Report Intake Portal: This is the website in which the organization’s employees, staff, vendors, customers, or investors enter to make a report. This is also the portal that the call center agents use when receiving an intake call. The report intake portal can be found at www.mysafeworkplace.com. Through this website, individuals can file a report or check report status.
Enterprise Portal (EP): This is the portal in which the organization’s management or executive staff will utilize to access and actively manage reports, organize the database to reflect the organization’s relevant information (i.e. subsidiaries, alternate names, tiers, locations, departments etc.), gather statistical information regarding the organization, and follow-up with the reporting party. Enterprise Portal (EP) Users are the managerial members who the organization deems appropriate to have access to the database. The enterprise portal consists of two different modules:
User Groups: Reports are routed based on User Group settings and NOT individual user settings. Each EP user will be placed in a User Group (with the exception of OSAs). The User Group settings include the tiers and locations that User Group should have access to, the incident types they should receive, and the email alerts the group should receive. The main purpose of a User Group is to simplify routing of reports. By grouping EP users with similar requirements, configuration of your report distribution is simplified.
An example of a user group is that of the audit committee. If you have four audit committee members who are to receive reports from every location for several incident types (such as accounting errors, auditing matters, and ethical violations), you can put these four individuals in a User Group labeled “audit committee”. The “audit committee” user group would then receive the reports for the designated incident types for all locations. However, if you have an individual (for instance a CEO) that is interested in specific incident types or email notification rights that do not match another User Group, simply place the CEO in a User Group with NO other members.
Organization and Tier Structures:
1. An organization (company, institution, agency, or other business type) is established as its own entity, having a unique set of users, locations, departments, user groups, and distribution logic. It may also have a subsidiary organization, which can have its own unique set of users, locations, department, user groups, and distribution logic. A subsidiary is linked to its parent organization; and the parent has no other “upward” linkage to another organization. Throughout the EP, “organization” refers to a parent or a subsidiary organization.
2. Tiers can be established to facilitate the distribution logic of reports, by associating locations to sub-structures within the organization, and then associating those sub-structures upward. The default setting is for a two-tier structure (organization and location). An unlimited number of tiers may be added between those two levels. For example, a location may be associated with a division; and the division may be associated with a region; and the regions then associated with the organization. In this example, there would be 2 new tiers added to the organization’s configuration for a total of 4 tiers (1. location, 2. division, 3. region, and 4. organization). Tiers can facilitate the selection of multiple locations at once, by selecting the highest appropriate tier (which automatically selects all sub-tiers and locations for the tier selected).
Distribution Logic: The distribution logic is accessible through the Enterprise Portal and only OSA and OM users have access to this portion of the database. The distribution grid allows for the specific routing of incidents, based on organization, location, and incident type. The incidents are routed within 3 minutes and notification sent via email to the appropriate designated individuals.
There are three options for the EP users to have access to and to receive notification about incident reports and related updates to these reports:
1. Access Only: The User Group (by incident type) with this designation will ONLY have access to the incident reports and will NOT receive emails alerts. These User Groups must be very proactive and enter the database through the unique URL provided to them by MSW and actively check for incident reports and message board updates.
2. Initial/Audit Emails Only: The User Groups (by incident type) with this designation will receive the initial email alert and audit emails. Audit emails include notification of newly granted access to EP users on a specific report, as well as modifications to location and/or organization assignment. EP users with this designation will NOT receive notification emails pertaining to the message boards (investigatory notes and talk to reporting party). See below for detailed description of the message boards.
3. All Emails: EP users with this designation will receive ALL email alerts. This includes initial email, audit emails, and all message board notifications.
Reports are retrievable in two ways: 1) via the email notification and hyperlink sent to your email account upon submission of a report, if you have been set up to receive email notifications (see above), or 2) by going to the Enterprise Portal (the URL specific to your organization), logging in, and clicking on in incident number in the Incident Overview listing. The Enterprise Portal URL was provided to all EP users when they received the welcome letter containing their username and initial password. By entering the system this way, all EP users will have the ability to review reports they are designated to see.
Please review your personal filtering structures regarding your email account (junk mail settings, filtering or email handling rules, etc.). It is important to check with your IT department to make sure your internal system will not block the email alerts generated by MySafeWorkplace®. All notifications to you regarding incidents submitted through MySafeWorkplace® come from the following email address:
Regarding EP users external to your organization, such as audit committee members who may have AOL, Earthlink, CompuServe etc. as their email accounts, we suggest setting up company email accounts for them. You can then set up their company email to simply forward alerts from email@example.com to their personal email accounts. This should ensure they receive those alerts even if those service providers have blocked MySafeWorkplace® emails.
Although we make a conscious effort to contact individuals if they have not reviewed a report, it is ultimately not the responsibility of MySafeWorkplace® to check that EP users are monitoring their system and reviewing incidents. You should regularly check your database by entering through the Enterprise Portal URL to see if there are reports that have not been reviewed. This is to ensure that even if your internal email system has blocked the notifications, you are still reviewing the incidents.
Message Boards: The EP allows for an anonymous dialogue with the reporting party via the message boards. These message boards are found on each report. They are labeled Talk to Reporting Party and Investigatory Notes. Talk to Reporting Party messages allows EP users to follow up with the reporting party and protects the anonymity of both the reporter and the EP user, who is identified as “your organization”. Should an EP user wish to disclose their identity to the reporting party, they may do so by including their name and/or contact information in the body of the message. The Investigatory Notes section allows for continual documentation by EP users who have access to a report. Investigatory Notes are NOT accessible by the reporting party.
Incident Report Activities
For users that are designated to respond, review, and investigate incident reports submitted via MySafeWorkplace®, it is important to understand the different report activities available.
• Categories. This is an optional feature of MSW. If you chose to utilize this feature, it is recommended that you use it as descriptors to help you better organize your workload. Priority is a sortable column in the incident overview listing. MSW recommends using caution if using this feature to prioritize. Be careful with your choice of words and establish protocols to determine what each priority means. In the unfortunate situation in which litigation ensues, it may be difficult to explain to a reporting party why a report is prioritized “low” and others of the same incident type are prioritized “high”. Seeking legal consultation regarding this feature is recommended.
• Report Status. There are five report statuses utilized within MSW. Each status is defined below and reflects the status descriptions provided to reporting parties when they call to check report status.
o New: The report has been submitted, but has not been reviewed by the organization.
o Reviewed: At lease one authorized EP user within the organization has reviewed the report. This is an automatic status change. Once an EP user logs on to review the report, the status is automatically changed to Reviewed.
o Action Pending: A review or investigation into the incident report is in progress. This status change is a manual process.
o Closed: The review or investigation has concluded and reported issue has been resolved or no further action will be taken. This status change is a manual process.
o Re-Opened: New information has been presented and the review or investigation has resumed. This status change is a manual process.
• Granting/Removing Access. EP users at the OSA and the OM levels have the opportunity to add or remove individual EP users from specified reports (in addition to the automated distribution to user groups). However, they CANNOT remove other OSAs or OMs and can only remove EP users with access levels lower than their own level. The Audit History log records the date and time an EP user was added or removed, who made the change, and the reason for the change.
• Modifying location, incident type, and organization selection. Oftentimes, reporting parties choose an inappropriate location, incident type, or organization. (The mistaken organization selection usually only occurs when there are subsidiaries associated with a parent organization). The MSW solution allows for EP users at the OSA and OM level to make modifications to these three distribution parameters if the report incorrectly identifies these items and therefore the distribution to the appropriate EP users is inaccurate. Consistent with MSW’s standard of preserving the integrity of the original information submitted from the reporting party, ALL initial information is retained and the modifications are listed along with the original information in the report.
• Message Boards. Message Boards include “Investigatory Notes” (internal for EP users only) and “Talk to Reporting Party”. Messages are “threaded”, meaning that the original message and any replies to that message are linked together to show continuity. Message Boards are described in greater detail in the following section.
Guidelines for Using Message Boards
MySafeWorkplace® message board capabilities allow EP users to communicate anonymously with reporting parties. Additionally, message boards allow for internal tracking to document steps taken during an investigation and can provide for valuable case management tracking. There are two message boards, one available only to EP users, and one available to communicate with reporting parties. Links to the message boards are found at the top of each incident report. The report must be opened before you will be able to view the message boards. These message boards are labeled “Talk to Reporting Party” and “Investigatory Notes.”
• Both of these message boards are accessible by any EP user who has been assigned to review that specific incident type.
• RO users can view the information in the message boards, but cannot post their own message or reply.
• The reporting party has the ability to access their own report and post messages on the message board by using the unique access code assigned and personal password created upon report submission.
• The reporting party is coached on the importance of checking report status by the call center agent and via instructions on the website and is encouraged to check back within 24-48 hours and to look for messages from the organization.
• The message boards protect both the anonymity of the reporting party and the EP user. A reporting party will see that messages are from “Your Organization”. EP users will see the name of the specific EP user who created the message or reply, and will see “Reporter” for postings from the reporting party, regardless of the anonymity level selected by the reporting party. Therefore, the reporting party does not know the identity of the EP user who posted the message to them and the EP user does not know the identity of the reporting party.
• Every time a message is posted, an email alert will be sent to all EP users who are configured to receive “all emails” for that specific incident type. The email will contain a hyperlink stating a message has been posted. This is similar to the initial email received when the initial incident was submitted. Note: the email link goes to the report, not directly to the message. The report must be opened first, and the message accessed by clicking on the appropriate message board button.
• Once a message is posted, it is permanently retained in the database. Messages posted via these message boards CANNOT be deleted or edited! You are encouraged to utilize the spell check feature and to review the content before you save the message. A warning/reminder will appear when you save the message to indicate whether or not the message will be viewable by the reporting party. This is your ONLY opportunity to back up and modify the message if necessary and to confirm that you are in the correct message board (Investigatory Notes or Reporting Party). Once saved, the message cannot be removed or altered.
• EP users can mark Investigatory Notes and Talk to Reporting Party as “attorney work product”. This option IS NOT available to the reporting party. Although this option is available, please use it cautiously. Should a report result in litigation, ALL messages and report content may be subject to discovery.
• The Incident Report Overview page contains two columns that allow you to know, at a glance, if messages and replies have been posted. These columns are labeled “IN” and “RE” and contain the number of messages and the number of replies (i.e. #/#). “IN” is for Investigatory Notes, and “RE” is for Reporting Entity. For example, if the “IN” column reads “2/1”, there have been two investigatory notes posted with one reply.
• For security purposes, there is a 20-minute automatic time-out when creating messages. Keep this in mind when entering messages into the message board. If you have the message open for an extended period of time, you may lose the message content.
• You have the ability to cut and paste a text document into the message boards. MySafeWorkplace® recommends creating a lengthy document in a text or word processing program, and then cut-and-paste the content into the message boards. This may prevent you from being timed out and losing some, if not all, of the information you have created. Note: you do not have the ability to attach documents to the report; you may only cut-and-paste content into the message board content window.
Suggested Guidelines for Posting Messages:
MySafeWorkplace® suggests the following best practices for using message boards:
• You should establish internal protocols for utilizing the message boards and setting parameters appropriate for your organization.
• The number of individuals assigned to review incidents will determine the complexity of the message boards. However, you may limit the complexity by assigning EP users to the Read Only user level.
• If there are more than two individuals assigned to review and respond to a specific incident type, it is recommended that one individual take the lead with the investigation and track the results on the message boards. If there are too many hands in the process, the chances of making mistakes are greater.
• If someone should not be responsible for responding to incidents, or there are concerns about certain individuals documenting responses to an incident, assign those individuals to the Read Only user level. They will have the ability to read the message board, but not write any information in this section.
• MySafeWorkplace® recommends an initial message be submitted once a reporting party has made a report. This message demonstrates that the report was reviewed and is being looked into by the organization. MySafeWorkplace® recommends this message thank the reporter for coming forward. Often, the organization may ask for more information or allow a different avenue for the reporter to come forward with more information. Here is some sample language to consider:
”Thank you very much for coming forward with this information and we value your concerns. We truly want to investigate the situation to the best of our ability and identify appropriate possible solutions. To assist us in completing a good faith investigation, we would like to offer you a couple of options. If you feel comfortable speaking with our HR department [or other department], please call [insert name and phone number] to discuss this in more detail. If you would like to continue to protect your anonymity, please continue to communicate with us through these message boards. We have a couple of questions that need clarification so we can move forward in the correct direction with the investigation. . . ”
• DO NOT state in any messages that the individual “should” or “need” come forward and relinquish his/her anonymity to ensure a proper investigation. This is not appropriate and will most likely scare or anger the reporter and potentially pose a liability risk for the organization. Most likely, the reporter is using this system because they DON’T feel comfortable initially providing their contact information. You can offer direct contact as an option (as seen above), but remember to always support the reporter if he/she chooses to continue to remain anonymous.
• It is recommended that you do not cut-and-paste a generic response to each and every report that comes in. The reporter may potentially file more than one report and see the generic response more than once. Experience has shown that reporters perceive this as the organization “does not care” and they are less likely to assist with the remainder of the investigation, or worse, less likely to bring forward concerns in the future.
• Providing minimal details regarding the investigation is the best approach. The organization has NO duty to provide a detailed explanation regarding its investigative endeavors or conclusions.
• Try to use “we” instead of “I” when responding to incidents. This will let the reporter know that the organization as a whole is thankful the information was brought forward and is looking into the reporter’s concerns, not one specific individual. In the unfortunate case that the reporting party becomes angered, we do not want the individual fixated on one specific person within your organization.
• MySafeWorkplace® recommends that any EP user who changes status on an incident post a message in the Investigatory Notes message board to inform the other users that status has been changed and the reason for changing status.
• If you continually post messages to the reporting party and do not receive any response, you have a couple of options:
o If you review the incident and notice that the reporter chose the anonymity option “Remain anonymous towards organization,” you know that the reporter provided MySafeWorkplace® with contact information. You can call your Account Manager or speak with any of our support team at our Corporate Headquarters at 800-335-7639 and ask us to contact the reporter. MySafeWorkplace® will then remind the reporter of the two avenues for checking report status and let them know that their organization is attempting to respond to the submitted report.
o If the reporter did not provide MySafeWorkplace® with contact information, there are no other options to get in touch with the reporter. MySafeWorkplace® recommends you post a message relating this information. Here is some sample language to consider:
“We thank you for the information you have brought forward. We have attempted to contact you to gain some more information so we can properly investigate the matter, but have been unsuccessful in receiving a response from you. Without further information, we will have a difficult time bringing this issue to a close. Until we are able to gain some more information, we will not be able to further investigate this issue. Please remember, you can remain completely anonymous through this process.”
• Keep in mind that these reporters are often frightened and unsure what the outcome will be by coming forward with their concerns. Any message that conveys to the reporter that the organization has heard them and plans on looking into the matter will usually help diminish their anxiety.
• MySafeWorkplace® understands that every reporter is unique and, therefore, every incident submitted will be different. Please feel free to call us at anytime to help obtain advice regarding the message boards. This tool can be very helpful, if utilized in the proper fashion.