Why project management apps fall short for investigation management

Why project management apps fall short for investigation management

How Polonious compares to project management apps

How Polonious compares to project management apps

Many organisations end up relying on SaaS and other project management apps to handle their case and investigation management.

In the race to collaborate quickly, project managers offer an easy way to start a case management journey, but fall short when it comes to the complexity of properly dealing with investigations.

Let’s take a look at how project management apps fail to offer the features and compliance of an investigation management system.

 

Starting from scratch

If your team is tasked with managing projects that relate to customer case and investigations then SaaS project management apps like Trello and Basecamp look like great starting points.

Teams realise they need something that is online and collaborative, and all members need to work together. They also realise that it is a case management and workflow challenge they are facing, which are often not met by office documents.

Project management apps often have complete to-do lists, the ability to record statuses, and can add participants in an ad-hoc manner: All of which are key attributes you need in an investigation system.

Many also allow you to collect artifacts like images, videos and documents.

SaaS project managers are generally available and people will use them because they require little, if any, procurement process. They are used throughout the business for general things like customer support, which can morph into “case management”.

This is how organisations typically end up using SaaS project managers for case and investigation management.

 

Discovering the drawbacks

While easy to procure, and offer some positives, there are numerous disadvantages with project management apps for investigation management.

What they generally lack is rigour. One of the key things in investigations is understanding how you arrived at the conclusions you make.

At numerous steps along the way key decisions have to be recorded as to whether you proceed or don’t proceed and how you proceed in an investigation. And the people making those decisions and their reasoning have to be auditable.

Project managers generally follow a predefined process, but those processes are not designed to ensure procedural fairness, regulatory compliance or track provenance of evidence collected.

They also lack the detailed compliance requirements and controls which would have to be added into the system and maintained separately.

For example, project managers often enable users to delete comments and documents without having a full audit trail, or the ability to recover those documents.

 

But I’m already using a project manager for investigations…

If you are already using project management apps for investigations then you need to be wary of the pitfalls.

At their core project managers address some of the requirements for investigation management, but they lack the focus of an investigation management tool miss many of the features you would find in a dedicated application.

The reality is there are not many benefits to using a project tool for investigation management as they quickly struggle with the intended purpose and often lack the ability to cross reference entities that are involved in multiple cases.

For example, simple things like sharing documents and applying security often results in you having to apply this to every case which requires a lot more manual work.

 

Moving up to dedicated investigation management

If you find yourself using a project manager for investigations look at moving to a purpose built system to avoid a lot of headache and compliance problems in the future.

A big problem is getting the case data out of the SaaS project management app and then being able to use it for better investigation management, so be wary of that if your team is starting to rely more on project managers.

Another thing to note is separating the cases that have more compliance requirements, these are likely to demand proper investigation management as you grow.

Additional steps to take include:

  • Identify the key risks that need to be managed within the process such as the ID of vulnerable people, protection of whistleblowers, regulatory reporting requirements.
  • If you need to conduct cases within a legislative framework.
  • Getting the right stakeholders. Are the right people in your organisation seeing the case data and what should be deemed an investigation?

It is rare that a project management tool has the ability to share data well outside the project team.

Polonious can share data with all of the participants involved appropriately whether they are working as part of the team; line managers or senior management; or external suppliers and vendors; and even participants in the process such as claimants and customers.

With proper investigation management you can be transparent without exposing restricted data outside those who should have access.

5 Tips for Setting Up an Effective Whistleblower Hotline

5 Tips for Setting Up an Effective Whistleblower Hotline

Whistleblowers are often depicted as controversial figures (as evidenced by the media’s portrayal of Edward Snowden) and some even go as far as to call them traitors. In the workplace however, these groups of individuals should be hailed as heroes, as they are key in preventing internal fraud from occurring and are a huge asset to their company. 

In fact, 49% of serious misconduct is reported by a colleague

Therefore, companies should endeavour to create a safe and effective means for whistleblowers to call out this serious misconduct. This blog will outline (number) tips for setting up a whistleblower hotline that employees will feel comfortable using, and that management can easily create investigation reports with. 

1) Consider Whether An Internal or External Whistleblower Hotline is Appropriate

The first decision any company needs to make regarding their whistleblower hotline is whether it should be run internally or externally. Should it be operated within the company or subcontracted to an external source? Both options have its benefits and downsides, which management must consider before they can start investigating internal fraud reports.

An internal hotline is often run by the company’s HR or internal audit department. The advantages of this strategy are that it eliminates the need for a middle man, so the company can speak directly with the whistleblower and get all the details directly from the source. It also prevents information leaks that could damage the company’s reputation, since all reports are kept within the company. However, conducting the hotline in-house will involve many considerations, such as budget, resources, implementation, training and policies among others. 

On the other hand, an external hotline is developed, implemented and operated by a third party, and avoids many of these considerations. They often offer a 24/7 multilingual service, with quick response times and employees may feel safer knowing they are talking to an independent third party. The downside is that there is some risk some of this information may be leaked to the public since it is not under the direct control of the company. 

2) Have Different Communication Channels

If your company does decide to set up an internal whistleblower hotline, you must then consider how your whistleblowers will communicate to management. Although the term “hotline” implies that employees can only report internal fraud via the phone, whistleblower hotlines can contain a variety of communication channels that will help management become aware of potential concerns. 

In today’s world, there are so many different ways to connect with others, without even speaking to them. Social media has completely changed the way we interact with one another. For the more tech-savvy younger generations, it is rare for them to pick up the phone and talk to someone, unless it is a close friend or family member. In the context of whistleblowing, it is important that companies create a reporting channel that employees are comfortable with using.

Younger employees may feel anxious about making a phone call to report internal fraud. There are many factors that can induce fear and prevent employees from picking up the phone, which can include:

  • Fear of revealing their identity
  • The serious nature of the phone call
  • A hesitation to pick up the phone
  • They are speaking to someone they don’t know

Furthermore, the quality of the investigation report will be highly dependent on the training and skill of the person on the other side of the line. Hence, it is vital that companies implement different communication channels besides a phone-based hotline. 

Companies should include an online platform with a web-based form as part of their whistleblower hotline, which employees can fill in and report any internal fraud that they see. Not only will this allow for easy categorisation of complaints, it will also give the employee the piece of mind that they can express themselves without being put on the spot. 

As alluded to above, there is also no third party who may get the details of the report incorrect, so the company can work directly with the whistleblower. Additionally, an online platform can include an anonymous chat function that the case manager can use to build trust with the employee and ask further questions if necessary. 

For employees who do not wish to remain anonymous, another whistleblower communication channel that companies should include is in-person reporting. Often the chance to speak directly to another person about the matter will help the whistleblower come forward with their information. The main benefit for the company is that they can easily follow up with the employee throughout their investigation for more information or to update them on the status of their investigation. 

 

3) Implement a Case Management System

One critical component of any whistleblower hotline is a case management system to complement it. Once a report has been made, a company must swiftly investigate the issue, determine the appropriate course of action, then implement it within the company. This is where Polonious can help. 

Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely. Our detailed security configuration will also ensure that you can keep whistleblowers fully anonymous, or known only to an external or internal whistleblower team, depending on the level of anonymity requested. We can then help generate an investigation report for you at the click of a button.

Polonious’ configurable workflows ensure a fair, consistent, and compliant process for all internal investigations.

4) Know What Metrics You Are Using

Your company should now have an efficient system of collecting whistleblower reports and investigating them in a timely manner. The next step is the measurement of certain metrics, which allows companies to gain insights into their hotline and make informed decisions to optimise the process over time. Some of the most essential metrics are discussed below.

Cases Over Time

A fundamental metric that any whistleblower hotline should include is cases over time. Although it is a common belief that the less cases of whistleblowing the better, managers should actually be concerned if they receive no reports. It is unrealistic to believe that absolutely no internal fraud is occurring within a company, and whistleblowers are central to uncovering this internal fraud. 

More cases being reported may indicate that the program is working and employees feel comfortable using the communication channel. If there is a downward trend in cases, this may point to employees not embracing a culture of compliance. 

Displaying cases reported over time in a graph will also allow the case manager to easily discern if there is seasonality in cases, or if certain events trigger employees to report cases. 

Cases by Department

Another key measurement is where in the business the cases are being reported from. If a specific department is reporting more cases than others, this may be a signal that there is poor training or a culture of corruption within the department. Management can therefore be agile and make adjustments to the department. 

Cases by Channel

By measuring where cases are sourced, a company will have a better understanding of which channels employees prefer when reporting internal fraud. This metric can be combined with the above two metrics to discover if employees prefer a channel at a certain time, or if one department prefers a certain channel over another. It will reveal insights into which channels are easiest for employees to engage with. 

Anonymous Ratio

A useful metric to keep in mind is the number of anonymous reports compared to non-anonymous reports. If the majority of reports come from anonymous sources, this may suggest that employees are afraid of speaking out and facing retaliation. Although not a direct correlation, this ratio can point to the culture of compliance within the organisation. 

 

5) Ensure Clear Messaging from Management

Once the whistleblower hotline has been successfully implemented within the company, management must then let their employees know about it. The messaging from management should clearly emphasize the importance of speaking up and promote a culture of compliance.

This will motivate employees to use the hotline whenever they see something out of line. The more they use the hotline, the more cases of internal fraud that management can investigate, and the better it is for the company. 

Conclusion

Employees are on the ground floor of an organisation, seeing and hearing things that management can easily miss. It is therefore crucial for management to establish an effective means of listening to their concerns if they spot instances of internal fraud. Key points of consideration include whether a company’s whistleblower hotline should be internal or external, what communication channels it will use, the implementation of a case management system, what metrics it should measure, and what messaging should come from management. With these in mind, companies should be able to create a successful whistleblower hotline.

Whistleblower hotlines are a key asset in preventing internal fraud

Whistleblower hotlines are a key asset in preventing internal fraud.

Making your hotline confidential will ensure employees feel comfortable using it.

Making your hotline confidential will ensure employees feel comfortable using it.

Book a Demo Now

Learn more about how Polonious can help you implement an effective and confidential whistleblower hotline.

Developing an in-house investigation management app? Here are the DIY challenges and risks

Developing an in-house investigation management app? Here are the DIY challenges and risks

How Polonious compares to DIY investigation management apps

How Polonious compares to DIY investigation apps

When enterprise and government organisations develop their own applications it is usually in response to a lack of an off-the-shelf product to meet a business need. Investigation management is a specialised requirement which can lead to many types of custom processes and software – from spreadsheets to Web applications.

In this blog we will take a look at the challenges and risks of going it alone for your investigation management needs.

Starting small looks promising

A typical approach organisations take when it comes to developing in-house investigation applications involves finding someone known, the “spotty nephew”, and asking them how much it would cost to build a simple system to manage investigations.

The developer then finds a database, or existing app, which looks simple to manipulate and starts adding fields and linking them to other pages with more fields. And in the end you’ve got a case management system.

But cobbling together different systems (client system, CRM, projects, etc) and calling it an investigation management system involves a lot of custom code or custom integrations, which is problematic, even in the immediate term.

This is typical of the mid-market where there is often a mature IT team. Their challenge will not be what is required to build an investigations management system, but to prioritise that above the core requirements of the business they service.

The developers could write a great case management system, but if they are supporting the day to day business of an enterprise they will have constant conflict between the project and their core business. When they need to ask “what do we do?” the focus will always be drawn to the main business.

DIY carries challenges and risks

Many organisations have had no end of trouble with custom-developed software and a DIY investigation management system is even more of a challenge.

Some of the challenges and risks of a DIY approach organisations might not consider include:

  • Total cost. It is easy to underestimate the TCO of a custom app, including the initial development cost and support. Including time spent finding the right technology platform that will actually work.
  • Maintenance. The maintainability of the code or system must be considered. For example, what happens when something needs to be upgraded or reaches end of life?
  • Skills. You need to hire the best people to continue to develop and maintain it and good people are hard to find and keep.
  • Security. There is also ongoing effort for security maintenance, including the security implications of poor practice, vulnerabilities, and compromises. You also need to ensure regular penetration tests and certifications are maintained.
  • Compliance. Underestimating the depth and breadth of what is required for compliance with regulations like the General Insurance Code of Practice. Can DIY keep up with a constantly changing regulatory environment? Yes, but it’s very hard and it is continuous.
  • Emerging tech. DIY requires you to update the platform over the years as technology is always changing. The system will need to keep up with emerging technologies, including mobile, IoT and cloud.
  • Knowledge management. Investigators have a wealth of knowledge, but is this being translated into the DIY product? You need to have everyone involved in the process on board with the product at all times.
  • Data integration. A good investigations management system will collate data from multiple sources and this needs to be factored into a DIY app. See this blog for more on Polonious’ integrations journey.
  • Usability and acceptance. You also need to ensure staff are able to use the product and get business value out of it.

Replace customisation with configuration

Polonious helps organisations that might need a customised app or process for a unique requirement by enabling configuration throughout our application.

We avoid code level “customisation” and focus on configuration, which is the ideal middle ground. If you have custom requirements then you can configure Polonious to meet the need without time consuming and expensive code changes.

Polonious has a common code base that services all customers, from which many customers have configured Polonious to meet their specific business requirements. However, Polonious is constantly adding new features, with further configurability, in response to customer demand and can also deploy new code as required.

For example, Polonious uses the SAME methodology to build out the business requirements of each customer, whether it is for insurance, banking, fraud or complaints. All of the processes are broken down into their basic elements and built up to be compliant with the appropriate regulation.

We enable customers to immediately focus on the desired product, whether it’s case reports, briefs of evidence, end of month or year reporting, and ensure that the data required is collected as part of the business process.

In summary, it is not a question of if an organisation can or cannot develop their own investigations system, but the time and materials required and ongoing investment often far outweighs any benefit. Failing to keep up with regulatory requirements is also a continual risk.

This blog has some more information on what you will need to build an investigations management application:

Buy or Build Investigation Management Systems

11 Tips for Better Internal Whistleblower Investigations

11 Tips for Better Internal Whistleblower Investigations

The Parliament of Australia defines whistleblowing as the ‘disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employers, to persons or organisations that may be able to effect action’. Meanwhile the EU Whistleblower Directive defines a whistleblower as someone who reports breaches of Union law that are harmful to public interest.

Internal whistleblowing occurs when an individual reports suspected misconduct up the chain of command at the person’s workplace. Whistleblowers are vital for maintaining an open, transparent, and honest workplace, as they expose misconduct or hidden threats.

Employers are obligated to act when an employee’s actions are disruptive to the workplace, and when their actions prevent others from fulfilling their duties, including whistleblowing. Inadequate handling of these cases can incur serious reputational, legal and civil liability.

Here are important tips and things to consider when handling Internal Whistleblower Cases:

1. Provide Anonymity

Anonymity is critical in internal whistleblowing case management.

According, e.g., to the Australian Treasury Laws Amendment (Enhancing Whistleblower Protections) Act, Whistleblowers have a right to make anonymous disclosures, and to have their identity protected. Many other jurisdictions have similar protections.

Whistleblowers are able to submit reports either in writing via an online system, a mailbox or by post and/or orally via a telephone hotline or answering machine system. Companies are also obliged to offer a personal meeting upon request. 

Regardless of which reporting channel is used, companies must ensure that the identity of the whistleblower is kept confidential.

2. Selecting a person to handle the report

The first step is to determine the “most suitable” person to receive and follow up on reports internally. 

Individuals in a wide range of roles are designated as ‘eligible recipients’ for whistleblowing disclosures. This includes directors, officers, senior managers, actuaries and members of an audit team (both internal and external audit).

According to the EU Whistleblower Directive, this could be a:

  • Compliance officer
  • Head of HR
  • Legal counsel
  • Chief Financial Officer (CFO)
  • Executive board member or management

Companies can also outsource the processing of reports, for example to an external ombudsman.

3. Create a diverse team

A wide scope of matters may be reported. This includes matters that breach the law, as well as any “misconduct or improper state of affairs or circumstances”, including in relation to the tax affairs of the company.

Therefore, it is critical that the team can handle all sorts of cases. ​​It is advisable to have representatives from your Legal, Compliance, HR and Ethics Departments to Corporate and IT Security. 

4. Know your obligations

Individuals in a wide range of roles could be involved in the handling of a whistleblowing case. In order to avoid potential liability, these individuals need to understand their obligations under the law, particularly in relation to protecting the identity of anonymous whistleblowers.

5. Be Responsive

Conducting the investigation in a timely and thorough manner is critical to a whistleblowing case. According to the EU Whistle Blower Protection Directive:

  1. The company is obliged to confirm receipt of the report to the whistleblower within seven days
  2. The whistleblower must be informed of any action taken within three months, the status of the internal investigation, and its outcome.

6. Be Fair and Impartial

Consider all relevant evidence with impartiality, and give the parties the opportunity to respond to any key evidence or documents that arise during the investigation.

It is considered best practice for the decision-maker, with regard to any outcomes, penalties, or so on, to be a different person to the investigator.

7. Practice Open Communication

Communication is critical at all times. At the outset of the investigation, steps and processes should be clearly communicated.

During the investigation, the discloser should receive updates and receive any further information upon request.

After the investigation, the whistleblower should be informed of the outcome including steps taken as a result of the case.

8. Data Storage

All reports received must be kept in a secure location, whether electronic or physical, so that they can be protected from deletion or tampering, and used as evidence where appropriate. 

9. Duty of Information

Companies are required to provide information on their internal reporting process as well as on the reporting channel(s) to relevant regulators. They are also required to provide information on how to access their reporting process to employees as well as suppliers, service providers, and business partners.

10. Refer to laws and guidelines

The investigation must be conducted in alignment with the company’s whistleblowing policy guidelines, as well as federal and state laws. If you operate in multiple jurisdictions there may be minor technical, or substantive, differences in reporting and handling requirements, so make sure you have local expertise available in each jurisdiction.

11. Produce a clear and insightful report

Following the investigation, there investigator should create a report detailing any lessons learned from a whistleblowing incident, as well as documentation of any changes to the compliance management system as a result of the incident. This report is crucial for building trust in the effectiveness of the overall system of whistleblower protection and reduces the likelihood of further risk. 

Ways Forward

Although handling an internal whistleblowing case is a delicate matter, if done properly, it can hold many benefits to individuals and organizations. It can uncover and address dishonesty and dangerous workplace practices which can prevent and protect companies and employees from long-term risk.

How we can help

Security and anonymity are your primary concern when handling whistleblower cases, as opposed to other internal investigations. Polonious’ ISO27001 certified security ensures your evidence and case files are stored securely, while our detailed security configuration ensures you can keep whistleblowers fully anonymous, or known only to an external or internal whistleblower team, depending on the level of anonymity requested. Once you have ensured the anonymity and security of a whistleblower disclosure, it’s important to follow best practice standards of investigation – which we cover in other blogs such as this one on procedural fairness. Polonious’ configurable workflows ensure a fair, consistent, and compliant process for all internal investigations.

There are many legal, ethical and moral considerations to make when handling an internal whistleblower case.

There are many legal, ethical and moral considerations to make when handling an internal whistleblower case.

A fair and thorough investigation can prevent and protect companies and individuals from future risk.

A fair and thorough investigation can prevent and protect companies and individuals from long-term risk.

Book a Demo Now

Want to know how Polonious can help you set up a secure whistleblower disclosure process?

SIU Insights report 2021How do you compare to other SIUs?

Check out some interesting results from our SIU management survey. Submit below form to receive the download link and related updates going forward.

GICOP changes 2021Download the GICOP whitepaper and stay compliant.

Our whitepaper covers all aspects you need to know to stay compliant with the latest GICOP changes coming into effect in 2021. Submit below form to receive the download link and related updates going forward.