Global Voices: Incident Management – Key Component of a Defensible Compliance Program
Back in April, we told you how critical Policy and Procedure Management is when creating a defensible compliance program. This month, I will explain to you why Incident Management is just as important a component to meeting these guidelines.
As you may recall, the United States Federal Sentencing Guidelines for Organizations (FSGO) has provided the basis for American courts to impose harsh penalties upon organizations whose employees or agents have violated federal statutes.
The guidelines are designed to encourage organizations to develop effective compliance and ethics programs to prevent and detect violations of law. There are seven key areas that should be included in building just such an effective governance program:
1 • Written policies and procedures
2 • A designated compliance officer and compliance committee
3 • Effective training and education
4 • Effective lines of communication
5 • Internal monitoring and auditing
6 • Enforcement of standards through well-publicized disciplinary guidelines
7 • Prompt response to detected problems through corrective actions
The role of incident management
A foundational element of any compliance program (especially for satisfying points 5 and 7 above) is Incident Management, a way for employees to alert your compliance professionals of any failure to comply with external regulations, internal policies and procedures, or any other requirements imposed on your organization. Once you are aware of these breakdowns in controls, you want to be able to investigate the details of the incident, identify the root cause and track corrective actions to prevent future recurrences of the same type of incident.
No matter how amazing your incident management system is, it is only effective if your employees are willing and/or able to report to you when things go wrong. How do you design a program that is accessible, effective and easy to use? Here are five points you must keep in mind when selecting or designing your incident management process.
Keep it simple
The best way to ensure that your employees will alert you to these incidents is to make the process of doing so as simple as possible. Initial incident reporting forms should be short and sweet, simply and effectively gathering the basic who, what, when and where of the incident. They should also be intelligent, responsive, and permission-based – if I am reporting an incident of potential bribery by a fellow employee, don’t ask me questions about details around a security breach. Additionally, only show me the section I am responsible for, not the entire form.
Go with the flow
Once those initial details are reported, leave it to the compliance professionals to investigate the incident, filling in the blanks and adding details needed for proper review and analysis of the root cause of the incident. Make sure your solution provides a flexible, configurable workflow engine to send those initial reports to the appropriate investigators based on category or severity, to guide them through the investigation process with dashboard alerts and email notifications, and to ensure timely completion of the investigation with timelines and escalations when deadlines are missed.
Use it or lose it
It’s not enough to just collect the data, you have to do something with it. It may be as simple as viewing a dashboard of high-level analysis of your data, reports and exports to be viewed and analyzed by other compliance professionals, or feeding information through a data warehouse to a business intelligence tool, information is power so use that power for good and make your organization a safer, happier and more compliant place to work.
Just do it
You’re not finished yet! Whether a single investigation requires immediate remediation, or a trend or anomaly in your data shows a more systemic issue that needs to be addressed, your solution must support the creation, assignment, and approval of corrective actions in order to drive prompt responses to detected problems.
Did I mention, keep it simple?
One of the biggest mistakes I see from clients is overcomplicating or over-engineering the incident management process. Whether it is building a form with too many questions, designing a process with too many steps or flooding everyone’s inbox with too many automated notifications of every step of every incident, take my word for it – less is more.