, at which point the company has already lost control.

2. Launching an investigation

Once the decision is taken to investigate, the damage you avoid often depends on how narrowly and intelligently you define the parameters. Those first structural choices tend to lock in your options with regulators, courts and staff.

The panel’s view was that many mistakes come from failings in basic mapping at the outset. According to barrister Vittoria Trigilio,

“You need to know very early who your client is, who may need separate representation, where the data is held and which laws apply. Those may seem at first like admin details, but they shape everything that follows.”

Those answers drive privilege, scope and who needs to be sitting on which side of the table.

On the investigative side, Steve Holt argued for disciplined focus rather than sheer scale. Start with the specific red flags you already have, test them properly with data and interviews, and only widen the scope when the evidence forces you to. At the same time, as Barry Coffey noted, someone, usually the general counsel, has to choreograph the different tracks: employment steps, regulatory engagement, potential criminal exposure, civil litigation risk. Left alone, each will follow its own timetable and logic.

From a communications perspective, this is also the moment to set ground rules and develop positioning. Staff will notice interviews, data collection and the presence of external lawyers long before the company is ready to announce anything. If there is no plan for who is told what, and when, an unofficial version of the investigation will emerge in rumour and speculation. That version is hard to correct later, and it is often the one that leaks.

3. When scrutiny moves into the open

The shift from internal handling to external scrutiny is often abrupt. One day the questions sit within a tight internal group. The next, there is a detailed right-of-reply email from a journalist that may arrive before the board has a settled view of the facts.

In the more controlled cases, the organisation has already done the hard work. It knows what is being investigated, has preserved evidence and has a coherent internal picture. External interest is uncomfortable, but it does not derail the fact-finding process. In the harder ones, outside pressure lands while the internal investigation is still forming. A leak, a raid or a well-informed media inquiry can turn a working hypothesis into a public story overnight.

This is where the integration of legal, investigative and communications strategies is tested in real time. Allegations aired in public attract further scrutiny and can trigger hurried responses. Regulators start widening their questions and asking for more material. Journalists test corporate statements against documents, ex-employees and counterparties. Staff compare what they are told internally with what they can see in the press.

For Lawrence Dore, that changes the bar for any external line:

“If your explanation only works in the room you’re in, it isn’t a crisis line. It has to stand up in front of regulators, journalists and your own staff, or it will come back to bite you.”

In practice, that means treating communications as part of the investigative architecture. Someone has to own the overall story and decide what merits a response, and through which channel. The existing public record (past statements, reports, confident claims about culture or governance) needs to be reviewed before anyone goes on the record, because that is what critics will mine. And the internal landscape matters: disaffected teams or vocal staff groups can quickly become sources of open letters and leaks if they are ignored.

4. After the headlines

By the time the investigation is over, most companies feel they have done the hard work. In reality, the question stakeholders ask has shifted from “what happened?” to “what is different now – and will it last?”

At this stage, boards may be tempted to move quickly to visible action: departures, restructurings, a refreshed set of values. Those steps may be necessary, but they are not sufficient on their own. As Barry Coffey put it: “The key is a governance response that stands up over time, not just finding someone to sack. You need to be able to show how oversight has fundamentally changed.”

That means being able to point to concrete shifts in controls, reporting lines, incentives and board behaviour, and being willing to have those shifts tested by outsiders.

From a communications perspective, the safest principle is simple: only claim what you can show. If a sceptical regulator, journalist or employee could not recognise in reality what the company is saying in public, trust may be further eroded. Instead, the path to recovery lies through a series of clear decisions made by the right people at the right moment, following an agreed plan based on sound knowledge and insight.