
How to set up incident reporting for lower IT and HSE risk

Accidents hardly ever happen without a warning. Everyone has at some point experienced a near miss: you almost fell on your bike after hitting the curb – but luckily you didn’t. You sigh in relief, learn from it and move on. In a company setting the same logic applies. In this case incident reporting lets your company learn and hopefully prevent future accidents.
“Estimates show that in high-income countries, as many as one in 10 patients is harmed while receiving hospital care. The harm can be caused by a range of adverse events, with nearly 50% of them considered preventable.”
WHO
In this post we will give you an introduction to incident reporting which is the first step towards incident management. You will also learn how to capture valuable lessons from your colleagues.
Along the way we will take inspiration from incident reporting in the standards covering this area: Health, Safety and Environment (ISO 45001 standard) and Information security (ISO 27001 standard).
What is the difference between incidents, non-conformities and deviations?
Some refer to incidents and others to deviations. Let’s quickly sort out the lingo. ISO standards and process literature provide the following definitions:
- Non-conformity: The failure to meet a requirement.
- Deviation: Departure from an approved instruction or standard.
- Incident: An unexpected operational event outside standard operations.
- Non-conformance: A deficiency in a product’s characteristic, making it unacceptable or not meeting specified requirements.
These definitions encompass two main characteristics:
- Unplanned events occur.
- Planned events fail to occur.
Non-conformance, in this context, primarily focuses on the product’s quality impact rather than its cause. Beyond product-related issues, undesirable events encompass near misses, harm, accidents, compliance problems, and missed opportunities.
In healthcare, incidents (often termed “adverse events”) are costly, harmful, and preventable to some extent. While everyone agrees on the need for accident prevention, several factors hinder efficient incident reporting.
Below, we delve into three key reasons behind the challenges in incident reporting.
Three reasons why incident reporting fails
#1 In a culture of perfection there is no room for error
Who wants to be the idiot that admits there was an incident?

In a ‘blame culture’ no one wants to admit they made an error.
If the incident didn’t directly affect anyone – why report it and stand out in a negative light?
Remember: When you set up an incident reporting system, the company must foster a culture of openness and trust. Incidents must be seen as opportunities for organisational learning, rather than individual failures.
IT can help by ensuring anonymity and removing potential penalties for the reporter. Yet this contradicts the purpose of creating a culture of openness where everyone works towards a common goal of systematic improvement.
Management must spearhead this cultural change and embrace incidents’ potential for innovation and improvement. For more on this please read the Harvard Business Review on “The failure-tolerant leader”.
Failures are – after all – better than consistent, repetitive failures.
#2 It’s too difficult to report an incident
If the process of reporting an incident is too much of a hassle, there is a good chance that it will not be reported at all. Everyone doing incident analysis wants more data, but remember that front-line employees are busy bees. If the incident is not reported shortly after the event, employees will move on to the next task on their to-do list.
“Bureaucracy is the art of making the possible impossible”
Someone disillusioned
Striking a balance between getting enough data to understand the incident and keeping the process lightweight enough that it actually gets completed is essential to getting the data needed.
Ease of use for everyone is crucial to getting data at all.

#3 Incident reporting gets no response
As is true for any effort, it is important to see that your input matters. If there is a sensation that management will just ignore the reported incidents, chances are that future incidents won’t be reported.
Saying ‘thank you’ for the report, notifying when it is being handled (or even implemented) is a simple, effective and inexpensive way to show appreciation. Gratitude does not have to be monetary, especially when incident reports help the entire company.
Again – without incident reporting from employees there is no data to prevent future accidents. So keep these cultural factors in mind.
Two main types of incidents to report
To prepare for proper incident reporting, we need to categorize incidents into two very different types that can occur in any organisation. Each is covered by its own ISO standard:
ISO 45001: Health, Safety and Environment (HSE) incidents
An event that does not cause harm but has the potential to cause injury, loss of property or material, or accidents under similar conditions. For example, not wearing a helmet on a construction site. In itself it doesn’t matter, but due to the hazardous environment, protection is key to preventing accidents.

ISO 27001: IT Cybersecurity incidents
Unlike an actual data breach, a cybersecurity incident doesn’t necessarily mean information is compromised; it only means that information is threatened. For example, an organisation that successfully repels a cyber attack has experienced an incident, but not a breach.

The Three Steps to Reporting an Incident
#1 Prevent the incident from becoming an accident
The first activity should always be to stop (if possible) anything bad going on. Let me give you some examples.
What to consider for HSE incidents?

Health and safety incidents usually require physical intervention:
- Electrical plug halfway out? – put it back in.
- Machine out of control? – turn it off.
- Soap on the ship deck? – clean it up.
Please remember that you must keep yourself safe in the process!
Secure the scene by barricading the area if possible and prevent any further entry thus protecting your colleagues from harm.
What to consider for IT incidents?
Cybercrime is harder to discover. There are rarely masked people raiding the server room. Intervention comes in many forms – if it is possible at all.
You may be able to prevent phishing emails from being forwarded (or send an alert email to everyone), and if you suspect that someone has the master password, it might be a good time to change it.
#2 Gather information
Document the incident details thoroughly. Include information such as the date, time, and location of the incident, names of involved parties, and any witnesses. Take photos or videos if it’s safe to do so.
#3 Report the incident
Now it is time to fill in an incident form and start the formal incident management process. For this you need the right format. We cover this in a separate article that we hope you will find useful: Improving Employee Incident Reports for Better Data
Going from reporting incidents to managing incidents
Let’s assume you now have incident reporting in place. Then it’s time to do something with the reports and actually learn and improve from them. This is the topic of ‘incident management’. We have written this article as a high-level intro to the topic: Why Every Company Needs an Incident Management System
Lastly, here is a step-by-step guide on how to create an incident reporting process using the process management platform Gluu. Based on knowledge from the ISO 27001 and ISO 45001 standards, we will create an incident reporting process in Gluu: How to set up your incident management process.
Conclusions
This post emphasizes incident reporting’s vital role in preventing workplace accidents and promoting organizational learning. It relates near misses in personal life to corporate incidents, stressing the risk-reduction benefits of reporting. The article introduces incident reporting with references to ISO standards (ISO 45001 and ISO 27001), explaining key terms like non-conformity, deviation, and incident.
It pinpoints three common issues hindering effective incident reporting:
- A culture of perfection discouraging error admission.
- Complex reporting processes.
- Insufficient acknowledgment or response to reports.
The need for cultivating open and trusting reporting environments is emphasized. Incidents are categorized into HSE and IT Cybersecurity types, each requiring prompt action to prevent accidents. The three reporting steps—accident prevention, information gathering, and reporting—are detailed with practical guidance.
Overall, the article underscores incident reporting’s role in enhancing workplace safety and risk management, highlighting the complexities and challenges of implementation.

Frequently Asked Questions
Gluu’s incident reporting tool is designed to provide a seamless and efficient user experience. What sets it apart from similar software in the market is its comprehensive suite of features which includes real-time incident tracking, automated workflows, and customizable report templates. Its emphasis on ease-of-use means users can quickly report incidents without having to navigate through complex interfaces. Moreover, Gluu’s tool emphasizes collaboration, enabling members of an organization to work together in addressing and resolving incidents.
When it comes to data security, Gluu’s incident reporting tool takes a proactive approach. It ensures the safety of user data through a combination of rigorous security protocols, including data encryption, access controls, and secure cloud storage. Regular security audits are performed to identify and address any potential vulnerabilities. Thus, users can depend on Gluu to maintain the privacy and integrity of their data.
Yes, users can access Gluu’s incident reporting tool on multiple devices including computers, tablets, and smartphones. This multi-platform accessibility ensures that users can report and track incidents wherever they are, greatly enhancing operational efficiency. As for system requirements, Gluu’s web-based nature means that it can be accessed on any device with a web browser and internet connectivity. Therefore, there aren’t any stringent system requirements; however, users will have the best experience with a stable internet connection and an updated web browser for optimal performance and security. This cross-platform functionality and minimal system requirements make Gluu’s incident reporting tool both accessible and convenient for users across an organization, facilitating a more proactive and responsive approach to incident management.
