Incident Response Plan: 15 Steps to Address Workplace Incidents, Accidents and Emergencies

Preparation is the key to timely, effective incident response

Posted by Dawn Lomer on February 13th, 2018

The key to developing an effective incident response plan is the understanding that it’s not a matter of “if” an incident or accident occurs in the workplace; it’s a matter of “when”. In 2016, employers reported almost 2.9 million non-fatal workplace injuries and illnesses and 5,190 fatalities. And by December of 2017, the Identity Theft Resource Center (ITRC) had recorded 1,293 U.S. data breaches for the year, with more than 174 million confidential records exposed.

Employees should be trained on how to respond to workplace incidents and cybersecurity incidents so that they know what to do when the inevitable occurs. Proper training and incident response planning can mean the difference between chaos and control and can save your company from fines, lawsuits and reputation damage. This article provides a template for what to include in your incident response plan.

What is an Incident?

The definition of an “incident” can include a broad range of events. Incidents can be:

  • Workplace accidents and injuries
  • Other health and safety incidents
  • Near misses
  • Physical security breaches, such as break-ins
  • Workplace violence
  • Cyber incidents or data breaches

What is an Incident Response Plan?

An incident response plan is a set of written instructions that outline a method for responding to and limiting the damage from workplace incidents. Every company should have a written incident response plan and it should be accessible to all employees, either online or posted in a public area of the workplace.

Incident response plans should be specific to different incident types. For example, an incident response plan for a physical security breach, such as a break-in, would be very different from a data breach or cyber incident response plan.

Cybersecurity or Data Breach Incident Response Plan

To create a cybersecurity incident response plan, you should first determine:

  • what data you have
  • where it is
  • how important it is to your business
  • what security measures are in place to protect it
  • what back-ups are in place
  • which regulations govern your data
  • what level of cybersecurity insurance, if any, your company has in place


Responding to a Cybersecurity Incident or Data Breach

A response plan for a cybersecurity incident or data breach should include the following steps:

  1. Inform your corporate security and IT departments immediately.
  2. Complete a preliminary incident report so that there is evidence of the prompt action taken to investigate and contain the breach.
  3. Secure all computers and mobile devices that could be involved in the breach. Take all involved devices offline but avoid turning on computers or devices that are off. Engage a forensics team to examine computers and devices if you don’t have in-house expertise and follow their advice for securing devices and files.
  4. Investigate whether to notify your internal investigative team or call in outsiders. Act immediately to get the investigation started and the preservation of evidence under way before valuable evidence is deleted or lost.
  5. Interview everyone involved and anyone who might know anything about the breach.
  6. Notify your customers, if necessary, according to data breach notification regulations for your jurisdiction.
  7. Reassure affected consumers about the breach and your response to it. Outline the actions you will take to mitigate any harm consumers may suffer. Consider engaging a third-party company to help manage your incident response to minimize the reputational damage and your risk of lawsuits.
  8. Determine whether to alert regulators and the media and document the decision as well as any actions you take. Regulations vary depending on the type of data involved and the industry. Breaches of personal health information, for example, are subject to strict regulations.
  9. Complete the investigation, analyze the results to determine the cause of the breach and take corrective actions to prevent data theft in your organization in the future.
  10. Complete a detailed incident report, outlining the incident and the company’s response to it.

Physical Security or Workplace Incident Response Plan

Your plan for physical security and workplace incidents, such as break-ins, active shooters or accidents, should start with:

  • Regular safety audits and risk assessments to determine weak points in your premises and fix them where possible.
  • Employee training on security measures, including who can be admitted to the premises and how to secure entrances.
  • Employee training on safety issues and use of equipment, when necessary.
  • An “incident response team” of employees who are responsible for safety and security updates and have assigned responsibilities.
  • Training for employees on what to do in the event of a workplace incident and who to go to on the incident response team.
  • Regular drills and dry runs to prepare for different types of workplace incidents.
  • A review of the company’s insurance coverage level for different types of workplace security incidents and accidents.

Responding to an Accident or Workplace Incident

An accident or incident response plan should include the steps to take when a workplace incident occurs, including:

  1. Check that all employees are safe and address any injuries or illnesses immediately. For simple cuts and bruises or other minor injuries, basic first aid treatment may suffice. For serious injuries or illnesses, determine the level of emergency and contact an appropriate medical professional.
  2. If there is a serious injury or fatality, report the incident immediately to the appropriate authority. Reporting requirements may be different in each state in the US. In Canada, reporting regulations differ by province. Know where to report.
  3. Assess the scope of the incident. Determine which employees were involved or affected and the nature of any injuries or damage.
  4. Identify any witnesses and document their information. This will help to decide who to interview if and when an investigation is initiated.
  5. No matter how trivial the incident or accident may seem, every incident should be documented in a detailed incident report.

Documenting Workplace Incidents

Every workplace incident should be documented in a comprehensive incident report, even when long-term consequences are unlikely. Detailed documentation ensures you have the background information you need if a complaint related to the incident arises in the future.

An incident report proves that the company:

  • Acknowledged the incident
  • Investigated the incident
  • Took the necessary steps to comply with any state or federal regulations related to the incident
  • Ensured those involved in the incident had a chance to tell their story
  • Completed a root cause analysis to determine why the incident occurred
  • Took steps to prevent its reoccurrence

Root Cause Analysis for Workplace Incidents

Once the investigation is closed and the incident is fully documented in an incident report, it’s time to do a root cause analysis to find out why the incident occurred and how to prevent it from occurring again.

A root cause analysis should isolate the main reason the incident occurred:

  • Policies or procedures not developed or not followed
  • Inadequate or missing training
  • Faulty equipment or facilities
  • Exposure to infections or contagious viruses
  • Poor communication
  • Productivity issues
  • Environmental hazards
  • Employee behavior
  • Missing or faulty personal protective equipment
  • Inadequate physical security equipment

The assessment should conclude:

  • Why the incident occurred
  • How future occurrences can be prevented
  • Corrective action plan and timeline

A final assessment should also include a review of the effectiveness of the incident response plan, with recommendations and a timeline to address any weaknesses.


Dawn Lomer

Manager of Communications

Dawn Lomer is the Manager of Communications at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.
