Corporate Security

What is the Difference between Activity, Incident, Investigation and Case Management?

Posted July 20, 2012 by Resolver

The essential difference is the management and reporting of single events (one-to-one) versus the project-level management of multiple incidents—including an incident’s associated activities—and investigations that have been linked together to form a case (one-to-many).

What is Activity Tracking?

Activities are typically routine duties where no serious event—an “incident”—has occurred, though what exactly makes an event an “activity” vs. an “incident” is up to individual organizational policies. Activities track who, what, where and when but tend to be more resource-centric than incidents, and usually include tracking of response times, officer logs and total time spent, amongst other details. However, activities in general carry far less detail than what would be in a full incident or investigation report; generally, the Activity Report is the first stage report of an event. While activities can be escalated to incidents, incidents don’t always come from only one activity… or even an activity at all. Proper incident management does require, though, that incidents are linked with any associated activities.

What is Incident Reporting?

When an incident occurs, whatever it may be (theft, assault, accident, etc.), it elicits a response. The response details are tracked as an Activity Report, and after the response the event may require a more detailed Incident Report—a record of the incident’s data, including more extensive detail on who, what, when, where, why, how and how much. We refer to this data collection and reporting process as “documenting the record of events.” At any point, we can refer or add to this record of events to form a complete picture of the incident’s details. Each incident contains its own separate record of events, documenting the who, what, when, where, why, how and how much data for that particular incident only. In Perspective, these details are recorded on individual incident forms:

  • Details (Reported Date, Occurred Date, Classification, Site/Location, etc.).
  • Involvements (Persons, Organizations, Vehicles and Items).
  • Narratives.
  • Attachments.
  • Links.

All this data generally encompasses the initial Incident Report—in essence, the detailed “story” of a single event. Perspective tracks activity details within Incident Reports, and unlike Activity Reports on their own, Incident Reports can include investigation details.

What is Investigation Management?

Many organizations ensure appropriate management of all incidents by employing a tiered or escalated response system. Ground force personnel first respond to the event and provide the initial Incident Report. Depending on the incident, this report may be passed on to an investigations division and the incident escalated into investigation mode. Investigators then collect incident information beyond the initial details originally recorded. While incidents are generally handled by one responding officer with some assistance from others, there may be multiple investigators assigned to an investigation depending on its size. Where the initial Incident Report tells the story of an event, the ensuing investigation aims to “solve the puzzle” by determining who was responsible and why it happened. Investigative data may include:

  • Investigation Start and Closed Dates (may differ from those denoting the incident’s duration).
  • Assigned Investigators.
  • Investigation Metrics (time and dollars spent).
  • Investigation Summaries and Interviews (narratives that do not belong in the general Incident Report).
  • Investigation Logs (task and expense tracking).
  • Investigation Evidence/Property Records (including chain of custody).

In Perspective Premium, investigative data is collected under a separate Investigation tab within each incident record, differentiating the standard Incident Report from an Investigation Report. For added data segregation, you may also specify which users are allowed access to the Investigation tab. Although each incident and investigation has separate data and is handled by different people, what happens when there are similarities between multiple incidents and investigations? As multiple incidents occur throughout an organization, common themes, patterns or links among incidents may be detected. In these instances, it is necessary to link or cross-reference incidents to each other, ensuring their commonalities are not lost amid the data. Therefore, investigation management does not always involve only one investigation of a single incident; it is the monitoring and managing of the investigative details of one or more incidents. This may also be referred to as case management—the management of multiple investigations.

What is Case Management?

Because case management involves overseeing multiple investigations at once, it requires a high degree of project management. Often, a case involves a series of events that are related but not necessarily alike; these events will, nonetheless, be managed and investigated as a single project or case. For example, a case called “Jeff Brown Restraining Order” may be comprised of a series of incidents of varying types, all involving Jeff Brown; all the events are separate incidents with separate investigative details, but they are all managed as a single investigative unit or project. Depending on the case, a case manager may be assigned to oversee the group of investigators and agencies involved in each of the incidents, or the case manager may be tasked with singlehandedly taking over all the investigative work. No matter what responsibilities the case manager is assigned, the case data collected must be continually added to the appropriate records to ensure accurate intelligence is generated. A Perspective Premium case is a compilation of multiple investigations, their associated incidents, and those incidents’ linked activities, if any. When adding a new case, you must give it a name and include relevant details, such as the names of case managers and investigators.


The differential management of activities, incidents, investigations and cases determines not only how data is collected, but what data is collected and what we are able to conclude from our data. Ensuring that multiple data streams from activities, incidents, investigations and cases are properly recorded, tracked and analyzed is crucial to generating the actionable intelligence needed to implement countermeasures and prevent future incidents. Perspective Standard tracks activities and incidents through thoughtful automation, and Perspective Premium is indispensable in documenting the record of events through to capturing investigative details and linking related incidents and investigations to cases for comprehensive review. Data can be viewed (and added) on a one-to-one or one-to-many basis, allowing for complete activity, incident, investigation and case management. 

About the Author