The Network GRC Blog

On the Case for Investigations & Incident Management

March 08 2013

by Jimmy Lin, VP, Product Management and Corporate Development, The Network

On the Case for Investigations & Incident Management

When an incident occurs in your organization, you have to react. Just how you react is critical to whether or not you can resolve the issue and prevent a future occurrence. A vital part of investigation and incident management comes in the information-gathering phase, whether that data comes from the upfront report regarding the incident or the subsequent interviews that must take place. It’s all in how prepared and thorough you are.

This week I was privileged to sit in on a panel discussion with two of the predominant legal experts when it comes to labor and employment law, Kathy Franklin and Tahl Tyson of the Littler Mendelson law firm. This OCEG webinar focused on the best practices required for proper and effective global HR investigations. Kathy and Tahl strongly believe that every organization must be prepared to act if and when incidents occur – emphasis on the ‘when.’ We also all agreed that, especially in mid to large organizations, and most particularly if they are global, a central repository or “funnel” for investigative data is very high on the list of must-haves. (You can view the recorded webinar on the OCEG website.)

Investigations aren’t always a cut-and-dried matter. Getting you legal, HR and investigative teams together on the same page before an investigation is warranted can pay huge returns when the time comes. The legal function within the organization can help analyze the risks posed by reported concerns, and your compliance team can help make sure future issues are mitigated. HR might lead the investigation, but collaboration is big. Everyone must be aware of what’s involved and agree on an approach that best defends the organization while remediating and resolving the issues.

We asked participants on the webinar if they had a written investigation and incident management protocol, and I was somewhat amazed to find that only about half of the respondents did have such a guide. A third of the respondents did not, and that is cause for some concern. Without some formal system in place, investigations won’t teach you anything, and resolution is often just reactionary.

We also talked a bit about the need for proper triage of incidents, including follow-up and any remediation activities that are necessary. Three in five of our webinar participants said they had an effective triage process in place, but about half of those respondents said the process could be better. It’s a big mistake if you don’t take an issue seriously. You don’t know what or who is involved until you dig deep, and if you assume it’s a superficial issue and do not perform proper investigation steps you might never uncover the root cause. You want consistent investigations, every time, across your entire enterprise.