Gluu

How to run your employee compliance training & development without LMS

Blog / Quality management (QHSE)

How to set up incident reporting for lower IT and HSE risk

Tor Christensen
By
Last updated on 19/10/2023

Estimated reading time: 7 minutes

Accidents hardly ever happen without a warning. Everyone has at some point tried a near miss: You almost fell on you bike hitting the curb – but luckily you didn’t. You sigh in relief, learn from it and move on. In a company setting the same logic applies. In this case incident reporting lets your company learn and perhaps prevent future accidents.

“Estimates show that in high-income countries, as many as one in 10 patients is harmed while receiving hospital care. The harm can be caused by a range of adverse events, with nearly 50% of them considered preventable.”

WHO

In this post I will give you an introduction to incident reporting which is the first step towards incident management. You will also learn how to capture valuable lessons from your colleagues.

Along the way we will find inspiration from incident reporting in the standards covering this area: Health, Safety and Environment (ISO 45001 standard) and Information security (ISO 27002 standard).

What is the difference between incidents, non-conformities and deviations?

Some refer to incidents and others to deviations. Let’s quickly sort out the lingo. ISO standards and process literature provide the following definitions:

  1. Non-conformity: The failure to meet a requirement.
  2. Deviation: Departure from an approved instruction or standard.
  3. Incident: An unexpected operational event outside standard operations.
  4. Non-conformance: A deficiency in a product’s characteristic, making it unacceptable or not meeting specified requirements.

These definitions encompass two main characteristics:

  1. Unplanned events occur.
  2. Planned events fail to occur.

Non-conformance, in this context, primarily focuses on the product’s quality impact rather than its cause. Beyond product-related issues, undesirable events encompass near misses, harm, accidents, compliance problems, and missed opportunities.

In healthcare, incidents (often termed “adverse events”) are costly, harmful, and preventable to some extent. While everyone agrees on the need for accident prevention, several factors hinder efficient incident reporting.

Below, we delve into three key reasons behind the challenges in incident reporting.

Three reasons why incident reporting fails

#1 in a culture of perfection there is no room for error

Who wants to be the idiot who admits there was an incident?

Peronal blaming on incidents reduces the incentive to report.
“You did what?!?”

In a ‘blame culture’ no one wants to admit they made a failure.
If the incident didn’t directly affect anyone – why report it and stand out in a negative light?

Remember: When you set up an incident reporting system, then the company must foster a culture of openness and trust. Incidents must be seen as opportunities for organisational learning, rather than individual failures.

IT can help by ensuring anonymity and removing potential penalties for the reporter. Yet this contradicts the goal of creating culture of openness where everyone works towards a common goal of systematic improvement.

Management must spearhead this cultural change and embrace incidents potential for innovation and improvement. For more on this please read the Harvard Business Review on “The failure-tolerant leader”.

Failures are – after all – better than repetitive failures.

#2 it’s too difficult to report an incident

If the process of reporting an incident is too much of a hassle, there is a good chance that it will not be reported at all. Everyone doing incident analysis want more data, but remember that front-line employees are busy bees. If the incident is not reported shortly after the event employees will move on to the next task on their todo-list.

“Bureaucracy is the art of making the possible impossible”

Someone disillusioned

Striking a balance between getting enough data to understand the incident and making the process lightweight enough to ensure that it is completed, is essential to getting the data needed.

Ease of use for everyone is crucial to get data at all.

#3 incident reporting gets no response

As for any effort it is important to see that your input matters. If there is a sensation that management will just ignore the reported incidents, chances are that future incidents won’t be reported.

Saying ‘thank you’ for the report, notifying when it is being handled (or even implemented) is a simple, effective and inexpensive way to show appreciation. Gratitude does not have to be monetary, especially when incident reports help the entire company.

Again – without incident reporting from employees there is no data to prevent future accidents. So keep these cultural factors in mind.

Two main types of incidents to report

To prepare for proper incident reporting we need categorize incidents into two very different types that can occur in any organisation. Each is covered by its own ISO standard:

ISO 45001: Health, Safety and Environment (HSE) incidents

An event not causing harm, but has the potential to cause injury, loss of property or material or accidents under similar conditions. For example, not wearing a helmet on a construction site. In itself it doesn’t matter, but due to the hazardous environment protection is key to prevent accidents.

Cloud Download Icon

ISO 27001: IT Cyber security incidents

Unlike an actual data breach, a cyber security incident doesn’t necessarily mean information is compromised; it only means that information is threatened. For example, an organisation that successfully repels a cyber attack has experienced an incident, but not a breach.

Cloud Download Icon

The Three Steps to Reporting an Incident

#1 Prevent the incident from becoming an accident

The first activity should always be to stop (if possible) anything bad going on. Let me give you some examples.

What to consider for HSE incidents?

preventing incidents from becoming an accident
Please prevent the incident from becoming an accident

Health and safety incidents usually require physical intervention:

  • Electrical plug halfway out?
    – put it back in.
  • Machine out of control?
    – turn it off.
  • Soap on the ship deck?
    – clean it up.

Please remember that you must keep yourself safe in the process!

Secure the scene by barricading the area if possible and prevent any further entry thus preventing your colleagues from harm.

What to consider for IT incidents?
Cyber-crime is harder to discover. There are rarely masked people raiding the server room. Intervention comes in many forms – if it is possible at all.

You can maybe prevent phishing emails from being forwarded (or alert emails can be sent to everyone) and if you suspect that someone has the root password, it might be a good time to change it.

#2 Gather information

Document the incident details thoroughly. Include information such as the date, time, and location of the incident, names of involved parties, and any witnesses. Take photos or videos if it’s safe to do so.

#2 Report the incident

Now is the time to fill in an incident form and start the formal incident management process. For this you need the right format. I cover this in a separate article that I hope you will find useful: Improving Employee Incident Reports for Better Data ↗️

Going from reporting incidents to managing incidents

Let’s assume you now have incident reporting in place. Then it’s time to do something with the reports and actually learn and change from them. This is the top of ‘incident management’. I have written this article as a high level intro to this topic Why Every Company Needs an Incident Management System ↗️

Lastly, I will give you a step-by-step guide on how to create an incident reporting process using the process management platform Gluu.

Based on knowledge from the ISO 27002 and ISO 45001 standard, we will create a incident reporting process in Gluu.

As one of the fathers of modern manufacturing once put it:

Conclusions

This post emphasizes incident reporting’s vital role in preventing workplace accidents and promoting organizational learning. It relates near misses in personal life to corporate incidents, stressing the risk-reduction benefits of reporting. The article introduces incident reporting with references to ISO standards (ISO 45001 and ISO 27002), explaining key terms like non-conformity, deviation, and incident.

It pinpoints three common issues hindering effective incident reporting:

A culture of perfection discouraging error admission.
Complex reporting processes.
Insufficient acknowledgment or response to reports.

The need for cultivating open and trusting reporting environments is emphasized. Incidents are categorized into HSE and IT Cybersecurity types, each requiring prompt action to prevent accidents. The three reporting steps—accident prevention, information gathering, and reporting—are detailed with practical guidance.

Overall, the article underscores incident reporting’s role in enhancing workplace safety and risk management, highlighting the complexities and challenges of implementation.

You might also like ...