How to store the investigation evidence securely


 After a complaint has been filed that requires further research, the organisation should decide whether an investigation is needed. The investigation should start quickly as the evidence may be jeopardised the longer it takes to start the process. The evidence collected during the investigation should be stored securely after an expert has analysed it carefully. But how can a decision be made on what counts as evidence and what does not? And how can everything be stored safely while still being accessible? These are two important questions every business or investigator should be ready to answer as they affect the success of the investigation. 


Evidence necessary for the investigation

 The most common complaints that require an investigation are allegations of bullying, discrimination, harassment and fraud. While strategies may need to be implemented to lower cases of misconduct, it is impossible to discourage every single culprit. Employees should be encouraged to gather evidence and come forward with their claim as it will improve the overall environment and their experience at work. While data shows that 10% of Australian workers are bullied, the numbers could be higher due to people not feeling comfortable reporting or not having evidence to make a complaint. They may only be verbally attacked without any way to prove it. 

 Employers should educate employees on how to collect evidence if they are the victim of misconduct or they have observed fraud. This will allow the investigator to collect a wider variety and better quality of evidence. As there are many cases, the nature of the evidence may differ. There may be photos, videos, records, contracts, emails and other documents that the investigator will need to protect. 

 To ensure that the evidence stored is more accurate, it needs to be collected quickly and, ideally, at the time of the incident. For example, a photograph of the injury at the time of the accident may be more meaningful than a healed wound. Screenshots of online harassment should be taken on the spot before the accused can delete their messages. So it is important that all relevant evidence is collected before the investigation even starts. 

 Storing evidence begins before the investigation. It is not only up to the investigator to preserve information but to employees as well. 


Preserve evidence for the investigation

 Once the evidence has been collected and the pieces of evidence have been analysed, it should be clear which ones are needed for the investigation. The company must keep both direct and indirect evidence as they have their own advantages and can result in a better outcome. The selected documents should be stored securely during and after the investigation. Some steps to ensure that include:

-Maintaining confidentiality 

-Abiding by policies and procedures

-Training employees

-Choosing a safe place


Maintaining confidentiality

 Maintaining confidentiality relies on the investigator, the company and its employees. One person is not able to protect confidentiality on their own. It should be a group effort to make sure that the investigation is carried out successfully and without issues. What the investigator can do is explain to employees the importance of confidentiality and how it could impact the investigation and their work life if the information was leaked to third parties. They should inform them of the repercussions that may follow and how it will not be beneficial in any way to share information outside of the investigation. Employees should also be informed of the steps the investigator is taking to ensure that their identities are protected and that all evidence is stored safely. 

 Requiring employees to sign a written confirmation of confidentiality increases the likelihood that evidence will be stored securely and will not be given to third parties. As employees may be the first with access to evidence, it is crucial that they are not tampering with data, trying to delete trails or telling outsiders what is happening within the investigation. The confirmation of confidentiality means that the staff members are aware of the severity of the situation and they are heavily discouraged from making evidence public. 

 One of the most effective strategies to keep the investigation and its evidence confidential is to conduct interviews in a secure place that is not frequented by other employees. This will prevent gossip from arising and witness statements from being influenced, and will protect the identities of the parties involved along with the contents of the investigation.


Training employees

 It is not required that employees are trained to store evidence securely. However, it is recommended as employees play a big role in the success of the investigation. In many cases, they provide investigators with the majority of information so knowing how to preserve evidence can be essential. When employees are educated on how to handle evidence until the investigation starts, it can lower the probability of information gaps or accidental contradictions. Everyone will have been informed on how to protect themselves and store all relevant information to prevent it from being stolen or accessed by a malicious third party.  

 Evidence-preservation training is not a program that needs to be undertaken regularly but modules should be offered often enough that a risk-aware culture is created. It will also improve the employees’ experience with the investigation as they are aware of what their rights are and what steps they need to follow. In some instances, this kind of training can encourage employees to speak up and report the issue as they feel confident that they have enough to prove that misconduct is taking place. 


Abiding by policies and procedures

 One of the main rules when conducting the investigation is to not use the original evidence during the process. The original document, photograph or video should be stored and a copy of it should be used to conduct interviews or establish credibility. Preserving the original evidence and working with copies has many advantages as it will prevent potential damage to or loss of the file. Having the original document can allow for more copies to be created but copies do not have as much power. 

 Policies and procedures should make it clear to what extent the company has access to company devices. In the case of deleted information, the IT department should try to find the details that were removed. Establishing clear policies and procedures can minimise the company’s exposure to potential legal consequences as the privacy laws will be taken into consideration. 

 They should also state who should have access to the devices and evidence once the investigation has commenced, as the more parties involved, the more likely it is that evidence will not be stored effectively. It must be highlighted that employees are not allowed to download evidence on their own devices, only on the devices used for the investigation. Taking relevant documents home should be prohibited and all relevant information should be kept in the investigation space or with the investigator. The parties involved should only be allowed to access the information in the case management system chosen by the company.

 It is also wise to develop a record retention policy as it can prevent evidence from being destroyed and will outline what is necessary for it to be retained securely. The retention policy may outline who is responsible for collecting, monitoring and disposing of evidence and for how long the evidence should be kept. It should also include how the evidence will be destroyed once the time period has passed and how the copies will be handled as well. The retention policy must also describe how employee consent will be prioritised to ensure that employees are aware that their records are kept within the company. 


Choosing a safe place

 To store evidence effectively, it needs to be in the right form and place. If possible, all evidence should be transformed into an electronic file so it is easily accessible and easy to store. If documents are stored in paper form, they will require a lot of storage space, they will reduce the efficiency of the investigation and they might be more likely to end up in the wrong hands.

 Moving all evidence online has its own risks, as the company may be vulnerable to a cyber attack. The device used to upload it should be free of viruses and malware, and regular scans can increase the probability that the device is safe. However, it is not wise to store evidence solely on that device. It should be used to upload evidence online and create copies of the evidence to use during the investigation process. A smart case management system should then be chosen with strong passwords that will make it difficult for outsiders to access it and easier for investigators to carry out the process.

 This is one of the main reasons our clients choose Polonious. As we are ISO 27001 certified, we take information security very seriously and prioritise secure storage of evidence at all stages of the process. All information can be uploaded to our case management system and can be accessed anywhere and anytime by only those involved in the investigation. Investigators can store a wide variety of evidence, including videos, photos and relevant documents. If you are looking for a safe way to preserve your evidence, contact us


Keep in mind

 Storing evidence for investigation securely requires many steps and it is a complicated process. What might apply in one investigation may not apply to another. The company and the investigator must strive to work together to ensure the best possible outcome. 


What’s the difference between indirect and direct evidence?


 Workplace investigations will require different types of evidence to be collected. This includes indirect and direct evidence. They are important in workplace investigations as they give proof of whether something happened and will assist the investigator in reaching a conclusion. Some pieces of information may be more relevant than others and may give a clearer picture of what occurred. However, the investigator should try to collect as much evidence as possible to avoid an incomplete or biased conclusion. While a hierarchy of evidence may sometimes be used, it usually depends on the quality of the information. This is where indirect and direct evidence come in. 


Difference between indirect and direct evidence

 A workplace investigation may require eyewitnesses, CCTV, photos, messages or other online media. It is crucial then that there is a clear link between the evidence and the incident. 


Direct evidence

 Direct evidence proves a fact; it shows that something happened. For example, an employee seeing another employee committing fraud is something they directly witnessed themselves. Direct evidence includes observations, CCTV or computer software that can show whether an individual committed misconduct or not. It also includes the statements of the main parties involved.

 Direct evidence proves a fact first-hand and in some cases, there is little room for bias. Witness statements are one of the few instances where evidence may be influenced by bias. Accounts of events can be either recorded orally or written. As time passes, witnesses’ accounts may be influenced by other recollections of the incident, which may unintentionally result in a misleading statement. So even though direct evidence can be used to prove an incident happened, it is sometimes not fully trustworthy, which is why indirect evidence is needed. 


Indirect evidence

 Some investigations may not have direct evidence at all. There may be no witnesses or CCTV that links a person to a crime. The investigator may need to make a conclusion based solely on circumstantial evidence. This leaves more room for error which is why it is crucial that the right individual is chosen to conduct the investigation. Indirect evidence can refer to a series of events that lead up to an incident, such as witnesses reporting the behaviour of an individual leading up to an event. Certain reports may have been submitted incomplete or with errors on previous occasions. However, even though they may be used during the investigation, they need to be supported by other sources. 

 This is because indirect evidence can indicate that an event occurred, for example, CCTV showing an individual entering the room at the time of an incident. It does not show that they are guilty of misconduct, but it makes it likely. From indirect evidence, the investigator can understand someone’s involvement in the incident, but cannot draw a conclusion solely from it.



 Indirect and direct evidence need a safe place to be stored during and after the investigation, for as long as necessary. Polonious offers its clients a safe place to store all their documents, CCTV, videos, images and other relevant information. Investigators can access interview notes, schedule new interviews and access everything from anywhere, anytime. We are ISO 27001 certified, which reinforces our commitment to secure storage of data during the process and keeping all details confidential. If you want to learn more about what we have to offer, request a demo!


Where are they similar?

 Direct and indirect evidence may be different in many cases but they are similar in the sense that they follow the same rules. Both indirect and direct evidence need to be of high quality. They need to be reliable and there needs to be sufficient evidence to determine the outcome of an incident. Sufficient information collected from multiple sources can meet the standard of proof, so an incident can come to a certain result rather than a dubious one. 

As a workplace investigation is usually a civil matter, the ‘balance of probabilities’ applies which means the investigator needs to analyse all evidence carefully and decide whether it is more likely that the accused behaviour or incident occurred than not, rather than proving ‘beyond reasonable doubt’. This makes indirect evidence more useful, though it is also possible to prove a case beyond reasonable doubt with indirect evidence. 

 To come to a conclusion, all evidence needs to be consistent. It should all point to the misconduct taking place and the individual accused being responsible for it. There should not be another potential candidate that may have committed the incident. For example, in a discrimination case that happened online, it should be clear that the employee accused was the one sending the messages and not someone pretending to be them. 

 All evidence, whether direct or indirect, needs to be obtained legally. The company should not breach any laws or regulations to collect evidence and should clearly state how they found it. For example, in some countries or states, the use of audio recordings is not considered legal. Moreover, all evidence should be relevant to the case being investigated and should contribute to the outcome in some way. 


Something to remember

 Indirect evidence is not less reliable than direct evidence. However, it has to be very strong to prove a fact and help reach a conclusion. An ideal investigation will have a combination of indirect and direct evidence that will help an investigator reach an accurate result. The investigator should assess which evidence is more credible and try to spot potential contradictions. Indirect and direct evidence can both be very helpful in the case and should be treated with the same level of importance. This also extends to their storage and collection. All evidence should be stored securely without the possibility of being accessed by third parties. 

 Polonious’s detailed security configuration ensures that all evidence and the confidentiality of those involved are protected. We offer our clients a place where they can upload all relevant data so they can access them from one single place anytime they need to. We can assist in the investigation of internal matters such as bribery and corruption, discrimination and other fraudulent activities. Do you want detailed reporting and no security gaps? Reach out!


The hierarchy of risk control


 Risk control can assist in minimising operational disruptions and increasing workplace productivity. It is one of the last steps of risk management. Risk management involves a business estimating the probability of a risk occurring and the impact this risk could have on the business. Mastering risk management is a challenging task. Businesses need to make a risk versus reward assessment to determine which decisions are worth taking and then conduct a risk assessment to understand how to manage the threats. 

 Risk control is implemented to change the impact or likelihood of the risk. It may also slow down the speed at which a threat is progressing. For example, if a financial loss was expected at the end of the year, appropriate risk control measures could be taken to push it to next year and give the company time to prepare. All businesses need effective controls to maximise their growth.


The hierarchy of risk control

 Risk control has many stages as every threat is different and needs to be handled carefully. One strategy will not work for all risks so employers need to be creative and have great analytical skills. If a strategy worked in the past, it is not guaranteed that it will remain effective. As time passes, risks develop and change in nature. Even though the type of the risk may remain the same, its root cause might change, hence requiring different measures to address it. 

The hierarchy of risk control looks at the following:

-Risk elimination

-Risk substitution

-Risk isolation

-Engineering controls

-Administrative controls

-Personal Protective Equipment



 The most preferred risk control is to eliminate the risk completely. Most companies wish to manage risks by ensuring that there is no possibility for them to materialise. The most common way of eliminating a risk is either making a different decision or taking steps to ensure higher risk control. For example, cables could be a health and safety hazard. By moving to cordless equipment, cables around the workplace could be restricted to under the desk so they are no longer a hazard. Removing the risk from the workplace is not always an option. 



 If risk elimination is not feasible, then risk substitution is the next best option for risk control. Risk substitution requires managers to find a safer way to complete a project or a task. Solvent-based ink may be replaced with soy-based ink when possible to prevent print head nozzles from being blocked. While risk substitution is used as a safer alternative, the substitute may have its own risks. The team needs to assess whether the advantages of the replacement outweigh the disadvantages.



 Risk isolation involves employees being shielded from the risk. The threat is kept away from staff members so as to make the working environment safer. For example, closing off an area can separate workers from the hazard. Risk isolation is sometimes not included in the risk control hierarchy as it is similar to engineering controls.


Engineering controls

 Engineering controls also look at how the hazard can be isolated but involve the creation of tools to make this happen. For example, a spam filter is a tool that businesses use often. The spam filter can isolate emails so they can be inspected using a different system and do not end up in an employee’s inbox, which reduces the chances of cyberattacks. Engineering controls do not completely eliminate the risk; they just reduce the possibility of it impacting the employees and business operations. 

 To implement successful controls, the business needs to assess the type of exposure it is facing and how employees are vulnerable to the risk. It can then change aspects of machinery, workflow or software that will contribute towards a safer working environment. 

 For example, automating parts of the organisation’s workflow can reduce the risk of human error. This is one of the main reasons our clients choose Polonious to manage their investigations and risks. Action items for risk treatment are automatically created, along with reminders for reassessments. During many investigations, case reports can be completely automated using data, documents and images added during the investigation process. 


Administrative controls 

 Administrative controls require the employees to be well-informed about potential risks associated with equipment, projects and everyday tasks. Policies and procedures can support employees with their work to reduce their exposure to risks during certain tasks. The use of signs is a common administrative control as it warns employees of potential danger. 

 Employees need to be trained thoroughly to recognise vulnerabilities and know how to deal with them. This will assist in minimising the impact and likelihood of the risk on their health and well-being. Employees can cooperate with their managers to develop the best strategies possible and then create effective training programs. The training they receive should make it clear what they have to follow to ensure a safer working environment.  For example, instructions on how to use equipment can reduce the likelihood of injuries and performing regular maintenance on machinery can prevent any incidents from occurring. 


Personal Protective Equipment (PPE)

 PPE is the last option for risk control, with regard to physical risks. If the business has tried to eliminate, substitute and isolate risks and none of those have worked then they focus on protecting employees from the hazard. To create or choose the right equipment the business needs to assess carefully what the risk is and to what extent employees are exposed to it. An example could be ear plugs in a very noisy environment to protect an employee’s hearing. Once chosen, employers should ensure that employees know how to use the PPE correctly and that it is suitable for them. They should emphasise the importance of right size equipment and should encourage employees to ask questions if they are concerned about the use of PPE. 

 In some instances, businesses may require the use of more than one type of PPE. For example, if working with chemicals, employees may need to use protective glasses, gloves and a protective suit. Each piece of equipment should be designed so that it does not reduce the effectiveness of the others. PPE should be worn for all tasks found to be a risk to employees, even if they last for a short period of time. 


Advantages of effective risk control

 Risk control is essential for all businesses. Risk control can promote growth as business operations are not disrupted and everything is running smoothly. Growth is also realised through efficiency and more informed decision making. By controlling the risks the organisation is facing, workplace safety will increase and injuries or incidents will be prevented. This will then translate to less unnecessary costs for the entity and higher productivity. If employees see that the business cares about them and has strategies in place to protect them, they feel valued and their morale is improved. 

 From a legal perspective, risk control can show that the business has taken every step possible to manage the risk and prevent it from impacting the company and the workers. It can highlight how seriously the organisation takes risk management and if the worst case scenario occurs it will be evident that the business took action to prevent it. The unnecessary costs the business will avoid are not only in the form of employee injuries but law compliance as well. Entities with strong risk control are less likely to pay fines or penalties and less likely to be involved in a lawsuit. 

 Strong risk control is always supported by great communication and regular reviews. Management needs to talk to staff at every stage of the risk management process and ensure they understand what is happening. This will help shape the training of risk control to increase its effectiveness. Monitoring and regular reviews of the risk control measures can enable the business to create a better working environment as current strategies are evaluated. These evaluations may indicate that modifications are necessary to the current strategies or that new measures need to be implemented. They ensure that the business stays up to date with the relevant threats that it is facing and always adapts to the shifting risk environment.

 Note, however, that it’s not possible to eliminate all risks without avoiding an activity entirely, or spending limited resources. It’s important to maintain a priority list of risks and ensure that as many risks as possible are brought within accepted thresholds. For example, spending all your resources moving a low risk to a minimal/eliminated risk may leave you without resources to reduce a high risk. It’s important to maintain an overall picture of your company’s risks when deciding what controls to put in place and how to spend your resources on any one risk.


Keep in mind

 One of the most important parts of risk management  involves reminding employees and the company that it is an ongoing process. There have to be multiple discussions on how risks can be handled and input from staff should be greatly encouraged. Having effective risk management requires the business to look at the information they have and analyse it carefully so it can improve. On top of that, risk control could be enhanced if the managers making the final decisions are experienced and knowledgeable. Greater experience of risk management leads to better decisions as the managers have probably faced something similar in the past and are familiar with the threat. 

 Polonious can assist in your company’s risk control by helping you manage all risks from one place. We can help you link multiple assets to relevant risks and automate certain parts of your processes. Polonious allows those involved in risk management to access their data from anywhere, anytime, whether they are online or offline. Do you want reduced administrative effort and a more efficient process? Get in touch


Differences between an internal v external investigation


 When allegations of misconduct surface or when complaints are lodged to the company, managers will look to resolve the issue as fast as possible. In cases where a resolution is not easily reached, the organisation needs to decide whether it needs to conduct an internal or an external investigation. Not all incidents will have the same severity but employers need to act quickly and determine their course of action. Before making the decision on whether an internal or external investigation is required, the managers need to look at the differences between the two and the suitability for the case. 


Differences between an internal and external investigation

 There are a number of things that influence the decisions managers make. Costs, goals and time restrictions can highly impact whether an organisation chooses an internal or external investigation. The main areas in which they differ are:








 In internal investigations, objectivity is often questioned. The person conducting the investigation is seen as wanting what is best for the company, not the employees. Staff may not feel comfortable talking to someone within the company as they may fear they will land in a worse position than the one they are in. The person in charge of the investigation may be familiar with some employees which could unintentionally influence their behaviour and thoughts. This could lead to a biased process as the investigator may regard one person more highly than the other. 

 In an external investigation, the investigator does not work for the company and even though they are paid to carry out the process, the result does not impact them. Customers usually believe that external investigations are more objective than internal, as there are fewer chances of conflict of interest and the investigator does not know the employees. Independent investigators are usually hired for cases of unfair dismissal for this reason.



 Internal investigations require HR staff to focus temporarily on carrying out the process. However, this takes time away from other tasks and work duties. As a result, some steps of the investigation may be skipped or not given enough importance. HR may not see the pre-planning of the investigation as an essential task and there may be a delay in starting the investigation as other duties are prioritised. The delay could be harmful to the success of the process as witness accounts may be influenced by outsiders and certain events may be forgotten. 

 In an external investigation, an independent individual is hired only for the purpose of conducting the investigation. This means that they can focus on this task solely and not be distracted by irrelevant matters. If the company acts quickly, there will not be a delay in initiating the investigation and a clear timeline can be established. 



 Internal investigators are more familiar with workplace policies. They know the procedures they need to follow and what laws they have to comply with. However, they may lack experience in conducting an investigation in general or for a particular incident. They might face issues they do not know how to handle and they might lack knowledge in carrying out every step of the investigation. In some cases, being inexperienced and making mistakes during an investigation can be very expensive for the organisation. It could lead to lawsuits, increased costs and a damaged reputation, all consequences that businesses want to avoid.

 External investigators usually work for a firm and are certified. They have probably conducted numerous investigations in the past and have more experience with the process. They may not be familiar with company policies but since they have worked with different organisations, they most likely know how to follow them while also complying with relevant laws and regulations. This stresses the importance of choosing the right investigator for the job and doing some research before making a decision.  



 Internal and external investigations are used for different kinds of incidents.

 A low-risk incident is usually handled with an internal investigation as the issue is not as serious. These types of investigations tend to be shorter in length and easier to navigate through. Internal investigations are also preferred for low severity allegations due to the lower costs they incur. Businesses may not have time to spend researching for an external investigator or spend money on unnecessary expertise. For example, a one-time harassment issue is something HR managers can look into. 

 External investigations are usually needed for serious misconduct and situations where the business’s commitment to the investigation could be questioned, such as the unfair dismissal case we mentioned. An external investigation is also required if the incident is related to work culture or is very complex. This is because an independent investigator will be able to give a new and fresh perspective on how things work and uncover if something is wrong. 



 Internal investigations tend to attract less publicity as it is less likely information will be released to the media. On the other hand, an external investigation is more likely to be picked up by the media. 

 If both go public, customers will see them differently depending on the result. A poor internal investigation could be seen as biased and as the business not putting in enough effort. A poor external investigation could be seen as the business not choosing the right people.

 A properly done internal investigation highlights that the company takes its working environment seriously and values its employees. A successful external investigation is seen as the company being committed to ensuring procedural fairness and a professional process.

 Publicity for both types depends heavily on how well the business manages the process.


What they need to have in common

 While there are differences between an internal and external investigation, there are some elements that both must have in common. Those are:


-Encourage reporting

-Reinforce policies 



 While the investigation going public is not necessarily a bad thing, the details of the people involved should not be shared with anyone. The company has a duty to protect its employees for as long as necessary. In some situations, the company may be required to release information once the investigation has been completed. However, during the investigation, the managers and investigator should work together to prevent any gossip or rumours from spreading as this could damage the reputation of the employees involved. Their reputation and mental health are very vulnerable during the investigation and details going public could be detrimental to their career.

 Managers should stress the importance of keeping everything private and the consequences that will follow if data is leaked on purpose. If details about the investigation are leaked it could not only affect the process but the team members or co-workers. This is why information should not be discussed with outsiders or anyone else who is not involved. Lack of confidentiality can damage the trust employees have in the organisation and potentially discourage others from speaking up and reporting incidents. 


Encourage reporting 

 An investigation can show employees that all complaints are taken seriously. It can emphasise how the organisation wants employees to feel safe and comfortable in the environment they work in. To encourage complaint reporting, the business should ensure that the investigation is conducted fairly and leads to a change in the company if required; if no misconduct is found, it should be able to explain why clearly and fairly. This will tell employees that if they speak up, the problem they are facing will be addressed and corrective action will be taken if wrongdoing has been found.

 Just like the investigation, an effective reporting system should be confidential so staff feel more confident. If it is not private, then employees may feel like they will be targeted for reporting something inappropriate. Once a supervisor has looked into the complaint, they can decide how to handle it. In some cases, the employee can be called forward for more information to achieve a better outcome, but that only happens if they are willing.


Reinforce policies

 A well-executed investigation can reinforce the importance of policies. Policies exist to protect the workplace and guide procedures like an investigation. By conducting either an internal or an external investigation, the company emphasises that compliance is required, otherwise repercussions will follow. Organisational values may be reviewed during the process to ensure that they align with the goals the company is trying to achieve.

 Investigations can also be used to strengthen the current policies in place and implement new ones if needed. They can expose weaknesses, which can then be addressed to improve policy compliance and achieve greater coverage of issues.

 The reinforcement of policies should lead to a healthier work environment and a more positive workplace culture where illegal or unethical behaviour is discouraged and reported.


Don’t forget

 The health and well-being of employees along with confidentiality are a priority during any investigation. If an organisation fails to protect its employees then negative publicity will follow regardless of the outcome. An internal and external investigation have their own differences but the managers should analyse every complaint separately in order to make the right decision. Just because one type of investigation is appropriate for one problem it does not mean it should be used for the next. 

 Polonious assists businesses with both internal and external investigations. While our clients focus on investigating fraud, bribery and misconduct allegations, we focus on keeping all their information confidential. Polonious provides detailed security configuration that ensures all investigations are highly confidential and we assist our customers to save administration time and costs. Do you want a more productive investigation with faster turnaround times? We are here to help. Reach out!


Managing risk to promote growth


 Managing risk is critical for maximising growth. A well-prepared business is in a better position to make informed decisions and take advantage of opportunities. Many risks could threaten the success of the business. Social, economic, technological and regulatory risks could restrict your company’s potential growth and result in higher opportunity costs. 

 Managing risk allows your organisation to adapt to the rapidly changing business environment and gain a competitive advantage. Companies are always competing to innovate the next big hit or update current services to attract new customers. However, every single activity involved in growing your business comes with risk. The risk comes either from the opportunity not having a positive outcome or other elements associated with it, such as the risk of cyber-attacks when operating online. 


 Managing risk is not simple

 When growing, managing risk becomes more complicated. The risk management process needs to be adapted to technological changes, increasing profits and increasing staff demand to enable growth. Risk management focuses on identifying, assessing and mitigating threats. Managing risk to promote growth could include:

-Keeping track of costs

-Managing expansion

-Staying up to date with technology

-Monitoring fraud

-Evaluating risk appetite

-Meeting customer demands


Keeping track of costs 

 When growing, it is likely that revenue will increase and the business will look to expand or invest more money into certain areas. Managing risk during this period can be more complicated. Managers may underestimate the costs related to those decisions or they might focus less on reducing costs. Even with high revenue, cost control is essential to achieve the maximised profit. The inability to reduce costs could potentially lead to slower growth and missed opportunities. To manage this risk, businesses should prioritise cost reduction and control even during periods of increased revenue. 

 A cost-benefit analysis is important when deciding whether or not an investment is worth it. A cost-benefit analysis looks at all the benefits associated with a decision against the costs required to implement that decision. A cost analysis, along with effective budgeting and forecasting can prevent an overly positive outlook. Instead, the company will have a realistic idea of how its costs impact its profit and can develop strategies to minimise them. Just because the business is doing well now, it does not mean it will continue to grow at the same rate in the future so management needs to be prepared. 


Managing expansion

 Expansions need a lot of planning and collaboration. Many things within the business will change which could potentially leave the company vulnerable. Tasks and budgets have to be created after speaking to employees to encourage better solutions and gain a clearer idea of what details need to be addressed. New policies may need to be created and individuals could potentially change positions within the company to ensure that the right person is chosen for the job. 

 Growth could impact work culture which is why employers need to prioritise how the staff are being treated during the whole process. Are they feeling heard? Are they satisfied with their work or are they overwhelmed? Management must listen so the objectives developed during the growth period are taking staff into consideration. 

 As a business is growing, more staff may be needed. Understaffed companies are at risk of lower quality service and flawed production of goods as there are not enough employees to complete every task by the deadline. Managing risk during expansion involves identifying areas where more staff members are needed and which departments need updated infrastructure. This will ensure that all operations are running smoothly and efficiently and not stalling growth.


Staying up to date with technology

 Technological trends are one of the main drivers of business change. If the business fails to keep up with technological advances then they are more likely to lose a percentage of their customers and reduce workplace efficiency. Customers are always looking for the next best thing and what is the most affordable and innovative product or service. If the organisation adopts the latest technology, it will be more efficient in daily tasks and research and development. 

 The company should look at what technology the competitors are using and assess the risks associated with not upgrading. Why are new devices needed? How can they promote growth? Every change should be implemented carefully to ensure that it aligns with organisational objectives. 

 If new equipment is not seen as necessary, then training the employees is an effective way to implement new knowledge into decision-making. This is a step companies neglect but the commitment to training and development can be beneficial not only in the short term but the long term as well. It can lead to sustainable growth and greater performance management. This will also minimise the risk of high employee turnover as employees are given opportunities to advance their careers. 

 It is important to remember that staying up to date with technology has its own risks. Management may not plan the implementation of new technology appropriately, which can lead to unrealistic goals and disorganised training. Staff need to be given enough notice and the skills necessary to manage the technological advancements. Risk assessments need to be conducted to detect any potential risks with adopting new technology and strategies need to be prepared to ensure that everything is rolled out smoothly. If the new technology is not properly implemented, then the staff may accidentally misuse it or management may become complacent, even though it is a task that requires continuous improvement.


Monitoring fraud

 The most difficult part of managing risk in an organisation involves monitoring various departments, conducting risk assessments and audits that can detect fraud or other illegal activities. Growth leaves the business more vulnerable to fraud as many things emerge that require attention. As resources are focused towards sustaining the increasing business success and more employees are hired, there are many gaps that criminals can take advantage of. 

 All companies can be victims of fraud, no matter their size. When an organisation grows, higher invoices are expected, more money is allocated towards different services but in the worst case scenario, the business never receives what it pays for. Instead, the money goes to the employee. As Apple was growing between 2011 and 2018, an employee defrauded it of more than $17 million USD. This case highlights how no one is really safe. It might seem impossible for someone in your company to act with ill intent but it is more common than one might think. 

 Managing risk, especially fraud, can be complicated. Even when expanding, the organisation should have a clear strategy on how to handle fraudulent activities and high fraud awareness. It should have systems in place to detect illegal actions and a team dedicated to uncovering such activities. A whistleblower line is encouraged as employees may not feel confident enough to report misconduct directly to a manager. 


Meeting customer demands

 Increased sales of a certain product or service may give the business the illusion that customers will keep buying the product without them needing to modify anything. However, the opposite is usually what happens. During growth, the business is managing old and new customers. For many individuals, this stage will be the first time they interact with the company. Not emphasising customer service and neglecting to monitor customer behaviour, sentiment and expectations could be detrimental for the entity. The business needs to listen to customers and have them as a priority as they are the ones who are enabling them to grow.

 Managing risk largely involves managing customers. What customers say about the business, what they want from the product or service and what is necessary to retain them are three key areas the company should focus on. Growth does not mean that the company should relax or let its guard down. There is always the risk of a customer having a bad experience. When customers have a positive experience, usually 1 or 2 people will hear about it. When a customer has a negative experience, they will share it with at least 5 people and discourage them from trying out a brand. As a result, a lot of the market share is lost to competitors.


Evaluating risk appetite

 To achieve continuous improvement, the managers should assess both the external and internal environment for risks. Managing risk requires the company to know what its risk appetite is. Risk appetite refers to the amount of risk that a company is ready to accept to achieve its objectives. Risk is not something that can be avoided when operating a business. Every decision carries some level of risk and businesses should not let low risks deter them from pursuing growth. Therefore, analysing the risk appetite is important in order to make better and well informed strategic decisions. 

 Stakeholders should be involved in discussing risk as usually employees are the ones that see the impact threats have on the company. When explaining risk appetite, management should try to simplify terminology so everyone can understand what is being said. A collaborative approach can assist the business in determining how risk appetite can affect its goals and growth and contribute to a better long-term strategy. A higher risk appetite means that the organisation will be able to take riskier opportunities as it has the ability to do so. A low risk appetite indicates that the company should limit riskier opportunities, which could potentially slow down its growth.


Please note

 Managing risk to enable greater growth is easier said than done. There are many areas that will require a lot of attention and the business will need a lot of resources to manage its success in a sustainable way. Every business will need to retain its productivity levels and increase them while minimising costs. 

 At Polonious we understand the stresses that come with operating a business. That is why we offer our customers a high-quality service that allows them to fill out online risk assessments to save time and money. Our clients manage all risks in one place and can link all relevant assets or details to a specific case so they can keep track of it more easily. Polonious can simplify your processes and automate certain procedures so you can focus on your core responsibilities. If you want to know more about how we can help you grow while managing risk, reach out to us.
