From choosing an external consultant to implementing changes to the organisation, what are the key considerations that a corporation should make when handling an end-to-end investigation and a remediation process?
An investigation is a fact-finding process that assists companies in understanding the dynamics of a specific incident, such as:
- what happened;
- who was involved;
- when the incident occurred;
- what triggered the incident; and
- why the incident was not prevented or detected by current controls.
Establishing these details informs senior management of the vulnerabilities in their existing risk management mechanism and allows them to address any exposure through changes to their business processes, such as risk management activities and system and data infrastructure.
Complex investigations often involve:
- legal and regulatory actions;
- high-impact incidents;
- time constraints; and
- other critical concerns.
When planning an investigation and remediation, the key points below should be considered.
Independence
When choosing an external consultant for investigation, the consultant's independence is the primary consideration to ensure the investigators are free from conflict in fact and appearance. The independence of the consultants ensures the investigation is conducted free of undue influences and provides unbiased findings.
Experience and industry knowledge
Investigators with adequate experience in risk management and relevant industry knowledge can navigate the organisation efficiently and minimise interruption to business operations.
Incident response group
The company can set up an incident response group that consists of representatives from relevant business lines and functions (eg, business, finance, operations, IT and human resources). This group will form a trust circle within the company concerning the subject being investigated and will provide valuable input to the investigation process. No information concerning the investigation should go outside this group.
Root cause analysis
While understanding what happened is a core part of an investigation, the investigation should also target the root cause of the incident, not just its consequences. For example, a transaction processing manual sets out the procedures that a reviewer should follow to escalate any red flags when processing a transaction. A failure to follow the procedure is not necessarily a root cause of a risk incident. Recurring failures in the control process may reveal that the root cause is the reliance on manual processes to analyse unstructured data presented in physical documents, the complicated nature of which may produce a higher rate of errors.
Reporting
The report format will be dependent on the target audience. The main questions to ask in this regard are:
- Is the report for internal use only?
- Will it be shared with regulators?
- Is the matter potentially subject to litigation?
The use of the report will determine the appropriate report format.
Reimagine processes and controls
Remedial actions should be designed based on the root causes identified above. Certain remedial actions may take more time and require additional investment. Tactical measures can be implemented to provide an immediate solution to address the risks while the company is working on a long-term solution (eg, an upgrade of IT infrastructure) to address the problem strategically. When designing remedial actions, managers should consider the end-to-end process and think innovatively about how to transform the business process to address the risk effectively and efficiently. An effective control does not automatically mean a sacrifice of customer experience.
Risk governance
Key metrics should be designed for risks and controls to monitor the organisation's risk exposure and control effectiveness continuously. The relevant data should be systematically collected, analysed and monitored.
An effective risk governance process will enable a company to move forward from past incidents and focus on its business strategy and operations, knowing that risks are properly managed.
For further information on this topic please contact Cliff Lam at AlixPartners by telephone (+852 2236 3500) or email ([email protected]). The AlixPartners website can be accessed at www.alixpartners.com.