Investigation Lifecycle Management (ILM) enables organizations to manage the lifecycle of investigations, resulting in investigations that are handled consistently with collaboration across investigation roles and accountability into how the investigation is conducted and resolved.
Organizations benefit from consistent investigation documentation and process while maintaining data integrity and confidentiality. ILM is the process of managing and maintaining investigations throughout the organization for all categories of investigations (e.g. retaliation, abuse, fraud, privacy, theft, vandalism). The goal of the ILM approach is to document accountabilities, provide audit trails, coordinate with internal and external resources, specify monitoring activities, and provide a consistent process and investigation case review cycle.
The lifecycle is defined in five primary stages: 1 — Something Happened! Something has happened and the organization is faced with the question — should we investigate? The organization needs a clear guide to determine when an investigation should be conducted. An investigation should not be taken lightly, and should be clearly documented. Every organization requires the capability to identify, prioritize, investigate, and resolve issues. Structures (e.g., management, technology, process) should be embedded within the organization to help identify potential inappropriate activity. Drivers to conduct investigations include: employee reports or comments to management, risk indicator thresholds being exceeded, hotline reports, survey feedback results, recognition that controls have been circumvented, and others. An active monitoring process is implemented to identify when an investigation needs to be conducted, this includes:
- Hotline: The ability to provide anonymous reporting of actual or perceived misconduct and issues (e.g., anonymous web or call center reporting).
- Audits/assessments: Identifies issues to investigate through interviews, data or other testing, surveys, and assessment responses.
- Exit interviews: Interviews at employee exit may expose issues that the soon to be former employee is aware of.
- Corporate chatter: There is often some truth in rumor, what is the word on the street, around the coffee station, and in the lunch cafeteria?
- Social media: Facebook, Twitter and other social media sites are increasingly being used for venting and disclosure of malfeasance.
- Reporting to management: Written or verbal disclosures to management, direct reports or otherwise should not be overlooked or taken lightly; management needs to be held accountable to properly record what has been reported to them directly.
2 — Categorize and Assign. After the intake of a potential incident it is critical to understand what happened, who may have been involved, date of occurrence, and initiate the investigation. This involves:
- Issue filtering: There may be duplicate reports, misguided reports, and just noise that need to be consolidated or set aside. The goal is to have a quick triage process to identify what is relevant to investigate.
- Investigation categorization: The organization is to have established and predetermined categories of issues and response plans to engage appropriate resources and establish the security levels within the process. This categorization creates predetermined activity assignments and identification of information that must be gathered throughout the investigation.
- Investigation assignment: Determine what area, investigation lead, and subject matter expertise based on the categorization is the next part of the process. Here, the organization determines competence and independence (e.g., is attorney client privilege needed, should an external party be engaged). Often these business decisions can be predetermined based upon the category or suspects associated with the investigation.
- Policies and templates for response: Prepare and plan for what steps are to be taken before you have to respond. When the organization appears to be scrambling and going in different directions investigations fall apart. The organization needs clearly defined policies and process templates defined ahead of time for the various investigation categories it has defined.
3 — Investigate. After classification and assignment the organization next moves into the formal investigation process. Investigation activities can be predetermined to a certain extent and by doing so, critical instructions, considerations and guidance should all be readily available and enforced. Critical components of managing the investigation include:
- Evidence handling: Based on the classification of the investigation the organization needs the right capabilities to manage and handle the collection, preservation, and retention of evidence.
- Subject matter experts: Specific subject matter experts need to be engaged for the twists and turns an investigation may take. This may include experts in interview/interrogation, documentation, written statements/ depositions, physical and cyber forensics, as well as other areas.
- Documentation: Success of an investigation hinges on the correct documentation of how the investigation was conducted, who was involved, and what steps/actions were taken.
- Collaboration: A critical component of an investigation is the ability to collaborate between parties. This includes investigation personnel inside and outside the organization, parties involved in performing the investigation, those that reported it, as well as management responsible for overseeing the investigation. Communicating, securing and providing access to need-to-know information maintains the correct lev
el of understanding on status, outcomes, unresolved questions, and actions regarding the matter.
- Escalation procedures: During the course of an investigation, it may be necessary to escalate issues to another team and get involvement of higher levels of management or even law enforcement and regulators. Predetermining the criteria necessary to make this decision with the advance approval of company leadership will enable the investigation to continue the course approved by the company without jeopardizing the integrity of the investigation or increasing the risk to the resources involved.
4 — Resolve. The process of concluding an investigation is established to organize, preserve, and direct concluding activities according to established investigation procedures:
- Final documentation: The final form of the investigation notes and documentation needs to be complete, addressing the who, what, when, where, why and how in the cause of the matter. This includes documentation of all investigation activities, involved parties, dates, time frames and other relevant information to complete the historical record of how the investigation was conducted and what was found.
- Disclosure, restitution, and discipline: The organization needs to follow through with the proper resolution activities to wrap up response. This includes what public or private disclosure, restitution to injured parties, disciplinary actions, or sanctions placed upon companies, groups or individuals have been taken. These actions are to be commensurate with the offense, company policy, and law. Handling these acts with consistency will protect the organization from claims of prejudice and favoritism.
- Loss reporting: Losses resulting from incidents and issues that have been investigated are to be documented. This includes calculating the business impact of the issue including tangible loss from: internal and external investigation cost, litigation costs, fines, penalties, judgments, impairment of assets, market cap reduction, workforce turnover, customer turnover, and business interruption. The organization should also put some numbers estimating intangible loss metrics to reputation damage and negative media.
- Incident metrics: The organization is to track metrics on each incident including incident type/category, loss, and time for the investigation. Other necessary metrics include date of incident, when it was detected, when it was reported, when and how long it was investigated, and when it was resolved. The goal is to understand the lag between incident and resolution and reduce the window of exposure and loss to the organization.
- Lessons learned: A final lessons learned should be documented for incorporating into future risk evaluations and business decision processes which provide historical information relevant to decision making for the today and the future.
5 — GRC Integration. Investigations should not operate as an island disconnected from other GRC processes. The information gathered from investigations is critical to refining and improving other GRC related processes. Organizations are to develop and integrate a GRC information and process architecture that feeds investigation metrics into:
- Policy & training: Incidents and issues are violations of policies. Violations that have been investigated are to be communicated and integrated into the policy life cycle management process to initiate policy review activities and drive continuous improvement.
- Risk models and assessments: Use of loss information and details of what occurred from the investigation provides valuable information necessary to drive risk models and identify target risk areas. This enables the organization to identify and avert future incidents and loss to the organization.
- Remediation of control weaknesses, vulnerability, and exposure: Establish actions items to prevent and or detect similar violations in the future. The critical component is the hand off and monitoring of the remediation activities and the capture of relevant action information with the investigation closure.
In the previous articles we discussed Why Investigations Matter, Varied Approaches to Investigations Scattered Across the Organization, and Establishing Investigations Oversight. In the meantime, I would love to hear your thoughts on Investigation Lifecycle Management and corresponding GRC strategies.