Incident response: how to manage investigations and move forward

Cliff Lam
August 8 2022
AlixPartners LLP | White Collar Crime - International

Introduction

An investigation is a fact-finding process that assists companies in understanding the dynamics of a specific incident, such as:

- what happened;
- who was involved;
- when the incident occurred;
- what triggered the incident; and
- why the incident was not prevented or detected by current controls.

Complex investigations often involve:

- legal and regulatory actions;
- high-impact incidents;
- time constraints; and
- other critical concerns.

From choosing an external consultant to implementing changes to the organisation, what are the key considerations that a corporation should make when handling an end-to-end investigation and a remediation process?

Establishing these details informs senior management of the vulnerabilities in their existing risk management mechanism and allows them to address any exposure through changes to their business processes, such as risk management activities and system and data infrastructure.

Key considerations

When planning an investigation and remediation, the below key points should be considered.

Independence

When choosing an external consultant for investigation, the consultant's independence is the primary consideration to ensure the investigators are free from conflict in fact and appearance. The independence of the consultants ensures the investigation is conducted free of undue influences and provides unbiased findings.

Experience and industry knowledge

Experienced investigators, with adequate experience in risk management and industry knowledge, can navigate through the organisation efficiently and minimise the interruption to the business operations.

Incident response group

The company can set up an incident response group that consists of representatives from relevant business lines and functions (eg, business, finance, operations, IT and human resources). This group will form a trust circle within the company concerning the subject being investigated and will provide valuable inputs to the investigation process. All information concerning the investigation should not go outside this group.

Root cause analysis

While understanding what happened is a core part of an investigation, the investigation should also target the root cause of the incident, not just its consequences. For example, a transaction processing manual sets out the procedures that a reviewer should follow to escalate any red flags when processing a transaction. A failure to follow the procedure is not necessarily a root cause of a risk incident. Recurring failures in the control process may reveal that the root cause is the reliance on manual processes to analyse unstructured data presented in physical documents, the complicated nature of which may produce a higher rate of errors.

Reporting

The report format will be dependent on the target audience. The main questions to ask in this regard are:

- Is the report for internal use only?
- Will it be shared with regulators?
- Is the matter potentially subject to litigation?

The use of the report will determine the appropriate report format.

Reimagine processes and controls

Remedial actions should be designed based on the root causes identified above. Certain remedial actions may take more time and require additional investment. Tactical measures can be implemented to provide an immediate solution to address the risks while the company is working on a long-term solution (eg, an upgrade of IT infrastructure) to address the problem strategically. When designing remedial actions, managers should consider the end-to-end process and think innovatively about how to transform the business process to address the risk effectively and efficiently. An effective control does not automatically mean a sacrifice of customer experience.

Risk governance

Key metrics should be designed for risks and controls to monitor the organisation's risk exposure and control effectiveness continuously. The relevant data should be systematically collected, analysed and monitored.

Comment

An effective risk governance process will enable a company to move forward from past incidents and focus on its business strategy and operations, knowing that risks are properly managed.

For further information on this topic please contact Cliff Lam at AlixPartners by telephone (+852 2236 3500) or email ([email protected]). The AlixPartners website can be accessed at www.alixpartners.com.