Steve Foster is executive vice president and chief operating officer of Business Controls, Inc., the country's leading incident reporting and corporate investigations firm.


Four years ago, when a terminated employee began sending former co-workers threatening e-mails and accosting them in the company parking lot, Rae-Ellen Hamilton, vice president for human resources of CSG Systems in Denver, immediately turned to her incident reporting and corporate investigations consultant for help.

The threatened employees were becoming increasingly stressed by this man’s menacing behavior. Hamilton feared the man would harm them or other employees, and she wanted to handle the potentially violent ex-employee firmly but safely. “My first concern was for our employees’ safety. I also was concerned that his continued harassment would lead to lost productivity, stress-related absences, or resignation for these employees,” Hamilton said.

PROMPT, DECISIVE ACTION

The consultant advised Hamilton to act immediately and not wait until the situation escalated. First, the firm recommended blocking the man’s e-mails. Then the consultant guided the legal department through the process of getting a temporary restraining order to keep the man from approaching the CSG facility. The man had often bragged about his military background, using weapons and force to get what he wanted. Through the restraining order process, it became apparent that the man would resist any attempts to put controls on him. Ultimately, the court awarded CSG a permanent restraining order to cover all CSG locations globally.

WRAPAROUND PROTECTION

CSG, a publicly traded international solutions and services provider for the communications industry, had already implemented the consultant’s anonymous incident reporting system as mandated by the Sarbanes-Oxley Act. “They advised us to bring the affected employees into the process and have them use the existing incident reporting hotline if the man approached them again,” Hamilton said. “They also made themselves the man’s sole point of contact, deflecting his attention from CSG and our local employees. Although the consultant’s investigative and psychological divisions determined the man was unlikely to carry out his threats, four years later he continues to contact the investigations firm with requests to lift the restraining order “so [he] can buy a gun.”

Hamilton is convinced the story might have had a different outcome without the consultant’s expertise and breadth. “They stepped in quickly with resources and know-how we couldn’t possibly maintain in-house,” she said. “We would have lost employees if he had hurt someone, and of course productivity and morale would have dropped with the continuing harassment.”

Hamilton is unsure how to measure the dollar value of the consultant’s intervention, but she insisted, “That’s the sort of thing I never want to have to quantify. With their support, we kept our employees safe, and you can’t put a price tag on that.”

PROTECTING PERSONAL DATA

Fortunately, most workplace incidents do not involve threats of violence. But loss of sensitive personal data can wreak just as much havoc for an organization.

In early March 2006, a laptop containing names and social security numbers of more than 93,000 current and former Metropolitan State College of Denver (Metro State) students was stolen from the home of an employee. The employee had been using the unencrypted data to write a grant proposal and his master’s degree thesis.

The college immediately contacted an incident reporting and security firm to both analyze the security risk and to set up telephone and Web-based hotlines to field questions from the affected students.

“They strategized with us, and we decided to hold an immediate press conference to get the information out to the affected students and the public,” said Cathy Lucas, interim assistant vice president of communications for Metro State.

QUELLING THE PANIC

Within hours, the consultant had implemented two hotlines and developed customized scripts and FAQs for the telephone operators. The Web-based hotline featured FAQs and custom reporting fields.

The consultant determined that the admissions employee was not at fault, but the investigation of IT policies and procedures revealed many data security threats. The firm recommended stronger restrictions on employee access to data, mandatory data encryption, stronger password requirements and shorter session time-out intervals.

And social security numbers may no longer be downloaded to laptops.

Lucas stressed the value of outsourcing the incident. “Using a third party to conduct the assessment and staff the hotlines gave Metro State greater credibility. They were a critical component in assessing the situation and minimizing the damage. It could have been an ongoing crisis without them.”

SUMMING UP

Workplace violence and data security compromises can place excessive burdens on managers who lack the training and experience to deal with crisis situations. Prudent companies can avoid the stress and the potential liability from crisis mismanagement by calling an expert in the art and science of workplace security.