Can you manage an investigation?

Several organisations are finding themselves embroiled in controversy because of complaints not being dealt with correctly.  Some of these are internal complaints from their own workforce.

Southern Medical Trust have recently been heavily criticised and sanctioned for a series of malpractice incidents. Irrespective of circumstances of the actual incident they were additionally criticised for not investigating these incidents correctly.  Some of this criticism was avoidable, the fact that they attracted significant reputational damage just because they failed to investigate properly would appear to be a serious own goal.

No organisation is immune to exposure of this kind of criticism.

The number of complaints recorded in Universities and High Education establishments, for instance, has grown significantly in recent years.  Complaints regarding the actions and conduct of both students and staff encompass a range of subjects: From cheating and plagiarism, allegations of inadequate teaching and support, as well as a range of serious criminal allegations.

Surrounding opinion of the younger generation and entitled millennia’s aside, it is clear that people are more ready to engage with litigation.  Coupled with this, they also have an improved awareness of the complaints process and improved support from trade organisations and representative bodies and a highly competitive legal system hungry for work.

The Office of the Independent Adjudicator has a statutory role to investigate a number of student complaints. Their 2015 report shows that the trend continues to rise (See Fig 1). An increasing number of which are seen as justified or partly justified (See Fig 2).

 

Figure 1
Figure 2

In the meantime, support and resources for senior managers tasked with investigating these complaints has failed to keep pace with the changes.

So, the question should be: Does my organisation know how to investigate? Have we got systems and policies in place? Do they have people within their organisation who can run or manage an investigation effectively?

Dependent on the organisation, the responsibility to carry out at least the initial investigation, lies with senior managers.  HR departments may take the legwork away from managers but ultimately the buck will stop with them.

Senior managers now find themselves increasingly burdened with this arduous responsibility, often without any formal training or guidance of the investigative processes.

Managers, or their nominees responsible for conducting an investigation, will benefit greatly from having some basic investigative training.  Now more than ever, there is increased scrutiny into the conduct of an enquiry/investigation. Adherence to the legislation, policies and procedure of your organisation is paramount in the process.

Developing knowledge and understanding of the investigation process enables the individual manager, as well as the organisation, to evidence their accountability, proportionality and reasonableness in their dealings with complainants irrespective of whether the initial complaint is upheld or not.

Demonstrating a thorough and ethical approach to your investigation may potentially help you avoid costly civil litigations and mitigate the risk of reputational harm.

Managers need to develop knowledge, understanding of the process of investigations and its key elements.  They also need a detailed understanding of the legislation, policies and procedures that governs an investigation and the significance and impact of non-compliance.

As a minimum, when an investigation is commenced the responsible manager will need to understand his or her role in the process along with all the ethics, principles, legislation, policies and procedures.

Investigators will need to develop the investigation strategy and demonstrate all decisions made as a result.

Anyone involved with the enquiry will need to understand the principles of

  • Securing and preserving evidence
  • Management of written material and associated evidence
  • Skills and techniques in investigative interviewing
  • Recording evidence in statement form
  • Case file preparation
  • Skills to present evidence in formal proceedings

Help is available. The legal experts will be able to supply you with hand books and text books which will tell you what you should and should not do, as well as the penalties for getting it wrong.

What the books will not tell you is how to do them, or not do them. The only people who can assist you in this regard are experienced investigators who have been through the fire of court and tribunal hearings, people who have had their every decision scrutinised and questioned in minute detail.

These people will be able to guide you through investigation strategies by helping organisations to put robust working practices and policies in place, which will protect the individuals and the organisation.  Systems, which can ensure the continuity of evidence so as to avoid the embarrassing questions in the middle of a hearing. Experts who can work with individuals who are managing investigations and give them skills to carry out robust, transparent, and impartial investigations which will stand up to the most rigorous scrutiny.  It’s not enough these days to be fair and impartial, it’s sometimes more important to be seen to be so.  You may inevitably need to prove and justify that you and your investigation have been thorough, impartial, fair, and professional, by producing incontestable facts or evidence to support decisions made and actions taken.  Ask yourself, can you manage an investigation correctly?

The Importance of Managing Risk

Cyber crime is making all the headlines at the moment and it was recently reported[i] that cyber crime and fraud are now the UK’s most common offences. Any company that operates online is exposed to the risk of cyber crime and the bigger and more dependent the organization is on the internet, the greater the damage that may be done. Note the use of the word ‘may’ because that is what a risk is: something that might happen. If and when it does happen it is no longer a risk but an issue…… that needs resolving.

So we can see that risk is the possibility of something (normally bad) happening with consequences that will damage the business. Damage or impact could be financial, reputational or on the people connected with the business. This concept of risk being two dimensional is important to recognise because people will sometimes focus too much on the impact forgetting or ignoring the probability. The fear of flying, for example, is irrational because the likelihood of an incident happening when you are flying is extremely small but the impact/consequences may, of course, be catastrophic.

Human beings have always managed risk: our ancestors use to live in caves to protect themselves from animal attacks; the Romans maintained a well-trained army in case of insurgency: the plimsoll line was created to help prevent ships from sinking when cargo was being loaded. Nothing has changed to this day save for the fact that most organisations nowadays have to actively demonstrate that they are managing risk. In other words, there has been a move has been from implicit/informal to explicit/formal risk management. This move from implicit/informal to explicit/formal risk management has manifested itself in businesses setting up risk registers, appointing Chief Risk Officers and supporting staff and even developing methods to quantify risk exposures as a basis for providing reserves should such risks manifest themselves.

So where do you start if you want to be more explicit with your risk management? The first thing to do is to understand the process of risk management which typically has four phases:

Identification – a subjective exercise in identifying all the risks that might affect the business. These are often grouped into areas such as financial, operations, IT, legal and so on. The aim is to develop a list of risks without ignoring any that are identified.

  1. Assessment – a subjective evaluation of the likelihood of a the risk occurring and the impact that it would have if it were to manifest itself. There are various scales that can be sued for this process and the starting point is to consider these risks as if there were no controls in place (see next step) to mitigate the risk.
  2. Selection – selecting a suitable way in which the likelihood or impact may be reduced. Mitigation techniques are often referred to as the four Ts:
    1. Treat – techniques which implement or improve controls to prevent the risk from occurring;
    2. Transfer – techniques which move the risk out of the business (insurance is the best example of transferring a risk);
    3. Tolerate – accept the risk and choose to do take no further action, may be because the probability is too remote;
    4. Terminate – avoid the risk completely by, for example, deciding not to move into a new business line.
  3. Implementation – the final stage in the process involves re-assessing the likelihood/impact with the mitigation actions in place, implementing the agreed actions and then providing a follow-up/monitoring plan to ensure the risk remains ‘under control’

Risk identification is, by definition, an ongoing process as new risks emerge (such as cyber crime) but that doesn’t mean that the process needs to be done on a daily basis. In fact, once the process has been documented in a suitable risk register[ii] then it is just a question of reviewing the results every 3/6 months to make sure that nothing has changed. Of course, if there is an unexpected external event (such as a terror attack) which may affect your business then a review can take place immediately. In fact, scanning the external environment for new and emerging risks is part and parcel of the risk identification process.

An assessment of the risks facing a business should be broadly based and look at both internal and external risks. Typically the former are easier to control whilst the latter are harder. First aid is one area that should be included in your risk assessment as, not only is it a statutory requirement, it is also good business practice to prepare your business for the types of eventualities where well trained employees are able to react to an emergency in the workplace. More information on first aid risk assessments can be found on the Health and Safety Executive website[iii].

At this point, it is worth pointing out that the negative connotations of risk management thus far described need to be balanced against an organisations requirement to take risks. Any new business is taking risks when it first sets out. Any new venture for an existing business is risk-taking. The very simple message that comes from this is that an organization has to manage risks to protect the business and take risks to grow the business. As always in business, there is a balance to be struck between the two and achieving that balance is down to the directors.

The litany of failures caused by poor management of risks is endless. The consequences of poor risk management can lead to huge financial losses (witness the global financial crisis) or even loss of life (witness the Mid Staff NHS enquiry). Many of these failures hit the Press with headlines that “this should never be allowed to happen again”…….but sadly they do. Such catastrophic events may be confined to larger organisations but smaller businesses are not immune and can protect themselves without creating too much bureaucracy and recognising that good risk management is a necessary part of doing business in today’s complex working environment.

Keith Blacker is director of RPI. He holds a doctorate in Operational Risk Management and co-authored the People Risk Management published by Kogan page in 2015.

[i] http://www.telegraph.co.uk/news/2017/01/19/fraud-cyber-crime-now-countrys-common-offences/

[ii] If you would like a copy of a simple risk register template with instructions on how to use it please contact admin@rpi.co.uk

[iii] http://www.hse.gov.uk/firstaid/needs-assessment.htm