Speak-Up Culture and Why Your Employees Struggle With It

Extensive studies and research in recent years have cemented the notion that having a solid speak-up culture at work generally results in improved outcomes for the organisation in everything from operations to communications and innovation.

However, it seems that the efforts of many organisations to build an effective speak-up culture have been largely unsuccessful, with data showing that most employees still struggle to speak up. In fact, a 2020 survey of a group of 6000 employees found that over 60% of them only ever spoke up about a few select issues directly tied to their role and, of this number, almost 20% never spoke up at all.

This should be concerning for all employers because the idea of a speak-up culture is not only about employees raising concerns or voicing their dissatisfaction – the employee voice also enables the valuable contribution of their ideas, opinions and thoughts towards forming opportunities for improved efficiency, better work outputs and overall company growth.

To understand what they’re doing wrong in their current approach, employers must first understand the challenges and barriers employees face when speaking up. Doing so will allow the utilisation of targeted strategies that encourage a team environment and employee culture in which workers not only feel they are able to speak comfortably but are encouraged to do so. 

Why you need your employees to speak up

The lack of employee voice in an organisation manifests in a range of consequences and untapped potential that inhibits long-term growth and success.

Some of the detrimental impacts of a limited speak-up culture include:

    • The establishment of a workplace culture that doesn’t allow for employee input and contribution. Fear of retribution pushes workers to stay quiet and agree with whatever employers or managers say or decide, even if they have better ideas.

    • Unethical workplace decisions are fostered where employees aren’t encouraged to speak up, as problematic behaviour, actions or speech go unquestioned and unchallenged, particularly when they come from those in positions of higher authority.

    • A lack of employee voice reduces the diversity and creativity of overall input in the workplace and results in team decisions that aren’t always the most optimal approach to the task or process at hand. By choosing to not speak up, employees aren’t able to bring their full potential to the table and the employers miss out on making the most of their talent, experience and knowledge. 

Barriers to a speak-up culture

Understanding the reasons why an employee might choose to stay silent or speak up in a particular context is difficult and rarely attributed to a single reason alone. Research suggests that employees are more likely to speak up and share their thoughts if they believe their contribution will have a beneficial impact on themselves and their organisation. However, if they believe that their opinions or concerns have the potential to put them at risk in some way, such as subjecting them to workplace discrimination, they are far more likely to remain silent.

This concept of the ‘social threat’ of voicing potentially controversial opinions or concerns and then facing the threat of workplace retaliation, is often cited as the greatest barrier to a thriving ‘speak-up’ culture. This is somewhat inevitable because no matter how strong the speak-up culture of a company is, it cannot grant complete psychological safety to employees who depend on it in order to put themselves in the vulnerable position of voicing a potentially contentious opinion.

Whilst some essence of this ‘social threat’ will always remain due to it inherently being a psychological phenomenon, employers can mitigate its impact significantly by one simple, consistent action: validation. Open validation of the opinions and thoughts of employees who are speaking up will slowly reduce the fear that employees may feel over time. This does not mean you always have to agree with the employee speaking up, but rather that you show you appreciate their input and take it into consideration.

The personality vs environment perspective 

Two of the key factors often pitted against each other when examining why employees are remaining silent in a certain workplace are personality vs environment. The perspective of ‘personality’ attributes an employee’s reluctance to speak to their inherent personality traits, such as introversion and shyness. In contrast, the perspective of ‘environment’ suggests that the workplace culture is at fault when an employee feels unable to voice their opinions. The workplace environment is thought to be one where the decision to speak up will result in negative social consequences. 

Both of these factors can play a role in the organisation simultaneously and understanding their effects can allow you to adapt and guide your strategies accordingly. When dealing with personalities who naturally struggle to speak up, employers can try and combat this with additional employee training or recruitment programs that focus on hiring individuals with a more proactive nature. If however, the issue is in the environment itself, the employer must work on changing the corporate culture to one that actively encourages and values the ideas and thoughts of their employees and considers them seriously. 

A study conducted by the Harvard Business Review found that both personality and environment had a significant effect on employees’ tendency to speak up with ideas or concerns. However, it concluded that a strong culture of speaking up, where employees were adequately encouraged and supported in doing so, could lead employees who didn’t usually speak up to do so as a result of the environment. This held especially true if there was an expectation at work for employees to speak up and others around them were openly sharing their thoughts without experiencing any repercussions.

This is great news for employers and suggests that if you want employees to speak up, the work environment and the team’s culture can allow you to achieve success regardless of any inherent personality barriers. Encouraging and rewarding speaking up can help overcome an employee’s natural hesitancy to speak up and in turn encourage those around them to follow suit.


To conclude, attempting to establish a successful ‘speak-up’ culture is not an easy endeavour for any organisation. However, consistently working towards a workplace environment where opinions and concerns are shared freely allows employers and employees to communicate better, make decisions faster, and build a more tight-knit culture overall.

Understanding the social threats that inhibit the employee voice and combatting them through actively encouraging such behaviour and rewarding workers for it will allow your organisation to find success when attempting to build a strong speak-up culture.

How to store the investigation evidence securely

 After a complaint has been filed that requires further research, the organisation should decide whether an investigation is needed. The investigation should start quickly as the evidence may be jeopardised the longer it takes to start the process. The evidence collected during the investigation should be stored securely after an expert has analysed it carefully. But how can a decision be made on what counts as evidence and what does not? And how can everything be stored safely while still being accessible? These are two important questions every business or investigator should be ready to answer as they affect the success of the investigation. 


Evidence necessary for the investigation

 The most common complaints that require an investigation are allegations of bullying, discrimination, harassment and fraud. While strategies may need to be implemented to lower cases of misconduct, it is impossible to discourage every single culprit. Employees should be encouraged to gather evidence and come forward with their claim as it will improve the overall environment and their experience at work. While data shows that 10% of Australian workers are bullied, the numbers could be higher due to people not feeling comfortable reporting or not having evidence to make a complaint. They may only be verbally attacked without any way to prove it. 

 Employers should educate employees on how to collect evidence if they are the victim of misconduct or they have observed fraud. This will allow the investigator to collect a wider variety and better quality of evidence. As there are many cases, the nature of the evidence may differ. There may be photos, videos, records, contracts, emails and other documents that the investigator will need to protect. 

 To ensure that the evidence stored is more accurate, it needs to be collected quickly and, ideally, at the time of the incident. For example, a photograph of the injury at the time of the accident may be more meaningful than a healed wound. Screenshots of online harassment should be taken on the spot before the accused can delete their messages. So it is important that all relevant evidence is collected before the investigation even starts. 

 Storing evidence begins before the investigation. It is not only up to the investigator to preserve information but to employees as well. 


Preserve evidence for the investigation

 Once the evidence has been collected and the pieces of evidence have been analysed, it should be clear which ones are needed for the investigation. The company must keep both direct and indirect evidence as they have their own advantages and can result in a better outcome. The selected documents should be stored securely during and after the investigation. Some steps to ensure that include:

-Maintaining confidentiality 

-Abiding by policies and procedures

-Training employees

-Choosing a safe place


Maintaining confidentiality

 Maintaining confidentiality relies on the investigator, the company and its employees. One person is not able to protect confidentiality on their own. It should be a group effort to make sure that the investigation is carried out successfully and without issues. What the investigator can do is explain to employees the importance of confidentiality and how it could impact the investigation and their work life if the information was leaked to third parties. They should inform them of the repercussions that may follow and how it will not be beneficial in any way to share information outside of the investigation. Employees should also be informed of the steps the investigator is taking to ensure that their identities are protected and that all evidence is stored safely. 

 Requiring employees to sign a written confirmation of confidentiality increases the likelihood that evidence will be stored securely and they will not be given to third parties. As employees may be the first with access to evidence, it is crucial that they are not tampering with data, trying to delete trails or telling outsiders what is happening within the investigation. The confirmation of confidentiality means that the staff members are aware of the severity of the situation and they are heavily discouraged from making evidence public. 

 One of the most effective strategies to keep the investigation and its evidence confidential is to conduct interviews in a secure place that is not frequented by other employees. This will prevent gossip from arising, prevent witness statements from being influenced, and protect the identities of the parties involved along with the contents of the investigation.

Training employees

 It is not required that employees are trained to store evidence securely. However, it is recommended as employees play a big role in the success of the investigation. In many cases, they provide investigators with the majority of information so knowing how to preserve evidence can be essential. When employees are educated on how to handle evidence until the investigation starts, it can lower the probability of information gaps or accidental contradictions. Everyone will have been informed on how to protect themselves and store all relevant information to prevent it from being stolen or accessed by a malicious third party.  

 Evidence-preservation training is not a program that needs to be undertaken regularly but modules should be offered often enough that a risk-aware culture is created. It will also improve the employees’ experience with the investigation as they are aware of what their rights are and what steps they need to follow. In some instances, this kind of training can encourage employees to speak up and report the issue as they feel confident that they have enough to prove that misconduct is taking place. 


Abiding by policies and procedures

 One of the main rules when conducting the investigation is to not use the original evidence during the process. The original document, photograph or video should be stored and a copy of it should be used to conduct interviews or establish credibility. Preserving the original evidence and working with copies has many advantages as it will prevent potential damage or loss of file. Having the original document can allow for more copies to be created but copies do not have as much power. 

 Policies and procedures should make it clear to what extent the company has access over company devices and in the case of deleted information, the IT department should try to find the details that were removed. Establishing clear policies and procedures can minimise the company’s exposure to potential legal consequences as the privacy laws will be taken under consideration. 

 They should also state who should have access to the devices and evidence once the investigation has commenced, as the more parties involved, the more likely it is that evidence will not be stored effectively. It must be highlighted that employees are not allowed to download evidence on their own devices, only on the devices used for the investigation. Taking relevant documents home should be prohibited and all relevant information should be kept in the investigation space or with the investigator. The parties involved should only be allowed to access the information in the case management system chosen by the company.

 It is also wise to develop a record retention policy as it can prevent evidence from being destroyed and will outline what is necessary for them to be retained securely. The retention policy may outline who is responsible for collecting, monitoring and disposing of evidence and for how long the evidence should be kept. It should also include how they will be destroyed once the time period has passed and how the copies will be handled as well. The retention policy must also describe how employee consent will be prioritised to ensure that employees are aware that their records are kept within the company. 


Choosing a safe place

 To store evidence effectively, it needs to be in the right form and place. If possible, all evidence should be converted into an electronic file so it is easily accessible and easy to store. If documents are stored in paper form, they will require a lot of storage space, the efficiency of the investigation will suffer and the documents may be more likely to end up in the wrong hands.

 Moving all evidence online has its own risks, as the company may be vulnerable to a cyber attack. The device used to upload them should be clean from viruses or malware and regular scans can increase the probability that the device is safe. However, it is not wise to store evidence solely on that device. It should be used to upload evidence online and create copies of the evidence to use during the investigation process. A smart case management system should then be chosen with strong passwords that will make it difficult for outsiders to access it and easier for investigators to carry out the process.

 This is one of the main reasons our clients choose Polonious. As we are ISO 27001 certified, we take information security very seriously and prioritise secure storage of evidence at all stages of the process. All information can be uploaded to our case management system and can be accessed anywhere and anytime by only those involved in the investigation. Investigators can store a wide variety of evidence, including videos, photos and relevant documents. If you are looking for a safe way to preserve your evidence, contact us


Keep in mind

 Storing evidence for investigation securely requires many steps and it is a complicated process. What might apply in one investigation may not apply to another. The company and the investigator must strive to work together to ensure the best possible outcome. 

How to Increase Cybersecurity Awareness in Your Workplace

A report by the Identity Theft Resource Center (ITRC) found that between 2020 and 2021 alone, there was a 68% increase in cyberattacks on companies that had the potential to compromise sensitive data. Such a figure poses major concerns to any employer who understands the importance and impact of strong cybersecurity in the workplace. 

With the lingering impacts of the Covid-19 pandemic and the continually rising popularity of remote work, having employees well-versed in cybersecurity has become paramount in ensuring that your company’s confidential information and intellectual property remain unthreatened and secure.

Taking active measures to ensure your employees are educated and trained to practice cybersecurity within their daily work processes is an important step forward in safeguarding the organisation against potential security threats.

There are many approaches to accomplishing increased cybersecurity awareness and the methods you incorporate will depend on your specific needs, employees, goals and current methods. It’s important to take a holistic approach that covers the varying aspects of digital security to ensure that all employees, contractors and suppliers understand how to prevent, identify and mitigate risks effectively. 

Detailed below are some of the strategies you can incorporate as you work towards a more cyber-aware workforce.

Ways you can increase cybersecurity awareness among employees

1. Be as clear and transparent about cybersecurity as possible

In order for employees to take cybersecurity seriously, they must first understand the importance it holds and the company’s policies and regulations regarding it.

    Cybersecurity awareness should be included in all relevant aspects of the employee experience. In particular, the employee onboarding process should set the expectation for the policies and processes they must follow to mitigate any security risks that may accompany their role.

    Making sure that you communicate the importance of each individual employee in threat detection and prevention can help encourage them to be more conscious about following cybersecurity protocols. For example, focusing on their personal computer and networks when dealing with external threats focuses the issue onto their individual actions which helps them to relate to the risk on a personal level. 

    Communications surrounding cybersecurity should also be diversified, especially when there is an active threat targeting company systems which employees must know about as quickly as possible. Relying on email alone is not only inefficient, but it can also seriously expose the organisation to threats if the message simply gets lost amidst the abundance of daily correspondence. Combining emails with other methods such as security alerts on systems and verbal communication from managers will help ensure that cybersecurity news is spread quickly and efficiently.

    When communicating with your employees, try to use simplified language in place of technical jargon. This prevents confusion and makes sure all employees are aware of what’s happening, as not all of them will be technically inclined or be familiar with the company’s processes or current situation.

    2.  Keep track of devices with access to company systems 

    With over 60% of employees having access to company data and information through personal devices and 15% of security breaches resulting from missing or lost devices, having strong cybersecurity awareness and policies in place is necessary for employers.

    All employees should be trained on best practices when accessing company data and systems through either personal or corporate devices and understand the guidelines which govern their usage.

    Some key points to consider when attempting to educate employees on secure device usage include:

        • Having a strong BYOD policy in place which outlines how personal devices may be used in relation to work-related tasks
        • Reminding all employees that authorised usage is confined only to them and letting partners, kids, friends and coworkers use the device can increase exposure to a threat
        • Educating employees on what is considered personal or company-related usage of the device
        • Ensuring employees understand why and how company devices may be monitored for their usage and be subjected to certain restrictions 
        • Making sure that all devices are updated regularly to meet any new security requirements and/or updates
    3. Train employees to identify cybersecurity threats 

    Beyond understanding the importance of cybersecurity, employees should also know how to identify potential threats that could result in a data breach. Training them to pick up on signs of suspicious activity will help them pick up risks earlier and manage them before they cause serious harm to the organisation. 

    When these signs are noticed, they should be reported and investigated as soon as possible so steps can be taken in the scenario the threat poses genuine concern and is serious. Examples of potential threats to watch out for and avoid include:

        • Suspicious emails (unusual content, sense of urgency, grammar and spelling errors, unfamiliar domains)
        • Pop-up or ad alerts that claim the device’s security has been compromised 
        • The device suddenly slows down, lags or stops responding to your mouse or keyboard commands
        • Any offerings of free money, prizes or products
    4. Secure all passwords and digital tools

    Remote work combined with the usage of personal devices can result in employees falling complacent when it comes to following best practices for passwords, which have a strong influence on maintaining strong cybersecurity. Make sure to educate and remind your workers on following password protocols and put in strategies to ensure the integrity of authentication methods you’ve implemented on a regular basis.

    A few ways you can do this include:

        • Ensure that your cybersecurity offboarding process includes changing all relevant passwords when an employee leaves the company
        • Have regular password changes conducted on all organisational tools
        • Implement two-factor authentication for increased cybersecurity 
        • Advise against using one password for multiple purposes
        • Use regular training as an opportunity to educate employees on strong vs weak password practices and their consequences through real cases

    To conclude, employee awareness of best practices for cybersecurity and knowledge about how to address and mitigate risks is increasingly important, particularly in an era of remote work and constant online communication.

    As an employer, taking steps to educate and train your employees about workplace cybersecurity allows them to understand the individual role they play in protecting the company against data breaches.  To encourage strong cybersecurity awareness, your approach and message should be consistent, easy to understand and effective in conveying the significance of the issue.

    What’s the difference between indirect and direct evidence?

     Workplace investigations will require different types of evidence to be collected. This includes indirect and direct evidence. They are important in workplace investigations as they give proof of whether something happened and will assist the investigator in reaching a conclusion. Some pieces of information may be more relevant than others and may give a clearer picture of what occurred. However, the investigator should try to collect as much evidence as possible to avoid an incomplete or biased conclusion. While a hierarchy of evidence may sometimes be used, it usually depends on the quality of the information. This is where indirect and direct evidence come in. 


    Difference between indirect and direct evidence

     A workplace investigation may require eyewitnesses, CCTV, photos, messages or other online media. It is crucial then that there is a clear link between the evidence and the incident. 


    Direct evidence

     Direct evidence proves a fact; it shows that something happened. For example, an employee seeing another employee committing fraud is something they directly witnessed themselves. Direct evidence includes observations, CCTV or computer software that can show whether an individual committed misconduct or not. It also includes the statements of the main parties involved.

     Direct evidence proves a fact first-hand and in some cases, there is little room for bias. Witness statements are one of the few instances where evidence may be influenced by bias. Recalls of events can be either orally recorded or written. As time passes, witnesses’ recounts may be influenced by other recollections of the incident which may result in a misleading statement unintentionally. So even though direct evidence can be used to prove an incident happened, sometimes it is not fully trustworthy hence why indirect evidence is needed. 


    Indirect evidence

     Some investigations may not have direct evidence at all. There may be no witnesses or CCTV that links a person to a crime. The investigator may need to make a conclusion based solely on circumstantial evidence. This leaves more room for error which is why it is crucial that the right individual is chosen to conduct the investigation. Indirect evidence can refer to a series of events that lead up to an incident, such as witnesses reporting the behaviour of an individual leading up to an event. Certain reports may have been submitted incomplete or with errors on previous occasions. However, even though they may be used during the investigation, they need to be supported by other sources. 

     This is because indirect evidence can indicate that an event occurred, for example, CCTV showing an individual entering the room at the time of an incident. It does not show that they are guilty of misconduct, but it makes it likely. From indirect evidence, the investigator can understand someone’s involvement in the incident, but cannot draw a conclusion solely from them.



     Indirect and direct evidence need a safe place to be stored during and after the investigation, for as long as necessary. Polonious offers its clients a safe place to store all their documents, CCTV, videos, images and other relevant information. Investigators can access interview notes, schedule new interviews and access everything from anywhere, anytime. We are ISO 27001 certified, which reinforces our commitment to secure storage of data during the process and keeping all details confidential. If you want to learn more about what we have to offer, request a demo!

    Where are they similar?

     Direct and indirect evidence may be different in many cases but they are similar in the sense that they follow the same rules. Both indirect and direct evidence need to be of high quality. They need to be reliable and there needs to be sufficient evidence to determine the outcome of an incident. Sufficient information collected from multiple sources can meet the standard of proof, so an incident can come to a certain result rather than a dubious one. 

    As a workplace investigation is usually a civil matter, the ‘balance of probabilities’ applies which means the investigator needs to analyse all evidence carefully and decide whether it is more likely that the accused behaviour or incident occurred than not, rather than proving ‘beyond reasonable doubt’. This makes indirect evidence more useful, though it is also possible to prove a case beyond reasonable doubt with indirect evidence. 

     To come to a conclusion, all evidence needs to be consistent. It should all point to the misconduct taking place and the individual accused being responsible for it. There should not be another potential candidate that may have committed the incident. For example, in a discrimination case that happened online, it should be clear that the employee accused was the one sending the messages and not someone pretending to be them.

     All evidence, whether direct or indirect, needs to be obtained legally. The company should not breach any laws or regulations to collect evidence and should clearly state how they found it. For example, in some countries or states, the use of audio recordings is not considered legal. Moreover, all evidence should be relevant to the case being investigated and should contribute to the outcome in some way. 


    Something to remember

     Indirect evidence is not less reliable than direct evidence. However, they have to be very strong to prove a fact and help reach a conclusion. An ideal investigation will have a combination of indirect and direct evidence that will help an investigator reach an accurate result. The investigator should assess what evidence is more credible than other evidence and try to spot potential contradictions. Indirect and direct evidence can be both very helpful in the case and should be treated with the same level of importance. This also extends to their storage and collection. All evidence should be stored securely without the possibility of being accessed by third parties. 

     Polonious’s detailed security configuration ensures that all evidence and the confidentiality of those involved are protected. We offer our clients a place where they can upload all relevant data so they can access them from one single place anytime they need to. We can assist in the investigation of internal matters such as bribery and corruption, discrimination and other fraudulent activities. Do you want detailed reporting and no security gaps? Reach out!

    The hierarchy of risk control

     Risk control can assist in minimising operational disruptions and increasing workplace productivity. It is one of the last steps of risk management. Risk management involves a business estimating the probability of a risk occurring and the impact this risk could have on the business. Mastering risk management is a challenging task. Businesses need to make a risk versus reward assessment to determine which decisions are worth taking and then conduct a risk assessment to understand how to manage the threats. 

     Risk control is implemented to change the impact or likelihood of the risk. It may also slow down the speed at which a threat is progressing. For example, if a financial loss was expected at the end of the year, appropriate risk control measures could be taken to push it to next year and give the company time to prepare. All businesses need effective controls to maximise their growth.


    The hierarchy of risk control

     Risk control has many stages as every threat is different and needs to be handled carefully. One strategy will not work for all risks so employers need to be creative and have great analytical skills. If a strategy worked in the past, it is not guaranteed that it will remain effective. As time passes, risks develop and change in nature. Even though the type of the risk may remain the same, its root cause might change, hence requiring different measures to address it. 

    The hierarchy of risk control looks at the following:

    -Elimination

    -Substitution

    -Isolation

    -Engineering Controls

    -Administrative controls

    -Personal Protective Equipment



     The most preferred risk control is to eliminate the risk completely. Most companies wish to manage risks by ensuring that there is no possibility for them to materialise. The most common way of eliminating a risk is either making a different decision or taking steps to ensure higher risk control. For example, cables could be a health and safety hazard. By moving to cordless equipment, cables around the workplace could be restricted to solely be under the desk so they are not a hazard anymore. Removing the risk from the workplace is not always an option. 



     If risk elimination is not feasible, then risk substitution is the next best option for risk control. Risk substitution requires managers to find a safer way to complete a project or a task. Solvent-based ink may be replaced with soy-based ink when possible to prevent print head nozzles from being blocked. While risk substitution is used as a safer alternative, the substitute may have its own risks. The team needs to assess whether the advantages of the replacement outweigh the disadvantages.



     Risk isolation involves employees being shielded from the risk. The threat is kept away from staff members so as to make the working environment safer. For example, closing off an area can separate workers from the hazard. Risk isolation is sometimes not included in the risk control hierarchy as it is similar to engineering controls.


    Engineering controls

     Engineering controls also look at how the hazard can be isolated but involve the creation of tools to make this happen. For example, a spam filter is a tool that businesses use often. The spam filter can isolate emails so that they can be inspected using a different system and do not end up in an employee’s inbox, which reduces the chances of cyberattacks. Engineering controls do not completely eliminate the risk; they just reduce the possibility of it impacting the employees and business operations. 

     To implement successful controls, the business needs to assess the type of exposure it is facing and how employees are vulnerable to the risk. It can then change aspects of machinery, workflow or software that will contribute towards a safer working environment. 

     For example, automating parts of the organisation’s workflow can reduce the risk of human error. This is one of the main reasons our clients choose Polonious to manage their investigations and risks. Action items for risk treatment are automatically created, along with reminders for reassessments. During many investigations, case reports can be completely automated using data, documents and images added during the investigation process. 


    Administrative controls 

     Administrative controls require the employees to be well-informed about potential risks associated with equipment, projects and everyday tasks. Policies and procedures can support employees with their work to reduce their exposure to risks during certain tasks. The use of signs is a common administrative control as it warns employees of potential danger. 

     Employees need to be trained thoroughly to recognise vulnerabilities and know how to deal with them. This will assist in minimising the impact and likelihood of the risk on their health and well-being. Employees can cooperate with their managers to develop the best strategies possible and then create effective training programs. The training they receive should make it clear what they have to follow to ensure a safer working environment.  For example, instructions on how to use equipment can reduce the likelihood of injuries and performing regular maintenance on machinery can prevent any incidents from occurring. 


    Personal Protective Equipment (PPE)

     PPE is the last option for risk control, with regard to physical risks. If the business has tried to eliminate, substitute and isolate risks and none of those have worked then they focus on protecting employees from the hazard. To create or choose the right equipment the business needs to assess carefully what the risk is and to what extent employees are exposed to it. An example could be ear plugs in a very noisy environment to protect an employee’s hearing. Once chosen, employers should ensure that employees know how to use the PPE correctly and that it is suitable for them. They should emphasise the importance of right size equipment and should encourage employees to ask questions if they are concerned about the use of PPE. 

     In some instances, businesses may require the use of more than one PPE. For example, if working with chemicals, employees may need to use protective glasses, gloves and a protective suit. Each piece of equipment should be designed so that it does not reduce the effectiveness of the others. PPE should be worn for all tasks found to be a risk to employees, even if they last for a short period of time. 


    Advantages of effective risk control

     Risk control is essential for all businesses. Risk control can promote growth as business operations are not disrupted and everything is running smoothly. Growth is also realised through efficiency and more informed decision making. By controlling the risks the organisation is facing, workplace safety will increase and injuries or incidents will be prevented. This will then translate to fewer unnecessary costs for the entity and higher productivity. If employees see that the business cares about them and has strategies in place to protect them, they feel valued and their morale is improved. 

     From a legal perspective, risk control can show that the business has taken every step possible to manage the risk and prevent it from impacting the company and the workers. It can highlight how seriously the organisation takes risk management and, if the worst case scenario occurs, it will be evident that the business took action to prevent it. The unnecessary costs the business will avoid relate not only to employee injuries but to legal compliance as well. Entities with strong risk control are less likely to pay fines or penalties and less likely to be involved in a lawsuit. 

     Strong risk control is always supported by great communication and regular reviews. Management needs to talk to staff at every stage of the risk management process and ensure they understand what is happening. This will help shape the training of risk control to increase its effectiveness. Monitoring and regular reviews of the risk control measures can enable the business to create a better working environment as current strategies are evaluated. These evaluations may indicate that modifications are necessary to the current strategies or that new measures need to be implemented. They ensure that the business stays up to date with the relevant threats that it is facing and always adapts to the shifting risk environment.

     Note, however, that it’s not possible to eliminate all risks without avoiding an activity entirely, or spending limited resources. It’s important to maintain a priority list of risks and ensure that as many risks as possible are brought within accepted thresholds. For example, spending all your resources moving a low risk to a minimal/eliminated risk may leave you without resources to reduce a high risk. It’s important to maintain an overall picture of your company’s risks when deciding what controls to put in place and how to spend your resources on any one risk.


    Keep in mind

     One of the most important parts of risk management involves reminding employees and the company that it is an ongoing process. There have to be multiple discussions on how risks can be handled and input from staff should be greatly encouraged. Having effective risk management requires the business to look at the information it has and analyse it carefully so it can improve. On top of that, risk control could be enhanced if the managers making the final decisions are experienced and knowledgeable. Greater experience of risk management leads to better decisions as the managers have probably faced something similar in the past and are familiar with the threat. 

     Polonious can assist in your company’s risk control by helping you manage all risks from one place. We can help you link multiple assets to relevant risks and automate certain parts of your processes. Polonious allows those involved in risk management to access their data from anywhere, anytime, whether they are online or offline. Do you want reduced administrative effort and a more efficient process? Get in touch


    Differences between an internal v external investigation


     When allegations of misconduct surface or when complaints are lodged to the company, managers will look to resolve the issue as fast as possible. In cases where a resolution is not easily reached, the organisation needs to decide whether it needs to conduct an internal or an external investigation. Not all incidents will have the same severity but employers need to act quickly and determine their course of action. Before making the decision on whether an internal or external investigation is required, the managers need to look at the differences between the two and the suitability for the case. 


    Differences between an internal and external investigation

     There are a number of things that influence the decisions managers make. Costs, goals and time restrictions can highly impact whether an organisation chooses an internal or external investigation. The main areas in which they differ are:








     In internal investigations, objectivity is often questioned. The person conducting the investigation is seen as wanting what is best for the company, not the employees. Staff may not feel comfortable talking to someone within the company as they may fear they will land in a worse position than the one they are in. The person in charge of the investigation may be familiar with some employees which could unintentionally influence their behaviour and thoughts. This could lead to a biased process as the investigator may regard one person more highly than the other. 

     In an external investigation, the investigator does not work for the company and even though they are paid to carry out the process, the result does not impact them. Customers usually believe that external investigations are more objective than internal, as there are fewer chances of conflict of interest and the investigator does not know the employees. Independent investigators are usually hired for cases of unfair dismissal for this reason.



     Internal investigations require HR staff to focus temporarily on carrying out the process. However, this takes time away from other tasks and work duties. As a result, some steps of the investigation may be skipped or not given enough importance. HR may not see the pre-planning of the investigation as an essential task and there may be a delay in starting the investigation as other duties are prioritised. The delay could be harmful to the success of the process as witness recounts may be influenced by outsiders and certain events are forgotten. 

     In an external investigation, an independent individual is hired only for the purpose of conducting the investigation. This means that they can focus on this task solely and not be distracted by irrelevant matters. If the company acts quickly, there will not be a delay in initiating the investigation and a clear timeline can be established. 



     Internal investigators are more familiar with workplace policies. They know the procedures they need to follow and what laws they have to comply with. However, they may lack experience in conducting an investigation in general or for a particular incident. They might face issues they do not know how to handle and they might lack knowledge in carrying out every step of the investigation. In some cases, being inexperienced and making mistakes during an investigation can be very expensive for the organisation. It could lead to lawsuits, increased costs and a damaged reputation, all consequences that businesses want to avoid.

     External investigators usually work for a firm and are certified. They have probably conducted numerous investigations in the past and have more experience with the process. They may not be familiar with company policies but since they have worked with different organisations, they most likely know how to follow them while also complying with relevant laws and regulations. This stresses the importance of choosing the right investigator for the job and doing some research before making a decision.  



     Internal and external investigations are used for different kinds of incidents.

     A low-risk incident is usually handled with an internal investigation as the issue is not as serious. These types of investigations tend to be shorter in length and easier to navigate through. Internal investigations are also preferred for low severity allegations due to the lower costs they incur. Businesses may not have time to spend researching for an external investigator or spend money on unnecessary expertise. For example, a one-time harassment issue is something HR managers can look into. 

     External investigations are usually needed for serious misconduct and situations where the business’s commitment to the investigation could be questioned, such as the unfair dismissal case we mentioned. An external investigation is also required if the incident is related to work culture or is very complex. This is because an independent investigator will be able to give a new and fresh perspective on how things work and uncover if something is wrong. 



     Internal investigations tend to attract less publicity as it is less likely information will be released to the media. On the other hand, an external investigation is more likely to be picked up by the media. 

     If both go public, customers will see them differently depending on the result. A poor internal investigation could be seen as biased and as the business not putting in enough effort. A poor external investigation could be seen as the business not choosing the right people. 

     A properly done internal investigation highlights that the company takes its working environment seriously and values its employees. A successful external investigation is seen as the company being committed to ensuring procedural fairness and a professional process.

     The publicity of both types depends heavily on how well the business manages the process.


    What they need to have in common

     While there are differences between an internal and external investigation, there are some elements that both must have in common. Those are:

    -Confidentiality

    -Encourage reporting

    -Reinforce policies 



     While the investigation going public is not necessarily a bad thing, the details of the people involved should not be shared with anyone. The company has a duty to protect its employees for as long as necessary. In some situations, the company may be required to release information once the investigation has been completed. However, during the investigation, the managers and investigator should work together to prevent any gossip or rumours from spreading as this could damage the reputation of the employees involved. Their reputation and mental health are very vulnerable during the investigation and details going public could be detrimental to their career.

     Managers should stress the importance of keeping everything private and the consequences that will follow if data is leaked on purpose. If details about the investigation are leaked it could not only affect the process but the team members or co-workers. This is why information should not be discussed with outsiders or anyone else who is not involved. Lack of confidentiality can damage the trust employees have in the organisation and potentially discourage others from speaking up and reporting incidents. 


    Encourage reporting 

     An investigation can show employees that all complaints are taken seriously. It can emphasise how the organisation wants employees to feel safe and comfortable in the environment they work in. To encourage complaint reporting, the business should ensure that the investigation was conducted fairly and made a change in the company if required, or if no misconduct was found they should be able to clearly and fairly explain why. This will tell employees that if they speak up, the problem they are facing will be addressed and corrective action will be taken if wrongdoing has been found. 

     Just like with the investigation, an effective reporting system should be confidential so staff feel more confident. If it is not private, then employees may feel like they will be targeted for reporting something inappropriate. Once a supervisor has looked into the complaint, they can decide how to handle it. In some cases, the employee can be called forward for more information to achieve a better outcome but that only happens if they are willing to. 


    Reinforce policies

     A well-executed investigation can reinforce the importance of policies. Policies exist to protect the workplace and guide procedures like an investigation. By conducting either an internal or external investigation, the company emphasises that compliance is required, otherwise repercussions will follow. Organisational values may be reviewed during the process to ensure that they align with the goals the company is trying to achieve.

     Investigations can also be used to strengthen the current policies in place and implement new ones if needed. They can spot weaknesses that can be used to enhance policy compliance and greater coverage of issues. 

     The reinforcement of policies should lead to a healthier work environment and a more positive workplace culture where illegal or unethical behaviour is discouraged and reported.


    Don’t forget

     The health and well-being of employees along with confidentiality are a priority during any investigation. If an organisation fails to protect its employees then negative publicity will follow regardless of the outcome. An internal and external investigation have their own differences but the managers should analyse every complaint separately in order to make the right decision. Just because one type of investigation is appropriate for one problem it does not mean it should be used for the next. 

     Polonious assists businesses with both internal and external investigations. While our clients focus on investigating fraud, bribery and misconduct allegations, we focus on keeping all their information confidential. Polonious provides detailed security configuration that ensures all investigations are highly confidential and we assist our customers to save administration time and costs. Do you want a more productive investigation with faster turnaround times? We are here to help. Reach out!
