Incident Management and Whistleblowing Conversation with Industry Experts

Effective incident management is all about building a better business. When done properly, incident management programs can drive true change within an organization by keeping businesses aware of incidents and identifying strategic areas of improvement. No one knows this better than Russell (Russ) Griggs and Chris Cazer, two Steele executives with decades of knowledge in compliance and incident management.

Griggs has more than 30 years of experience developing complex business systems, including overseeing the product roadmap and software development right here at Steele. As a Steele Managing Director, Cazer has decades of experience helping businesses address their conflicts of interest policies and procedures.

Recently, we sat down with Griggs and Cazer for a Q&A surrounding incident management risks and best practices. What follows are seven key takeaways all compliance managers should know. Download our recent white paper, A Q&A on Incident Management, to read the interview in full.

1 – Incident Management Means Different Things to Different Organizations 

Not all incident management systems are the same. The process may vary from business to business, but Griggs says they all have the same foundation: to take in allegations about an event or action and then take a series of steps in response to that allegation.

Griggs gives the example of a financial firm and a fast-food business. The financial firm would need an incident management system through which employees can report incidents like insider trading or improper behaviors. On the other hand, the fast-food business may need a more “consumer-oriented” system to process complaints about poor service or food quality. 

“Both examples, however, will also have the same type of due diligence necessary to respond to allegations,” says Griggs. “The company wants to convey that it’s heard the complaint, and then take appropriate steps to investigate and rectify any problems the company finds.”

2 – Automated Incident Management Solutions Create a Repeatable Process

Large organizations attempting to manually manage their incidents can be easily overwhelmed, says Griggs. No matter how organized the spreadsheet, there’s always a high risk for human error. There’s also no way to create a repeatable process. 

“That lack of enforced, repeatable steps can be crucial, because many businesses are audited to assure consistency in how they handle complaints,” says Griggs. “So having incident management done manually, where that consistency can’t be assured, creates a big risk.”

Compliance managers can define a set of steps within an automated system. The system then enforces the process and protects the repeatable steps so you can consistently mitigate the risk of every incident.


“An automated system does several things here. First, it can coordinate all necessary steps so that they do get done…That’s really difficult to do manually, especially at large volumes,” Griggs says. “Second, an automated system gives you a full audit trail for every incident…to keep you out of regulatory trouble.”

3 – There are Four Tasks Incident Management Software Should Be Able to Handle

An effective incident management program should be able to handle many issues at once. To do that, Cazer says, your system must be capable of four things: incident acquisition, investigation, scalability and flexibility. 

Incident acquisition involves a broad intake capability. Incident management software that satisfies this requirement should be both easy to use and able to accept reports in a variety of mediums, from email to text messaging to a kiosk on a factory floor. It should also allow anonymous reporters to continue to interact with the process.

“That keeps the reporter involved with you, rather than approaching a regulator or the media because the reporter believes nobody at the company is listening,” Cazer says.

Your system must then be able to follow disciplined workflows so you can consistently investigate every incident. All materials related to the incident should also be attached to a single master case so you can easily locate important details. 

With these processes in place, you’ll then want your incident management technology to be able to automate assignments and more so you can investigate hundreds of incidents at a time. As disciplined as these procedures should be, Cazer says there should still be some room for flexibility. 

“Every company has its own idiosyncrasies…You might have new issues this year thanks to an acquisition or expansion,” Cazer says. “Configurable workflows, from intake through investigation and scalability—that’s the goal.”

4 – Technology Simplifies Audits and External Review

Just about every large company must follow a complex set of industry rules and regulations. One such regulation is that large companies are required by law to have an internal system for reporting misconduct or other incidents.

“Companies are required to document what the processes are for incident reporting, and then outside auditors can demand spot-checks where they select numerous cases at random and review how those incidents were handled,” Griggs says.

These audits are often extensive, according to Griggs. Auditors will want information from every step of your process, as well as the documents that go along with them. Compliance managers should be able to produce this information quickly. Since your incident management system should be cataloging all processes and materials from the outset, Griggs says, it can make the audit process a lot less labor intensive.

5 – Data Analytics Is Critical to Effective Incident Management 

The larger the enterprise, the more critical data analytics is to effective incident management. Cazer says this all comes down to proactivity.

“Analytics provides you with the critical insights so you can proactively address areas of problems before they balloon,” Cazer says. 

Compliance managers can design their own dashboards or source an incident management software solution that offers data visualization out of the box. One example Cazer cites is the ability to measure incident types over time, something that could help companies identify the incidents they most often face. 

6 – A Strong Culture of Compliance Is a Competitive Advantage

Employees are your most important source of information about risk, says Cazer. That’s why management teams should work to ensure that safe communication can happen within their organization. Being aware of and responding to issues as they arise is how organizations can stay one step ahead of their competitors. 

“To that extent, a good incident management system really can be a strategic advantage for a company, because the company can be more aware of, and responsive to, issues that need attention,” Cazer says.

A good culture of compliance and the technology to support it means areas of improvement will present themselves to you. That’s one of the primary advantages of incident management programs, in addition to regulatory compliance. 

7 – Incident Management Software Protects Organizations from Real Disasters

Effective incident management software can be complex. It must be easy for employees to use, flexible enough to allow for a variety of intake methods yet disciplined enough to be repeatable. 

Yet organizations might still face pitfalls if they aren’t utilizing an automated incident management system. Cazer says that without automation, organizations often lose track of where they are in an investigation or where they’ve kept the materials for each case.

“If the compliance or legal function can’t scale to manage all that work and supervision, then you’re risking real disaster,” Cazer says. 

Cazer recommends that compliance managers start by training employees on the importance of speaking up.

“Then you need policies around internal reporting, and then comes the technology to help you investigate and remediate in a disciplined, repeatable, scalable way,” Cazer says. 

With that in place, you’ll need data and analytics to help you identify what’s working, what’s not, and what’s the best path forward for your organization.

In Conclusion

Effective incident management systems can be complex. But both Cazer and Griggs argue that getting started doesn’t have to be. Start by instilling in your employees a culture of speaking up. Then stay one step ahead by creating a system to support them when they do. In building that program, Cazer recommends that compliance officers focus on four key capabilities: intake, investigation, scalability, and flexibility.

With that in place, Griggs says, your next step should be finding incident management software that can automate your workflows and scale to manage the work needed to make your processes world-class. This is where compliance managers can create a real competitive advantage for their organizations, one that they can continue to build on with a thriving culture of compliance. 

Download our Q&A on Incident Management to read the full interview.

This whitepaper covers:

  • What does incident management entail?
  • What are the important elements of a successful incident management program?
  • What are the benefits of an automated system for managing incidents versus a manual process?
