Businesses have a duty to respond to, address or investigate a workplace incident to avoid legal consequences. However, some businesses fail to do that in a number of ways.

What is a bad incident response?

An incident can refer to many occurrences including harassment, bullying, a security breach, an accident or a near miss. Companies should take complaints and reports from employees seriously as they could indicate that something is wrong within the business. A bad incident response can be:

  • An employer not following up on an incident complaint
  • Not reading through an incident report carefully 
  • Failing to act promptly
  • Failing to conduct an investigation when it’s needed
  • Not doing enough research to find the right investigator (bias, inadequate experience, legal trouble, unprofessional behaviour)
  • Lack of a clear process
  • Not abiding by legislation 
  • Not involving HR when necessary
  • Poor risk management (confidentiality, reputation, information leaking)
  • Poor evidence collection and management
  • Relying solely on manual case management systems

There are more ways or scenarios that can count as a bad incident response. 

Legal consequences of a bad incident response

Legal consequences should not be the main driver for employers taking action. Employers should respond to incidents quickly and adequately because it is ethical to do so. Unfortunately, we don’t live in an ideal world. Legal consequences could apply to instances of a bad response to an employee complaint or an ignored incident report.

  • Heavy fines
  • Compensation
  • Lawsuit costs
  • Government conflict
  • Imprisonment

Heavy fines

In the event of a security breach or other data-related incidents, companies are held accountable for any personal or sensitive information that falls into the wrong hands. If any laws were breached during a bad incident response, then the fines could be greater. Depending on the type of incident, the company may need to pay some initial fines and may be found liable for more damages down the line. 


Compensation

If a company’s incident response plan is inadequate or poorly executed, they may be required to pay compensation to affected parties. This could be in the form of refunds for a defective product, or money for an employee injury. If an employee reported a near miss, and the company failed to take adequate safety measures, then they will be liable for paying compensation for doctor visits, medical bills and money lost from not being able to return to work.

Lawsuit costs

As a result of the incident, and the response that followed, the company may be involved in one or more lawsuits. The lawsuits could be initiated by different parties including employees, investors, the government or perhaps a competitor. Lawsuits are time-consuming. This means that they are expensive in the literal sense (costs associated with going to court) but also expensive in the sense that time is money. If employees have to focus away from their core tasks to provide details and evidence for a lawsuit defence, this can slow down business operations, affect the well-being of employees and decrease customer satisfaction. This is a major reason why avoiding a bad incident response should be the main goal when planning.

Government conflict

Governments have a lot of laws on employee safety, data privacy and fraud. Depending on the type of incident, its size and who it affects, companies may need to report it. Apart from the government, companies may need to inform those who are affected by the incident (for example, a data breach or an equipment fault). Failure to do so could result in more legal consequences such as penalties as well as investigations and issues with the government. A bad incident response by the business may also trigger a legal review, to ensure that people are protected from large corporations and poor handling of serious risks. An example of this is the Optus data breach that occurred in 2022.


Imprisonment

Imprisonment is one of the extreme legal consequences, usually following a very bad incident response with a lot of parties affected. Imprisonment is a consequence reserved for criminal offences where care and diligence were ignored and the directors of the company acted in a malicious manner. A bad incident response could then lead to up to 15 years of jail time for the individuals involved in the incident. This could vary by country but an example could be a health hazard that killed many employees or other stakeholders.


How to prevent a bad incident response

Avoiding a bad incident response can prevent any related legal consequences. Being prepared to address any type of risk is crucial for ensuring that the worst-case scenario is prevented or managed and controlled. Businesses can:

Perform a risk assessment

Performing a thorough risk assessment can help businesses avoid a bad incident response, as they may otherwise not be aware of the threats their organisation is facing. A risk assessment can assist in determining the impact an incident could have, the legal consequences that it carries and how likely it is to happen. Every company needs to know what risks they are exposed to as it assists in preparing a more appropriate response.

Look at the current response plan

Most businesses have an established process for responding to incidents. A good way to improve and develop a strong response plan is to look at how effective the current process is. Knowing the threats the business is facing, is the plan strong or quick enough to address them? Are there any potential weaknesses or steps missed? This will allow the business to determine whether it is vulnerable to any legal consequences at the moment.

Evaluate resources

Once potential areas for improvement have been identified, businesses should look at their resources to determine how they can effectively strengthen their incident responses. Resources could include staff, funds or other assets such as space and expertise. 

Learn from past mistakes

Companies could benefit from looking at competitors’ incident responses along with their own incident responses in the past. Reviewing them could assist in finding strategies to avoid the same mistakes that were made and the legal consequences that followed. 

Are you looking to improve your incident response?

Businesses should aim to address each issue appropriately to prevent legal consequences. Polonious can provide your company with detailed and efficient workflows that will assist with faster and more thorough incident response. Polonious offers automated communications, which include automated progress updates and reminders, making it easier for employees to complete tasks and focus on their core business tasks. Our system also provides our clients with a full audit trail, helping them detect any issues early. Do you want to know more? Book a demo!