HOME arrow INSIGHTS arrow COMPLIANCE MANAGEMENT arrow Internal Incidents

How to effectively manage internal incidents
Print E-mail

Download PDF >>

Companies today have compelling incentives to conduct internal investigations and to self-report ethics, compliance and other violations. Regulations such as the Sarbanes-Oxley Act of 2002 and the Revised International Capital Framework (Basel II) mandate policies and processes to address such incidents.

Organizations that self-report have a distinct advantage in negotiating with regulators and the Department of Justice with respect to penalties. Just as important, organizations with rigorous incident management procedures are in a more favorable position to foster an ethical corporate culture, maintain employee satisfaction and earn a solid reputation in the market. By establishing credibility and earning a reputation for strong ethical standards, companies can help blunt the effects of a potentially negative incident as they will be less likely to be defined by a single problem. Achieving these goals requires moving from a compliance program whose objective is liability protection to a comprehensive process-based approach focusing on the larger objective of strengthening the company’s ethical climate. Such an approach includes having well-defined procedures for managing the three primary types of situations: incidents that might warrant further investigation, cases that a company formally investigates and matters that involve legal counsel and proceedings.

Organizations that manage ethics and compliance incidents effectively focus on five key elements in implementing a process-based approach.

Anticipate incidents in advance and be prepared to respond.

Advance preparation puts a company in the best position to self-report and keep incidents from becoming more serious issues. Leading companies apply three methods to anticipate and prepare for likely incidents:

Risk assessments
Conducting a risk assessment and analyzing past incident data enables managers to understand the types of problems that are most likely to occur in the future.

Scenario planning
Using risk assessments to develop potential scenarios helps the organization think about and formulate responses to potential incidents.

Guiding principles
Establishing a set of guiding principles enables companies to manage incidents consistently, effectively and efficiently. These principles include definitive policies intended to maintain the integrity of an investigation, protect individuals from retaliation and apply consistent corrective action. Specifically, the principles should cover who owns the response process, when it is advisable to involve other parties, how information is gathered across departments or functions and what type of corrective action will be applied.

By taking these steps to anticipate and plan for incidents, organizations are better prepared to respond should an incident arise. Such planning allows them to develop greater clarity on the types of risks they may encounter, as well as the methods by which they will respond consistently to each type of incident.

Advance planning ultimately ensures that the most appropriate corporate function is prepared to take charge of an investigation immediately, before any in-depth fact finding or corrective action takes place.

Provide multiple methods of reporting.

The potential outcome of an incident can change dramatically if a prosecutor identifies a problem before the company has a chance to self-report. Consequently, it is vital to offer mechanisms for employees to bring issues to the company’s attention at an early stage. Web- or telephone-based helplines, intranet sites, ombudsman and open-door policies are some common options companies offer employees to report potential violations. By establishing multiple and anonymous ways for employees to report, organizations can improve their ability to discover potentially serious incidents.

To make these mechanisms effective, however, there must be a culture of trust in which employees feel secure asking for guidance, reporting potential issues and sharing information. Education and communication programs must therefore both encourage employees to report incidents and reassure them they will be protected and the information will be acted on appropriately.

Investigate allegations thoroughly, consistently and in a time-sensitive way.

Following through on an allegation sends a strong signal to employees that the organization is committed to lawful and ethical conduct. However, how the organization manages its investigation – from initial assessment to corrective action – is crucial to its success.

An effective response starts with companies having a set of guiding principles and protocols in place to manage reports of incidents consistently, effectively and quickly. Leading companies establish rules by which they can quickly classify reports based on their nature – financial, personnel, environmental, etc. – and their potential seriousness. The allegations can then be routed to the right channel for investigation, whether this is to the audit committee, the risk and compliance team, human resources or outside counsel.

Particular care should be taken to ensure that all communication during this period is objective, fact based, unambiguous and secure to preserve the integrity of the investigation and to protect the reporting individual from retaliation or other unacceptable risk. Communication plays a vital role in building a culture of trust by eliminating individuals’ fears of “being in the dark” during an investigation. A well-defined communication plan ensures that stakeholders have the information they need when they need it, while protecting the integrity of the investigation with security controls that guide access to and dissemination of information.

After the investigation, prompt corrective or disciplinary action is necessary. Leading organizations apply a predetermined decision protocol to minimize the potential for confirmation bias – i.e., personal impressions developed during an investigation – to enter into the decisionmaking process. Alternatively, organizations assign the responsibility for the two processes – investigation and corrective action – to separate teams in an effort to ensure objectivity. Finally, companies must respond to ethics and compliance violators consistently, applying the same procedures and corrective actions to each individual, regardless of whether the allegations or findings of wrongdoing involve executive or staff-level employees.

Concluding the investigation in a timely manner and taking prompt corrective action enables an organization to minimize resource requirements and interruptions to its business and to remain sensitive to employees involved in the process.

Use the incident data to improve ethics and compliance management.

Compiling and analyzing incident data improves the way a company manages individual investigations over time and provides compliance executives and senior leaders with valuable input that can enhance the overall effectiveness of their ethics and compliance programs.

A well-designed process begins with capturing incident data to assist the fact-finding team in managing its investigation efficiently. For example, the process might include creating a case file directly from the helpline source, organizing investigation activities into a calendar or work plan and documenting the outcome.

Another critical element in a well-designed process is aggregating and sharing information across functions. This can improve the effectiveness and consistency of the company's broader ethics and compliance programs. Sharing this information may lead to implementing a new communication program or enhancing certification processes to reinforce a critical behavior and avoid future problems. For example, following a series of incidents involving improper use of the Internet over company systems, an organization might decide to implement a targeted, issue specific communication program followed by a mandatory education module that demonstrates which behaviors are not permitted and the consequences for engaging in them.

Additionally, sharing incident data allows compliance personnel to look across a history of incidents and examine how similar ones were investigated in the past. While maintaining privacy laws, decision makers can research past cases to ensure that the actions they prescribe are consistent and have precedent, thereby protecting the company’s interests.

Finally, analyzing the data also helps compliance officers and managers examine incident patterns and determine whether there are root causes and what, if any, might be their relationship to the corporate culture. Discovering root causes can help determine if incidents commonly result from a lack of internal controls, inadequate education, perverse intentions or another cause. The results can then help the company implement new strategies to strengthen risk-management processes, improve policies, update education programs or take other appropriate steps.



Incident management guiding principles

Establish clear ownership of the incident response process by having a position that is assigned responsibility for ensuring all parties follow protocols for fact finding, decision making and corrective action.
  • Engage the right resources and define clear roles before conducting in-depth fact finding or taking corrective action.
  • Manage by fact, with objectivity and a presumption of innocence.
  • Consider potential outcomes and consequences when developing a fact-finding plan.
  • Protect employees who report or witness suspected violations from retaliation.
  • Ensure that only those who need to know do know.
  • Communicate in a manner that is objective, fact-based, unambiguous, thorough and secure.
  • Notify those accused of serious misconduct as soon as possible without compromising the integrity of fact finding or exposing employees to unacceptable risks.
  • Investigate thoroughly, and then bring the issue to a timely conclusion to minimize resources requirements and business interruption.
  • Take corrective action in a manner that is consistent with precedent in order to protect company interests.


Turn incidents into learning opportunities.

Ethics and compliance incidents offer important lessons for a company and its employees that can help shape an ethical, self-governing culture.

Depending on the issues, the company may determine that it can enhance its ethics and compliance program by communicating details of actual company incidents and their resolutions. Focusing attention on real incidents helps companies make it clear to employees that they mean what they say. This communication also helps address ethical complacency – the common conception that incidents “don’t happen here.” When incidents do occur, it can be beneficial to explore the topic and resulting steps in company newsletters, discussions and e-mails, concealing any data that is not yet public or may involve privacy issues. This type of immediate learning followed by enhancement of the compliance program to the identified issues helps strengthen the development of an ethical, self-reporting culture. In this way, the company continually encourages employees to understand acceptable behaviors, identify and use reporting channels and recognize the company’s commitment to take necessary actions. In short, while organizations can’t avoid uncertainty, learning from incidents can positively affect both the incident outcome and company culture.

These five elements of an effective incident management program establish a means for investigating, responding and resolving issues quickly and definitively. They enable decision makers to manage objectively and consistently according to facts. They demonstrate to employees, stakeholders, the media and regulators that the company has a commitment to maintaining a strong, ethical corporate culture. And, they enable continuous improvement of the ethics and compliance policies and practices that define that culture.

 
 

APPEARANCES

Watch LRN CEO Dov Seidman discuss HOW on Charlie Rose »


Seidman tells BusinessWeek to out-behave, not outperform »


Good Morning America shares an excerpt from HOW »

NEWS

Dov Seidman on BusinessWeek.com: The Era of Inspiration


LRN Engages the Global Enterprise with New Online, Offline and Experiential Learning Offerings


BusinessWeek.com Debuts New HOW Column by LRN CEO Dov Seidman


LRN and GeneEd Partner for Business Ethics Education Solution

WEBINARS

Sept. 18, 2008
Sustainability, Ethics and Compliance


Oct. 16, 2008
Managing Ethics and Compliance During a Recession

SPEECHES

Sept. 14 - 17, 2008
7th Annual Compliance & Ethics Institute


Sept. 24 - 26, 2008
Ethics and Compliance Officer Association
© 2008 LRN | contact us toll free: 1 (866) 439-3071 | Terms and Conditions | Privacy Statement | Security | Site Map

Proper and ethical corporate governance is a high priority topic. With LRN's compliance program, your business can continue to adhere to the ever changing business code of ethics.

When dealing with compliance in corporate email, remember to focus on the ethical standards laid out by LRN, a leader in compliance management.

Constructing effective safety training courses is an integral task in developing a comprehensive regulatory compliance training program. For ease of mind, consider the safety training standards described by the innovators at LRN.