- Corporate Security
- Governance, Risk & Compliance
- Information Security
By Joe Crampton Posted March 26, 2021
Have you ever stopped to think – what is the difference between a security incident and an HR incident? What about Legal vs Compliance? When is an incident a complaint? Even further, isn’t an incident a risk that has actually happened?
Categorizing these events can be difficult. Most have vague definitions, one event often leads to another, and there can be multiple teams involved in each incident. However accurately tracking these events is necessary to manage liability, comply with regulations and drive improvements across the organization.
Before we dive in, let’s look at some commonly used definitions for each category.
Incident – An event (typically negative) that occurs at a specific date and time. It often follows the pattern of someone did something on this date at this time at this place.
Complaint – A complaint is typically not defined by the event, but rather by the fact that someone has complained. It is the act itself that makes something a complaint rather than the subject of the complaint.
Risk – There has been a lot of work done by ISO 31000, COSO, RIMS, OCEG and others to define what a risk is, but in its simplest form a risk references an event and its potential impact on something important.
Unfortunately, there isn’t a straightforward guide on how to apply a category type to an event. Risk and security events aren’t one size fits all and the way that they’re categorized can depend on a variety of things such as company size and industry, how serious the event is and especially the knowledge of the person recording the event.
To break this down, let’s look at few examples of events and think about how a business might categorize them.
You can see from these examples that events are incidents, complaints and risks all at the same time. Each of these examples highlights the subjectivity of the decision by the person who is reporting the event.
On a recent call a customer who is responsible for Business Continuity, Risk, Security, Facilities, InfoSec and Vendor Risk expressed this idea in perhaps the most succinct way I’ve heard to date:
“Incidents are Incidents. Most of the information you collect is the same”
One thing that you may have noticed in both categories and the examples above is the concept of time. Considers whether the event has already happened or if it might happen in the future.
Here’s how one of our event examples might play out over time:
Which of these is the incident? When does the complaint happen? Which ones are risks?
You can see in this scenario that as we progress through time, individual events compound to become bigger risks, but there isn’t a specific line as to when that happens.
Still, incidents and complaints are typically about something that has happened or is currently happening. Whereas risks are more focused on what might happen in the future and what the potential impact could be.
However, just because an incident happened in the past, what’s to say it won’t happen again? Wouldn’t the fact that it happened once increase the probability of it occurring again? In this context, what do you call it? A potential incident? A risk event? What if the incident almost happened but was narrowly avoided? Those are typically referred to as “near-misses” but do they get consistently logged?
One further complication is to define and understand which team or individual owns the event based on the category selected. If we reflect on each of our scenarios above, can we pinpoint whether they are security incidents? HR? Safety? Finance? Customer Service? Many incidents involve two or three teams in different ways. This added layer further complicates the reporting process. If an employee wants to report something, they not only have to identify the event type, but also have to think about who the event should be reported to.
Ok, now that we’ve painted the picture, you can see that it’s complicated, and we haven’t even discussed the various technology involved.
Most organizations have multiple systems each with their own use. They might have an incident, case, risk and complaint system. They span different topics and teams and produce separate reports. They cover both what happened already and what may happen in the future.
Incidents and complaints are the data shows what actually happened. Risks tell us what might happen. If these systems are disjointed, it’s nearly impossible for teams to make data- driven decisions and risk assessments. It is similarly difficult to understand potential downstream risks when looking at a single incident. Without a single integrated Incident and Risk Management system there is very little visibility to see the whole picture.
Don’t make employees or customers guess at what they are reporting. To ensure that people continue to submit their concerns, make it simple. Provide multiple intake channels to a single repository that connects incidents with risks across the enterprise. Once you have the information, routing the event to the right team can be easily done with an intelligent triage process.
Resolver offers a simple but powerful system that allows organizations to capture incidents, complaints and risks all in one place. Once an event has been logged it is tagged and categorized using our AI-based Intelligent Triage process and routed to the right team. Since information is easily linked together Incident, Complaint and Risk Managers can see the whole picture and move rapidly to respond to and recover from the event preempting incremental loses.