An Agile State of Issue Management: The Building Blocks of Agile Risk Management



Protiviti has introduced an Agile Risk Management philosophy to enable organisations to focus on growth, improve efficiency and become equally or more effective in managing risk while providing greater value to business partners.
A critical measure of the effectiveness of any organisation’s risk management programme is how quickly and completely it identifies and takes action to address the lessons learned from risk and compliance issues. Issues can include operational risk events, regulatory compliance violations, security breaches or other negative results. Issues can be identified by any of the three lines of defence, as well as by external sources such as consumer complaints or regulatory examinations. In this paper, the first of a series based on the agile risk philosophy components, we share Protiviti’s perspective on establishing and maintaining a leading practice issue management programme.
Protiviti Agile Risk Management Philosophy


Many organisations struggle with siloed issue management practices that require significant time and effort from resources across all lines of defence. A siloed approach leads to duplication of activities, issues handled using inconsistent methods and a lack of prioritisation, with efforts focused on the largest and most pressing issues. The siloed approach is driven by regulatory commitments, a high number of issues that need to be closed and weak governance across issue management. Also prevalent is a cultural desire to close issues with a quick fix rather than with sustainable solutions that may increase the past-due or days-to-close figures in issue reporting. These organisations often lack a strong, overarching issue management framework supported by tools to identify, track and report on issues uniformly across business units.

Agile issue management is centred on a fully integrated issue management framework and taxonomy for all risk domains and issue types, a single uniform technology platform to organise issues across the company, processes and incentives that lead to faster and more complete remediation of issues, and data-driven impact analysis. By focusing on these agile concepts, issue management ties into the firm’s risk appetite and risk tolerance and ultimately improves business processes.

Current State Challenges

  • Inconsistent issue management taxonomy
  • Lack of clear accountability
  • Failure to identify and address root cause
  • Incomplete organisational impact analysis
  • Disparate issue-tracking mechanisms
  • Undefined closure processes


Laying the Foundation

Applying agile concepts to the issue management process may seem elusive, but there are foundational activities that allow an organisation to begin transforming previously siloed processes into a holistic function. Taking, for example, any recent regulatory action at a financial institution, there routinely are signs of the issue arising months, even years, prior to the issuance of the enforcement action. Firms being able to identify and act upon these signs earlier is key to reducing further incidents, so how can agile issue management work in practice?

Aligning first line performance feedback and compensation to issue management metrics promotes self-identification of issues and ingrains issue management principles into risk culture. By incentivising the early identification of issues and applying strong root cause analysis, upstream and downstream customer, reputational, and regulatory impacts of the issue are identified sooner. Similarly, linking the execution and successful implementation of corrective actions to compensation will help ensure that accountable parties seek to close out all issues and remain engaged throughout the issue lifecycle to validate that the root cause is addressed and repeat issues will not occur. By rewarding proactive identification rather than automatically penalising issue owners, stakeholders are encouraged to do the right thing.

Over the past several years, firms have invested a lot of time and resources in risk appetite, risk tolerance and threshold setting activities. However, many organisations still struggle with those activities being overly academic in nature and existing only to serve regulators rather than adding tangible value to risk management practices. Issue management is an area where risk appetite and risk tolerance concepts can play an effective and tangible role in overall risk management. If a firm has a low risk tolerance for compliance issues resulting in consumer harm, that translates into fewer days being allowed to remediate issues in that area. Conversely, the risk tolerance for issues that are more operational in nature may be higher, allowing for longer remediation periods. The organisation’s risk appetite will dictate the urgency with which action must be taken to reach full issue remediation.

Another critical foundational element for enabling effective issue management is the tools made available to employees. All issues identified should be inventoried, categorised and assessed in a shared platform using the same taxonomies regarding issue type, identification source, risk type, process association, control failure and impact, among other elements. Using the shared platform, additional data on issue causes and impacts can help identify other areas in the organisation that are susceptible to a similar issue. For example, looking across issues identified through customer call centres and business-unit sales data could identify vulnerability in different business units across the organisation before a new issue arises. By looking broadly at root causes of issues, the firm can prevent issues impacting limited areas from becoming larger, systematic issues or from reoccurring in other areas of the organisation.

Once a process is established and the proper tools are in place, additional automation and analytics can be continuously added until the organisation achieves an agile issue management framework.

Given a standardised set of data, for instance, as issues are identified, models can be developed to predict root causes and potential impacts and even design remediation plans based on historical actions. Oversight of issue management can be streamlined through advanced analytics that challenge inappropriate severity and impact ratings and identify repeat issues. Reporting across all issue types can be generated for various levels of management in real time to enable appropriate allocation of resources, alignment to risk appetite and risk tolerance, and overall achievement of strategic objectives. With this level of data capability, issue management becomes a tool to help an organisation design better business processes from the beginning. With an effective issue management process, firms can look back at previous product launches to evaluate what issues were encountered, how long remediation took, the number of resources needed and the ultimate cost of remediation. This data provides a realistic projection of risks and costs associated with a similar product launch and helps ensure that the organisation avoids making similar mistakes again.

Progressing to Agile Issue Management – A Case Study

In a recent client engagement, Protiviti was asked to evaluate and begin to rebuild the compliance issue management process for a large financial institution following regulatory action. The steps we took to enhance the organisation’s issue management process were foundational in nature, but set the firm up well for future automation and advancements.

One of the main challenges initially encountered was the sheer volume of issues, which were tracked in separate spreadsheets for each issue type (e.g., third party, model risk, compliance issues). This limited the organisation’s ability to produce a holistic view of issues, regardless of risk type or intake channel. Although the institution had a governance, risk and compliance (GRC) system for compliance issue management in place, not all issues were captured. The firm could derive metrics from this dataset; however, the poor quality of the data prevented any meaningful insight into where issues were arising or possible root causes.

Protiviti’s first step was categorising the disparate compliance issues into a uniform taxonomy with requisite detail. The firm’s GRC system was enhanced to provide a cleaner user experience and improved functionality. The foundational implementation of a uniform issue taxonomy and centralised GRC system to house the issues allowed for the development of more meaningful issue reporting. Issue trending, automated extracts and exports were implemented to provide key updates and performance indicators to senior management. These issues were also mapped to processes and controls, enhancing the data model and allowing for deeper insights in reporting.

Future phases of advancement will include expansion of issue categorisation beyond compliance issues to a single platform and taxonomy for all identified issues, ingraining issue management into risk culture, and building data analytics and modelling into the GRC system for deeper analysis and emerging risk identification.

At the beginning of the engagement, the compliance department and all lines of defence were forced to contribute to issue management processes. Today, the effective full-time equivalent supporting issue management processes has dropped. There is a dedicated team focused directly on executing the issue management programme, ensuring consistency and adequate attention to issues. This dedicated team allows first line employees to focus on their customer-facing roles rather than expending energy on managing issues. These efficiencies will continue to be realised as the institution progresses on the agile issue management maturity scale, ultimately reaching a fully automated, data-driven, forward-looking methodology to issue management.

In Conclusion

Adopting an Agile Risk Management approach to issue management allows for time to focus on activities that can make a difference to the organisation: remediating issues with sustainable solutions. Increased data capabilities enable early issue identification and ultimately prevent future issues through emerging operational and regulatory risk identification. Efficiencies are gained at each phase of agile issue management maturity, from eliminating the need for staff to create manual reports to implementing a fully automated platform that identifies potential issues at the earliest stages. This has the benefit of reducing costs for the business by decreasing the overall volume of issues, both simple and complex, that require dedicated organisational efforts to remediate. A second benefit is realised by aligning the organisation to utilise resources efficiently and successfully remediate issues the first time. Ultimately, a firm’s approach toward issue management and becoming more agile drives positive customer perception and experiences.

How Protiviti Can Help

Protiviti has a record of success helping clients to develop Agile Risk Management practices with the responsiveness required for an ever-changing business environment. We work with more than 75 percent of the world’s largest financial institutions, which benefit from our collaborative team approach to resolving today’s risk management challenges. Our professional consultants have varied industry and regulatory backgrounds that enable our unified financial services practice, with the seamless integration of risk and compliance, technology, data, and analytics solutions, to develop customised Agile Risk Management approaches to meet tomorrow’s challenges today.

Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities that will lead to an aligned organisation for making sound decisions. We address risk and operational excellence as two sides of the same coin, leading to agility and optimal performance. We understand how customer satisfaction and, in turn, growth have become elusive. While effective risk management is intended to facilitate growth, it too often becomes an inhibitor. Our expertise positions our clients at the forefront of effective risk management with a unique approach to reap both immediate and long-term benefits.