Incident Reporting: Is This Cornerstone of Your Enterprise Security Risk Management Sound?
The most fundamental principle regarding the role of security officers is that “they are there to observe and report.” This is complemented by the adage, “If it is not written down, it did not happen.” Both serve as reminders of the importance of maintaining accurate, thorough, and complete documentation, particularly when it comes to incident reports.
The incident report—the most commonly submitted document by security officers—forms the foundation of an effective reporting system. Just as we assume a door will open when we turn the handle, security managers sometimes overlook the necessity of accurate incident reports.
When completed correctly, these reports provide a wealth of information that leaders can use to make informed decisions, assist in enterprise security risk management (ESRM), and offer valuable insights for addressing follow-up questions. Moreover, they can protect the organization in the event of litigation.
Just as a strong foundation is crucial for a resilient home, a well-functioning incident reporting system increases the likelihood that the structure it supports will withstand the tests of time and scrutiny.
Start at the Beginning
Those familiar with Lean Six Sigma understand the importance of DMAIC: Define, Measure, Analyze, Improve, and Control. More familiar to many of us might be the Plan-Do-Check-Act model. Regardless of the model applied, when creating an incident reporting process we need to define what constitutes an incident.
Incident reports document events identified as unusual or potentially damaging to an organization's people, facilities, equipment, or operations. Different business functions may have various definitions of what constitutes an incident within the same organization. For our purposes, we will focus on incidents that pose a safety or security risk to your organization.
Based on these criteria, we can define an incident as “any event or activity that occurs during a company’s operations that is unsafe, is a violation of policy/procedure, or a violation of the law.”
A well-developed definition of what you consider an incident is crucial for gathering accurate data that can be applied in your analysis. The incident report is the first link in a system that allows you to understand what is occurring within your organization and how to implement mitigation strategies to improve processes effectively.
This definition leads to the next major step: selecting the platform to capture an incident report. The classic platform is a paper form completed by the reporting party. In some instances, this medium may be the best option.
For example, if you have personnel operating in remote locations with limited access to power or the intranet, or with limited knowledge of how to use modern information technologies, then a paper form may be your best option. The biggest challenge with incident reporting is not the accuracy of the information but its timeliness. The data needs to be communicated as accurately and quickly as possible, so it will likely have to be transitioned into a digital format to gain maximum benefit.
To solve this communication challenge, you can use some scanning technology enhanced with artificial intelligence (AI) or manually enter the data into the database; the latter may induce unintentional human error beyond what may be found in the initial submitted report. In either case, the effect will be a slower availability for notification or analysis, which must be considered when developing distribution lists, response plans, and analysis.
The original report's speed, availability, and fidelity are all advantages when implementing modern information technology. This will enhance the ability to capture critical information necessary for an effective incident reporting form that can be transitioned into a database for efficient and accurate analyses.
To create an effective incident report form, whether in paper or digital format, it is essential to develop a well-structured document tailored to the needs of your organization. A poorly designed form can result in limited value and potentially misleading data.
For example, the incident report format must contain the name and contact information of the person completing the report. More often than not, follow-up questions need to be addressed to the reporting person; in fact, the reporting person is usually the first person any investigator will seek to question regarding the incident report. Furthermore, the incident report should include sufficient space for the writer to provide a thorough event narrative. It is common for the writer to cut a report short because of a lack of space to explain, in their own words, what happened or what they observed.
If the reporting format does not contain the following essential information, it does not meet the minimum criteria of a suitable reporting format:
- Name of reporting person
- Address for the reporting person
- Contact information for the reporting person: telephone number and e-mail address
- Location of the incident
- Time of the incident
- Type of incident
- Description of the incident
- Actions taken by the reporting party
One effective approach to ensure a quality incident reporting format is to collaborate with a trusted team to identify both critical information and additional data that would be beneficial. This collaborative process helps adequately analyze and determine the vital information necessary for your incident reporting system. Numerous commercially available products already address many requirements for effective reporting, but there are too many to list here.
As with any project, starting with a clear and detailed list of specifications will help you identify essential, desirable, and optional features for your incident reporting system. It is important to create a form and format that is platform-agnostic and easy for individuals with varying levels of education to use. At a minimum, your incident reporting form should include the items listed in the attached guidelines for security reports.
Implementation of the Form
Once you have created what you believe is the best form for your organization, you are responsible for developing a communication plan to inform employees how to report incidents.
A digital system can offer significant advantages in this area. The form should be located where it is readily accessible to all employees, contractors, and vendors who may need to report information. Often, employees express frustration at being unable to find the reporting format when an incident occurs. Many security professionals have encountered situations where employees were unsure how to file a report and struggled to navigate complex internal company websites.
One effective solution is to request the addition of a clearly labeled “Incident Report” button or link in the banner at the top of the company’s internal Web page. This will make it easier for employees to file reports and encourage them to report incidents promptly. Another option is to have a Web page for the security team that is part of the company’s internal intranet. When an incident occurs, people will often look for the word “security” on a company’s intranet; making sure that the incident report format is prominently featured on your internal security Web page can help ensure employees can find this file location and make reports readily.
After determining where to place the reporting link, it is important to include instructions on filing an incident report in your security awareness training. Involving members of the human resources department in your development team can help navigate the challenges of effective employee communication. Many companies have an internal communications team that produces a regular newsletter. Partnering with these teams can help you disseminate information about how and where to file an incident report.
The first team that should be the focus of your incident reporting training program is that of your security officers. These individuals, whether contract or in-house staff, operate at the “street level” and are typically required by their job duties to submit incident reports. However, this can present a significant challenge, since security guards’ writing abilities can vary greatly. The quality of these reports heavily relies on the training and supervision they receive before being assigned to your site.
Incident report writing should be a central component of the ongoing training program to help security officers fulfill their duties and mitigate risks. As previously mentioned, observing and reporting is a core function of all security guards. With frontline supervisors serving as primary trainers, security officers need clear instructions on what to report and when to do so. This training should occur regularly and be documented in the training management system.
By implementing an organic training program, you should be able to document improvements in the quality of reports submitted, tracking progress at the individual security officer level. This will help you develop key performance indicators (KPIs) focused on the quality and accuracy of those reports.
The aim is to make security guards the local experts in report filing. This expertise will encourage employees to use the incident reporting system, which will increase the volume of data and streamline the reporting process.
There are varying opinions on this approach, but increasing the number of individuals within your organization who can file incident reports is generally beneficial. However, it is essential to have an initial vetting process for these reports, since inaccuracies may sometimes arise.
A good vetting process involves the timely review of the report submitted to determine if the information provided meets the minimum requirements established by policy or procedure. In many systems, the incident report may immediately be circulated to multiple stakeholders as a matter of policy. As most security professionals know all too well, the initial reports, even when submitted by trained security officers, can contain factual or administrative errors. Having the reports vetted by a security team member can help address these errors by quickly advising the stakeholders. Alternatively, if you can complete the vetting before distribution to the stakeholders, it is possible to provide additional context to help the stakeholders better understand the incident and its possible impact.
By ensuring all employees and contractors know how to file an incident report, you can increase the volume of data collected, which can then be screened, vetted, curated, and analyzed. This follow-up analysis is where security professionals can add significant value to the ESRM system. Utilizing our knowledge of risk mitigation strategies becomes much more effective when we have relevant data related to business operations. The best sources for this relevant data are typically the employees or individuals working within the organization who have daily visibility into ongoing activities.
As with all initial reports, there will be a vetting process. Often, the information reported may not be entirely accurate. However, it is preferable to have an abundance of information on incident reports rather than too little.
Once You Have It, What Do You Do With It?
The ultimate goal of your incident reporting system should be analysis and reporting. Many have noted that analyzing and reporting data is as much an art as it is a science. As a security professional, especially with experience in conducting investigations, you can add significant value to the organization when reviewing and analyzing incident reporting data.
When it comes to analysis and reporting, the key element is understanding the audience or consumer of your report. Knowing what they need to make informed decisions about risk should form the foundation of your analysis. Take the time to meet with them and develop specific written information requirements to ensure everything is clear in the reporting process. Once you clearly understand their needs, you can access the database and extract the relevant information.
For example, organizations that operate on a global scale often face challenges related to fraud and corruption. Failing to address these issues can lead to civil or criminal charges from one or more national governments. Utilizing a well-organized incident report database allows you to analyze trends related to fraud, theft, or missing shipments in transit, focusing on patterns such as timing, frequency, and location. This type of analysis can help identify risks and vulnerabilities that can be mitigated through further investigation and process improvements.
By integrating hard data and addressing security risks, you can provide a valuable resource that stakeholders may not realize they possess. We primarily focus on areas of pure risk, often highlighting issues that go unnoticed by most employees but can profoundly impact the organization’s effectiveness if not properly addressed.
With good analysis based on specific objectives, you can position yourself within the ESRM model and become the go-to solution provider for asset owners and stakeholders facing security challenges. One effective way to build this reputation is by producing quarterly reports based on incident reporting data.
As a general guideline, the quarterly report should emphasize the areas of greatest interest to the asset owner and stakeholders because they are the primary recipients of the report. The best source for the content of the quarterly report will be the risks identified during the ESRM process, which can be found in the risk register. These identified and classified risks will have undergone a collaborative cross-function review process, enhancing the likelihood that the report will be well received. Using the risk register as a reference, you can create a quarterly report that provides insights and suggests potential solutions for stakeholders, transforming the data and the security team into a valuable resource.
Initially, this may seem like a burdensome requirement, but over time, consistent reporting will lead to inquiries from asset owners and stakeholders. When you begin to receive such inquiries, you will have established yourself as a valuable resource.
By ensuring quality data is readily available for analysis and leveraging modern artificial intelligence capabilities, the reporting of that analysis will enhance your ability to help solve the organization’s business challenges.
Ralph “RC” Miles, CPP, is the global director of safety and security for the AIDS Healthcare Foundation. He has more than 25 years of private sector experience in the design, development, and implementation of comprehensive security, investigations, and intelligence strategies in a variety of business climates and organizational cultures. Prior to his civilian career, Miles spent nine years as an officer in the U.S. Army in various assignments around the world. He serves on the board of directors of the CSO Center and is a regular contributor to Security Management.