Incident Management Programs


WHITE PAPER

Best Practices for Incident Management Programs

Incident Management | White Paper


INTRODUCTION

Incident management programs are the connective tissue that keeps a culture of compliance together. They are the system that takes an employee complaint from start to resolution—and managed correctly, at scale, that system can provide invaluable insight about corporate performance and risks along the way.

Put simply, incident management systems are not only about satisfying regulatory requirements for an effective compliance program. Designed and operated wisely, they can also amplify a company’s strategic advantage against competitors.

What points should compliance officers keep in mind as they build incident management programs? Consider these eight best practices.

1. REMEMBER WHAT INCIDENT MANAGEMENT IS ALL ABOUT: THE ABILITY TO HEAR, INVESTIGATE, AND ACT.

So compliance officers should begin by considering all the elements within an incident management system—everything from internal reporting hotline, to case management system, to documentation, to data analytics—and how those elements fit into one cohesive whole.

The goal is an incident management system that lets the company be more responsive to problems. That is what regulators want to see in a compliance program, and it’s what employees, business partners, and consumers want to see, too. Never lose sight of that strategic goal.

2. KNOW YOUR PRIMARY AUDIENCES AND THE ISSUES THEY ARE LIKELY TO RAISE.

These audiences and their needs will vary by industry, location, and even the purpose each group serves within the organization. Compliance officers should understand what incidents each group is likely to encounter and report, so you can design the rest of the system appropriately.

For example, a broker-dealer firm will want an incident management system for white-collar workers reporting allegations of insider trading, improper fees billed to clients, or violations of workplace policies. Meanwhile, a manufacturer will need an incident management system for blue-collar employees to report allegations of forced labor, theft, or other types of fraud; and it will need a system that can process more white-collar issues as well.



3. BUILD FLEXIBLE, USER-FRIENDLY INTAKE MODELS, SUCH AS SELF-GUIDED QUESTIONNAIRES.

Incidents are the raw material that incident management systems consume, so your incident management system should strive for broad “intake capability.” That is, employees should be able to submit allegations by email, telephone hotline, website, text messaging, a kiosk on the factory floor, or even just by talking to their manager—whatever makes the most sense for each group, given the operations and culture of the company.

The intake system should also have an interface that’s easy to use, so the reporter can submit an allegation quickly and easily. Self-guided online questionnaires, for example, can start with broad categories (“Do you want to report financial misconduct, or workplace bullying?”) and progress to more specific questions. That alleviates some of the burden from the reporter, and provides the compliance team with valuable data.

4. DESIGN CONSISTENT PROCESSES FOR EVERY STEP.

Consistency is crucial to incident management in several ways:

• For reporters who use the system, consistency helps them to understand how allegations are handled and, over time, lets them develop trust in the system.

• For managers investigating incidents, consistency helps them understand how to conduct investigations and what steps to take.

• For senior executives overseeing the entire system, consistency builds a trove of reliable data about activity within the organization, which helps them understand what is or isn’t working well.

This means compliance officers need to put considerable thought into how the incident management system should work. Define workflows and data taxonomies; develop training and communication plans; and in the fullness of time, review the performance of the incident management system to assure that all its processes do achieve that consistency.

5. AUTOMATE THE COORDINATION OF INVESTIGATIVE STEPS AS MUCH AS POSSIBLE.

Versatile intake systems, as discussed above, automate the collection of internal reports. Incident management systems also need to automate the investigation of those reports to the maximum extent, to achieve scalability.

For example, collection of evidence (payment records, vendor due diligence forms, and so forth) could be automated and placed into a consolidated case file. Investigation tasks could be assigned to specific managers, with attendant deadlines for action and email alerts if a step isn’t done in a timely manner.

Automation allows investigations to proceed in a uniform manner at scale, which achieves the consistency mentioned above. Automation also creates an audit trail for every incident, which is vital for regulatory examinations or outside audits of the incident management system. Inconsistent investigations, on the other hand, can create risk of regulatory enforcement, litigation, poor corporate culture, or reputation damage.



6. USE TECHNOLOGY TO SIMPLIFY SENIOR MANAGERS’ REVIEW OF CASES.

Some level of manager review is necessary for most incident reports — and the more sensitive or explosive the allegation, the more scrutiny it will get from senior executives. That said, modern corporations will routinely have hundreds of incidents under review at any single moment. That’s too many for any manager to review effectively using manual processes and his or her memory.

Your incident management system, therefore, should use technology to reduce the background work managers must do to study and absorb the details of a case. For example, the system could use automatic summarization of a case, where software extracts key words and issues in the report and boils them into a one- or two-paragraph summary of the whole.

Technology can also create clearly structured reports, so senior executives can read the summary and then drill down as they like to review attached documents, interview notes, audit results, or other evidence. Again, that allows consistent management of incidents at scale, and consistent treatment of reports is crucial to an effective compliance program.

7. HAVE A CLEAR TAXONOMY OF INCIDENT CATEGORIES, AND HOW EACH CATEGORY SHOULD BE TREATED.

A strong culture of ethics and compliance will generate many reports. That’s a good thing unto itself, but that drives up the importance of classifying incidents quickly and accurately so they receive proper oversight.

For example, allegations of accounting fraud or foreign bribery should go to the audit committee, general counsel, and chief compliance officer immediately. Complaints about workplace harassment should go to the HR team, while reports of employee theft might go to a vice president of loss prevention.

To manage that triage of reports at scale, your incident management system will need three things:

• Clear definitions of all the categories of reports that matter to your organization (financial fraud, procurement fraud, bribery, harassment, theft, and so forth);

• Technology that can identify the nature of reports, such as the self-guided questionnaires mentioned previously or artificial intelligence that searches for certain keywords;

• A rules-based system of routing reports, so that each one goes to the proper manager depending on its category.



8. LEVERAGE DATA ANALYTICS FOR INSIGHT INTO POLICY, TRAINING, CONTROLS.

The strategic advantage that comes from a technology-driven incident management system arises from data analytics. Automation generates huge amounts of data, which compliance officers can then study for insight into corporate culture, employee misconduct, internal control weaknesses, and much more.

For example, analytics might find that complaints from female employees are substantiated less often than those from men. Is that because women are more likely to complain about issues such as harassment, that need a different investigative approach? Or do managers handling the complaints need better training?

Meanwhile, complaints about bribery in specific geographic markets could suggest weak internal controls; complaints about spam could be a warning sign of poor network security.

The questions that might emerge from incident management data are endless. Strong analytics helps a compliance officer to find the right answers. Then they can work with the rest of the enterprise to implement change and build a stronger organization.

That’s what regulators want to see in a compliance program. It’s also what makes a strong compliance program vital to the company’s business success.

CONCLUSION

The core elements of an incident management system are a flexible intake process that helps people to submit complaints; consistent processes that can automate as many investigative steps as possible; and data analytics capability that helps managers to study issues in aggregate, and then make improvements to policies, procedures, and controls.

Above all, however, compliance officers should build a compelling business case to invest in robust incident management systems. Such systems don’t just satisfy regulatory expectations for a compliance program (although they definitely are necessary to satisfy those expectations). Fundamentally, they help the company to manage and resolve issues more quickly, so executives won’t be distracted from business objectives.

In other words, a strong incident management system can be a strategic advantage for organizations. It’s yet another way the compliance program can support the business overall.

ABOUT STEELE COMPLIANCE SOLUTIONS, INC.


Steele, a Diligent brand, is the global leader in Ethics & Compliance Management. We partner with the world’s largest, most respected companies to deliver compliance products and services that help organizations embrace a culture of compliance while protecting their brand.
Learn more at STEELEGLOBAL.COM
