Managing risks and strengthening controls associated with operations have become increasingly more complex for all organisations. Firms are expending significant time, money, and resources to implement required changes and prioritise operational risk management efforts. As costs continue to increase, it is clear that the overly manual, reactive, and siloed status quo is unsustainable.
In this episode of Protiviti’s Powerful Insight’s “Future of Risk and Compliance” podcast series, Protiviti Risk and Compliance Director Bygie Dixon interviews Patrick Dillon, Executive Vice President and Head of Independent Testing and Validation at Wells Fargo. Bygie and Patrick share insights on successfully applying emerging technologies and leveraging an innovative mindset to reduce risks and strengthen controls.
To learn more about Protiviti’s Risk Transformation services, visit us at our website.
Kevin Donahue: Hello, this is Kevin Donahue, Senior Director with Protiviti, welcoming you to another edition of Powerful Insights and the latest episode in our transformation series, focused on the Future of Risk & Compliance. This series highlights how organisations can embrace change, harness technology, and bring innovation to the fields of governance, risk, and compliance.
In this episode, Bygie Dixon, a Director with Protiviti’s Risk & Compliance practice, interviews her long-time friend and colleague, Patrick Dillon, Executive Vice President and Head of Independent Testing and Validation at Wells Fargo. Patrick shares his success in applying emerging technologies, and how he is leveraging an innovative mindset to reduce risk and strengthen controls.
In their discussion, Bygie and Patrick drill down into the processes related to managing risks and strengthening controls associated with operations, which have become increasingly more complex for all organisations. Firms are expending significant time, money, and resources to implement required changes and prioritise operational risk management efforts. As costs continue to increase, it is clear that the overly manual, reactive and siloed status quo is unsustainable and cannot continue.
And now, let’s go to their conversation.
Sure. Thanks, Bygie. As you mentioned, I currently lead the independent testing and validation function at Wells Fargo. I’ve been a longtime risk and compliance professional. I got into risk and compliance first about 10 years ago, working with Bank of America, coming out of the financial crisis, focusing on a lot of the mortgage-remediation activities that were going on across the industry. I spent some time with Bank of America working in consumer risk and compliance regulatory relations. I spent a little bit of time in consulting, went back to Bank of America and worked in the payments industry, focusing on merchant acquiring.
Where I really got my start, I was an attorney for five and a half years and focused on corporate transactional defaults, workouts, bankruptcy and a lot of the real estate-related default transactions that arose during the financial crisis. Definitely, I’ve had a diverse career that’s really led me to where I am, and I’ve enjoyed every step of it. It’s been a really great experience, and I’ve gotten to see a lot of different things and worked for a lot of different banks. But I really enjoy my job today at Wells Fargo as well. Prior to leading testing within IRM, I actually led consumer compliance for Wells Fargo and moved over there in 2018.
One of the biggest risks that I’ve seen in common themes over the years has really been just the pace of change. When you look at the last 10 years within the financial services industry, we’ve really seen the digital channels becoming front and center. Realistically, technology enablement and tech change management have introduced new risks that previously, financial services firms didn’t have to manage with nearly as much rigor because they weren’t nearly as reliant on these technologies in the digital channels for their success, for their exemplary customer experiences.
So, I really think that one of the biggest risks we’ve seen, and that I’ve seen, in the industry is the pace of change, and needing to digitise how we deliver our products and services to our customers, and then, having to be agile in how we address those risks while still serving the needs of the customer.
Well, I think there are always going to opportunities to look at your risk management programmes, and finding ways to balance appropriate risk oversight and control with the need to align with the pace of change within a business. And that pace of change right now is light speed. When you think about the changes that firms have had to make in the past year just to respond to the COVID-19 pandemic, the long, very antiquated risk management practices were really the ones that probably were the least effective in addressing risk management during the pandemic.
So, I know, among industry colleagues and for myself, we’ve seen a lot of agile risk management programmes that have balanced appropriate oversight governance with the need to, in many times, react quickly to make sure that the customer is protected. That’s really been where my team, I think, has excelled and where the industry has seen an introduction of another opportunity: to have agile testing, and being able to use data as a tool for us to be able to hone in on areas where we may need to dig deeper and where we need to perform additional transactional deep testing. A lot of that work can be leveraged by aggregating various data points across an organisation, and that’s one of the areas where I think we still have a lot of opportunity.
As organisations build higher-quality risk data sets and risk data processes that allow us to ingest and use that data to make decisions, we’re going to obviously see more effectiveness coming out of our risk management programmes. And where we’ve had some pilots in this space and where, in the past few years and even across other organisations, we’ve seen successes, is when that becomes part of the DNA of an organisation.
One of the biggest building blocks is having a very robust data government structure that allows you to rely on the underlying existing data that you have. You have to have confidence that it’s going to be able to tell you what you need to know and that you can rely on the accuracy.
That’s one. Two, you have to have really smart people who know how to interpret that data and use it to be able to identify indicators that might be indicative of something going wrong within a process – KRIs, KPIs. Those need to be quality indicators that help to identify areas where we need to deploy resources to go and dig and look at something more deeply to see if there’s a problem in achieving the outcomes that we want for a given process, a given product or even an experience with a customer.
I guess one of the areas I’m most curious about and one of the areas I’ve been focusing on over the last few years is figuring out how to use RPA – robotic process automation – artificial intelligence and some of the other emerging technologies to increase the effectiveness of a risk management programme. It’s something that’s core to the industry right now. It’s something that offers a huge opportunity for risk managers to be able to transform sample-based programmes into continuous 100% monitoring coverage.
It’s a lot more effective to be able to have a script running in the background continuously that tells us if we have a problem versus a couple of times a year deploying testing teams to go pull files and see if they can detect errors or potential issues with a given process. So, for me, finding ways and opportunities to implement automated testing, continuous monitoring, and generate intelligence that we didn’t have before, is where I’m spending a lot of my time.
It’s an interesting question, Bygie, because in theory, it’s easier to oversee a digital process than it is one that’s manually executed by a person. But what it requires to really effectively oversee digital processes is a new skill set for risk managers. Strengthening the UAT testing and engaging in our compliance teams upfront in system design, those are different skill sets than what we saw traditionally in second-line compliance and operational risk functions. You might have a few technology risk specialists in a given organisation, but it’s starting to become a discipline that most risk managers need to have in their tool kit regardless of what space you cover.
Becoming a digital champion, especially when we’re talking about the ability to automate a process that’s manual, risk managers should view that as a huge opportunity, because when I think about it, an ideal controlled environment is one that is well-documented and automated. So, being able to have automated process and controls, that’s a utopia for a risk manager. It’s understanding the unique risks that come with digital processes and automated processes. Those are sometimes a little bit harder to uncover and understand until something goes wrong.
I think there are two big opportunities: Frontline businesses can use technologies to automate their processes, to get to monitor their processes, to automate controls. We’ve seen many firms have RPA and AI centers of excellence stood up that are solely dedicated to helping the businesses automate manual activities, and I think that’s great. In addition, though, there are also opportunities for your risk oversight partners to use automation to oversee the business, using RPA and AI in testing activities; it’s extremely efficient. But it’s also much more effective than manually looking through files and performing manual testing procedures and things of that nature. So, over time, it allows us to get broader coverage and it goes deeper.
The other area is, both from an AI perspective and from using other technologies like natural language processing, it allows us to analyse data sets faster, to be able to identify where something is going wrong. It allows us to, hopefully, in more real time, address those issues so that we don’t have long-term, long-tailed issues that impact our customers that have negative customer experiences and that we find out about those in a much more real-time way. That way, we can course-correct and take action to make sure that a process is working the way that we want it to.
Yes, so, in my career, I’ve led multiple risk and control self-assessment design and implementations across a number of organisations, and it’s an area that I am pretty passionate about because I do think that they help businesses to manage risk. They’re definitely a tool that frontline businesses should be using to effectively manage risk. But in order to do that, there are a lot of things that they’ve got to get right. Having quality underlying risk data, having good taxonomies that allow you to see similar risks across different areas of your company, having good documentation around your controls – those are all just the basics.
When you want to start talking about enhancing RCSAs, where I think most organisations see opportunities is getting to real-time risk management – the historical RCSAs, many of which were legacy tools that were used coming out of SOX implementation to manage their financial reporting risks and controls. They’ve morphed into these very long, detailed operational risk assessments that are done annually, or a few times a year. Most organisations, at best, will have refreshes based on triggering events.
Where I think most people want to get it to is having a set of metrics and indicators that would tell us that we either need to go and update our RCSAs, or the RCSA itself would tell us that something is not working as intended and that we need to go and take a deeper look at that process. In order to do that, I think we have to remove some of the assumptions around how an RCSA is even built and make it much more streamlined and focused on core risks, controls, appropriate metrics, and use it as an agile tool to allow firms to have a dashboard view, to be able to open it up and look and see, “What are my core risks?” and not just a bucket that we throw out everything into, which is historically how our RCSAs have been built.
But I go back to what I said in the beginning: You have to have good risk data. In order to manage risks in real time, you have to understand your risks. Generally, that means you had to have documented them and identified them and put them somewhere. So, I would expect to have a very robust and mature risk identification process. You have to have information on when something is going wrong, whether it’s control failure, a negative process outcome, a breach of a metric.
So, that means that you’ve got to have robust frontline and second-line and third-line oversight processes for those risks and the controls, so you have to know early on when something is not working in order to make this a real-time view. You have to link all of your risk data together too – issues, metrics, KRIs, monitoring, testing results. All of that needs to come together to inform an RCSA to make sure that it is. The more real-time each one of those processes and the results are, the more real-time your RCSA is going to be and the more of a dashboard view you’re going to get.
In terms of other keys to success, you can’t try to boil the ocean. You really going to need to be very targeted. You need to have good definitions of what key controls are. You need to understand that not every single activity in your firm needs to be appropriately documented in an RCSA. Getting the leveling right at which you perform an RCSA is really crucial to being able to consistently execute those and to be able to update them in more real time.
Mine your data. That’s probably the best advice I can give. When we have, we find most of our opportunities for deploying automation and new technology, whether it’s when we have an issue or a project, we’re looking at our risk and control data. We’re looking at controls that are manual, we’re looking at high-risk processes that are manual, and continuously talking about opportunities to automate.
Build connections, if you’re in risk, with the automation and AI teams that are within the organisation. Even if they’re not directly aligned to your risk function, go build a relationship with those folks. I talk to our head of AI on a regular basis, and we sit down and have conversations about risk, about what he’s seeing, opportunities and things of that nature. At my old shop, I did the same with our automation COE leader, and figured out a framework for innovation of risk and how we could employ some of the same things that the COE was using to help the business and to help us make our risk management process more effective and automated.
Other than that, there’s a lot of great material that Protiviti puts out in thought leadership about automation. I read a lot. I spend quite a bit of time reading about industry trends, and when I attend conferences and meet with some of my peers at other organisations, automation and innovation always ends up being one of the topics that we cover because we really do want to figure out the best way for us to deploy risk management programmes and make sure that our processes are sound. In my opinion, the best way to do that is to continue to use new and emerging technologies that help us to get better at managing risk.
Kevin Donahue: Our thanks for Patrick Dillon and our own Bygie Dixon for this informative conversation, and thank you for listening today. Watch for the release of our April edition in our risk transformation series, in which Protiviti Managing Director Vicki Alexander will speak with Nishant Desai, CCO of TIAA Bank and Gary Stein, Chief Product and Compliance Officer of OpenPay about their vision of and the future of compliance.
To learn more about Protiviti’s perspectives on risk transformation, visit our Risk Transformation page under Risk & Compliance section at Protiviti.com. And finally, I invite you to subscribe to our Powerful Insights podcast series, and to review us, wherever you find your podcast content.