Incident response: how to manage an investigation and move forward

Complex investigations often involve legal and regulatory actions, high-impact incidents, time-pressure situations, and other critical concerns. What are the key considerations a corporation should make when handling an end-to-end investigation and remediation process, from choosing an external consultant to implementing changes to the organization?

An investigation is a fact-finding process that assists companies in understanding what happened in the specific incident, who was involved, when happened, what triggered the incident, and why the incident was not prevented or detected by the current controls. This information informs senior management of the vulnerabilities in its existing risk management mechanism.

Looking at these vulnerabilities, what should a company do to address its exposure through changes to the business process, risk management activities, and system and data infrastructure, amongst other things?

When planning for an investigation and remediation, consider the following:

1. Independence: When choosing an external consultant for investigation, the consultant’s independence is the primary consideration to ensure the investigators are free from conflict in fact and appearance. The independence of the consultants ensures the investigation is conducted free of undue influences and provides unbiased findings.
2. Experience and industry knowledge: Experienced investigators, with adequate experience in risk management and industry knowledge, can navigate through the organization efficiently and minimize the interruption to the business operations.
3. Incident response group: The company can set up an incident response group that consists of representatives from relevant business lines and functions (e.g. business, finance, operations, IT, HR, etc.). This group will form a trust circle within the company concerning the subject being investigated, and provide valuable inputs to the investigation process. All information concerning the investigation should not go outside this group.
4. Root cause analysis: While understanding what happened is a core part of an investigation, the investigation should also target the root cause of the incident, not just its symptoms. For example, a transaction processing manual sets out the procedures that a reviewer should follow to escalate any red flags when processing a transaction. A failure to follow the procedure is not necessarily a root cause of a risk incident. Recurring failures in the control process may reveal that the root cause is the reliance on manual processes to analyze unstructured data presented in physical documents, and the manual and complicated review process is prone to a higher rate of errors.
5. Reporting: The report format will be dependent on the target audience. Is the report for internal use only? Will it be shared with regulators? Is the matter potentially subject to litigation? The use of the report will determine the appropriate report format.
6. Re-imagine processes and controls: Remedial actions should be designed based on the root causes identified above. Certain remedial actions may take more time and require additional investment. Tactical measures can be implemented to provide an immediate solution to address the risks while the company is working on a long-term solution (e.g. upgrade of IT infrastructure) to address the problem strategically. When designing remedial actions, managers should consider the end-to-end process and think innovatively about how to transform the business process to address the risk effectively and efficiently. An effective control does not automatically mean a sacrifice of customer experience.
7. Risk governance: Key metrics should be designed for risks and controls to monitor the organization's risk exposure and control effectiveness continuously. The relevant data should be systematically collected, analyzed, and monitored.

An effective risk governance process will enable the company to move forward from the past incidents and focus on its business strategy and operations, knowing that risks are properly managed.