Building a corporate security program might be overwhelming at first. Where to start? What are the differences between activity and investigation management or incident management vs. case management? When each one is imperative to properly reporting and tracking events, how do you, as a security leader, plan for all?
Activity, incident, investigation, and case management are all related to managing and tracking different types of events or actions within an organization. In the context of corporate security, the definitions of activity, incident, investigation, and case management are similar to their general definitions but with a specific focus on security-related events. The essential difference is the management and reporting of single events (one-to-one) versus the project-level management of multiple incidents—including an incident’s associated activities—and investigations that have been linked together to form a case (one-to-many).
What is activity tracking?
Activity tracking (or activity management) in corporate security refers to the process of managing and tracking routine security-related tasks or processes within an organization. These can include things like managing access control systems, monitoring security cameras, conducting regular security audits, and performing employee training on security best practices. The goal of activity management in corporate security is to ensure that security measures are in place and functioning properly to prevent security incidents.
Activities in the context of corporate security are typically routine duties where no serious event — simply an “incident” — has occurred, though what exactly makes an event an “activity” vs. an “incident” is up to individual organizational policies. Activities track who, what, where, and when but tend to be more resource-centric than incidents. Activity tracking usually includes tracking of response times, officer logs, and total time spent, amongst other details.
However, activities typically carry far less detail than what would be in a full incident or investigation report; generally, the activity report is the first stage report of an event. While activities can be escalated to incidents, incidents don’t always come from only one activity… or even an activity at all. Proper incident management does require, though, that incidents are linked with any associated activities.
What is incident reporting?
Incident management in corporate security refers to the process of managing and resolving security-related incidents within an organization. These can include things like physical security breaches, theft or fraud, workplace violence, or other security incidents. Incident management in corporate security is focused on minimizing the impact of the incident and restoring normal operations as quickly as possible. This is best done through data-driven reporting and analysis that’s
When an incident occurs, whatever it may be (theft, assault, accident, etc.), it elicits a response. The response details are tracked as an activity report. After the response, the event may require a more detailed incident report — a record of the incident’s data, including more extensive detail on who, what, when, where, why, how, and how much. We refer to this data collection and reporting process as “documenting the record of events.” At any point, we can refer to or add to this record of events to form a complete picture of the incident’s details. Each incident contains its own separate record of events, documenting the who, what, when, where, why, how, and how much data for that particular incident only. In Resolver, these details are recorded on individual incident forms that can be customized to your organization’s needs. We recommend keeping them simple, so that the likelihood of incidents being filed increases, netting you more incident data over time so you can make informed decisions.
All this data generally encompasses the initial incident report — in essence, the detailed “story” of a single event. Resolver tracks activity details within incident reports, and unlike activity reports on their own, incident reports can include investigation details.
What is investigation management?
Investigations management refers to the process of managing and resolving security-related incidents within an organization. These can include physical security breaches, cyber-attacks, theft or fraud, workplace violence, or other security incidents. Incident management in corporate security is focused on responding quickly and effectively to the incident to minimize its impact and restore normal operations as soon as possible. Incident management is typically a reactive process, responding to unexpected events as they occur.
Many organizations ensure appropriate management of all incidents by employing a tiered or escalated response system. Ground force personnel first respond to the event and provide the initial incident report. Depending on the incident, this report may be passed on to an investigations division and the incident escalated into investigation mode. Investigators then collect incident information beyond the initial details originally recorded. While incidents are generally handled by one responding officer with some assistance from others, there may be multiple investigators assigned to an investigation depending on its size. Where the initial incident report tells the story of an event, the ensuing investigation aims to “solve the puzzle” by determining who was responsible and why it happened.
Investigative data may include:
• Investigation Start and Closed Dates (may differ from those denoting the incident’s duration).
• Assigned Investigators.
• Investigation Metrics (time and dollars spent).
• Investigation Summaries and Interviews (narratives that do not belong in the general Incident Report).
• Investigation Logs (task and expense tracking).
• Investigation Evidence/Property Records (including chain of custody).
In Resolver Core, investigative data is collected under a separate Investigation tab within each incident record, differentiating the standard incident report from an investigation report. For added data segregation, you may also specify which users are allowed access to the Investigation tab. Although each incident and investigation has separate data and is handled by different people, what happens when there are similarities between multiple incidents and investigations?
As multiple incidents occur throughout an organization, common themes, patterns, or links among incidents may be detected. In these instances, it is necessary to link or cross-reference incidents to each other, ensuring their commonalities are not lost amid the data. Therefore, investigation management does not always involve only one investigation of a single incident; it is the monitoring and managing of the investigative details of one or more incidents. This may also be referred to as case management — the management of multiple investigations.
What is case management?
Case management refers to the process of managing an ongoing security-related issue within an organization. These can include things like internal fraud investigations, data breaches, or legal disputes related to security incidents. Case management in corporate security involves tracking the status of the case, assigning tasks to individuals, and ensuring that all relevant information is documented and accessible for legal or regulatory purposes. Case management is typically a proactive process, involving ongoing management of a complex issue over time.
Because case management involves overseeing multiple investigations at once, it requires a high degree of project management. Often, a case involves a series of events that are related but not necessarily alike; these events will, nonetheless, be managed and investigated as a single project or case. For example, a case called “Jeff Brown Restraining Order” may be comprised of a series of incidents of varying types, all involving Jeff Brown; all the events are separate incidents with separate investigative details, but they are all managed as a single investigative unit or project.
Depending on the case, a case manager may be assigned to oversee the group of investigators and agencies involved in each of the incidents or the case manager may be tasked with singlehandedly taking over all the investigative work. No matter what responsibilities the case manager is assigned, the case data collected must be continually added to the appropriate records to ensure accurate intelligence is generated. In Resolver Core, a case is a compilation of multiple investigations, their associated incidents, and those incidents’ linked activities, if any. When adding a new case, you must give it a name and include relevant details, such as the names of case managers and investigators.
Ensure your incident management software meets your needs
Though differently managed, activities, incidents, investigations, and cases determine not only how data is collected, but what data is collected and the conclusions we can draw from them. Ensuring that multiple data streams from activities, incidents, investigations, and cases are properly recorded, tracked, and analyzed is crucial to properly manage current incidents, and prevent more from occurring.
Our incident management platform tracks activities and incidents through thoughtful automation and documenting necessary information – from the record of events to capturing investigative details — while linking related incidents and investigations to cases for a comprehensive review. Data can be viewed and added on a one-to-one or one-to-many basis, allowing for complete activity, incident, investigation, and case management.
Do you want to take control of incidents before they become threats and streamline your security processes? Join an upcoming product showcase and discover how Resolver can transform the way you manage incidents. Get a firsthand look at our innovative platform, see how it works in real time, and learn how it can benefit your organization. Register now to reserve your spot!