Risk & Compliance Incidents - Comprehensive User Guide

Purpose & Scope

The Risk & Compliance Incidents module is designed to capture, assess, investigate, and resolve incidents that impact organizational operations, compliance, or risk posture. It serves as a comprehensive incident management system that integrates with other Battleground Live modules.

Key Features

End-to-end incident lifecycle management from logging to closure
AI-powered assistance through Radar for quality improvement and response suggestions
Automatic integration with resilience and business continuity modules
Comprehensive audit trail with locked assessment data
Flexible workflow adaptable to different organizational structures
Rich reporting capabilities with dynamic filtering and pivot tables

Module Positioning

Located under Risk Intelligence in the main navigation
Renamed from “Incidents” to “Risk and Compliance Incidents” to distinguish from “Resilience Incidents”
Operates on the same licensing model as other Risk Intelligence features (organizational site basis)

User Roles & Permissions

Risk Manager Role

Full access to all incident management functions
Can complete all workflow steps from logging to closure
Access to all reporting and configuration options
Can perform post-closure reviews

Risk User Role (Standard)

Conditional access based on involvement in incidents
Can access incidents where they are:
- Named as logger, assessor, owner, or coordinator
- Owner of connected records (processes, policies, etc.)
- Added to the incident response team
Cannot perform post-closure reviews (second-line reviews)

Access Philosophy

Transparency by default: Everyone can see all incidents for organizational learning
Involvement-based permissions: Users get edit access when they have a role
Audit trail protection: Initial assessments are locked to preserve integrity

Detailed Workflow Walkthrough

Phase 1: Incident Logging

Initial Setup Screen

Navigation: Risk Intelligence → Risk and Compliance Incidents → Create New

Mandatory Fields:

Incident Name: Concise title describing the event
- Example: “Failure to send letters for interest rate changes”
Description: Comprehensive details including:
- What happened
- When it occurred
- Duration of the incident
- Who or what was affected
- Any known impacts
- Avoid assumptions, personal opinions, or confidential information
Date Logged: Auto-populated with current date
Assessor Selection: Choose who will evaluate the incident impact

AI Enhancement with RAiDAR

Purpose: Improve initial incident quality without rewriting content
Process:
1. Enter your description
2. Click “Analyze with RAiDAR”
3. Review AI suggestions for improvement
4. Manually incorporate relevant feedback
Output: Tips and suggestions, not automatic rewrites
Note: May require prompt refinement based on organizational needs

Date Management

Three Critical Dates:

Date Identified: When the incident was first discovered
- Can be any past date, not future
- Often different from when it occurred
Date Occurred: When the incident actually happened
- Can be any past date, not future
- May be unknown initially
Date Logged: When formally recorded in system
- Defaults to current date
- Cannot be future date

Real-world Context: Most incidents are logged days or weeks after they occur and are identified, making these separate dates crucial for accurate reporting.

Location and Disruption Assessment

Location Selection: Choose from predefined organizational locations
Critical Question: “Is this currently disrupting your ability to operate?”
- Yes Response:
  - Automatically creates connection to Resilience Incidents module
  - Prompts: “Would you like to view this record?”
  - Enables immediate business continuity response
- No/Don’t Know Response:
  - Continues with standard incident workflow
  - No resilience module connection created

Phase 2: Impact Assessment

Consequence Evaluation

Consequence Level Selection:

Uses same consequence table as risk assessments
Options typically include: Insignificant, Minor, Moderate, Major, Catastrophic
Assessment Comments: Space for detailed impact analysis

Consequence Categories:

Multiple categories can be selected
Examples: Financial, Operational, Reputational, Regulatory, Safety
Allows for multi-dimensional impact assessment

Strategic Questions

Three key organizational impact questions:

Financial Impact: “Could this lead to a material financial impact?”
- Purpose: Early identification of significant financial exposure
- Follow-up: If yes, requires detailed comments
- Use Case: Helps prioritize resource allocation and escalation
Critical Operations: “Could it lead to an impact on ability to maintain critical operations?”
- Purpose: Identifies business continuity implications
- Integration: Links to critical operations framework
- Escalation: May trigger additional response protocols
Compliance Breach: “Could it lead to a reportable compliance breach?”
- Purpose: Early regulatory impact identification
- Future Integration: Will connect to compliance module for breach management
- Regulatory Preparation: Enables proactive regulator notification planning

Ownership Assignment

Incident Owner: Person accountable for incident resolution
Selection Process: Choose from organizational user list
Responsibility: Overall accountability for progressing the incident through workflow
Authority: Can make decisions about incident progression and closure

Assessment Locking Mechanism

Critical Feature: Clicking “Next” locks all assessment data
Purpose: Preserves initial assessment for audit and regulatory purposes
Immutability: Locked data cannot be changed, only supplemented with reassessments
Audit Trail: Maintains integrity of original incident evaluation

Phase 3: Record Connections

Linking Strategy

Purpose: Connect incident to relevant organizational elements for:

Impact analysis and understanding
Automatic team member identification
Comprehensive reporting and trend analysis
Root cause investigation support

Connection Types

Processes:

Selection: Choose from organizational process library
Impact: Identifies which business processes were affected
Team Building: Process owners automatically added to incident team
Reporting Value: Enables process-specific incident reporting

Critical Operations:

Auto-Population: Flows from connected processes
Business Continuity: Links to critical operations framework
Regulatory Relevance: Important for operational resilience reporting

Policies:

Breach Identification: Which organizational policies were violated
Examples: Data protection, modern slavery, operational procedures
Compliance Tracking: Enables policy breach reporting and analysis

Service Providers:

Third-Party Impact: External organizations involved in incident
Vendor Management: Links to supplier risk management
Contractual Implications: May trigger SLA or contract review processes

Automatic Team Assembly

Team Building Logic:

System automatically recommends team members based on record ownership
Example: If incident connects to “Accounts Payable” process, the process owner becomes recommended team member
Benefit: Ensures relevant subject matter experts are included
Flexibility: Recommendations can be accepted, modified, or supplemented

Phase 4: Team Management & Coordination

Required Roles

Coordinator:

Mandatory Role: Must be assigned for incident progression
Responsibility: Manages incident response team and activities
Authority: Can modify team composition and assign tasks
Flexibility: Can be same person as owner or different individual

Team Composition Flexibility

Automatic Additions:

Record owners from connected processes, policies, service providers
System provides recommendations with rationale
Example: “Recommended for Craig Goldberg because they own Jax Workshop service provider record”

Manual Additions:

Process: Click “Add” and search organizational directory
Use Cases:
- Subject matter experts not connected to formal records
- Senior stakeholders requiring visibility
- External consultants or advisors
No Restrictions: Not limited to record owners

Organizational Flexibility

Scalability Considerations:

Small Organizations: Same person can fill multiple roles (logger, assessor, owner, coordinator)
Large Organizations: Different people for each role with proper segregation
Departmental Structure: Can route to divisional risk teams or central functions
Authority Levels: Can require senior approval for certain actions

Phase 5: Escalation Decision Point

Critical Workflow Branch

Key Question: “Do we need to notify anyone or complete investigations?”

“No” Response Path:

Use Case: Incident already contained, just recording for compliance
Workflow: Skips directly to Review & Closure phase
Benefit: Streamlines process for simple or already-resolved incidents
Example: Historical incident being logged for record-keeping

“Yes” Response Path:

Use Case: Active incident requiring investigation and response
Workflow: Enters full Contain & Respond phase
Resources: Full action management and team coordination tools
Timeline: May remain open for weeks or months

Phase 6: Contain & Respond (Active Incidents)

Incident Status Management

Re-entry Capability:

Flexibility: Users can exit and re-enter incidents multiple times
Status Preservation: System maintains current phase and progress
Team Access: All team members can contribute to ongoing response
Audit Trail: All changes and updates are logged with timestamps

Dynamic Reassessment

Reassessment Capability:

Purpose: Update impact assessment as situation evolves
Process:
1. Modify consequence level (e.g., from Moderate to High)
2. Update consequence categories
3. Revise strategic impact questions
4. Add reassessment comments
Audit Trail: Creates new assessment record while preserving original
Historical View: Can review all assessments over time

Team Management During Response

Dynamic Team Modification:

Add Members: Bring in additional expertise as needed
Role Changes: Modify responsibilities based on incident evolution
Access Control: New members gain access to full incident history
Communication: Team changes trigger notifications

Action Management System

Action Types:

Comments: General observations and updates
Communications: Stakeholder notifications and updates
Decisions: Key choices made during response
Tasks: Specific assignments with accountability

Task Management Features:

Assignment: Delegate to specific team members
Due Dates: Set completion timelines
Status Tracking: Monitor progress (Not Started, In Progress, Complete)
Dependencies: Link related tasks and activities

Example Task Creation:

Task: “Get Alex to deliver the letters”
Assignee: Alex (selected from team or organization)
Due Date: 30th of current month
Status: In Progress
Comments: Additional context or instructions

AI-Powered Response Assistance

Radar Response Suggestions:

Trigger: Click “Generate potential response tasks”
Analysis: AI reviews incident details, connected records, and organizational context
Output: Suggested response activities and tasks
Examples:
- “Develop communications plan for affected customers”
- “Review and update relevant policies”
- “Coordinate with service provider for remediation”
- “Prepare regulatory notifications”
Implementation: Suggestions can be accepted, modified, or used as inspiration
Continuous Improvement: Prompts will be refined based on usage and feedback

Progression Criteria

Containment Assessment:

Question: “Has the incident been contained and effectively responded to?”
Yes Response: Enables progression to Review phase
No Response: Continues in Contain & Respond phase
Flexibility: Can move back and forth as situation evolves

Phase 7: Review & Analysis

Final Record Verification

Linkage Review Process:

Purpose: Confirm accuracy of all connected records based on investigation findings
Editability: Can add or remove connections discovered during response
Examples:
- Remove process initially thought to be impacted
- Add service provider discovered during investigation
- Include additional policies found to be relevant
Reporting Impact: Final linkages drive all subsequent reporting and analysis

Enhanced Impact Assessment

Comprehensive Impact Documentation:

Customer Impact Quantification:

Question: “How many customers were impacted?”
Regulatory Relevance: Many regulators require annual customer impact reporting
Data Quality: Enables accurate regulatory submissions
Trend Analysis: Supports customer impact trend reporting

Financial Impact Assessment:

Question: “Was there any financial impact? How much did it cost us?”
Example: “$900 operational loss”
Risk Management: Links to operational risk loss databases
Control Valuation: Enables cost-benefit analysis of risk controls
Insurance: Supports insurance claim documentation

Compliance Breach Documentation:

Confirmation: “Was there a compliance breach associated with the incident?”
Regulatory Notification: “Did we need to notify our regulator?”
Regulator Selection: Choose from dropdown (future: integrated with compliance module)
Automated Reporting: Future capability for standard breach notification reports

Severity Analysis Enhancement

“Could Have Been Worse” Analysis:

Question: “Could the consequence of this incident have been significantly more serious?”
Purpose: Understand near-miss scenarios and control effectiveness
Follow-up Questions:
- “What could it have been?” (potential worse outcome)
- “What stopped it?” (effective controls or lucky circumstances)
Strategic Value:
- Identifies high-value controls that prevented escalation
- Supports investment decisions in risk management
- Provides data for control effectiveness reporting
- Enables “value of controls” analysis as referenced in Paul’s SeaWorld presentation

Phase 8: Root Cause Analysis

Three-Tier Classification System

Configurable Depth:

Simple Organizations: Can use single-level categorization
Complex Organizations: Can implement full three-tier system
Flexibility: Number of levels adjustable per organizational needs

Classification Levels:

Factors (High-level categories):
- People
- Operations
- Technology
- External factors
Categories (Mid-level groupings):
- Inadequate processes
- System failures
- Training deficiencies
- Vendor performance
Root Causes (Specific causes):
- Detailed identification of actual cause
- Enables precise trend analysis
- Supports targeted remediation

Root Cause Documentation

Detailed Analysis Requirements:

Narrative Description: Comprehensive explanation of why incident occurred
Example: “Our third-party service provider didn’t send the letters, and we did not monitor performance to identify the issue on a timely basis”
Supporting Evidence: Attachments for detailed root cause reports
Quality Standards: Should identify systemic issues, not just immediate causes

AI-Enhanced Root Cause Analysis

Radar Root Cause Assistance:

Analysis: Reviews incident details and initial root cause assessment
Feedback: Provides suggestions for deeper analysis
Examples:
- “Consider clarity of communication requirements”
- “Evaluate performance monitoring systems”
- “Assess system integration capabilities”
Purpose: Elevates quality of root cause analysis without replacing human judgment
Challenge Function: Encourages deeper thinking about underlying causes

Phase 9: Risk & Control Integration

Control Failure Analysis

Control Identification:

Question: “What control failed or was ineffective?”
Selection: Choose from organizational control library
Effectiveness Review: “Do we need to re-evaluate the effectiveness of any control?”
Documentation: Record whether re-evaluation has been completed
Integration: Links to control effectiveness monitoring

Risk Class Connection

Risk Classification:

Question: “What was the risk class associated with this incident?”
Examples: Compliance risk, operational risk, technology risk
Re-evaluation Trigger: “Do we need to re-evaluate that risk?”
Risk Register Integration: Can create new risk records directly from incident
Trend Analysis: Enables risk class incident reporting

Action Plan Integration

Action Plan Management:

New Plans: “Is a new action plan required?”
Existing Plans: “Link to an existing action plan”
Multiple Plans: Can connect to several related action plans
Creation Capability: Can create new action plans directly from incident screen
Progress Tracking: Links to action plan monitoring and reporting

Phase 10: Closure Process

Closure Checklist

Completion Verification:

Actions Complete: “Have we completed the actions?”
Root Cause Done: “Has the root cause analysis been done?”
Action Plans Sufficient: “Are the action plans sufficient?”
Notifications Complete: “Have all relevant people been notified?”

PIR Report Generation

Post-Incident Review Documentation:

Automatic Generation: Creates comprehensive PDF report
Content Includes:
- All incident linkages and connections
- Assessment history and reassessments
- Root cause analysis findings
- Action plans and remediation activities
- Team members and responsibilities
Use Cases:
- Board reporting
- Regulatory submissions
- Internal lessons learned
- Audit documentation

Closure Authorization

Authority Management:

Self-Closure: User can close incidents they manage
Delegated Closure: Can select other users for closure authorization
Example: “Only Craig can authorize closure of high-risk incidents”
Audit Trail: Records who actually performed closure action
Flexibility: Supports organizational approval hierarchies

Phase 11: Post-Closure Review (Optional)

Second-Line Review Process

Purpose: Independent validation of incident management quality

Reviewers: Typically risk management or audit teams
Access: Can review all incident documentation and PIR reports
Single Question Approach: “Do you concur with the closure of this incident?”
Simplicity Philosophy: Avoids complex checklists in favor of professional judgment

Review Outcomes

Concurrence (Yes):

Status: Incident moves to “Closed Post Review”
Finalization: Incident fully completed
Reporting: Available for all standard reporting

Non-Concurrence (No):

Status: Returns to “Closed Pending Review”
Action Required: Must address reviewer concerns
Comments: Reviewer provides feedback on deficiencies
Remediation: May require additional investigation or documentation

AI Integration (Radar)

Radar Capabilities Overview

AI Enhancement Philosophy:

Augmentation, Not Replacement: AI assists human judgment rather than making decisions
Quality Improvement: Focuses on elevating the quality of human input
Contextual Awareness: Considers incident details, connected records, and organizational context
Privacy Protection: Does not use organizational data for AI model training

Incident Description Enhancement

Process Flow:

User enters initial incident description
Clicks “Analyze with Radar”
AI analyzes content for quality and completeness
Provides specific suggestions for improvement
User manually incorporates relevant feedback

Example Feedback:

“Consider adding specific timeframes for when the incident occurred”
“Clarify the nature of oversight or monitoring gaps”
“Specify the scope of customers or systems affected”
“Avoid including personal identifiable information”

Quality Improvements:

Completeness: Identifies missing critical information
Clarity: Suggests clearer language and structure
Compliance: Flags potential confidentiality or regulatory issues
Consistency: Promotes standardized incident documentation

Response Task Generation

AI-Powered Response Suggestions:

Context Analysis: Reviews incident type, severity, connected records, and organizational structure
Task Generation: Suggests specific response activities
Customization: Recommendations tailored to incident characteristics

Example Suggestions:

“Develop customer communication plan for affected mortgage holders”
“Review and update interest rate change notification procedures”
“Coordinate with third-party service provider for process improvements”
“Prepare regulatory breach notification for relevant authorities”
“Conduct staff training on monitoring requirements”

Implementation Approach:

Inspiration, Not Prescription: Suggestions serve as starting points for human decision-making
Customizable: Users can modify, combine, or ignore suggestions
Learning Opportunity: Helps less experienced staff understand comprehensive response approaches

Root Cause Analysis Support

Analysis Enhancement:

Initial Review: AI analyzes user’s root cause assessment
Depth Evaluation: Identifies opportunities for deeper analysis
Alternative Perspectives: Suggests additional angles to consider
Quality Challenge: Encourages more thorough investigation