STEAD Framework Incident Investigation, Evidence, and After-Action Review

Establish what happened, preserve the record, and correct the system.

A unified investigative and after-action framework for serious incidents, failures, and institutional risk.

The STEAD Incident Investigation, Evidence, and After-Action Review framework defines how correctional agencies preserve evidence, establish facts, protect due process, coordinate investigations, identify root causes, assign corrective action, and verify that systemic weaknesses were resolved.

Investigative boundary: This public page describes governance and quality principles only. Active investigative methods, evidence locations, witness identities, surveillance details, protected records, security vulnerabilities, and law-enforcement-sensitive information remain restricted.

Investigation purpose

A serious incident should produce more than a report. It should produce verified institutional correction.

Correctional incidents may involve operational failure, misconduct, criminal activity, healthcare, infrastructure, technology, staffing, training, policy, or command.

No single review method can answer every question. STEAD separates immediate fact preservation, criminal investigation, administrative review, clinical review, technical analysis, and after-action improvement.

The objective is to protect evidence and due process while still giving leadership the information needed to correct urgent systemic risk.

01
Preserve before interpreting Records, scenes, media, logs, devices, statements, and physical evidence are secured first.
02
Separate investigative purposes Criminal, administrative, clinical, technical, and policy reviews retain appropriate boundaries.
03
Protect due process Findings remain evidence-based, attributable, reviewable, and consistent with lawful rights.
04
Identify root causes Review extends beyond individual error to staffing, design, training, policy, and systems.
05
Verify corrective completion Action plans close only after evidence shows the underlying condition improved.

Investigation domains

Eight review domains create a complete institutional record.

01 / FACTS

Timeline and verified event record

Establish what occurred, when, where, who was involved, what systems were active, and what actions followed.

02 / EVIDENCE

Collection and chain of custody

Preserve physical, digital, documentary, photographic, video, audio, device, and system evidence.

03 / CRIMINAL

Potential criminal conduct

Coordinate with authorized investigators, prosecutors, law enforcement, and courts when criminal conduct may be involved.

04 / ADMINISTRATIVE

Policy and professional conduct

Review compliance, authority, supervision, decision-making, training, reporting, discipline, and organizational responsibility.

05 / CLINICAL

Healthcare and patient-safety review

Evaluate access, triage, treatment, medication, documentation, continuity, clinical judgment, and professional standards.

06 / TECHNICAL

Technology and infrastructure failure

Review systems, devices, alarms, communications, utilities, cybersecurity, maintenance, configuration, and recovery.

07 / OPERATIONS

Command and institutional performance

Examine staffing, posts, movement, response, communications, logistics, coordination, and continuity of essential functions.

08 / SYSTEMIC

Root cause and organizational correction

Identify recurring conditions, design weakness, resource gaps, policy conflict, cultural issues, and broader statewide implications.

Investigation principle

Accountability is incomplete when the institution punishes a person but leaves the failed system unchanged.

Individual responsibility and systemic responsibility are not mutually exclusive. A serious incident may involve misconduct while also revealing weak staffing, poor design, inadequate training, broken equipment, or unclear policy.

STEAD requires investigators and reviewers to identify both direct actions and the conditions that made failure more likely.

The final measure is not how quickly a report is closed. It is whether the institution became safer, clearer, and more reliable afterward.

Evidence and review controls

Eight controls protect integrity, fairness, and traceability.

01 / AUTHORITY

Defined investigative jurisdiction

Responsible agencies, units, reviewers, prosecutors, clinicians, and technical experts have documented roles.

02 / PRESERVATION

Immediate evidence hold

Relevant records, media, devices, scenes, logs, communications, and physical evidence are secured.

03 / CUSTODY

Traceable evidence handling

Collection, transfer, access, examination, storage, disclosure, and disposition remain documented.

04 / INDEPENDENCE

Conflict and bias controls

Material conflicts are disclosed, reviewers are separated where practical, and outside review is available.

05 / INTERVIEWS

Documented witness process

Interviews are authorized, recorded or documented, protected, and conducted with appropriate rights.

06 / PRIVACY

Protected and restricted information

Clinical, personnel, legal, victim, investigative, and security-sensitive information receives controlled access.

07 / DISCLOSURE

Lawful sharing and transparency

Findings are disclosed according to law, due process, privacy, public records, security, and oversight requirements.

08 / CORRECTION

Verified action tracking

Every material finding has an owner, deadline, resource plan, temporary control, and verification method.

Incident review cycle

Eight stages move the agency from preservation to verified improvement.

01 / STABILIZE

Protect life and secure the scene

Complete immediate response, medical care, accountability, containment, and preservation.

02 / PRESERVE

Hold records and evidence

Freeze relevant systems, retain media, secure physical evidence, and prevent loss or alteration.

03 / CLASSIFY

Define review tracks

Determine criminal, administrative, clinical, technical, operational, legal, and oversight needs.

04 / INVESTIGATE

Collect and test evidence

Build timelines, interview witnesses, examine systems, compare policy, and verify facts.

05 / ANALYZE

Establish causes and failures

Identify direct actions, contributing conditions, control breakdowns, recurring patterns, and unresolved uncertainty.

06 / CORRECT

Assign institutional action

Update policy, staffing, facilities, equipment, training, technology, contracts, healthcare, or command.

07 / VERIFY

Confirm that correction worked

Audit completion, test controls, review outcomes, and confirm that risk was reduced.

08 / STANDARDIZE

Update statewide practice

Translate verified lessons into training, standards, procurement, facility design, governance, and future readiness.

STEAD Incident Investigation and After-Action Review

Every serious incident should leave the institution with a stronger record, clearer accountability, and safer operations.

STEAD combines evidence preservation, chain of custody, criminal and administrative review, clinical and technical analysis, root-cause identification, corrective ownership, independent verification, and statewide standardization.