In the previous newsletter/post we discussed Why Investigations Matter; we now turn our attention to the issues of having Varied Approaches to Investigations Scattered Across the Organization.
The problem is that organizations do not have a standardized methodology to consistently address investigations across the enterprise. Today’s typical organization struggles with manual, scattered, and ad hoc investigation processes.
Unfortunately, many organizations implementing GRC strategies have seen investigations as a disconnected component and not core to GRC. Organizations often lack consistency, collaboration, and accountability when it comes to managing investigations. They have multiple investigation processes that do not work, introducing redundancy and inefficiency.
When investigations are scattered across the organization, it lacks 360-degree transparency into the negative events impacting the business. No one can see the breadth and depth of issues the organization has. As a result, investigations:
- Suffer from a complete lack of universal insight: There is no single authoritative source where investigations are consolidated, maintained, monitored, and managed consistently.
- Are bound by disparate methodologies: With redundant investigation processes, the organization has not fully embraced a common methodology to consistently manage investigations while allowing for unique subject matter experts to be involved in areas of their specialty.
- Lack enterprise accountability: There is no enterprise assurance of the consistency of investigations and resolution of issues, and only limited structures of accountability for understanding who took what action, what is being done to prevent future issues, who is responsible for the impact and loss, whether there is a trend of similar incidents and issues historically, and whether the issue is documented correctly.
- Have deficient lifecycle management: Organizations maintain an ad hoc approach to managing investigations, with varied approaches that introduce redundancy and inefficiencies when there is no common system for managing workflow, tasks, documentation, approval, accountability, and escalation processes.
- Fail to integrate with policy systems: Investigations are violations of policy; when the organization has no integration into policy systems and lifecycle management, it is handicapped in improving policies to prevent future violations.
- Are disengaged from risk management: Investigation processes that are external to risk management processes are unable to provide the historical loss information needed to adequately identify, measure, and manage risk.
- Are encumbered by improper technology: Processes are burdened by technology such as spreadsheets and homegrown databases used to document and manage investigations. This approach lacks sufficient audit trails that identify who did what, took what action, and entered notes, and that provide assurance that they were not modified at a later time to structure a different story or get someone out of trouble.
The organization suffers from ineffective investigation structures, content, coordination, lifecycle management, accessibility, accountability, and communication when this critical GRC process is trapped in silos. There is no 360-degree transparency into the status and impact of all investigations across the enterprise.
How can an organization manage and model risk and compliance without a clear understanding of where issues and events have been in the past? The issues of the past are a critical source of risk intelligence, providing a necessary indicator of where the organization’s future risks lie. Corporate governance, strategic decision-making, and the protection of stakeholder value require an organization to understand where its issues and losses have been.
When the organization is under a microscope, having a detailed document trail of investigations – how they were managed, who was involved, who was implicated, and what actions were taken – provides grounds for defending the organization. Organizations require collaboration and accountability across investigation teams for their ongoing involvement in investigations, the investigation process, evidence management, monitoring incidents, corrective actions, and loss reporting.