In the previous posts we discussed Why Investigations Matter and Varied Approaches to Investigations Scattered Across the Organization. We now turn our attention to the issue of having proper oversight for investigation processes within the organization.
Organizations are developing strategies to consistently manage a growing body of GRC-related processes that have historically been scattered across the organization – the goal is to deepen transparency and collaboration across the organization. Internal investigations are a function of these processes that organizations strive to make more efficient, effective, and agile. GRC works by breaking down functional silos, connecting team members inside and outside the enterprise, and ensuring transparency and accountability for every action.
The goal is to bring the areas of governance, risk, and compliance into harmony. It enables different areas of the business to be accountable where they excel without dominating others, promoting collaboration and information-sharing to achieve a holistic view of GRC across the business. It provides collaboration as well as accountability, so that GRC-related processes scattered across the business work together in harmony, delivering increased efficiency, effectiveness, and agility to the business.
A GRC approach to investigation management provides enterprise visibility across investigations processes. It enables investigation teams across the organization to work in harmony in their distributed functions. The goal of a GRC approach to investigations is to provide assurance that investigations will be handled appropriately, consistently, and in a timely manner while providing useful information to other GRC processes such as risk, policy, and audit.
A GRC approach to investigation allows the organization to achieve:
- Agility: Business changes rapidly and requires investigation processes that are quick to react to incidents as they arise. Scattered investigation efforts slow down and handicap today’s dynamic business.
- Consistency: Varying investigation teams in the organization need to work together in an integrated methodology and understand how their roles fit into the big picture. When silos are allowed to go their own way the organization loses visibility.
- Efficiency: Leveraging common processes, technology, and information minimizes redundancy and wasted resources. Manual and document-centric processes are inefficient and burden the business.
- Transparency: 360-degree visibility across key incident and loss indicators lets the organization monitor its health and avert or mitigate disaster. Without full transparency across issues the organization is taken off guard.
- Accountability: Increasing governance demands require a system of accountability where the status of issues is apparent, and individuals are accountable for resolution. A lack of accountability and ownership of specific issues is a warning sign for regulators or 3rd parties to dig deeper.
GRC in investigation governance is made possible by three key functional capabilities:
- An organized Internal Investigation Committee to govern the oversight and guidance of investigations and ensure investigations are managed consistently across the enterprise.
- An individual assigned to the role of Internal Investigation Manager to assure accountability across the investigation lifecycle to the standards and processes defined by the Investigation Management Committee.
- A well-designed Investigation Lifecycle process that delivers efficiency, effectiveness, and agility to the business.
The Internal Investigation Committee (IIC) provides the structure and connective tissue to coordinate and drive consistency across distributed investigation teams and is comprised of team members that represent the best interest and expertise of the different parts of the organization. This committee is comprised of individuals from legal, compliance, audit, fraud, physical security, IT security, quality, health and safety, and other relevant areas of the business with investigative responsibilities.
The IIC carries out its investigation governance responsibilities by leveraging commonly developed and agreed-upon investigation policies, procedures, processes, and technologies that form the Investigation Lifecycle management. The role of the Internal Investigation Manager is to be the champion that sees that the lifecycle is followed.
In the next post we will look at the Investigations Lifecycle in more detail. In the meantime, I would love to hear your thoughts on Establishing Investigations Oversight and corresponding organizational strategies.