Incident and event notification systems foster real time communication among key business stakeholders when an incident or event occurs. Aside from the primary purpose surrounding event notification, these systems also address a company’s compliance, regulatory or contractual obligations concerning event notification, data (breach) protection, ethics violations, investigations and information protection.
Secondarily to the event notification tool, a case management or incident tracking mechanism is required. Incident tracking tools are a centralized data repository used to record the details of the incident, track the ongoing investigation, results and event conclusion. This varies from pieces of paper to Excel spreadsheets to sophisticated multiuser databases in which the information from the case or event is stored, analyzed and recorded for future record.
Incident tracking tools are subject to the same rules of record retention as any other technology based system, document or paper file. Meaning, if your company’s records retention standard is seven years, you should retain the case/incident information contained in the database for the same period of time before purging the data at the end of the records retention period.
Like any building, controlling access to the database is imperative because it contains sensitive, private, proprietary, employment, human resources and legal information. Privacy concerns are paramount and the database should be controlled on a strict “need to know” basis. The two major considerations are: who should be granted access and what level of access should they have? Information can usually be compartmentalized, allowing individuals with access to view all or parts of the sections they need. Most systems also distinguish between read/write ability and can be secured appropriately.
The access “test” is the human resources test. Who in your company would you allow to view information contained in an employee’s human resources file? Those are the same individuals who are given complete access to the case and event database. Remember, not everyone who thinks they need access to the database should have it.
Business units must be able to articulate the need and have processes in place to ensure the confidentiality of the records. Access to the database should be given to select individual(s) from the fraud, investigations, security, compliance, audit, human resources and legal departments.
Aside from serving as a standards event repository, a centralized event database also provides authorized departments with a sophisticated analytic tool designed to perform fraud trending and annual reporting, while reviewing fraud patterns occurring throughout the cases, events and incidents inputted into the database.
Recently, I heard about a new player in the case management vertical, Scout. I’m always evaluating new technological tools for deployment in the corporate environment and am familiar with many case management systems: (i-Sight, PPM 2000, ISO. So, I decided to take a product demo and find out more about Scout’s platform.
Unlike many case management providers who sell their platform as pre-packaged enterprise software, Scout is a web-based, “software as a service” (SaaS) model, and there’s been significant movement from providers of enterprise software into the SaaS arena. This model also makes the product more competitive in the market than buying the equivalent enterprise software being sold elsewhere. Detractors from enterprise software usually include: hard costs, licensing fees, training costs and support costs in addition to being hosted, implemented, maintained and secured by your IT department on a dedicated server.
Many of the case management tools I’ve seen in the past have “hard coded” data input fields making it very difficult to make your company’s information fit into the categories and sub-categories they provide you. Hard coded data entry fields aren’t very fluid, kind of like trying to fit a square peg into a round hole.
However, I found Scout’s data entry feature to be user friendly, allowing customization of the data input fields so that the information and data you add in your case management system matches the priorities your company places on it. This is an important feature and vastly different from the hard coded, “take it or leave it” attitude many providers seem to have.
Flexibility is another significant feature for this tool as it provides secure and easy (permissions based) access points for approved customers, vendors, investigators, compliance, audit, legal, security and HR personnel where there’s a need.
One of the features I’d like to see Scout add is a functional, task-oriented time tracking tool for case management purposes as government agencies and corporations are being asked more often to produce loss estimates in court (civil and criminal). A significant piece of that, besides actual hard costs, is employees’ time. Apparently, that’s on the drawing board.
Overall, however, I was impressed with Scout’s functionality and the robust, streamlined and customizable nature of the product. This should make for a positive user experience, something that is paramount in effective corporate case management systems.
Case management and event notification tools are integral parts of the corporate compliance, audit, human resource, legal, investigations, ethics and security equation. I’ve previously written about the value of utilizing a holistic approach to the issues your company faces. These tools are often at the core of operational effectiveness and success in a holistically driven approach.
Once notified of an event, key senior management personnel can be given access to the case management tool to ensure that they have access to critical investigations and events that could have significant corporate impact or need to be reported to the audit committee, the CEO or the board in real time.
Whatever the case, whether you look at one of the new case management tools like Scout or any of the other players in the case management space, evaluate your case management and event notification tools to ensure that they are working properly for your business applications and needs. Even if they appear to be working correctly at the moment, continual evaluation and testing are always necessary in the ever-changing, global world of compliance, fraud and risk mitigation.
About the Author
Daniel W. Draz is the principal of Fraud Solutions, an international fraud consulting firm. He has 26 years of successful fraud investigation, fraud training, fraud prevention, fraud management, risk (management and investigation), audit, regulatory and compliance experience exclusively in the financial services sector.
In his previous role, he was the corporate investigations manager at TransUnion LLC, where he over saw the Corporate Investigations Department, also serving as the global anti-fraud liaison to TransUnion’s operations in 25 foreign countries on six continents. Additionally, his responsibilities included oversight for all internal employee investigations involving violations of ethics, code of business conduct, hotline and acceptable technology usage policies and procedures. Daniel’s staff also investigated all customer interfacing matters and violations, violations of customer contract agreements, violations of federal rules and regulations governing permissible purpose, access of consumer credit information and cases with federal law enforcement agencies involving rings, organized criminal activity and national security matters.
Prior to joining TransUnion, Daniel was a fraud investigator in the Special Investigations Unit at Standard Insurance Company in Portland, Oregon. In that capacity, he conducted sophisticated insurance (life, health and disability) investigations (civil and criminal) into questionable/fraudulent claims; referred insurance fraud investigations to local, state and federal law enforcement agencies nationwide for prosecution consideration; coordinated investigations with law enforcement agencies and prosecutors; and advised counsel, senior management and business units on fraud issues/problems/solutions. Additionally, he was also responsible for development and delivery of anti-fraud training programs and training on red flags/fraud avoidance/investigation procedures/methods to minimize exposure to financial loss.
Previously, Daniel owned and operated an investigative and fraud consulting agency in California, providing specialized fraud consulting, investigative and litigation consulting services to businesses and corporations, insurance companies, self-insureds, financial services firms, large law firms, government agencies, telecom carriers and select individual clients nationally.
Daniel has been a Certified Fraud Examiner (CFE) since 1996 and is a member of the American Society for Industrial Security’s (ASIS) Economic Crime Council. He has an M.S. in Economic Crime Management from Utica College (2005) and a B.S. in Criminal Justice from Arizona State University (1985). He currently holds adjunct professorships at four colleges, where he teaches a variety of graduate and undergraduate classes involving various forms of fraud, economic crime, white collar crime and criminal justice. He also has extensive experience teaching both in the classroom and online, and with developing unique academic curriculum.
Daniel is a former member of the International Association of Special Investigation Units (IASIU) and a frequent speaker at national industry conferences. He is formerly associate editor, fraud investigations for PI (Private Investigator) Magazine, where he wrote on a variety of fraud-related topics. Daniel also created the first insurance fraud column for FRAUD Magazine, the official publication of the Association of Certified Fraud Examiners and is an occasional contributor to SIU Today, the official publication of the International Association of Special Investigations Units. He has been published over 40 times in industry and trade publications over the years and frequently mentors other investigators and fraud professionals around the country.
To contact Daniel, email him at email@example.com.
Daniel writes a regular column, Fraud Flashpoints, for Corporate Compliance Insights.