What Incident Triage Is and Why You Shouldn't Skip It
Incident triage is key to effective, efficient investigations. Learn the steps to triaging and why you shouldn’t skip it in this guide.
Amy’s Kitchen, a vegetarian food brand known for their frozen burritos and pizzas, has recently been in hot water for alleged mistreatment of their employees. One widespread issue, according to ex-employees, was the mishandling of harassment complaints. According to Eater, the former “workers outline[d] a pattern of sexually inappropriate behavior and allege that HR did not sufficiently act on complaints of harassment.”
While the cause of the mishandling is unknown, failure to triage could be the culprit. While the word “triage” might summon images of a hospital emergency room in your mind, incident triage is an essential step to handling internal issues in organizations from all industries.
Failure to triage complaints and reports gives them time to escalate. As a result, your company could face non-compliance penalties, lawsuits, and bad press. Depending on the type of issue, it endangers your employees and your organization, too.
Follow this guide to learn more about how to triage your internal incidents and why it’s important.
What is Incident Triage?
Incident triage is the step where you evaluate an incident and decide how to tackle it. You might start this stage when you receive a complaint or report, or immediately after an incident (such as a security breach or workplace injury).
Triaging is a key aspect of incident response. Without it, you could add legal trouble to an already stressful situation. For instance, if you don’t notify customers of a data breach within the timeframe set out in your local regulations, you could be hit with a fine.
Not sure how to triage effectively?
In this free white paper, compliance expert Tom Fox explains the steps you need to take for thorough, compliant investigations, including the incredibly important triage stage.
Collect Reports
Step one of incident triage is collecting the complaints or reports. To do this effectively, your organization needs an easy-to-use reporting system that’s checked often. Even better, use case management software that integrates with your hotline to create instant case files when reports are received so you can start triaging right away.
To streamline your triaging process, design your reporting system to be as thorough as possible. The form should include spots for the involved parties, date(s) of the incident(s), the nature of the incident, and a free-text box for details.
Determine Seriousness
Next, you must analyze the incident and decide how serious it is. The higher the level of seriousness, the faster and more sensitively it should be dealt with.
Gauge Legal Consequences
While it’s a separate step from determining seriousness, gauging the report’s potential legal consequences helps you identify what stage the incident is in and how quickly you need to address it.
For example, say Harold reported that he is being harassed by Kim. If you don’t investigate the allegations quickly and seriously, Harold could sue your organization.
You can also include compliance considerations in this step of incident triage. For instance, say your company processes data, you must notify affected parties within 72 hours of becoming aware of a data breach. So, even if you have other investigations on the go, you’d need to move that incident to the head of the line in order to avoid regulatory fines or other repercussions.
Choose an Investigator
Next, choose an investigator or team to tackle the allegations. Fox says that the seriousness of the incident, as well as its potential consequences for the involved parties and your organization, should determine whether you handle the case internally or with external help.
As an example, he explains:
“If you have something around an expense report violation, it certainly could be important, but it’s not an illegal act or even about the company situation. And so, you can deal with it quickly, efficiently, in-house, by reviewing expense reports and talking to a few people. But, if it turns out there may be . . . accounting fraud or illegal or unethical behavior, which could lead to illegal behavior, that’s something that’s very serious. You need to elevate that. It may go as high as the board of directors and you need to bring in serious investigative council.”
Make a Timeline
Finally, create a timeline for addressing the incident. This doesn’t have to be a full investigation timeline, but should include the order of next steps and rough deadlines for each one.
It might sound like the simplest step, but shifting your schedule around during incident triage takes a lot of thoughtful work. That’s why it’s essential that not just any team member completes the task.
Fox asks, “Do your employees have training to do the job?” He stresses that “whoever you appoint or handles the triage needs to have the ability to actually perform that,” as it’s a delicate part of the incident response process.
The 5 Steps of Incident Response
Incident triage is just one step you have to take when responding to a workplace incident. In fact, a lot of the work should occur before an issue even arises.
So, what are the phases of incident response?
Start with preparation. In this first phase, you’re getting your team ready for when incidents occur. This stage includes writing (and updating) an incident response plan, training your employees on the plan, and making sure you have the necessary resources to handle incidents of all types.
Step two is detection. Detecting problems can be tough, especially if employees are afraid to come forward. Having a speak up culture and multiple robust reporting mechanisms in place will help you catch issues before they escalate.
Next up is triage and analysis. As described above, this is the stage where you study the details of the report and decide who will handle the issue, how, and when.
After that is the containment and eradication stage. The goal of this step is to minimize the impact as much as possible, which looks different for each incident type. For example, you might allow a harassment victim to work remotely so they can avoid their alleged harasser. Or, you change passwords used in your payroll system if you suspect an employee defrauded it.
Lastly comes the post-incident activity phase. Use this time to plan preventive actions that will reduce the risk of the issue happening again. This will likely be the longest phase but also the most important.
Don't succumb to the chaos of an incident.
Having a clear plan in place helps you respond to and resolve incidents faster, without having to worry that you missed a step. Download our incident response plan template to start writing yours.
Incident Response Checklist
Responding to an internal incident is always stressful and often chaotic. However, knowing the actions you’ll need to take ahead of time ensures the process goes smoothly.
Next time you’re faced with an issue, use this incident response checklist so you don’t miss any important steps:
- Incident triage
- Contain the risk
- Make a timeline
- Assign roles and responsibilities (can be laid out ahead of time in an incident response plan)
- Notify necessary parties
- Investigate or otherwise work toward resolution
- Complete documentation (e.g. incident log, incident report, investigation report, root cause analysis)
- Write corrective and preventive action plans
- Analyze the affects these plans have had and rework if necessary
“Triage is critical to make an initial determination of how important an issue is, how significant it is, and how quickly you need to get to your investigation, because the clock is ticking.”
-Tom Fox
Why Incident Triage Matters
Any incident could be the one that takes down your organization. That’s why incident triage is such an important step of the response process. It also ensures that every investigation is timely, compliant, and handled sensitively and correctly.
Conduct More Efficient Investigations
Thoughtful incident triage helps you make decisions that then lead to more efficient, effective investigations and resolutions.
A major decision in this process is choosing an investigative team. Based on the seriousness level, scope, and nature of the issue, your team could include employees from HR or legal, a forensic auditor, and/or an internal controls specialist, says Fox.
Fox also emphasizes the importance of knowing when you should bring in outside counsel, such as when you need an expert with a specific skill set or need an unbiased investigator.
Triage also helps you set a reasonable, compliant timeline. This ensures you complete the investigation as soon as possible, but not to the detriment of other issues you’re dealing with.
Finally, who needs to know about the incident besides the involved parties? While triaging, you need to determine what Fox calls the “ultimate audience,” or “the final person or persons who would review your report.” This could include:
- A regulatory body
- Senior management
- Board of directors
- Internal committee (e.g. compliance)
- Judge and/or jury
- Other employees
- Affected customers/clients (i.e. after a data breach)
Knowing your audience will help you determine how and when to deal with the incident, as well as what information to include in your triage documentation.
Catch Issues Before It’s Too Late
If you don’t triage your internal incidents, you risk giving an issue time to escalate into an even bigger problem. That means bad news not just for the involved parties, but for your organization, too.
First, you could become the victim of an illegal act, such as fraud or theft. These schemes can go undetected for months or even years, so the minute you receive a report of suspected fraud, you need to take action.
Failing to act quickly against unethical behavior could also lead to legal trouble or reputation damage for your company.
For instance, restaurant chain Applebee’s agreed to pay $100k to settle an EEOC complaint. Why? An employee reported coworkers calling him racial and homophobic slurs but “he was told the co-workers were ‘just joking around’ and was told to ‘ignore it’. The store manager claimed to have investigated, but Applebee’s has no record of any investigation,” explains employment lawyer Janette Levey.
“Sure you can ‘just ignore it’—for now,” says Levey. But putting off dealing with problems won’t solve them. “If your company is sued, I can assure you the lawsuit will NOT go away if you ignore it,” she warns.
Encourage Formal and Informal Reporting
While many of the reports you have to handle during incident triage will come from your formal reporting mechanisms (e.g. hotline, webform, email), be sure to include informal reporting avenues as well.
Encourage a speak up culture where employees feel safe sharing concerns without fear of retaliation. Managers should report issues their employees raise to them (with permission) with HR or your compliance department before big incidents happen.
“The most important thing before setting up a helpline . . . is to ensure you deal with corporate historical malfeasance or issues so that you set a new foundation,” explains Shannon Walker, President of WhistleBlower Security. “Once you set a new foundation, you can start to put training, and tools, and open door policies [into effect and] then you can start to really discourage retaliation.”
An open culture with strong formal and informal reporting will help you catch issues faster and more often.
Keep Thorough Records
When triaging, make sure to document the decisions you make, as well as the reasons behind them. Take note of:
- Incident type and details
- Seriousness level/stage (as described above) and why
- Date you received the report
- Deadlines for next steps
- Assigned investigator(s) and why
- Compliance considerations (if applicable)
- Explanation for placement in your investigation lineup (if not placed at the back of the line)
By documenting these details, you can protect your organization if an employee challenges your process.
For instance, say you receive a report that one employee called a coworker a homophobic slur on the same day you uncovered major accounting fraud. The fraud would affect your company more, so you investigated that first. If the harassed employee feels you didn’t respond quickly enough to their complaint, you can show that you determined more people would have experienced negative consequences from the fraud, so you handled that first.
Want to learn more about incident triage?
Watch Tom Fox's entire webinar (for free!) to ensure your internal investigations go right from start to finish.
How Case IQ Can Help
If you’re still capturing and managing incidents and complaints with spreadsheets or an outdated system, you’re putting your organization, your employees, and your reputation at risk.
Case IQ’s powerful case management software offers multiple intake options to ensure no reports slip through the cracks.
Integrate your intake system to save time and eliminate both mistakes and duplicated effort. Upon case creation, Case IQ flags related cases and involved parties, giving you the full picture as your start your investigation.
Learn more about how Case IQ can reduce resolution time and improve your organization’s investigations here.
Frequently Asked Questions
What is the meaning of triage?
The term "triage" refers to the process of evaluating an incident or complaint to determine its severity and prioritize response actions.
What is an example of a triage?
An example of triage is studying the details of the report (a harassment complaint, for instance) and decide who on your team will handle the issue, how, and when, and whether or not the report warrants a full investigation or can be resolved in another way.
What are the 5 levels of triage?
The five levels of triage typically include:
- Insignificant: incident causes near-negligible amount of damage to victim and organization
- Marginal: incident causes minor amount of damage to victim and organization
- Moderate: incident causes sizeable amount of damage to victim and organization
- Critical: incident causes a great deal of damage to victim and organization
- Catastrophic: incident causes unbearable amount of damage to victim and organization