Protection of Assets: Leveraging Investigative Results
This is an excerpt from the upcoming release of the revised Protection of Assets (POA) Investigations volume from ASIS International. Learn more about the POA here.
Although the natural conclusion of an investigation is typically the assembly of all relevant facts, documentation of findings, and disposition of disciplinary action or restitution, that should not, in general, be the end of the story.
Investigations almost always reveal valuable information. Among other things, they might uncover a condition or weakness that allowed a crime to be perpetrated, afforded unauthorized access, created an opportunity for malicious activity, produced inadvertent hazards, or enabled some other anomaly to occur. Even background investigations can be subject to trend analysis to identify possible changes in typical “red flag” activity or indicators of unsuitability, and how those might relate to adjudication standards, and the possible need to update them.
This information represents an extremely valuable output from investigative activity and should not be squandered. In other words, the organization needs to have mechanisms in place to leverage any and all investigative findings for process improvement. Potential benefits can be derived by pursuing two complementary objectives:
- To improve the investigative processes or capabilities of the organization, and
- To improve the security and safety posture of the organization and its ability to manage current and future risk.
Improving the Investigative Process
According to an article by software provider Forensic Notes, “Once the workplace investigation has completed, then it is time for HR and the organization to analyze the investigation to see if changes need to be made for future investigations. You should also discuss what could have been handled more appropriately in the future. Consider: Do policies need updating? Is further training required?”
Some additional questions might be:
- Did we make efficient use of our people and investigative resources for this investigation? How can we improve?
- Did we make efficient and effective use of outsourced or external resources for this investigation? How can we improve?
- Were there any tools or capabilities needed for this investigation that were not available to us? Do we need to acquire or budget for any new equipment, services, or capabilities?
- Did we interface well with other departments within the organization (legal, HR, CIO, finance, facilities, etc.)?
- Was information effectively shared with the proper organizational elements and at the proper times?
- Did the investigation result in any new opportunities for liaison (internal or external) or identify any new contacts?
- Were there any actual or potential security breaches of sensitive information during the investigation and, if so, how can we prevent them in the future?
Improving the Organization’s Security and Safety Posture
The second objective is to improve processes by which the organization manages security and safety risk overall. The strategy is summarized in the forthcoming ASIS Information Asset Protection guideline.
Findings or results of investigative activity that reveal a condition, policy, practice, or vulnerability that places assets at risk should be documented and addressed, including those issues that could cause or exacerbate reputational or brand risk. Using this strategy will provide continuous improvement to protection and risk management practices while mitigating known threats and vulnerabilities.
Investigative reports—whether prepared internally or provided by outside agencies—should periodically be culled for useful information regarding security vulnerabilities; safety hazards; methods of attack; adversary capabilities, intent, and targeting; insider threats; and criminal intelligence. The resulting information can be used to update business policies and practices and improve security procedures. In addition, they may lead to opening new investigations on matters that have not otherwise surfaced.
Another excellent practice in many situations is to conduct a post-investigation review on specific cases, which will essentially extend into a root cause analysis (if that information is not already included in the investigative report). A root cause is defined by the American Society for Quality (ASQ) as a factor responsible for a nonconformance that is the core issue setting in motion the entire cause-and-effect reaction that ultimately leads to the problem (or set of problems). The root cause is often something that required an investigation to be conducted.
Root cause analysis uses approaches, tools, and techniques—ranging from informal to sophisticated—to uncover the true (root) cause of a problem. One way to do this is to conduct research into exactly what change occurred and when, and how it led to an action (which may have been a crime, security violation, safety incident, or other loss event). Timelines are a useful tool for this type of analysis. The change may be in people, equipment, a vendor, a procedure, a facility, or some other variable. Another tool, barrier analysis, focuses on what controls are in place (and may have failed) to prevent or detect a problem.
While an investigation determines what happened and how, root cause analysis can be useful in determining exactly why it happened and how recurrence can be prevented. The information gleaned from such an analysis can lead to:
- Improvements in physical, personnel, information, and cybersecurity programs;
- More effective implementation of enterprise security risk management (ESRM);
- Better-informed business decision making; and
- Improvements in business and operational practices themselves.
Investigative results can help organizations address issues such as how they might repair employee morale after a high-profile incident and answer questions from employees, the public, and other stakeholders in the aftermath. There will also likely be questions about what corrective actions the organization will be taking and how that will affect operations.
The bottom line is to be sure to correct any faults that are uncovered. Anything discovered during a workplace investigation will now be a matter of record and must be handled appropriately. Failing to correct issues could result in future legal action if the same mistakes are made.
Kevin Peterson, CPP, CIPM II, founded Innovative Protection Solutions as a risk management consulting practice in 2000 following a career in the U.S. Air Force as a criminal investigator and counterintelligence analyst. In addition to consulting, he teaches in Webster University’s Business & Organizational Security Management program and currently serves as the program lead. Peterson has contributed to numerous books and publications on security risk management, investigations management, and information assets protection. He resides in Northern Virginia.
The Protection of Assets (POA) books were updated, written, and edited by a team of security experts.