Once an incident is discovered by ongoing monitoring, hotline reporting or periodic evaluation, an organization should deliberately manage the resolution process. Incidents should be confirmed for validity and investigated to understand all facts. Occasionally, an incident may require more sophisticated investigation. Root cause should be determined.
Principles
> Integrate the management system for multiple sources of information
> Confidentiality
> Consistent processing
> Confirm validity of incident
> Provide feedback to reporter
> Root cause
Business Objectives
-
To ensure that stakeholders have a means to anonymously report suspected misconduct and that those charged with oversight are made aware of the reports in a timely manner
-
To ensure timely receipt, processing, resolution and documentation of all reported issues
-
To ensure that incident reports and procedures incorporate and comply with all applicable legislative mandates and requirements and federal guidelines
-
To ensure that required or voluntary reports to regulatory bodies are made in a timely and accurate manner
Considerations
-
A third-party external hotline may, in some cases, provide the best option for protecting the anonymity and confidentiality of the reporters and reported information. In other cases, an internally-operated hotline will be sufficient
-
Report intake must take into consideration the native language and geographic location of the potential reporters, including the demographics and communication profile of employees and individuals who will utilize the system
-
Protection of the confidentiality and anonymity of the reported information should be considered when communicating sensitive information -- especially via fax, email, and postal services
Critical Success Factors
-
Timely receipt and review of reported information
-
Reporting structure and procedure must mirror risk factors
-
Communication of the availability and confidentiality of the reporting method (e.g., hotline)