Transcript for Building a Comprehensive Capability in Incident Management
Giovanni “Gio” Gallo: Everybody, welcome to the webinar. We’re just gonna let some people get into the meeting room here and let people load up. So we’ll just pause for a minute or two. So while we’re waiting, let’s take a little bit of a roll call. We see some people loading up in here. Let’s start by just saying where we’re coming in from. I’m here in Charlotte, North Carolina. Matt, where are you?
Matt Kelly: I am here at Radical Compliance world headquarters in Cambridge, Massachusetts, where it is a lovely day, and the fall foliage is just about at its peak, so happy to be here.
Gio: Roger, where are you at?
Roger Frank: I am calling in from the international headquarters of the Gator Nation, Gainesville, Florida, from the University of Florida, where it is a beautiful 90-degree-fall-humid day, like it always is.
Gio: Rub it in, Roger. Rub it in. All right. So we can get started with an intro here. And then, I’ll hand it over to you, Matt.
Welcome to our webinar today, everybody. I’m really excited to talk to you today about building a comprehensive capability in incident management. This is a big topic that we have a lot of angles that we can talk about on. And we have a great panel together for you today.
If you’re familiar with our webinar format, this will be a repeat for you. But listen in anyways. So, you know, we want this to be useful and helpful to you. So we’re not doing this to hear ourselves speak. We hear that all day. We’re doing this to help serve you and your team. So please jump in on the chat and the Q&A and ask us questions as they come up. If we’re talking about something that, you know, you’d like more detail on, or you have a different perspective on, we’ll be monitoring that chat throughout the next hour here. Because we want to and are able to pivot our conversation to cover the things that are most relevant to you.
So feel free to use that as a live way to interact through the screen here. And give us a chance to answer your questions, you know, maybe talk about a perspective that you have or go deeper on something that we’re going over. So with that, I’ll hand it over to you, Matt, and you can take it away.
Matt: Sure. Well, thank you, Gio. And welcome, everybody. We are happy to have you here. As he said, we are here to talk about incident management capabilities. So not just how to handle an incident, but how a large organization is going to manage many, many incidents at the same time, where you could have a thousand different incidents on 80 different common typical subjects, and they’re on a thousand different paths to getting investigated and resolved.
So how will a compliance program have to handle that? How does this intersect with your internal reporting program? How does it intersect with the actual nuts and bolts of an investigation? Which the compliance function might not even do, might be legal, might be audit, might be somebody from outside. How do you brief management on what’s going on? How do you use data analytics to figure out, “We have a lot of incidents over here on this subject. So maybe we should retool our training or procedures over there to reduce incidents in the future.”? We want to cover all of that.
And as Gio said, we definitely hope that everybody will speak up. I know that some compliance subjects can be pretty esoteric and niche, this is not one of them. This is something all organizations have to deal with. So if you have any thoughts or chats, you want to chime in, we would love that. So our speakers are, first, Roger Frank. He is the director of investigations within the Office of Internal Audit at the University of Florida. So, Roger, thank you for joining us here today.
Roger: Thank you, glad to be here.
Matt: And also Gio, the Co-CEO of ComplianceLine. And then, I’m Matt Kelly. I’m just the moderator, and I run the Radical Compliance newsletter that comes out every week. So I’m happy to be here. And I wanted to just dive right in.
So, Roger, since you’re the big guest here, let me put the first question to you. Just give us your view, broadly speaking, of what the capabilities of an incident management program should be. What does a company or an organization want to achieve here?
Because, like I said, you can kind of sketch out how to handle one incident. But when you’ve got a thousand incidents happening at the same time, the organization is going to need a lot of different capabilities to manage all of that. What do you see as the most important capabilities to have?
Roger: I’ve been doing this for over 30 years. And the overall capability, in my opinion, is, quite frankly, the ability to have a process in place. And by process, in our world here, it revolves around a committee of people to review, address, and analyze intakes, incidents, complaints, concerns as they’re received. But you also have to have the independence, whether you’re doing 1, 3, 5, 7, or 10 at a time, you have to have the independence to be able to go where you need to go and speak to the people you need to speak to.
But the primary key in our opinion here is triage. You can’t do it all yourself that regardless whether…in our world, a bulk, anything that is a financial-related concern, conflict of interest, coming with…I have a long list of things I’m responsible for and I have like 12 bosses…conflict of interest, financial-related items, ethics and integrity items, they primarily reside with us.
But most organizations find that a bulk of what they’re receiving oftentimes is related to human resources, human resource concerns. So triage becomes key. Do you have a group of people that have the capability and the independence to perform the reviews of the intakes that come in that have the right background? It literally isn’t a one size fits all. That I don’t do human resources, right? I work with them sometimes, and I’ll partner with them. But human resources, they’re the people who are familiar with the human resource policies. I know the financial policies. And we have issues where we work with the general counsel’s office.
The number one capability really needs to be the universal ability to manage with the right groups. And you have to have the right partners. If the partners don’t have the right skill sets to review the items that are out there, the concerns that come in, then you’re basically setting yourself up for failure.
Matt: And, Gio, I want to get your thoughts on that same question in a moment. But, Roger, I did just want to ask. I’m a little surprised that you didn’t actually cite technology right up at the front, which I think a lot of people might assume that’s got to be in there somewhere.
But really, this is more about, what, putting foundations in place first? About, “Here’s what our process is going to be, here’s who the people are going to be involved regardless of our tech.” I mean, am I reading that right there? Or what do you think?
Roger: You are. Technology is key. I mean, when you’re doing the financial analytics, the financial reviews, and you’re looking at certain retrieving records and emails, there’s technology that revolves around the actual reviews that take place. What we’ve learned is, if you don’t have the right group of people… And there has to be some fluidity, you can’t have such a rigid structure that, you know, there’s always exceptions to every rule.
You have to have the right amount of fluidity. But if you don’t have the right structure and the right organization to handle the incidents as they’re coming in, in many cases, and I’m going to go to, I’m gonna jump right to the key concern that most organizations have, even though they won’t say it out loud, it’s PR. That, at the end of the day, the University of Florida is driven by funding, and it’s driven by reputation. And sometimes, finding the truth isn’t necessarily what gets reflected to the outside world because it’s how you have to present it.
The technology is how you get there. But if you don’t have the right foundation, and the right triage to make sure the right people are in the right place looking at the intakes as they come in, you’re setting yourself up for larger problems in the end. Technology is how you get it done when you’re doing the reviews.
But the process to develop the overall practice of how you do it, that capability, to us, is the single most important part. Because if you designate an intake to the wrong group, or you designate an intake, or you misclassify it… You know, we classify things, believe it or not, on a whopping scale of one to three. One is the kind of run-of-the-mill stuff that every organization has. Three is the kind of stuff that goes to the board of trustees.
If you misclassify something and you hand it to the wrong group, next thing you know, you’re behind the curve, and there’s no catching up. And no amount of technology is going to help you get out of the PR damage you’ve done by not giving a concern or an intake the appropriate level of consideration when you receive it.
Matt: All right. So, Gio, let me get your thoughts here, but same original question. What would you see as the big capabilities an organization is going to need to have to be able to handle incidents at scale and handle them skillfully?
Gio: Yeah, so, you know, to touch on that technology piece, listen, I’m a technology guy. I run our software development team. We sell software that handles millions of employees at all our clients around the world. It’s super important. But, you know, I think that if we’re talking about, you know, the overarching thing that you need to do this. You know, I agree with Roger that the technology is something that gets you there, but it doesn’t get you all the way there.
I think the overarching thing is an understanding of people. And I think that there are a bunch of things that nest under that. You need technology. You need process. You need systems. You need policies. But overall, you know, it kind of gets to the point that Roger was bringing up, that you got to kind of understand who your stakeholders are, and the why behind this whole thing. He brought into the PR piece. There’s funding. There’s the mission of the organization. There’s the people you care about.
And ultimately, I think that all of those priorities are driven by people – who’s on your board, who’s your executive, who’s your chief compliance officer, who runs legal? And I think that running this well, it can be such…there can be so many diverse answers to it. And it’s going to be driven by the people who are involved. Who are your stakeholders? You know, how much is this centered around, “We need to just always do the kindest thing to employees, no matter what the cost,” versus, you know, the other end of that spectrum is, “We only care about the board and keeping us out of a big lawsuit that we can’t settle.”? There’s balance in the middle there.
And I think that balance is struck by people in this industry, who I like to describe as people with a big brain and a big heart. These are smart people who care. And we’re going to use our brain to set the processes, set the policies, use our technology, configure it, all of that. And that heart and that emotional intelligence is going to help you understand, “Okay, I need to get some buy-in from this other department,” or, “I’m going to assign it to this team. But also I need to back them up because they may not see the other edge on this.”
And I think that running effective incident management is about balancing those different stakeholders. And I think it takes a care and concern and understanding of people to do it. Now, you know, that’s kind of that esoteric answer, Matt, that you said we’d get away from. But I think that’s the starting point.
You know, I love this golden circles concept. You got to start with why. And I think that why is at the core of, if you have a great incident management process, that you understand your stakeholders and how to balance it. Then you can do the how, and then you can do the what. And then you can get into the diverse things that we’re going to be talking about here.
But I think it’s important to have that foundation of, you know, the goal here is something around your people and your stakeholders, not just this, “You know, I need to get this metric done,” or, “I need to close issues quickly,” or, “I need to avoid lawsuits.” Those are kind of myopic things that are not central to this.
But, you know, we’re gonna get into how those stats, and those analytics, and, you know, how you can evaluate your program to get it better. And, you know, I think that it takes integrating all of that with an understanding of your stakeholders.
Matt: So I wanted to move on and maybe get a little bit more specific about how incident management should work, how it sometimes does not work. And, Roger, let me circle back to you. I spend a lot of time thinking about compliance programs or incident management programs, like at the border of one part to another part.
So let’s say the first border crossing, so to speak, would be between receiving a report and then investigating the issue. Those are separate things that butt up against each other. And I’m curious how you may have seen that sort of thing go wrong.
For example, managers deciding, “You know, we’re just going to handle this internally, and we’re not going to give it to the formal investigator,” or something as nuts and bolts as, “Oops, we forgot to shield the whistleblower’s identity. And now it’s out.”
And, you know, what have you seen at that sort of border crossing, Roger, where, you know, you would recommend people be careful of it? I don’t know, maybe lessons, you’ve learned the hard way about how these things can go wrong. But what do you think about that?
Roger: Well, it’s funny, there’s actually… I look at it from two different perspectives. And you hit on both of them.
The first one is when you have management that says, “Well, we’ll just handle it internally.” And for what it’s worth, we actually have a policy that says, “No, you won’t.” When there’s an issue, there’s a certain protocol as a university employee you should follow.
Because there are different objectives depending on a manager’s…what a manager’s driver? In some cases, we have incidents where something should definitely have been reported so it could be independently reviewed or unbiasedly reviewed. But the management choose to keep it in-house because they don’t want anyone else to know about it.
By the same token, you have the other side, where they follow the protocols, and you receive… A bulk of our intakes in my office do come through our compliance hotline. But we have multiple other avenues around the university, which are dwindling, and now it’s more and more rolling into a single hotline. So when the incidents come in, our primary concern literally becomes leakage.
For most of the things that we get, if somebody were to talk to a friend or buddy, “Hey, you’re not gonna believe what I just read because I happen to be in a meeting where they talked about this intake.” A majority of them don’t have a significant impact if it gets out. It’s still inappropriate. But you have to maintain a level of confidentiality when items come in through the reporting mechanism, through our hotline.
People are expecting some level of confidentiality. I actually prefer people, and this gets me in trouble, I actually prefer anonymous concerns coming in. And at any given year, I’ll receive between 200 and 300 just to my office.
But what we’ve learned over the years is many times, when Matt puts his name on an allegation, a, it could be because he wants to do the right thing. But oftentimes, Matt has an agenda that we’ve had cases where Matt’s about to get in trouble with his boss. So he files an official complaint or concern. And then when you get in trouble for something unrelated, you go, “Oh, it’s retaliation.” It’s very strange the way that works that I actually prefer the ones that are anonymous, especially if we have an ability that even though Matt filed your concern anonymously, I can still reach out to you through our hotline.
And we have exchanges of information regularly with anonymous complainants, but there’s no real potential for a public agenda for what you want. But you’d be amazed at the number of people that will just treat an intake as being triaged as just another piece of paper. You’ve got to maintain the confidentiality of what comes in.
And again, 9 out of 10, they’re relatively smaller concerns. But if you’re not, if you don’t practice confidentiality on the smaller ones, people forget that you need to have confidentiality on the major ones. And it took me, when we first got, when I first started here 14 years ago, we were receiving maybe 30 intakes on the hotline a year.
So we began advertising. I’m promoting to you, the constituency of the University of Florida, 50,000 students, 36,000 employees, the State of Florida, anybody who does business with the university, that if there’s something that you need to report, you can do it in confidence to us. Literally, it was 30 a year.
Well, now, we’ve got, you know, up between 200 and 300, sometimes 400. We’re promoting it, and that comes with the responsibility. I have to protect the information and the privilege of the data that’s coming in. And our border crossing issues are leakage. People talk about it, because they don’t treat it with the concern that it deserves.
Matt: So right away, I’m thinking about, you must have training about this and messaging about it, like part of making sure the intake works very well and this, the anti-leakage controls. Really, these are soft controls about making sure people remember, “You know, keep your mouth shut. Don’t do this. This is a trustworthy thing.” I mean, tell me a little more about how you drill that message out there like that on a practical basis.
Roger: It’s a fairly small group that works on the initial triage, so we discuss it on a regular basis. And we actually have put into our protocols that were approved by our board of trustees. And every now and then, I’m gonna call it once a year, we will revisit them with the group. And the group of people who should know better. You’re talking about representatives from general counsel’s office, compliance office, Human Resources, COO’s office, audit office.
We understand confidentiality. But it’s so frustrating. When we had a particular…I won’t tell who or what, we had a particular member of this group receive a concern. And on the surface, they go, “Well, this isn’t really a big deal.” So they just shared it with somebody that reported to them.
And I got it, I go, “Wow, this is a fairly significant problem.” And this person, “Well, I’ve already passed it on to the vice president, so don’t worry about it, he’s going to take care of it.”
And the whole group just freezes, going, “I think some retraining is in order.” And as it turns out, this investigation took literally a year to complete. And when it was done, a high-level administrator is unemployed. And we’re talking to the person who received it, “I think, well, you know, in hindsight, when I look at it, I probably shouldn’t have just passed it on to the vice president.”
And we stepped back and go, “Our protocols are, you should never do that. After we discuss it, we can decide who you can talk to about it, but you don’t just do it on your own.” So it’s a constant reminder. Confidentiality matters, privacy matters.
And even people who know it by the basis of their jobs, I’m gonna call it this way, they still make mistakes. And they still have weak moments where I feel like, “You know, I probably should go ahead and just mention this to Gio so he’s aware that somebody is going to be calling him.”
And then by the time we call Gio, he’s already begun to, if he’s involved, which he’s not, because he’s an upstanding citizen. But if you were, the problem becomes, he’s already begun developing his answers to anticipated questions. And the integrity of the work that we do begins to fade. Plus, we don’t have the ability to protect people who are trying to do right by reporting concerns that Gio may find, it’s in his best interest, if they no longer work here.
Matt: So, Gio, let me circle back to you, and I wanted to get your observations on where you have seen, like I said, this border crossing go wrong. I am still struck by how, sometimes, it’s block-and-tackle stuff like the internal reporter’s identity was not shielded, and it’s somehow leaked, especially if the complaint goes into department one, and they say, “Oh, well, this is department two, so just give it to them.” And the identity is included.
Or that, you know, people, to Roger’s point, you know, somebody sees it and says, “Oh, well, this is easy. I can start investigating this right now while we figure out what to do.” But, I mean, where do you see these kinds of breakdowns happen? Because you’d like to think, by now, a lot of larger organizations would understand how to go from the intake to investigation, but I’m not sure that’s true.
Gio: Yeah, I think I would put it a little bit differently that, like those mistakes absolutely happen. I think that it ends up being caused, just to give people a little way out here, ends up being caused, “Because we’re juggling a lot, right? Our team is busy.”
You know, if I really sat down and thought through all of the implications of this action, you know, as long as I’m not a sociopath, I probably would figure it out. But we’re moving quickly, and we’re trying to get all this stuff done. So those balls get dropped.
And I think that, you know, for whatever those are, and I’ll kind of go into them in a second, I think, you know, your team needs to kind of look at those and say, “Okay, why was that caused?” It’s probably not just, you know, a lack of character and integrity and, you know, a personality flaw with the person who did it. Is it training? Is it the structure of your system, right? Some of that anonymity can be handled within your case management system and stuff like that.
If we look at the different causes that add up to that, and then, you know, kind of break those down, you know, do a Pareto analysis of, you know, what is the biggest cause of this and then break it down. But, you know, I think I kind of look at this in two dimensions.
You brought up the kind of border crossings or the handoffs through this different process. And I think that’s a really helpful way, you know, we have a framework that we talk to our clients about, and that, you know, we help people drive best practices through their incident management program by looking at these different sections, right?
I think it actually starts before the issue is reported. And, you know, it probably starts with the perception people have of the compliance team. So that’s a cultural problem. That’s a messaging, that’s a… you know, what is the personality of your team? And how do people perceive them?
And then it goes into your awareness and your advertising. And you know, kind of how you train the broad employee base. Because all of that stuff happens before you find out that incident. Right?
So, you know, Roger was talking about, you know, when he came in, they were getting something like 30 reports. And now, it’s like 200 or 300 or something? Well, you know, you don’t have a chance to take action on those if you don’t hear about them. So it starts there.
And, you know, we all know about that concept. But I think the understanding that this is a multifactor equation. And everything that happens at the start of this equation affects everything else.
So people are reporting only a little bit of information because they’re scared of retaliation, that’s going to make it harder for you to investigate. If people, you know, don’t know who to go to for these questions or to report these things, then it may go in the hands of a manager, and then you have another border crossing there of, “Okay, that manager needs to be trained to hand this off,” or whatever it is.
So I think you can break it up into these component pieces of, you know, what people think about the compliance team and this function, how you drive awareness, how you do that intake. There’s a mini border crossing there of, whether it’s a webform or someone sitting across the table from you, or doing a live Zoom interview, or coming into the hotline or whatever.
How that intake happens, again, affects everything else that happens down the line.
If you have a good starting point, and you do good discovery, and you have good elicitation during that interaction, you know, whatever kind of level of technology it is, then that’s going to make it better. So you got to kind of look through the different steps. And then it’s the handoff and the investigation and the approval and the remediation.
And then, you know, I think at the end of all of these borders, right, once you’ve gone all the way across Europe and across these 15 countries, that, you know, at the end is your continuous improvement process. It’s your data and analytics and how you do benchmarking and how you say, “Okay, well, we just finished the quarter, how did that go, guys? Like, what did we miss? Can we do any postmortems on things that didn’t happen?”
I think that’s the end of this process. It’s not when an individual case gets finished, it’s really, you know, this whole thing happens in a loop, and it comes back into what are we going to do on the next case? So I think you’re gonna look at that.
And then, you know, I think it’s interesting to look at, like, how do you leverage your strengths? And/or should you be improving your weaknesses, right?
So you brought up technology earlier. You know, I know there are a lot of people in the compliance industry that they don’t have as strong of tools as, you know, somebody in marketing or somebody in, you know, operations has, or whatever. Part of it is the industry, part of it is the budget and all of that thing.
But, you know, you might have a lot of headroom to say, “Hey, you know what, I should talk to my vendor and see if I can get some better configuration in my tool because technology can be a lot better for us. We might be two or three times as effective if technology is there.” You might have a weakness on that awareness front and things like that.
And/or you might want to leverage your strengths in any of these, you know, countries as you cross borders and say, “Hey, you know what? We have really great awareness. So let’s leverage that and, you know, make sure that we stay strong on that. And then, you know, work on improving our weaknesses somewhere else.”
I think if you look in that framework, then you can start getting down to the next level and say, “Hey, you know what? We’re not getting enough reports. So why is that? Is it people don’t know about it? Is it the classic fear of retaliation? Is it just that, you know, people report and, they’re not afraid of being retaliated against, they’re just disappointed that nothing ever happens.”? And that kind of feeds back into the reputation of compliance.
I think those kinds of things have problems on the front end, then there are the pass-offs or the handoffs of, you know, anonymity. And, you know, did we convey this properly? Do we have good notes? Are we coding this well, so that we know how to focus our attention?
And I think in that middle of the process is where a lot of the complexity is, where technology can help you a lot. And it can also help you not just get the work done, I think this is really important, it can also help you focus your attention, right?
So, you know, Roger was talking about how, you know, they rate these one to three. Well, you know, something that’s a high severity, as we put it, then you can focus more on that. And you can find a bunch of, you know, potential risks to manage.
And I think that in the middle of this process is where it gets really complex, but it’s complexity that you can control. And I think that’s where we have the most control over this process. And you know, that might be a place to look.
Matt: So, Roger, let me ask you a little bit more about things such as trying to scale up or automate some of the steps that go here and going from a good procedure that we’ve written out, and we’re practicing in person to kind of like a workflow. I mean, I’ve always thought that, you know, you could do something like, “We’re going to have the intake system search for certain keywords. And if accounting fraud comes up, then automatically we know that this has to go to the audit committee and outside counsel. If the keyword is rotten food in the company fridge, let’s just route that to HR or a local manager.”
How does it actually work? Like, how would you recommend people try to put some formal structure around that to, I guess, frankly, automate it at scale? Or do you think that is something that has to be done carefully? Or what would you say?
Roger: It has to be done carefully. And also, we’d go with scale. When people hear, “So the University of Florida only received between 200 and 300 incident intakes a year.” The answer is, “Oh, no, we receive several thousand. But they come through multiple avenues.”
So by volume, if the volume is manageable, there are people that I’ve known for a long time that kind of shy away from the automated routing. We did have an incident a few years ago where we used some automated routing, that if certain keywords showed up, I get everything. But then, some would be routed to the vice president of HR, some would be routed to the general counsel’s office, some would be routed to compliance, depending on the key terms.
And it turns out, one of the key terms routed it to a vice president that the complaint was actually about. So, I open it, I look at it, and I’m going, “Oh, so this is about this person.” And I’m looking at the words. And it says, “This was routed to this person.” And I think to myself, “Well, that’s inconvenient. That’s a bit of a problem.”
Believe it or not, there is a hesitancy to do it through an automated format, in terms of who gets notified that to maintain control. But now, in this scenario, if we had followed the approach that we have today, she still would have gotten it. Because it comes in, our new system is it goes to the select seven people. And then, we sit down, and we analyze it. Actually, what happens, let’s be honest, I analyze it. And I determine initially, “My initial assessment is based on this incident, it should go to Matt’s team to review.”
But these seven people still get them. And if it was about Matt, and we’re still doing it with our own process, Matt still gets it, unless I call Matt and I say, “Hey, this particular intake is coming in. Do me a favor, don’t look at it.” Well, that doesn’t work very well, either.
The automation pieces that we employ come in after we’ve done the triage and the routing. Then the automation kicks into what are the specific components that are involved in the incident.
If it’s financial, we talked about disbursements, we talked about procurement, are we talking about purchasing card? Is it payroll? The ethics ones, it flows through a system that is referred to as UFOLIO, which is, what has Matt disclosed as just outside activities? What has Gio disclosed as his outside activities?
You have to be very careful because by doing it just as a word routing, sometimes, the way that the word is put in isn’t appropriate. The system reads it incorrectly as, “This is what it says, but I meant something else.”
And we’ve had just enough incidents where things got routed to people where we lose the ability… My number one concern is, always, I need to protect the identity of the person who’s doing the report. Because everyone that works at the University of Florida has an expectation that if you see something that is inappropriate, or it’s against policy, or is fraud, you have to report it.
But we also understand that sometimes there are repercussions for doing the right thing. And we really strive to protect the identities of the people that we rely on to bring these things to our attention.
Many organizations like ours, we don’t go looking aggressively for people who are perpetrating fraud or embezzlement because it’s hard to spot without a tip. But if you give us a tip, we can employ the right technological pieces and the right programs, in order to really determine what happened, who did it, what happened, and what weakness allowed it to happen?
But again, I go back to, and I may be a little bit off from other people, for us the technology comes in, in the middle and on the tail end. On the front end, we keep it to more of a personal level or human level to control the flow in the beginning.
Matt: I suppose, you know, I think that the struggle might be, you had mentioned earlier, rigidity versus fluidity. And another way to say rigidity might be a proper structure. And if you have 10,000 complaints, you’re going to need some structure.
And how a large organization can balance, you know, “We’re going to have a proper structure. So we can just get through this work, or else our intake committee is going to just meet 24 hours a day.” Versus, you do need some flexibility, because you’re always going to get at least one weird complaint that didn’t quite fit the structure, and now it needs human eyes or else the workflow is going to send it to Lord knows where.
So I’m just curious how you try to figure that out? I mean, I assume you guys do not meet 24 hours a day to review.
Roger: Oh, no. We could if we wanted to. But, yes, see, I’m the lowest pay grade on the committee. And they all keep telling me they’re busy with more important things.
And I go, “I hear you.” But it’s a fine balance, that it’s come down right now the way that we’re operating is…because of the experience that I have and the contacts that I’ve developed around the campus and my knowledge of the 16 colleges and the 200 medical clinics and the 3 hospitals and the 200 centers and institutes, I have an idea and a knowledge base of the best way that something should be reviewed. But you still have to have a consensus.
So I will manage the process. And then once a week, we’ll sit down and talk about the ones that are fuzzy, shall we say. Many of them are fairly black and white as to where it should go. But some of them, I look at it, and I have one perspective, but the COO may have another.
And you can never get away from the fact, even from the human aspect, my objective is the truth, protect the university, protect the board of trustees… Actually, it’s the truth, protect the university, preserve the assets of the university.
And then, after that, you get to the smaller bunch of spent worrying about the reputation of the university and the trustees. That’s somebody else’s issue. My issue is the truth and solving issues and preventing them from happening in the future.
But I also am not foolish enough to believe that at the much higher pay grades, at the senior administrative level, they have other things that they think about when they’re trying to decide where something goes. And I try not to get into arguments about those things. But you can’t be foolish enough to believe that they don’t play a part in the decision making.
When I, “This is how I see something should be reviewed.” And very seldom is there a debate about it. But every now and then, somebody will come in and go, “We’re doing a case right now that involves a high-level administrator that everybody knew was politically sensitive from the beginning.”
But as often happens, when you receive an incident report, and you begin looking at it, unfortunately, you find other things. And as you’re finding these other things, you can’t just ignore them. So then the politics begin ramping up a little bit, which interferes with the process of doing an investigation.
“I would like to see Matt’s emails,” and then you’re gonna have somebody that high level that goes, “Well, wait a minute. Matt might have some things in his emails that I don’t necessarily want you to see.” Competing or conflicting priorities. We try to stay away from that.
But it’s something that you have to consider, no matter how much concern or human effort we put into it in the beginning of the border crossing piece. As you’re doing the work, political ramifications come up, and you have to pass that information on and hope that the group makes the right decision. But you can never get away from the human elements in this process.
Matt: Gio, what do you want to say here? It looks like you wanted to jump in.
Gio: Oh, I mean, there’s so much here. We might go over a couple hours on this webinar, because there’s a lot of great stuff here. But, you know, I just want to highlight, you know, Roger brought up a couple points.
You know, one, he was saying that his effectiveness is, at least in part, driven by his context and his knowledge of these different departments, and, you know, the health system on campus and all of that. And I think that’s really essential here. Because, you know, we can talk a bunch about your technology, and your standard operating procedures, and your training.
But what I think is required to really have a world-class offering and system in incident management is that context that Roger is talking about where, you know, he understands some of the politics here. Hey, you know what, it’s just the nature of this work and compliance and ethics is kind of wrapped around the entire organization. And they’re a bunch of conflicting interests and competing interests.
So that context is, you know, to me, just sounds like leadership. It sounds like the discretion. It sounds like an ability to figure out how to get what is top of mind and top of the list for the compliance and ethics program of, “We want to find out the truth, we want to protect people, we want to preserve this system of people trusting us, and stuff like that.” Well, you need to get that done through or around or in concert with a bunch of other people.
So I think that’s, you know, one way that people can step their leadership up, whether you’re frontline or manager or leading the whole program, is that context outside of your compliance team. It takes some time to build that network and that understanding. But I think it’s really essential. And the other piece, I think…
Gio: Oh, go ahead, Matt.
Matt: No, no, go, continue.
Gio: The piece that I think is really interesting to maybe think about, maybe consider where your organization is on the spectrum is just that point about automation and manual, or centralized to the compliance team or going somewhere else.
And, you know, I’ve talked to clients and people in these positions where they say, “Hey, we push a bunch of this stuff to our frontline managers, and we train and trust them to filter it back to us, if it’s too risky or something like that.”
And I know other people who, you know, just the same are running world-class programs, and they say, “Everything comes to our team, and we look at it all, and then we distribute it out.”
And I think the cool thing to think about is not jump on one side of the spectrum, but have an understanding of, “Okay, I have a preference for more centralization. And I have a team and budget to handle that,” or, “I have a preference to kind of push this out to other teams, because most of the stuff is kind of general local stuff. And you know, I can monitor it.”
The cool thing is the ability for technology to not supplant that, but the ability for technology to amplify whatever you’re trying to do there. So if it’s all coming centralized, you can have your system automatically kind of rate some of those things. And you’re going to review the things that the system says is severity three or that your hotline vendor codes as high severity. And, you know, you’re going to look at those first. You’re just going to look at the other ones, but you can get to the important work faster with some technology and process.
And, you know, I think another one of my favorite distinctions like this is, do we want kind of a high scalability, low-cost technology way to do intake? Or do we want a kind of high cost, very personalized, everyone who reports something is going to talk to a trained investigator, you know, face to face?
Well, you don’t really have that decision for everything, right? You want to meet people where they’re at and let them all, you know, kind of report however they’re comfortable because you’d rather hear about it than not.
But technology has some ways that you can kind of, you know, bend that curve and get kind of the best of both worlds if you have a thoughtful adaptive web form, or we have this AI-driven app that acts more like an investigator because it’s been trained by investigators. And it’s a mobile app that’s going to ask those thoughtful questions without just being a dumb webform that has six questions.
Now, I imagine, if it was the same cost, and the same people would report, we’d love for every intake to be in front of a trained investigator face to face with no time limit. But we have those limits on our budget, on our team, on how many issues we can review and fully read through, or whatever.
And I think that technology can help you get a little bit of the best of both worlds. But it’s always going to be in kind of the culture and the setup of your team that’s going to maybe fall on one side of, you know, a little bit more automated or distributed or centralized.
Matt: It’s striking to me that, as much as I would like to talk about automated workflow or automated routing or the importance of strict documentation for whatever reporting you want, really, you know, like to Roger, to your point there, what absolutely matters most is, if the investigation turns into the awkward, by surprise, it’s more that there’s this executive will to say, “Okay, fine, but we are going to keep pursuing the truth.”
And that’s where your investigation, your incident management function is going to live or die, as much as I would like, automated documentation. And I promise I have a question about that.
But I mean, Roger, just give me your feedback on how like, I didn’t necessarily think that that’s what we would talk about is the key to success here.
Roger: So we have a really well-defined documentation process for investigations on my side. And I know that the HR side does as well. But at the end of the day, we will stray from that structure because we accept the fact that the work papers that we produce, the documents that we obtain, the records, the information, the data that we utilize to develop conclusions, which is what we do, we do conclusions based on what we review, it has to meet the needs of the individual investigation.
You know, as we always say, there’s always exceptions to every rule. We have a really good structure, but we will create what’s necessary in order to…defend is the wrong word…in order to produce the appropriate level of support for whatever action the institution chooses to take when something is found.
And we’ve all had experiences where you literally will begin an investigation going, “Well, this will be fairly simple.” And then you get halfway through it, and you realize, “Wow, this is anything but simple. It has feeders going out into different areas, I need now to communicate with people that weren’t in the loop before. And I have more of a concern about what happens to the person who did the reporting.”
And you have to put it together in a package. In our perspective, we want to put it together in a package that the average citizen, who has no knowledge of what any of us are talking about, can pick it up, read it, and go, “Ah.” That the average person won’t have any, they won’t have any complex questions after they finish looking at the documentation that we’ve prepared.
So, you know, there are a lot of areas where we work, where the technology – and I don’t want to use the term automation, but we’re gonna call it automation for simplicity’s sake – in order to be able to run programs and data analytics that they run by themselves, that just won’t work for us here. Because there are so many nuances at the University of Florida, so many things. That if we were going to actually have a rigid set of work papers, documentation, or procedures, it would be 10,000 documents. So we have to be able to adjust to what we’re looking at.
And I always go back to, when I get in trouble with this with certain trustees, always for the same thing, to find the truth. Something happened. Somebody felt compelled, when something happened, they felt so compelled that they had to talk about it to somebody. They had to tell the university that this was wrong.
And under that scenario, we have to find the truth. And the truth requires us to be extremely fluid. And we have standards that we follow in terms of documentation. We have standards regarding ethics and bias, but we have to be able to adjust to meet the needs of the individual investigation.
Matt: I still, I do want to circle back to the nerdy stuff, though, about, say, data analytics, for example. What sort of, I don’t know, data fields do you tag complaints or reports with? Or how do you try to study all of this in aggregate? So you can see, we clearly have more of a problem in this field or in this department or at this level of seniority. This is how we’re going to justify the business case for investing in more training or different policies or something.
Like, how does that work? Going from just managing individual incidents to analyzing all the incidents so you can drive better performance? What are you guys trying to do within the university?
Roger: So we actually have broken things down. Our initial process, we broke it down into higher level groups. Again, we primarily apply the analytics to a little bit to HR stuff, but primarily it’s financial-related stuff. You’re going to talk about payroll, disbursements, procurement. So we look at the history of what we’ve done in terms of intakes.
You can break them into certain groups. You have purchasing card, that’s a group unto itself. And then you will have areas where you have payroll, you have research and contracts and grants. And what the data analytics have allowed us to do when we study a series of cases over time is, where does analytics indicate the trends are where we’re having issues, specifically with purchasing?
And sometimes, it’s weird, it breaks it down by what unit within a college traditionally gives us the largest issues of fraudulent purchases, which units within certain colleges give us the highest probability percentages of payroll fraud. And the analytics have been interesting.
We actually have worked extremely closely with our disbursements group and our contracts and grants group and our purchasing card group. And we’ve redesigned and we’ve modified policies on purchasing allowances. We’ve modified review processes for overtime for certain classifications of employees.
We’ve worked very closely with disbursements after Sherry’s [SP] investigations on trends and activities with vendors. Between the time that a vendor comes on board, is recognized as a vendor, to excessive uses by individual departments, or even to the point of excessive uses by individual employees. That we’ve been able to tap historical numbers of investigations and change our purchasing policies on our payroll guidelines to significantly eliminate financial problems through the analytics of what we’ve looked at.
As a matter of fact, our purchasing…I don’t want to say this. I don’t want to get in trouble. Our purchasing card fraud levels are down by 90% over the last, I’m gonna go, five years. And that comes from our early years of looking at all the stuff that people are doing and working with our purchasing card team and their system and using the analytics.
One of the simple things, and this sounds so simple, it’s stupid. Let’s come up with a glossary of terms you should never see in purchasing card activity. I just saw a couple out there: PS2, Guitar Hero, Victoria’s Secret. But as it turns out, you do see Victoria’s Secret in the fine arts department when they’re buying costumes for productions. But still, it gets flagged. Why am I seeing…?
And just for the record, PS2 showed up a bunch of times. We go, “That can’t be right.” Well, it turns out, it was pediatrics that they were putting them in the pediatric clinics. But the analytics caught it. And it goes, “These things, these are problems that you should look at.” And at least it put it out into a report. Yeah, we should never see these words, but just because you see, it doesn’t mean it’s wrong. You still have to put your eyes on it.
When the analytics say these things don’t appear right, you still have to look at it because there are exceptions to the rules. At the University of Florida, we do a lot of weird stuff. You can’t fit all these things into a norm. But the analytics of the after-what-happened perspective of investigations has tremendously changed certain policies and procedures of the university.
Matt: Gio, I want to get your thoughts too, although I just want to chime in quickly. So just listening to you now, Roger, it drives home the importance of documenting evidence in case you do need to drill all the way down into that weird thing that actually was not weird when you look at the specific incident. But also the importance of compliance or audit being able to work well with the businesses.
So the fine arts department can say, “Well, yeah, actually, we do occasionally need this.” And it really is about, at the far end of the analytics, it’s about having a conversation. That’s relationships and that’s being able to show your homework.
But, Gio, back to you. What do you think about and what would you stress, talking about the importance of analyzing all of these things, all of these reports and investigations, so you can drive improvements at the business and better performance overall? You know, what comes to your mind?
Gio: Yeah, I think, this can kind of be a bottomless pit of things that you can track. So this takes some discretion to figure out, “Hey, where are our hotspots? What are the things that would lead us to, you know, kind of discovering something? And what are we going to want to look at in the next quarter the next year?” Well, we have to start collecting that now.
And I think two principles that come to mind is one is garbage in, garbage out, right? So if it’s not getting coded properly, if people aren’t filling in the fields, if the categories aren’t being selected properly, well, then it’s going to make it hard.
To Roger’s point, there’s always going to be some noise in it, right? So it’s never going to be perfect. You can’t just completely automate it. And, you know, it’s not like, you’re just going to sit back and watch the whole compliance machine run. That’s why we’re employed. We’re employed for our discretion, not just to make choices on activities, but to make choices about where we focus our time to discover, you know, potential problems and things like that.
So, you know, I think you want to understand that the way that your data is entered is a big driver of whether you’re going to be able to do analysis on it. And then the other piece is, you know, there’s a big piece of, what are you tracking?
And I think there are a lot of the standard things that you’re going to track of, what location did it happen in? You know, what category is it? Maybe you’re stepping up into that first level, probably has, who reported it, if it’s not anonymous, and where did it come from, what their employee level, and things like that.
As you get into the next layer, it’s kind of looking at some deeper things of, “Well, who are the named people in this report? And you know, where do they reside?” Right. So if it’s reported from this location and this person about this other person, location level, and things like that. There’s that next level of things that largely is done upfront and intake.
I think a lot of the next level of this that, you know, kind of can help you get to some of the things that Roger was talking about is tracking data throughout your process. So looking at things of, you know, how many times did an investigator kind of take action on this? How long was this issue open? You know, how many different reviews do we need for this? And is that good or bad? Is that slowing down the process? Are we getting the right eyes on it?
I think, you know, a lot of people, I think are starting to have that, you know, that initial, “Hey, these reports came in, we were tracking these things.” A lot of that next level is looking at, “Okay, after it came in, it’s kind of like, we know how it started. And we know how it ended. Well what happened in between that?”
That can help you understand, “Hey, you know what? This thing ended improperly. We didn’t spend enough time on it.” Or, you know, you can also be tracking things, you know, we offer custom fields and custom directives, and the ability to set up workflows within our case management system. So when this thing happens, then boom, automatically, this needs an escalated review, or whatever it might be.
When you can do those things kind of in that middle of that process, you can start tracking some more of that nuance that Roger was getting at around, “Hey, you know what? This thing went to the wrong place, and it got rerouted,” or, “This has five, you know, coordinators and investigators on it.”
I think those analytics are going to help you do two layers of analysis to help you improve your program and, ultimately, make ethics easier for you when you’re focused on the right things instead of a bunch of administrative work. You’re going to have analysis on the issues, right? Like, “This issue was reported. What happened with it?” “We tracked what happens with remediation and things like that.” And then you’re also going to be able to track how the work gets done.
And that’s really key to getting yourself on a flywheel where we’re doing the work better. We’re being more efficient with it. We’re focusing on the right things. So then we can do more. And you can get into the place where Roger and his team are, where they’re running a world-class compliance operation. And you can say, “Hey, look, we eliminated 90% of this risk over 5 years.”
That’s a huge thing to accomplish. It’s not done on your own. It’s not done in two months. But it’s something that you say, “Hey, this is a problem. We can identify it. We can break it down into its component pieces. And, you know, scale it up through some technology, right, because when you go deeper on something, it’s more work.
And a lot of us are ultimately balancing the amount of work that we could do. If we could have a team that’s 10 times as big and have a technology budget that’s 10 times bigger, we could probably get more work done. But we’re kind of working within the constraints that we have.
And by partnering with good vendors who are partners to you and help enable you, by getting good technology in place, by working with your internal team, and then building that external knowledge, awareness and relationship, you can, you know, essentially build efficiency, where you’re screening more issues, getting deeper on the right things, and ultimately managing more risk and preventing more bad things. It takes kind of that process of looking at the issues that come in and make sure the issues are taken care of.
And then that second layer of analysis of, “Well, how did this work get done? How do we apply our limited resources? And you know, how can we gain some efficiency there?” Then we can handle more to help achieve the mission of our organization or university, whatever it is.
Matt: So, Gio, you kind of touched on a question that I had been lined up to ask Roger. I was just kind of curious, Roger, what are your key performance indicators for the incident management effort itself? Like, you know, Gio had touched on, I don’t know, case closure times or something like that. But what are the sort of KPIs you would think of if you’re looking at this?
Roger: Well, the number one KPI that we have of things to look at is open time. That we have the date that it arrives. And it’s not as easy to manage as people might think, because, believe it or not, we’re a fairly small team.
So we also lose the ability to manage the closure time on the items that we refer, or we designate to other people. So we have our primary KPI is the life of the intake. When did it come in? And when was it closed?
Well, we have a specific monitoring point where we talk about, “We add an insert in the middle of, when did it come in, when did it go live for investigation, and when was it closed?” Because, again, we have a fairly small team and, at any given time, we could all be sitting in a meeting, and something comes in. I’ve got two now where they said, “I don’t care what it is you were working on before. These two things are your priority until they’re done.”
So we will go back, we’ll go, “Oh, our clock on closing these other three is paused. You can’t penalize us for this.” But you also have to monitor the closure time of the things that you designate to other people.
We’ve had incidents where I would forward to Gio, say you are the dean of one of the colleges, and we have an incident that came in that it was decided that it should be addressed by the dean’s office. We have a lot of those where it’s more of an administrative issue. And the dean’s offices are always happy to do that because they would rather handle it themselves and have us showing up.
So we hand it off to the dean’s office. And then you’ll check back in in 10 days and I’ll go, “Hey, Matt, what’s the status of XYZ?” And the dean’s office goes, “I’m not sure what you’re talking about.” We know they received it. Because it’s the modern world, trust me, they received it. And they simply set it aside and didn’t consider that it was important.
So this is where we go back to the whole partnership route. “Look, man, I understand that, you know, you’re the associate dean for Academic Affairs for the College of Liberal Arts and Sciences, the largest college of the University of Florida. But this is a priority. And, you know, we need you to take a look at this because we worry about the time it takes to close. Someone is sitting out there. They filed a concern about this thing. And we determined that you should look at it and you agree that you would look at it. They’re waiting on something to happen.”
And as a one off, the longer that Gio is waiting to see something happen on a concern that was received, if it’s something that’s really important to Gio, if he doesn’t get satisfaction from the process that we have, his next stop is outside of the university. It’s going to be the newspaper. It’s going to be the TV station. And those things happen. And if it’s a slow news day, we all know the local newspaper is going to pick it up and run it. So closure time, open time is key to us.
The other ones, because I had these kind of marked down, we also look at, one of our KPIs is, quite frankly, volume related to research. We worry about, well, we’re monitoring, we’re measuring the performance of changes and aftereffects, specifically with contracts and grants.
Because now, we’re dealing with the federal government. And when the federal government comes back to us, and they say, “Matt, tell us about the times percentages on X and the times percentages on Y.” We’re not forcing people to make reckless decisions. But we want to make sure they understand there is an aftereffect if you don’t take it seriously and address it quickly.
Matt: And now, we only have about one or two minutes left here. I always like to throw out this sort of closing question for everybody. And Roger, I’ll put it to you. And then, Gio, I’ll let you have the last word.
But I do worry that incident management is already a struggle for a lot of firms. And frankly, it’s only going to get worse, because we’re only going to have more third parties come into large enterprises, and they’re all going to be part of this. Things are only going to get more regulated, I suspect. And whistleblowers are going to have more and more avenues to shotgun their concern to Lord knows where.
So, you know, Roger, if we circle back in five years from now to have this webinar again, like, do you think that the state of this will be better? Will it be worse? You know, what’s the one capability you might try to make sure that you have played very strongly over the coming five years? What would you say to that?
Roger: I would say, if we circled back five years from now, I expect our volume to be double what it is today. Because people are becoming more vocal, and people are becoming more willing to report. I think that the overall state is going to be a little bit worse for us, because they’re not going to increase our resources. They’re going to expect us to be able to handle the increase in concerns.
So I think the net effect on us is going to be worse, but the priority remains the same. Triage, priority cases first, and then, as quickly as you can, handle the cases that aren’t classified as a priority. Confidentiality remains critical.
But I think, again, I’ve been doing this for a long time. I’ve seen my struggles increase over the last five years of staying with the volume. And I think that it’s going to exponentially get worse as time goes forward, until the organizations recognize how critical it is, that while this is quite a minor player in their operations, it can have a significant ramification if it isn’t done professionally.
Matt: All right. And, Gio, I’ll put the same kind of big picture question to you and then let you wrap things up. But you know, what do you see is the future of these challenges?
Gio: Yeah, I think Roger is on the right track with a lot of that stuff. I think volume of reporting is going to increase, I think. You know, we’re already seeing a lot of upgrades becoming available to compliance to handle some more of that volume. But that increased volume doesn’t just mean more work. It means more noise.
So I think the organizations, over the next five years, who are led by ethics experts, who have a plan in place to build out their compliance program and say, “Hey, I need to cast a vision for this because this is the tidal wave that’s coming to us.” That, you know, leverage this movement for ESG or just this understanding in the, you know, in the marketplace that employees are speaking up more, when you can advocate for that to, you know, to your leadership and get some more of those resources.
Listen, it’s going to get tighter, to Roger’s point, it’s going to get tight until your organization becomes one that says, “Hey, you know what? This ethics team is really on point. You know what? They can really help us with this thing that now, you know, PR cares about, and execs care about, and the trustees care about and things like that.”
If and as you can advocate that for that up, you know, kind of get that tone at the top right, I think that that combined with technology is going to enable us to handle some more of this. But, you know, I think we all agree regulation is going to increase. Speaking out is going to increase. And we need to advance with the times.
And you know, I think, as part of that, we need to be figuring out how we personally, we as leaders of our team and we as leaders of our program, the technology, our vendors and all of that, what we can do to stay ahead of that curve and get more value and ROI from our spend, more budget from the broader team, more involvement and cooperation from the people around us. I think that this is going to keep advancing around that.
But I’m hopeful that, you know, we, as an industry and a profession, have been preparing for this. I think that, you know, we generally take this stuff very seriously and work really hard at it. And as our leaders and organizations come around to understanding how well prepared we are, how professional we are, and how ready we are to take on the next challenge, I’m hopeful that, you know, that confluence of buy-in, budget, and excellence is going to allow us to not just get the work done more, but also take better care of our employees, our students, and all of our other stakeholders.
Matt: All right. Well, Roger Frank from the University of Florida, you gave us plenty to think about here, and we appreciate your time. And, Gio, as always, thank you for your ComplianceLine posting this webinar. And thank you to everybody who’s joined us today. You know, we got a lot out of this. And I appreciate everybody’s feedback and comments. Thank you.
Gio: Yeah, it’s been a pleasure.
Roger: Thank you.
Gio: Thank you everyone for joining us.
Roger: Have a good afternoon.