Is Your Incident Reporting System Putting Your Organization At Risk?

Thursday, November 11, 2010

Katie Weaver-Johnson


How is your incident reporting system working for you? 

Or perhaps the question should be – Is your incident reporting system working against you?

Lessons learned continue to show that organizations find themselves in ‘reaction mode’ more than they are in ‘prevention mode’. How can this be when almost every organization claims to have an incident reporting system in place?

Are traditional incident reporting systems obsolete?

Multiple surveys reveal that 90% of bystanders who witness a bullying incident DO NOT report the incident. So why aren’t bystanders reporting incidents?

Perhaps bystanders are not reporting because of one or more of the following reasons:

  • Scared to get involved
  • Not sure how to report incidents
  • Not comfortable with incident reporting options such as paper, in person, phone or text
  • Lack of anonymity when reporting incidents
  • Bystander does not trust the incident reporting system will work
  • Bystander does not trust the organization will take action
  • And many others…

Victims are also reluctant to use traditional incident reporting systems. Victims want to be heard, but many victims do not trust traditional incident reporting systems for reasons such as:

  • They tried using the traditional incident reporting system and nothing happened
  • No anonymous option to report incidents
  • Not knowing who was on the other end of the incident reporting system
  • Afraid their information would not be kept confidential
  • And many others…

Like bullying and cyber bullying, workplace violence incidents seem to be increasing too.  Mounting stress related to economic challenges, job layoffs and mortgage foreclosures continue to affect millions of individuals and families.

And some individuals have taken out their frustration on their bosses, their co-workers or their family members where they work… and many of the incidents could have been prevented based on red flags that were discovered after the incident.

Suicides and bullycides seem to be increasing too. According to statistics from support organizations, 5,000 teenagers commit suicide a year and perhaps as many as 500,000 or more teenagers contemplate suicide or attempt suicide each year. 

What if these 5,000 teenagers had a trusted incident reporting option they could have reached out to for help?

So is your traditional incident reporting system really working for you if bystanders are not reporting incidents, and victims are not reaching out for help?

Red Flags and Prevention

Without red flags, it is nearly impossible for security teams and threat assessment and intervention teams to prevent incidents from happening.  Yet after almost every bullycide or workplace violence incident, people come forward and say they were aware of multiple suspicious incidents and red flags, but did not report the suspicious incidents because they did not know how to or did not understand what suspicious activities should be reported. 

In some cases, people DID report the incidents and unfortunately the organization did not connect the dots. 

Legal Defensibility

In our highly regulated and litigious society, victims and their families are taking organizations to court when they fail to respond as mandated.  Many lawsuits brought against organizations cite “deliberate indifference” or the conscious or reckless disregard of the consequences of one’s acts or omissions.

Deliberate indifference is often the result of:

  • Lack of Awareness – meaning people did not know what to do in different situations even though previous incidents, legal obligations and regulatory mandates exist
  • Lack of Follow Through – meaning people knew about the issues, but did not take immediate actions to end the issue and did not take appropriate actions to eliminate the hostile environment and prevent future incidents
  • Failed efforts based on the situation, state mandates or organizational obligations

Experts seem to be in agreement that reacting to incidents is much more expensive (and embarrassing) than preventing the incidents from happening, but prevention requires a more comprehensive suite of incident reporting tools to ensure:

  • Anonymous or non-anonymous incident reporting tools
  • Threat Assessment and Security Team collaboration tools
  • Secure and confidential information sharing tools
  • Situational awareness tools for all appropriate individuals and team members
  • Accessibility options for anytime access to the suite of tools
  • Documentation / Reporting tools of entire process for compliance and legal defensibility
  • And adaptability options as needs and situations continue to change

Is your traditional incident reporting system helping you or working against you?

Cross-posted from Awareity's Lessons Learned Blog by President/CEO, Rick Shaw

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.