How to handle an online investigation



An online investigation is becoming more and more common as technology takes over. Times are changing: employees have moved to remote work and many now use their own devices when they come into the office. Nowadays, 75% of employees use their personal mobile phones for work-related purposes. This highlights the big shift from company-provided equipment to staff using their own personal devices for their work tasks. Technology, and employees bringing their own devices to work, have led to the majority of investigations having online elements. This could mean that the evidence is stored online, or that the action being investigated happened through the internet.


The complexity of an online investigation

 Whenever we need information, we go online. However, the place that people look to is constantly changing. People used to just Google their questions but now internet users go on YouTube, Instagram or LinkedIn, depending on what they are looking for. For this reason, an online investigation could be very complex. The places investigators will need to look at for evidence are expanding and they need to keep track of emerging social media and spaces where employees interact. 

Bring your own device (BYOD) can initially seem beneficial: fewer costs for the employer and less monitoring for the employee. But what happens when employees misuse their devices?

Employees can be bullied by colleagues outside of work hours or away from the workplace. This can still count as workplace harassment because it is connected to work. If staff complete their job duties outside of the office, they still need to comply with company policies and procedures. Just because they are not at the office does not mean that the rules do not apply to them. A lot of companies have developed BYOD policies to protect the organisation and its employees from incidents related to remote work, misuse of the device or situations outside work hours.

 In an online investigation, the people involved in the incident may be in different locations. This will require interviews to be conducted remotely and evidence gathering can take longer than what is usually required. 

To assist our clients with their online investigation, Polonious has a Simple2Connect integration which allows investigators to schedule and record interviews. Our customers can rewatch the interview if they need to and write down any points they might have missed. Interviewees are given a link via text and receive all the necessary details to join the call. Setting up the interview is very easy, as the interviewer can set the date, start time, end time and description through Polonious. Once the interview is finished, the file is attached to the relevant case so investigators can access all files in one place.


How to approach the online investigation

 An online investigation should be treated as any other investigation. Confidentiality needs to be prioritised and managers need to prevent any information from leaking to external parties. With most components of the investigation taking place online, there are increased risks of compromised emails and outside participants joining private meetings. Some issues are:

- Protecting investigators from hackers

- Managing remote interviews

- Keeping emails safe

- Mitigating risks


Protecting investigators from hackers

Cyberattacks are becoming increasingly common. Many major companies have been victims of cybercrime, and this is a reminder that we can never be too relaxed or lenient when it comes to cybersecurity. In an investigation, a lot of sensitive information is gathered by the investigator. As most evidence will be stored online, the investigator needs to be aware of their actions and activities and avoid keeping all copies on one device.

They must refrain from using public Wi-Fi, especially if they do not have a strong VPN. One of the biggest mistakes people make is leaving their house with their Wi-Fi setting still on. Attackers can run open networks in certain public places that devices join automatically because no password is required. While the device is connected, it is vulnerable to being compromised.

Investigators should ensure that their Wi-Fi is off when leaving their house or work. They should also turn off mobile data when they are not using it. Using a VPN is highly recommended, but investigators should stay away from private or public networks they are not familiar with even when using a VPN. This is because a VPN does not guarantee anonymity; it only offers protection up to a certain level. It is advisable that investigators use separate devices for work matters and for personal use. That way, if their internet usage is exposed, it will not indicate to criminals that they might be an investigator.


Managing remote interviews

During COVID, instances of third parties joining virtual meetings increased. One way to avoid this is to set a password for the interview that only the parties involved know. It is better to share the password verbally rather than in a written format. This decreases the chances of the link and the password falling into the wrong hands. If the program you are using allows it, restrict which email addresses can join the meeting, or allow only accounts linked to your organisation to join.

Ensure that the employees join from a quiet place and have a working camera so the investigator can see their facial expressions and body language. While it is beneficial to record the meeting, the interviewer should seek consent from the interviewee. If it has been decided beforehand that the meeting should not be recorded, the interviewer should clearly emphasise to the employee that they are not allowed to record it either.

 In the case that screen sharing is required, the investigator must not have other information open, only data relevant to that specific interview. Notes from previous interviews or emails should be closed.


Keeping emails safe

Sometimes, an online investigation is the result of a phishing email. Email filters should be implemented to protect the investigation and those involved in it. Recently, a new approach hackers have adopted is to create an email address that is very similar to that of the CEO of the company. They then send emails to employees telling them to reply because they have an urgent task to give them. In some cases, the email asks employees to send money. If there is an investigation underway and people respond to these emails, it could lead to sensitive data being leaked to third parties.
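The filtering the paragraph above calls for can be approximated with a few header checks. The example below is added here and is not Polonious code; it assumes a constructed company domain (`example.com`), a constructed executive directory (`EXECUTIVES`), and sample message headers that are also constructed. It scores an inbound From header on three signals that match the lookalike-CEO pattern described: an executive's display name paired with an address that is not the executive's real one, a sender domain that is a near-miss or digit-for-letter confusable of the company domain, and a Reply-To that diverts replies elsewhere.

```python
"""Score inbound mail headers for executive-impersonation signals.

Added example, not code from the original page. COMPANY_DOMAIN, EXECUTIVES
and the sample headers in main() are constructed values for illustration.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed: normalised name -> real address

# Digits commonly swapped for letters in lookalike domains (examp1e.com, examp0e.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold Unicode compatibility forms, case, digit confusables and 'rn' -> 'm'."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return folded.translate(CONFUSABLES).replace("rn", "m")


def lookalike_domain(domain: str) -> bool:
    """True when the domain imitates COMPANY_DOMAIN without being it."""
    if domain == COMPANY_DOMAIN:
        return False
    if normalise_domain(domain) == COMPANY_DOMAIN:
        return True
    return levenshtein(domain, COMPANY_DOMAIN) <= 2


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def assess(from_header: str, reply_to_header: str = "") -> Finding:
    """Score a From (and optional Reply-To) header; higher means more suspicious."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    name_key = " ".join(name.split()).lower()
    finding = Finding()

    # Signal 1: display name of a known executive but not their real address.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        finding.score += 3
        finding.reasons.append(f"display name '{name}' is an executive but address is {addr}")

    # Signal 2: sender domain imitates the company domain.
    if lookalike_domain(domain):
        finding.score += 4
        finding.reasons.append(f"sender domain {domain} looks like {COMPANY_DOMAIN}")

    # Signal 3: replies are diverted to a different address.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if reply_addr.lower() != addr:
            finding.score += 2
            finding.reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    return finding


def verdict(finding: Finding) -> str:
    """Map a score to a filter action."""
    if finding.score >= 4:
        return "quarantine"
    if finding.score >= 2:
        return "flag"
    return "deliver"


if __name__ == "__main__":
    samples = [  # constructed headers
        ("Jane Doe <jane.doe@example.com>", ""),
        ("Jane Doe <jane.doe@examp1e.com>", ""),
        ("Jane Doe <ceo.janedoe@gmail.com>", ""),
        ("Jane Doe <jane.doe@example.com>", "Jane Doe <jane.doe@mail-relay.test>"),
    ]
    for frm, reply_to in samples:
        f = assess(frm, reply_to)
        print(f"{verdict(f):10} score={f.score} {frm} :: {'; '.join(f.reasons)}")
```

The thresholds and weights are arbitrary starting points; in a real gateway they would be tuned against observed mail, and the executive directory would be loaded from the identity system rather than hard-coded.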

 It is crucial that employees are warned about these kinds of incidents so they are more careful when they receive a suspicious email. They should be trained on how to recognise sophisticated attacks and report them immediately. An additional measure investigators can take is to tell everyone to encrypt the content that is sent through emails. Using a password to protect evidence can make it harder for outsiders to access it. Again, it is advisable that the password is shared verbally rather than in writing. 

The organisation must make it mandatory that all accounts have two-factor authentication to increase their security. Employers should also emphasise the importance of strong passwords, preferably ones that are not reused for other platforms or services.


Managing risks

During an online investigation, a lot of the evidence will be social media posts, remote interviews and recordings, or email content. On social media, the information can be edited. Plug-ins, extensions and software can be very useful in providing information on when a post was published, when the image was taken and whether the post has been edited. The investigator has to find the tools specific to the incident that can assist them in finding previously edited or deleted social media posts. This will prevent people from lying and provide the evidence needed to establish credibility.

 While a harassment investigation is underway, communication between the main parties should be terminated to prevent further issues. If it does not have to do with harassment, then it is preferred that any communication is done through written means. This will create an accountable environment where people will not be able to allege that ‘he said, she said’ incidents took place. 

 If it is discovered through the online investigation that there are gaps in company policies concerning investigation procedures, BYOD and handling of complaints, these policies should be updated. This will help the company improve and assist in preventing similar situations or generating better results if another incident occurs. 


A few things to remember 

 Like it was mentioned before, an online investigation should be treated as any other investigation. All evidence must be stored securely and the investigator must conduct a legal, fair and ethical online investigation. It is important that an experienced investigator is chosen who is familiar with online investigations so privacy laws are not breached.

 If employees are uncertain about specific parts of the process, the investigator and the managers are responsible for clearing up any confusion. Overall, an online investigation may be riskier but most information is now stored online so it is a matter of being safe and staying updated with the latest security measures. 

Polonious takes information security seriously. We are ISO 27001 certified and we undergo regular audits that check our compliance with the framework and reinforce our commitment to providing a high-quality service. Polonious offers a place for employees to upload all evidence securely without the need for emails. Parties in the investigation only have access to information that is relevant to them and they receive updates on the progress of the case automatically. Do you want to learn more about how we can help you with your online investigation? We are happy to show you


The role of a compliance officer



 A compliance officer is responsible for managing compliance within an organisation and ensuring that everyone within the business follows the relevant laws and regulations along with the company policies. An organisation has to comply with internal and external obligations to maximise its growth potential. While some policies may not be mandatory, the business should focus on creating a positive work environment where employees feel heard and compliance is reinforced. A business may choose to comply with additional frameworks like ISO 9001 to highlight its commitment to quality management. 

 Polonious is certified with ISO 9001 and ISO 27001 as we prioritise the quality of the service we provide and the security of our customers’ information. We ensure that the data entrusted to us is in safe hands and we comply with strict standards to prevent any potential leaks. Confidentiality is a big part of our work and during every step of an investigation, we want our customers to focus on their core responsibilities while we provide them with an efficient case management system. 


The role of the compliance officer

 A compliance officer needs to collaborate with employees to understand potential compliance risks that could affect the company. Some common compliance risks include:

- Flawed data management

- Workplace health and safety

- Regulatory uncertainty


Flawed data management 

 If your business works with sensitive information, it is crucial that the compliance officer is aware of the laws and regulations that surround data handling and storage. Sensitive data includes payment details, home addresses and medical records. The company has a duty to their customers and their employees to protect any data that is provided to them. A company with an ineffective data management system is vulnerable to cyber-attacks and privacy breaches. These can be damaging to the organisation’s growth and reputation as a non-compliant company is not seen as trustworthy. 



Employees need to be aware of the laws, regulations, policies and standards they need to comply with. The compliance officer, along with the HR team, should ensure that all new employees are made aware of their responsibilities and understand all relevant rules they have to adhere to. Failing to train employees effectively could have severe consequences for the business. If employees are not educated on how to spot risks and avoid or mitigate them, it could lead to increased costs for the company. Recently, Interserve was fined 4.4 million pounds after an employee downloaded a phishing email that allowed hackers to steal the information of 113,000 employees. It left staff vulnerable to identity theft and financial fraud.

 The investigation found that Interserve failed to comply with data protection laws. Their software was outdated and their employees lacked training. The lack of training reduced employee awareness of potential compliance risks and cyberattacks. 

 Undertraining employees could result in them not knowing how to follow a procedure or how to produce a product that follows quality standards. This could carry many disadvantages for the company as it jeopardises the success of the brand and customer loyalty. 


Work health and safety

A compliance officer needs to ensure that the working environment adheres to the rules of the country the business operates in. If the company provides employees with an unsafe working environment, then staff are left vulnerable to injuries and accidents that may be fatal. The compliance officer has to work with managers and employees to create a hazard-free workplace so employees are not in danger. Non-compliance with these laws not only threatens the physical health of staff, but it also threatens their mental health as they are dealing with uncertainty and higher levels of stress.

 Another non-compliant action is the refusal to follow laws and policies concerning work behaviour. Employees need to be trained to understand the consequences of harassing or bullying other staff members. It is not only a compliance risk but an ethical issue as well. 


Regulatory uncertainty 

Regulatory uncertainty occurs when the business is not kept up to date with changes to laws and to the external environment. It may be that managers do not fully understand a law that is being passed or how it applies to the company. The compliance officer is responsible for keeping up with new policies and making sure that everyone in the company understands what they mean for the business.

 If they are unsuccessful in informing employees, it could lead to misunderstandings between workers and between the business and its customers.


Attributes of a successful compliance officer

Being a compliance officer is not an easy job. It carries a lot of responsibility and requires a clear understanding of the vulnerabilities the business is exposed to. They need to conduct regular risk assessments and oversee internal compliance investigations. They have to assess whether every department is compliant with external and internal requirements and assist in the training of employees.

So what makes someone a great compliance officer? Beyond understanding laws, a compliance officer must have the following:

- Good interpersonal skills

- Analytical skills and attention to detail

- Problem-solving skills


Good interpersonal skills

 Compliance officers need to connect with people and know how to share information in a way that everyone understands and remembers. It is not enough to just say something. It is necessary that the delivery can be easily remembered by employees so next time they undertake an activity, they know what they can and cannot do. People may not recognise why they cannot take a specific action which is why great communication skills are crucial in explaining the issues involved in greater detail. 

 If they notice an error or a non-compliant action, they need to be careful with how they will approach the situation. The compliance officer needs to be considerate of the person’s feelings – maybe they did something wrong by accident – but at the same time they need to be strict and ensure that the same mistake does not happen again. It is a delicate matter to call someone out on an error so the compliance officer needs to be confident but empathetic. 



 An ethical compliance officer will be less likely to lie and will value honesty. Honesty is an integral part of compliance management as it reduces the possibility of compliance officers joining unlawful activities. Ethical individuals will report wrongdoings to the right person promptly and will come up with strategies to prevent similar behaviour from occurring again. 

 Businesses are more likely to rely on an individual who is ethical as they are more committed to keeping the company safe and enforcing laws and regulations. Managers will be more certain that non-compliant behaviour will not be covered up for personal reasons or biases. 


Analytical skills and attention to detail

A compliance officer needs to look at numerous situations and risk assessments. Therefore, it is important that they possess analytical skills that allow them to interpret what they see into clear and concise information. If a new policy has been created, they should know what changes need to be made, and where, to guarantee that the business remains compliant.

Attention to detail is also crucial in analysis, as patterns or problem areas may signal that a bigger issue is the root cause. If small errors go unnoticed, it could leave the business vulnerable and compliance risk will increase.


Problem-solving skills

 After a compliance officer completes their analysis, they need to decide what the solution will be to the situation they are facing. Good problem-solving skills require an individual to be creative, analytical and innovative. This can lead to them looking at the problem from multiple angles and developing different ideas for the same problem.

  Once a solution has been found, it can be monitored and if it is deemed ineffective, a good compliance officer can then find an alternative idea. It is not certain that everything will work the first time but during critical incidents, strong problem-solving skills are essential as there is little room for error. 


Final note

A great compliance officer is hard to find. On top of all the skills already mentioned and the different situations they are responsible for, they need to be open to feedback and be a strong leader. Not being afraid of constructive criticism can give the compliance officer many opportunities to improve and learn from their mistakes. Excellent knowledge of laws and regulations, policies and documentation is not enough to be successful. Soft skills are also an essential part of the role.

 At Polonious we prioritise compliance for the safety of our customers and employees. Polonious is trusted by multiple businesses worldwide as we are committed to following the highest international standards and delivering a high-quality service. We are chosen for both internal and external investigations as we automate compliance management and save administration time. Polonious makes it easy to receive case updates and upload all relevant information including videos, images and documents to one place. Do you want to learn more about how we can help you with compliance management? Request a demo and we will get back to you as soon as possible.


Ready to investigate? Avoid these 5 mistakes



When a company prepares to investigate, it needs to have a plan of what exactly needs to be done and by when. It needs a timeline and the resources, and it needs to choose the right people. Investigations have many stages and therefore many potential pitfalls. Some are more common than others. The nature of the mistakes differs by the allegation, company, industry and parties involved. People may not realise that they are doing something wrong until, after hours of interviews, they still do not have a clear understanding of the incident.


Mistakes to avoid when you investigate

 The complaints companies and government bodies receive are increasing every year. There are different kinds of disputes and misconduct taking place in the workplace. A very high number of complaints could indicate that something is wrong with the company’s culture. It may be toxic and it may be fostering bullying and discriminatory behaviour. 

 Polonious takes complaints seriously and assists its clients with investigation management by providing them with a system that improves productivity while reducing administration costs. On top of that, our customers report cutting administrative time by over 20% and have seen an increase in case throughput by up to 38%. The status and progress of the investigation can be easily monitored from one central point which eliminates the need for meetings and spreadsheets. If you want to learn more about how we can help you, reach out and request a demo!

 During an investigation, the individual who is conducting it is trying to understand what happened, when, who was involved and where it happened. To investigate thoroughly, a number of obligations need to be met as it is a complex process with a lot of room for error. The most common mistakes in an investigation are:

- Not choosing the right person for the job

- Not having a reporting system for complaints

- Not following the plan

- Not preparing for the interview

- Not collecting the appropriate evidence


Not choosing the right person for the job

 Once it has been determined that an investigation is needed to resolve an issue, the first step a business must take is to find the right person to investigate. Managers must assess whether a problem can be internally investigated or if an external party is needed.  Employees may be afraid that an internal investigator will lack objectivity and unconscious bias may influence the process because they are familiar with the employees and work for the company. Organisations usually call a third party to investigate to reduce the number of mistakes or possible conflicts of interest that may arise. 

 Experts usually recommend that an independent third party is hired to avoid scenarios where employees refuse to accept the outcome of the internal investigation or retaliate as they feel unfairly treated. Choosing a person who is transparent and fair is crucial for the success of the investigation as they will be able to investigate in an impartial manner, free of judgements and biases. Managers need to also consider if they have the resources available to conduct an internal investigation. Individuals may have other tasks to complete, increased responsibilities and there may be a lack of experience. 

 It is advisable that thorough research is completed before selecting the right investigator. Word of mouth may not be enough as one person may be better at investigating one topic and lack expertise in another. 


Not having a reporting system for complaints

 An efficient reporting system is important for every organisation. A lot of incidents are underreported, including safety incidents, and one of the main reasons is the quality of the reporting system. Reporting systems are in place for managers to receive complaints from employees about anything, from work culture to non-compliance to harassment. If acted upon, it can be effective in deterring wrongful action and misconduct and can discourage individuals from committing illegal activities at work such as fraud. Outcomes of investigations can also provide learning opportunities to prevent incidents and complaints in the future – particularly in the case of safety incidents.

 A lack of a reporting system or an ineffective reporting system could lead to fewer complaints as employees are afraid of getting in trouble if they speak up. It shows employees that the business is not taking them seriously and that the company is not looking for ways to improve. If a reporting system is in place but no complaints are ever received, it could be an indicator that employees do not know that it exists or do not know how to use it. 

 In most cases, employees lack the confidence to report an incident, especially harassment. A report by the EEOC found that less than 25% of harassment victims formally made a complaint and less than one in three employees talked to a manager. This means that the investigation has failed before it has even started. As the investigation aims to discourage unethical and unlawful behaviour and create a better working environment, a flawed reporting system can lead to the exact opposite. 

 Employees fear retaliation, which may eventually lead to a lower-quality investigation as they are afraid that what they say against the accused may result in a worse situation. Employers must ensure that before, during and after an investigation, retaliation is discouraged from both parties to prevent further problems from occurring in the workplace. 


Not following the plan

 Before starting to investigate, a plan must be created to guide investigators on how to approach this whole process. The investigation process must be outlined in the company policies and an additional plan should be created to address the current issue that the organisation is facing. Failure to do so could result in a disorganised approach to the issue and individuals being confused about who they need to investigate and when. 

 An effective investigation plan should explain what is being investigated and what evidence has to be collected. It should highlight who will investigate and what issues may be present during the process. It should clearly describe the resources that will be used to investigate and the timeline of all the stages. The investigation plan should also state the parties involved and when it is expected that the investigation will be completed.  

A lack of an investigation plan, or failure to follow one, could cause negative feelings to arise among the employees involved as it shows a lack of interest in the process. If the investigation does not follow policy guidelines, then why should employees comply with the policies and procedures? It may also result in issues with procedural fairness and compliance, or in the investigation failing to achieve its objectives as they are not clearly defined. While some steps in the complaint policies may be optional, the overall structure has to be distinctly outlined. An ineffective investigation plan could also lead to a delay in starting the investigation, a longer and more complicated process and, hence, longer turnaround times.


Not preparing for the interview

 Interviews are very important for building rapport and establishing credibility. The investigator will speak to various interviewees and it is important to collect as much meaningful information as possible. The most common mistake an investigator makes is not structuring the interview before asking questions. It is crucial that they take things one step at a time and they slowly ease into the interview. Effective questioning requires an investigator to have great listening skills. 

 As a result of the lack of structure, an interviewer might not be asking the right questions. They may not have looked at the case in great detail and they may be asking general questions instead of trying to find the root cause of the problem and understand what really happened. They could also choose to ask close-ended questions that do not encourage individuals to elaborate. Interviewers should let the witness share their side of the story and then follow up with open-ended questions based on what they said. 

 Another mistake investigators make is not keeping their composure during the interview or making assumptions. Even if the interviewer is certain that the person sitting across from them is lying, they need to handle the situation with professionalism and not behave aggressively. They have to be calm and treat them with respect. They should always look for ways to get their interviewees to open up to them and jumping to conclusions can have the opposite effect. People are less likely to talk when they feel judged or feel like they are not being heard. This is why an objective and neutral investigator plays an important role in the success of the investigation. 


Not collecting the appropriate evidence

 Evidence is key in every investigation. It can prove or disprove claims which is why it is necessary that interviews are conducted and physical evidence is gathered. In many cases, investigators may not collect sufficient evidence or they may neglect to collect evidence from both sources. They may only gather physical evidence or they may make decisions based solely on emails, texts and CCTV footage without asking for further information. 

 Gathering evidence before the interview process can lead to more fruitful interviews and better investigation results. However, not using interview notes and physical evidence to spot contradictions or false information could result in misleading conclusions. Failure to obtain sufficient evidence could be the result of a delay in initiating the investigation. Memories may fade and not all relevant evidence may be brought forward. 

 Parties in the investigation might forget to inform the investigator of additional data they have collected or might not remember how an incident occurred. The investigator should enquire about any potential sources of information that may exist including but not limited to direct evidence, circumstantial evidence and documentary evidence. 


The biggest mistake

 It is difficult to warn someone of where they could be wrong because they might investigate numerous allegations throughout their career. Investigators may not recognise their pitfalls and may not receive useful feedback during their investigations.

However, the biggest mistake an investigator could make is not having a case management system that will assist them during the investigation. Polonious is chosen by many businesses worldwide due to the many benefits that we offer. Flexible integration, the ability to track cases from anywhere at any time and real-time collaboration are only a small part of what we have to offer. If you want to learn more, we are happy to chat!


Are key risk indicators useful?



Key risk indicators (KRIs) can measure the level of risk a business is exposed to. They quantify the likelihood of a risk and the impact it could have on the company. They are an important part of risk management as they alert managers if the business is surpassing the acceptable level of risk exposure. Key risk indicators are useful tools when it comes to monitoring risk and assisting the business in taking action to mitigate and control threats. Indicators will change as risk changes, so they need to be observed carefully so that risks can be predicted with better accuracy.


How useful are key risk indicators?

Key risk indicators are metrics that can detect flaws within an organisation's risk management and help a business use its resources efficiently to control risks. If used effectively, key risk indicators can be beneficial in fortifying the business against threats. To develop effective key risk indicators, managers need to have a clear understanding of the company's objectives and know how to use technology to improve their risk management.

 The purpose of key risk indicators is to support decision-making: the warnings they provide help prioritise urgent matters. Because they detect the risks that apply to each objective, they can identify the obstacles that could hamper goal achievement and growth.

 Effective key risk indicators can be very useful in risk treatment and improving risk reporting. This is because they establish the risk appetite and exposure the company can handle so they enable leaders to adopt a proactive approach. When a company thinks ahead and is prepared, its response to risk will be better organised and more appropriate to the issue it is facing. 


How to design effective key risk indicators

To develop useful risk indicators the company needs to understand the root cause of the threat. To do this, they will need to examine the internal and external environment to obtain high-quality information. The organisation should try to include data on the processes and technologies that the business uses as well as the employees and any weaknesses the business has. 

The characteristics of effective key risk indicators are:

 Key risk indicators need to be quantifiable. They should be able to be expressed in numbers, ratios and percentages and they should have a limit or a range that they reach before warning the management of an issue. They should be accurately measured and meaningful. For example, a business may use a percentage to measure employee satisfaction with the current work culture or leadership changes. Another example could be the use of ratios such as the value at risk or quick ratio in the finance industry. The value at risk (VaR) focuses on the risk an investment carries while the quick ratio determines an entity’s ability to pay short-term liabilities, more specifically, it looks at its solvency.  
 It is important to remember that risks are dynamic. They are constantly changing, and so are the areas that are impacted and the likelihood of risks materialising. Key risk indicators should be able to predict the likelihood of a risk and the impact it could have on the organisation. The metrics used must be able to recognise how much a business can handle and alert the management as quickly as possible. 
Key risk indicators should be comparable over time and easily compared to industry standards. The numbers and percentages used must be simple to use for comparison among competitors. The business can also use them to analyse performance based on previous years’ numbers.
The KRIs must be directly associated with the risk they were created for. It should be clear how the information they provide was sourced, and they should not include data that is irrelevant to the objectives. The information obtained should be used so that decisions can be made accordingly. The risk tolerance levels must be assessed carefully to ensure that the key risk indicators provide a clear picture of the risk status.

Once these four characteristics have been established the KRIs can be designed. To create effective KRIs a business must:
 To identify the risks, their probability and their impact, the entity may undertake a risk assessment that prioritises the achievement of the main business objectives. This will help keep the KRIs relevant, as they will be created to identify what could prevent these goals from being achieved.
 There is not a specified number of KRIs an entity needs. It varies by organisation and industry and the number of risks a company is dealing with. However, the more key risk indicators a business chooses, the harder it is to track, monitor and review them. The company has to decide how many it can select based on the resources the business has available. Employers need to ensure that the KRIs chosen have all the characteristics that are necessary to be effective. They also need to ensure that the indicator chosen can detect the root cause of the threat. 

 Employers may choose to have key risk indicators for the whole organisation and then departments can choose to select their own for their area of operations. Employees undertaking the selection process need to be well-trained and knowledgeable to set acceptable risk tolerance thresholds and risk triggers. Once reached, these will warn the company of potential vulnerabilities and threats. 
 As highlighted, risks are dynamic. They can change over time due to external and internal factors, which means that the risk exposure of the business is also changing. It could decrease or increase, which is why it is crucial to remember that risk management is an ongoing process. It is not enough to identify and select KRIs; employers have to monitor and review them frequently. Observations should be reported to management as they will help with mitigation and strategic decisions. The business may decide to monitor some areas more closely, or it may decide to take action based on thresholds being exceeded. 
 Once the selection process has been finalised and the KRIs are being monitored, the company has to develop a response plan in case risks materialise or reach the KRI limits. Timely action will ensure that there is little business disruption and the business continues to operate normally. For example, the percentage of customers who do not pay their debts to the organisation may increase which leaves the business vulnerable to credit risk. The company should decide the best way to mitigate this risk and implement strategies so it does not happen again in the future. 

 A key part of an appropriate response involves the delegation of responsibilities. Deciding who is responsible for monitoring and reporting KRIs, who is developing an action plan and who is reviewing the KRIs is important as it prevents confusion. Good communication is essential for everyone to understand the severity of the situation and make effective use of the resources available. By assigning tasks to each employee, it is easier to mitigate the risk.


Challenges of key risk indicators

 KRIs can be very useful for the business but they carry challenges. It may be difficult to establish key risk indicators for every risk the company is facing. Management may also struggle to understand the risks fully and the source of the issues. This is because credible and meaningful information may be hard to obtain. There may be more qualitative than quantitative data available which, in some cases, can lead to poorly structured KRIs as the right information is not provided. 

 To have successful key risk indicators the business needs to have a well-organised enterprise risk management process in place. This will prevent key risk indicators from being developed based on assumptions or poor data. They may be created to monitor risks, but their development also carries risks of its own and requires a lot of resources. 

 Key risk indicators may sound easy to identify and implement, but they need a lot of accuracy to be effective. As they are complex, it may be difficult to determine the right thresholds and response plans. Thresholds may be created that are not easy to analyse, measure and compare, which makes them ineffective. Some organisations may neglect to track key risk indicators because they have chosen more than their resources can handle. 


KRIs and KPIs

 Key risk indicators are sometimes confused with key performance indicators. There are some differences between the two as well as some interconnection. It is always advisable to use KRIs together with KPIs, since a KPI that is not being met may be the point at which a KRI is triggered. 

 KPIs look at past performance data and whether the business is achieving the objectives that have been set. They monitor the performance of the organisation and shape decisions aimed at improving it. So they look at past and current information, but they do not show the full picture. Company performance may be increasing because of high-risk behaviour that results in higher returns in the short term but could have severe consequences in the long term. 

 KRIs try to predict the future by detecting potential risks. They take into consideration the objectives the business wants to achieve and assess what risks could prevent the company from meeting these objectives. They can warn the entity about current and future threats and as a result, help the company improve its KPIs. 


Are key risk indicators needed in your business?

 Key risk indicators are not suitable for every company. Managers need to evaluate whether they have the necessary resources available to create and implement them. However, there are many more aspects to enterprise risk management. Managers can choose to use different tools to assess uncertainty and protect their businesses. 

 Polonious helps its clients by providing them with a space where they can fill out risk assessments easily, with built-in calculations for risk ratings and colour coding to indicate risk priority. Companies can automate reminders for reassessment based on their chosen intervals and everything is managed through a central hierarchy so risks and treatments can be cross-referenced. If you want to learn more, request a demo!

Learn more about how Polonious can help you improve your business’s risk management. 

The importance of ISO compliance for your business

 ISO compliance requires a company to follow the standards set by the International Organization for Standardization (ISO). ISO compliance differs from ISO certification. An organisation is deemed compliant when the standards are met, but it may not be certified, as certification is a long and costly process that requires an audit. Some frameworks do not offer certification at all. ISO compliance can be very beneficial for businesses and it covers different aspects of the company. The standards are updated when necessary to ensure that organisations comply with the most relevant requirements. 

 Polonious is ISO-compliant and certified. We meet the highest international standards by meeting the ISO 27001 and ISO 9001 requirements. We undertake all audits and procedures necessary to ensure that we offer the best quality service to our customers. The audits performed to ensure Polonious achieves ISO compliance cover all parts of the Integrated Management System which concerns all our processes.


ISO Frameworks

The International Organization for Standardization has created different standards to cover a range of business processes. Before deciding to comply with ISO standards, it is important to understand how those apply to your business. There are various frameworks such as:

-ISO 9001

-ISO 27001

-ISO 22301

-ISO 37301

-ISO 31000

-ISO 45001


ISO 9001

 ISO 9001 focuses on quality management, which covers the quality of the products and services that a company offers to its customers. ISO compliance ensures that the business is continuously improving and adjusting its value proposition to meet customer expectations. This framework is followed by businesses in various countries and over a million of them are certified. Companies like Polonious that hold this certification prioritise customer satisfaction and consistency in the delivery of their services. 

 This framework was revised a few years ago and the newer version is ISO 9001:2015. The revision improved on the older version based on feedback, introduced new terminology and highlighted the importance of risk-based thinking and decision-making in business processes. To ensure ISO compliance, businesses must follow the requirements related to management, leadership and documentation. 


ISO 27001

 Confidentiality is crucial for every business, and storing information securely is necessary to protect customers and employees. For example, the recent Optus data breach involved an unsecured API pointing to a production environment – a simple error that could have been picked up if that system had been audited against ISO standards. ISO/IEC 27001 sets standards for information security management. By complying with the standards, a business manages not only its financial information but also the information provided to and by third parties. The requirements were created by ISO together with the International Electrotechnical Commission (IEC). 

 The framework acts as a guide showing businesses how to handle their data and their customers’ details. Polonious is ISO 27001 certified, as confidentiality and secure storage of evidence are crucial during an investigation. Being certified with this framework ensures that only authorised people have access to relevant information and that it is accessible whenever and wherever it is needed. 


ISO 22301

 ISO 22301:2019 Security and resilience focuses on operating a business with as few disruptions as possible, or none at all. The framework was recently revised in October 2019; the standards aim to improve Business Continuity Management Systems and prepare the company for possible threats that may materialise.

 In the past few weeks, numerous Australian companies have been hit by cyberattacks. These cause great disruption for businesses and can damage the relationship they have with their customers. This is what ISO 22301 tries to prevent. It aims to prepare employers to address current and future risks that their organisation may face so that damage from those threats can be minimised. 


ISO 37301

 Compliance is crucial for every business, and ISO 37301 tries to promote a compliance culture to prevent the negative consequences of businesses not adhering to laws and regulations. ISO 37301 replaced ISO 19600 in April 2001 and companies can now be certified with the new standard. Compliance management is very important, as non-compliance can be a threat to the success of an entity. It carries both short-term and long-term consequences, which is why ISO compliance is crucial in minimising this risk. The standards do not refer only to legal requirements but to adherence to ethical and social values as well. The standard promotes good governance, integrity and transparency within the organisation. 


ISO 31000

 While ISO frameworks overall focus on preventing threats from affecting the business or being present in the first place, ISO 31000 reinforces the importance of risk management in a workplace. If a company improves its risk management, then it is more likely that it will achieve its objectives and be successful.

 ISO 31000 looks at the probability of events, the factors that influence them and the potential impact they could have on the organisation. Unlike other ISO frameworks, this one cannot be used for certification purposes – though the methodology underpins much of the risk management in other standards, such as 27001. Compliance with it is voluntary and aims to help the business make smarter decisions, without any formal recognition beyond seeing better results.  

 ISO 31000 is often compared with the COSO framework but they have many differences that distinguish the two such as a different audience.

ISO 45001

 Workplace health and safety plays an important role in every business. ISO 45001:2018 provides standards for the management systems of occupational health and safety. Compliance with this framework aims to decrease or completely eliminate hazards at the workplace and prevent any injuries or threats to employee wellbeing. It promotes compliance with local laws and regulations concerning employee safety. By following the ISO 45001 standards employers highlight their commitment to providing a better environment for employees to work in. 


Is it worth it to be certified?

The main reason companies get certified is to show their customers that they value quality and follow the strictest standards in their business processes. They want to highlight that they are not cutting corners and that they undertake audits proving their commitment to risk management and employee safety. As certification is a costly and long process, businesses also show that they are investing in the quality of their product or service. 

 It makes it easier for consumers to trust them as they take steps to ensure they meet customer expectations. Ultimately, it provides the firm with a competitive advantage. 

To become certified a business must:

-Analyse its weaknesses

-Document activities

-Implement standards

-Apply for certification

 The business needs to determine in which areas it is lacking. Not all frameworks will apply to the business so they need to understand which areas need improvement and which areas can follow the standards necessary for certification. 

 Documentation is an important step in the certification process. The company needs to keep track of all the activities and actions it takes to improve its compliance and risk management. It also needs to record how the ISO standards are implemented. It can take a long time for the new policies to be implemented and for managers to ensure that the processes are carried out as required. 

 Internal audits can be performed to measure the effectiveness of the newly introduced controls, and they can be followed by external audits. If audits find non-compliance, the business should review its controls and implement new strategies. Once the business is satisfied with its ISO compliance, it can apply for certification against the framework. The time this process takes varies, but depending on the success of the company’s plan, it can take between 3 and 6 months. 


Benefits of ISO compliance

 ISO compliance is achievable for any company, no matter its size or industry. The different frameworks allow businesses to adopt a proactive approach to risks and reduce the possibility of being liable for incidents. ISO compliance reduces operational downtime and increases overall business performance.

 ISO compliance can be attempted without taking on the extra cost of certification, using the standards instead as a guide for business improvement – a valuable initiative even without a certificate to show potential clients. However, certification and the external audits that come with it provide checks and balances to ensure that no gaps are left – and management software will help with compliance regardless of whether certification is required or not.

 Employees feel better about the company as they are valued and protected, not only against physical hazards but also against threats such as cyberattacks. Business leadership is improved and resources are better allocated. The business will be able to achieve its objectives more easily and address concerns and risks faster and more effectively. The organisation as a whole will be more productive as employee morale improves and costs decrease. 

 ISO compliance reduces a company’s liability exposure and allows businesses to grow as they are well-organised to face risks. They become more efficient and are able to take on opportunities and work on their weaknesses.  

 The frameworks provided by ISO set the benchmarks for companies to comply with. Businesses should not limit their activities to ISO compliance. They should go beyond that and ensure that they are taking all measures necessary to protect their companies from threats. They should develop strategies so the entity is facing as few threats as possible. 


Final thoughts

 ISO compliance is not required by law. It is optional, but it has many advantages for businesses that use the frameworks as a benchmark for their risk management and compliance. ISO frameworks are reviewed every few years and a new version is then released, so businesses that comply with the standards can stay up to date with the newest vulnerabilities that threaten the organisation. 

 Polonious maintains its ISO certification by following strict international standards as we want to protect our customers during their investigations. We want to make sure that our customers receive the best quality service and are able to carry out investigations effectively while their information remains confidential. If you want to learn more, request a demo!

Learn more about how Polonious can help you improve your business’s compliance. 