Your people are a critical part of your compliance arrangements and serve the purpose of being your early warning system. In addition to employees, this includes Authorised Representatives, Material Service Providers and anyone acting on your behalf to provide your financial services and general insurance products.
Your compliance arrangements provide a safe place to do business. Your Compliance arrangements are the (1) governance & frameworks, (2) people & culture, (3) processes & procedures & (4) systems & reporting, that collectively operate together and provide a fortress, protecting what matters – the business & its customers, people, partners & stakeholders.
What is an incident
However, stuff happens and things go wrong. Technically, this means there has been a break-down in your control environment. When this happens, an incident has escaped from within the safe harbour of your compliance arrangements. The sole purpose of an incident is to cause as much harm and chaos in the shortest time possible. Incidents act stealthily. They lurk in the shadows causing loss, harm and detriment until detected.
An incident may or may not be a breach; however, if left undetected, incidents will grow exponentially until they are so big that they have manifested into a breach of obligations/code or a complaint & become visible to customers and regulators.
It is critical to identify incidents as early as possible. An incident, self-identified & reported on day 1, may cost the business $1,000; 4 years later, the same incident may have matured into a breach & cost $xx million + interest + lost management time + reputational impacts + regulatory enforcement action.
Your people as an early warning system
Your compliance arrangements are the first layer of protecting what matters. Your people are the 2nd layer.
Your people vigilantly survey the landscape waiting to identify & self-report when ‘something has happened that shouldn’t have or hasn’t happened that should have’ (the definition of an incident).
In this context, incidents are those being self-identified & reported & not incidents discovered through other mechanisms such as quality assurance monitoring, 2nd line oversight, customer complaints or regulatory activity.
The golden rules of incident management
- The quicker an incident is identified & raised, the lower the likelihood of harm or detriment being caused
- Provide a safe environment to raise incidents
- Be conservative & raise everything.
- Look at the root cause and review the control environment
Use AIRR
Awareness
Identify
Raise
Report
Awareness
Train your people on what an incident is (identify) and what to do when detected (report). Your training should not focus on the 10,000+ laws & Codes that govern our industry.
Provide examples of what an incident in each area of the business looks like – sales, underwriting, claims, finance, broking etc
An incident, something has happened that shouldn’t have, is:
- a pool of water on the staff kitchen floor
- my IT system is down for 30 minutes
- I didn’t send out an FSG or PDS
- I haven’t completed my training
- I think I provided the customer some incorrect information
- I haven’t provided an update to the customer for their insurance claim for more than a month
Identify
You know when something has happened in your role that should not have happened. Focus on what you do each day and take time to reflect
You are best placed to be the frontline defence in protecting your company & its people & customers from harm caused by incidents. That nagging feeling in the pit of your stomach is likely due to an incident occurring.
We’re human and we make mistakes. Be constantly on the watch for ‘incidents’.
Raise
Once you have identified an incident, it is important to tell someone about it
This enables your company to identify the cause of the incident, stop the incident and rectify any customer harm that may have resulted (& if a breach, consider whether the matter should be reported & if so, to whom).
You should inform your team leader/manager of all incidents that you identify.
Raising an incident should be easy irrespective of whether you use a webform, online IT system or email. A compliance specialist can identify a breach or a need to investigate further from 4-5 bits of information.
Don’t make your people complete a 20 field form every time they detect an incident. Their enthusiasm to protect will quickly wane & they will stop raising incidents.
Report
Once raised and reported in the Company’s system (or excel spreadsheet), your compliance specialist, team or in-house lawyer will review the incident(s) and determine whether:
- there is a breach or likely breach; and
- the breach must be reported; and if so
- to whom; and
- by when.
Creating a safe environment to raise and report incidents
Leaders need to create a safe environment for their team to raise and report incidents. Leaders must accept that we’re human & stuff will go wrong.
Your actions when an incident is reported to you set the tone for future conduct.
It’s important to distinguish between performance management & making mistakes. Making the same mistake, repeatedly, after additional training is a performance management issue (it is still an incident) and consequence management must be applied fairly and be relevant & appropriate to the nature of the conduct.
As a leader, embrace incidents as:
- A source of learning
- Continuous improvement
- Better customer experiences
Incidents foster a culture of continuous improvement
Looking at the root cause of incidents creates opportunities for continual improvement & better customer experiences.
Your compliance arrangements, including incident management, should evolve with business growth & innovation & changes in the external landscape.