Risk-Based Investigations: Lessons from Highly Regulated Industries
Drawing on engineering, aerospace, and pharmaceutical risk-management disciplines, the panelists laid out a practical, risk-based framework for triaging matters, scoring severity, assessing detectability, and quantifying whether an issue is minor, major, or critical.
Joah Park
Ethicsverse Lead Producer
Finding the bad actor and closing the file is no longer enough; regulators, the DOJ, and highly regulated industries now expect organizations to prove their systems work. This session brought together a panel of investigation, internal audit, and compliance practitioners to challenge a deeply ingrained habit: treating each internal investigation as an isolated event to be closed rather than a window into systemic weakness. Drawing on engineering, aerospace, and pharmaceutical risk-management disciplines, the panelists laid out a practical, risk-based framework for triaging matters, scoring severity, assessing detectability, and quantifying whether an issue is minor, major, or critical. The throughline was a shift from activity-based compliance — counting cases handled — to effectiveness-based compliance, where success means similar events stop recurring and the underlying system becomes more resilient and trustworthy. Along the way, the panel showed why interview-driven, "find the villain" investigations fail under regulatory scrutiny, why investigations should never sit in organizational silos, and how genuine business partnership turns the investigation function into an engine for organizational learning.
This episode of The Ethicsverse examines the methodological gap between conventional internal investigations and the systems-based, risk-quantified approach demanded by highly regulated industries and contemporary regulatory enforcement. The panel argues that organizations frequently conflate procedural activity with program effectiveness, treating investigations as discrete events oriented toward identifying culpable individuals rather than as diagnostic instruments revealing control-system failures. Drawing on established disciplines in engineering reliability, aerospace systems design, and pharmaceutical quality management, the discussion advances a four-dimensional analytical framework — secondary triage, severity, detectability/trending, and probability — that enables consistent, defensible categorization of matters as minor, major, or critical.
Activity Is Not Effectiveness
The panel drew a sharp line between counting how many investigations a program completes and proving those investigations actually reduce systemic and repeat events.
An effective program is measured by whether similar issues stop recurring, not by the sheer volume of cases closed.
Moving from activity-based to effectiveness-based compliance was framed as the central mindset shift of the entire session.
Finding the Bad Actor Is Where the Work Begins, Not Where It Ends
Highly regulated industries and bodies like the DOJ may use different terminology, but they share an expectation that organizations rely on systems, risk-based thinking, and evidence rather than simply identifying one wrongdoer and closing the file.
Regulators routinely ask how an organization knows an issue is contained and not happening elsewhere across the enterprise.
A defensible investigation must exonerate the systems that could have been implicated, not just name the individual involved.
Human Error Is a Symptom, Not a Root Cause
Regulators including the Nuclear Regulatory Commission and the DEA will not accept "human error" as an explanation and will issue a finding against programs that stop there.
Treating the individual as the endpoint signals an immature program that cannot demonstrate genuine containment.
The mature posture treats human error as a symptom and the underlying system as the cause that actually needs investigation.
Secondary Triage Asks What Should Have Happened
Beyond the intake question of "what happened?", secondary triage forces a second question: what control, SOP, electronic system, governance program, or code of conduct should have prevented this if it were working properly?
This hypothesis-driven, fishbone-style brainstorming surfaces every plausible system that could have been implicated in the failure.
Following a system and having an adequate system are two different things, and triage is where that distinction gets tested.
Severity, Detectability, and Probability Form a Quantifiable Spine
The framework evaluates each matter across severity, weighing its regulatory, legal, business, and cultural significance.
It assesses detectability and trending by examining how the issue was caught and how often the same issue or control has been implicated before.
It then weights probability to identify which systems are most likely implicated based on design and history, borrowing directly from engineering, aerospace, and software-design risk methodologies.
Categorization Drives Prioritization and Depth
Once a matter is categorized as minor, major, or critical, that categorization should drive prioritization, timing, milestones, and the depth of corrective action required.
A genuine policy misunderstanding with no harm and no history can be closed in hours when the systems are demonstrably solid.
An enterprise-level risk where decades-old controls have gone stale demands far greater scope, resources, and scrutiny.
Understand What the System Was Designed to Prevent
You cannot evaluate a failure without first understanding the system's original design intent — what it was built to prevent and detect, who designed it, and what controls were embedded.
When a "Fort Knox" system is circumvented by multiple people, that signals a potentially compromised enterprise rather than an isolated lapse.
Controls designed adequately twenty years ago may no longer be adequate as business models and risk environments change.
Detectability Reveals Your Blind Spots
How an issue was detected is itself a diagnostic signal about whether the surrounding system is functioning.
If a matter surfaced through the normal monitoring channels designed to catch it, the system is working as intended; if ten people had to call it in because the channels failed, it was effectively undetectable.
An undetectable issue is a blind spot, and blind spots are precisely where the most dangerous systemic risk lives below the surface.
Investigations Must Withstand the Scrutiny of Time
A defensible conclusion is one that a different trained professional could review three to five years later and still find sound.
This standard requires consistency, documentary support, and institutional justice, including documenting the reasoned decisions not to proceed.
Audit, in this framing, is essentially an investigation multiplied many times over, asking whether the original work truly contained the issue.
Silos Are a Governance Failure; Partnership Is the Solution
When investigative, internal audit, compliance, and HR functions operate in isolation, accountability falls through the cracks and the organization loses its richest source of cross-functional insight.
Internal audit knows how to navigate systems, gatekeepers, and access in ways few other functions can, making it the ideal first partner on complex matters.
The greatest investigative successes came from genuine business partnership, where teams co-authored training, built controls together, and treated the investigation function as a shared engine for organizational learning.
Closing Summary
The throughline of this session is a single reframing: an investigation is not an event to be closed but a diagnostic window into the health of an organization's systems. By importing risk-quantification disciplines from engineering, aerospace, and regulated manufacturing — secondary triage, severity scoring, detectability analysis, and probability-weighted root cause hypotheses — practitioners can replace subjective, interview-driven, "find the villain" investigations with evidence-anchored work that holds up years later under regulatory and audit scrutiny. The payoff is effectiveness rather than activity: fewer repeat events, systems that grow more resilient, and a compliance function that earns its place as a strategic partner to the business. None of it works in isolation, though. The most durable results come when investigations, audit, compliance, and HR partner around shared evidence and feed what they learn back into the system, transforming the investigation function from a perceived cost center into a genuine driver of organizational learning and enterprise value.