Incident reporting plays a vital role in strengthening the internal controls an organization needs to operate properly. An incident is defined as “[A] nonstandard operation which causes interruption or reduction in quality of service.”1 To remain competitive, an organization must address incidents in a timely manner so that customers and partners are not adversely affected. The consequences of a mishandled incident range from reputational damage (e.g., customer complaints) to lost revenue when systems are down and service cannot be delivered. Enterprises must therefore be proactive in mitigating risk and minimizing the losses that incidents can cause.
Staff must act to address adverse incidents as soon as they are detected. Failure to respond to customer queries or complaints in a timely manner can cause serious reputational damage. Risk awareness training should be conducted so that employees are well versed in the incident reporting process, including why it matters and how to recognize an incident. Such training should also cover each employee’s role and responsibilities in incident management. It is especially important that the first line of defense is thoroughly trained in reporting, because it is the group primarily responsible for detecting abnormal events.
In addition, all relevant stakeholders should be informed of incidents to enable better and faster incident response. To encourage good communication about incidents, departments should refrain from working in silos. Failure to address an incident promptly can result in lost revenue for the enterprise and/or a disruption to operations. The enterprise must ensure that each incident is reported as soon as it is identified, that root cause analysis is undertaken to find the primary cause and that remediation is carried out to minimize future occurrences of a similar nature. Incident reports should be time-bound, and all parties should be held accountable for failing to report incidents.
In response to the COVID-19 pandemic, many organizations allowed their staff to work from home (WFH). Employees now access organizational data remotely, which makes it all the more important to report incidents immediately, before they put the organization at risk. Examples include an inaccessible file server, data leaked to outside parties, mail server unavailability and system power failure. The loss of such a system for even 10 minutes can have a detrimental impact on the business: revenue that would have been generated during the downtime may be lost, and reputational damage may follow from clients who were denied the service they sought.
For incident reporting to be effective, the organization must have clear incident reporting processes in place, with the roles of the different stakeholders clearly defined. For each incident reported, the reporter must follow up continuously with the person responsible for addressing the risk to ensure that critical issues are prioritized. When submitting an incident to the relevant department or stakeholder, the reporter should also inform the risk team and ensure that the team provides updates on the progress of the incident’s resolution. Reciprocally, risk professionals must keep in contact with the reporter to track the closure of the incident and, if they find that issues are not being addressed in a timely manner, bring this to the reporter’s attention. Both the reporter and the risk team are responsible for properly documenting and filing reported incidents. Proper report filing is crucial: it ensures that the most severe incidents are addressed before they can harm the organization, that similar events are avoided in the future and that no incident falls off the radar and is left unresolved.
An enterprise can never be certain when an incident will arise. To minimize the chance of an incident occurring, organizations must ensure that departmental control and risk owners implement controls that function as intended. Such controls range from monitoring reports and acting on them when they fall due to assessing controls in order to detect and remedy any gaps. Regularly reviewing risk registers, recording newly emerging risk in them and implementing the appropriate controls help ensure that risk is addressed and that the organization is well protected against threats.
Endnotes
1 ISACA®, IT Risk Fundamentals Online Course
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Incident Report and Continuous Control Monitoring” episode of the ISACA® Podcast.
Relebohile Kobeli
Is the ebanking risk officer at Lesotho Postbank. She oversees operational risk for the electronic banking department, focusing on risk that may be incurred from mobile and Internet banking. Kobeli has more than 3 years of experience in risk management.