Last week I had the good fortune to moderate a webinar on incident management programs, and I have to admit — by the end of the hour, I had a much more nuanced appreciation for the things that make an incident management program succeed.
Usually when I think about incident management, my mind immediately goes to matters of technology. I think about how a corporation can manage incidents at scale, since large organizations will routinely have thousands of incidents they’re trying to manage at any one time. How does a compliance officer shepherd all those incidents to their logical resolution, when each one has a unique set of facts to consider?
I promise that we’ll get back to those technology questions later in this post. The speakers on the webinar, however, stressed that the fundamentals of incident management are decidedly not about technology. The fundamentals are still about leadership’s commitment to finding out the truth of whatever allegation arrives on your desk, and then following through with whatever disciplinary or remedial action might be necessary.
If an organization doesn’t have that ethical commitment, the webinar speakers said, all the technology and investigation protocols in the world won’t matter much. Weak commitment to ethical values will reduce your incident management program to mere window dressing.
Upon a moment’s reflection, of course that point makes sense. It’s also a hugely important point for the success of corporate compliance programs. So let’s unpack this idea a bit more, to understand it fully.
The Purpose of Incident Management Programs
The ultimate goal of an incident management program is to find the truth of allegations submitted to the company, so that management can then make decisions about how to respond to those allegations. That is, incident management programs aren’t just administrative devices to help you sort allegations into different categories for neat and nifty reporting. Incident management programs should exist to produce a result: the truth.
In that case, then, the key for a successful incident management program is executive commitment to those ethical values of finding the truth and responding to the matter according to policy — no matter how painful that might be.
As obvious as that point sounds, there’s plenty of evidence to suggest corporations aren’t good at putting it into practice. For example, Ethisphere has published data on why employees don’t report misconduct they see in the workplace, and the top two reasons were fear of retaliation (cited by 54 percent of employees) and a belief that the company wouldn’t take any action to address the employee’s concern (cited by 49 percent).
Those statistics are employees’ way of saying that they don’t believe management is committed to finding the truth of an allegation and then responding accordingly.
So if you, the compliance officer, want an effective incident management system, the single most important thing to do is to make senior leaders understand that inextricable link between their commitment to ethical conduct and the practical systems and procedures the company puts in place to investigate allegations of misconduct.
“We can invest all you want in better incident management policies and tech,” you might say, “but if management is still willing to bury unpleasant allegations under the rug, eventually employees will see that you’re not serious about rooting out problems and they’ll stop helping us.”
Only after that message is heard, understood, and accepted can an incident management program move from window dressing to a true tool that can leverage better performance.
But I did promise more talk about the technology, too. So let’s assume your senior leaders have heard that message, and you have a budget to spend. What then?
Our webinar did also raise numerous good points about how technology does or doesn’t help your incident management program. Let’s consider two.
Automated workflow can help, but only so much. Given that large organizations will routinely have thousands of individual incidents to track, falling into dozens of major categories, I’d always assumed that data classification and automated workflow are crucial program capabilities. You need technology that can help you quickly triage allegations and then send them down certain prescribed investigation paths: some complaints go to HR, some go to accounting, some go to the audit committee. Right?
Well, the speakers said, yes and no.
Those technology capabilities are important, they said, but correct triage of a report is more important. So you do need to build opportunities for human review into that triage process.
For example, if you have an online submission form for internal complaints, you can design those intake processes to ask certain questions based on the employee’s previous answers. If you have a telephone hotline, you can train call center reps to ask certain questions and elicit more information.
At some point, however, that report has to cross the border from intake to investigation. That would be one point where you could pause, so a committee of some kind can review allegations and confirm that they’re being handled correctly. Of course, timely investigation of complaints still matters, so that review process should have a structure: who sits on this committee, how often it meets, how it documents decisions, and so forth. But incident management does need to strike a balance between the rigidity of automated workflow and the flexibility to evaluate each incident on its merits.
A word on key performance metrics. Everybody likes to talk about KPIs for incident management, and there are plenty of them: substantiation rates, time to close cases, cases that require escalation to senior executives, and so forth.
One webinar speaker said his favorite metric is time to close — but that metric does need thought and attention, because it can often go awry.
For example, your team might be investigating several low-priority issues when a much more serious allegation arrives. Should that more serious issue take priority? Of course. But you’ll need to pause the clock on those previous issues, so your time-to-close metric isn’t skewed by the more serious allegation that’s delaying work on the others.
That does raise other concerns. For example, I’d recommend that you also try to track how often that happens: that more serious issues require you to put aside pre-existing cases. If it happens a lot, it’s a warning sign that perhaps your incident management program doesn’t have enough staff resources, or that you’re structuring your investigation processes inefficiently — maybe some of those perpetually postponed low-grade offenses could be handled by HR or some other group.
But you won’t be able to answer that question until you know how such delays happen. So a metric along the lines of “issues that need escalated review” might be worth your time.
I could keep going, because the webinar generated plenty of good points. For now we’ll conclude, but if you have your own observations about what good incident management programs entail, drop me a line at [email protected] and we can do a follow-up post another day.