Many organizations struggle with siloed issue management practices that require significant time and effort from resources across all lines of defense. A siloed approach leads to duplication of activities, issues handled using inconsistent methods and a lack of prioritization, with efforts focused on the largest and most pressing issues. The siloed approach is driven by regulatory commitments, a high number of issues that need to be closed and weak governance across issue management. Also prevalent is a cultural preference for closing issues with a quick fix rather than with sustainable solutions that may require increasing the past-due or days-to-close figures in issue reporting. These organizations often lack a strong, overarching issue management framework supported by tools to identify, track and report on issues uniformly across business units. Agile issue management is centered on a fully integrated issue management framework and taxonomy for all risk domains and issue types, a single uniform technology platform to organize issues across the company, processes and incentives that lead to faster and more complete remediation of issues, and data-driven impact analysis. By focusing on these agile concepts, issue management ties into the firm’s risk appetite and risk tolerance and ultimately improves business processes.
Current State Challenges
- Inconsistent issue management taxonomy
- Lack of clear accountability
- Failure to identify and address root cause
- Incomplete organizational impact analysis
- Disparate issue-tracking mechanisms
- Undefined closure processes
Laying the Foundation
Applying agile concepts to the issue management process may seem elusive, but there are foundational activities that allow an organization to begin transforming previously siloed processes into a holistic function. Take, for example, any recent regulatory action at a financial institution: there are routinely signs of the issue arising months, even years, before the enforcement action is issued. Enabling firms to identify and act upon these signs earlier is key to reducing further incidents. So how can agile issue management work in practice?
Aligning first line performance feedback and compensation to issue management metrics promotes self-identification of issues and ingrains issue management principles into risk culture. By incentivizing the early identification of issues and applying strong root cause analysis, upstream and downstream customer, reputational, and regulatory impacts of the issue are identified sooner. Similarly, linking the execution and successful implementation of corrective actions to compensation will help ensure that accountable parties seek to close out all issues and remain engaged throughout the issue lifecycle to validate that the root cause is addressed and repeat issues will not occur. By rewarding proactive identification rather than automatically penalizing issue owners, stakeholders are encouraged to do the right thing.
Over the past several years, firms have invested a lot of time and resources in risk appetite, risk tolerance and threshold setting activities. However, many organizations still struggle with those activities being overly academic in nature and existing only to serve regulators rather than adding tangible value to risk management practices. Issue management is an area where risk appetite and risk tolerance concepts can play an effective and tangible role in overall risk management. If a firm has a low risk tolerance for compliance issues resulting in consumer harm, that translates into fewer days being allowed to remediate issues in that area. Conversely, the risk tolerance for issues that are more operational in nature may be higher, allowing for longer remediation periods. The organization’s risk appetite will dictate the urgency with which action must be taken to reach full issue remediation.
Another critical foundational element for enabling effective issue management is the tools made available to employees. All issues identified should be inventoried, categorized and assessed in a shared platform using the same taxonomies regarding issue type, identification source, risk type, process association, control failure and impact, among other elements. Using the shared platform, additional data on issue causes and impacts can help identify other areas in the organization that are susceptible to a similar issue. For example, looking across issues identified through customer call centers and business-unit sales data could identify vulnerability in different business units across the organization before a new issue arises. By looking broadly at root causes of issues, the firm can prevent issues impacting limited areas from becoming larger, systematic issues or from reoccurring in other areas of the organization.
Once a process is established and the proper tools are in place, additional automation and analytics can be continuously added until the organization achieves an agile issue management framework.
Given a standardized set of data, for instance, as issues are identified, models can be developed to predict root causes and potential impacts and even design remediation plans based on historical actions. Oversight of issue management can be streamlined through advanced analytics that challenge inappropriate severity and impact ratings and identify repeat issues. Reporting across all issue types can be generated for various levels of management in real time to enable appropriate allocation of resources, alignment to risk appetite and risk tolerance, and overall achievement of strategic objectives. With this level of data capability, issue management becomes a tool to help an organization design better business processes from the beginning. With an effective issue management process, firms can look back at previous product launches to evaluate what issues were encountered, how long remediation took, the number of resources needed and the ultimate cost of remediation. This data provides a realistic projection of risks and costs associated with a similar product launch and helps ensure that the organization avoids making similar mistakes again.
Progressing to Agile Issue Management – A Case Study
In a recent client engagement, Protiviti was asked to evaluate and begin to rebuild the compliance issue management process for a large financial institution following regulatory action. The steps we took to enhance the organization’s issue management process were foundational in nature, but set the firm up well for future automation and advancements.
One of the main challenges initially encountered was the sheer volume of issues, which were tracked in separate spreadsheets for each issue type (e.g., third party, model risk, compliance issues). This limited the organization’s ability to produce a holistic view of issues, regardless of risk type or intake channel. Although the institution had a governance, risk and compliance (GRC) system for compliance issue management in place, not all issues were captured. The firm could derive metrics from this dataset; however, the poor quality of the data prevented any meaningful insight into where issues were arising or possible root causes.
Protiviti’s first step was categorizing the disparate compliance issues into a uniform taxonomy with requisite detail. The firm’s GRC system was enhanced to provide a cleaner user experience and improved functionality. The foundational implementation of a uniform issue taxonomy and centralized GRC system to house the issues allowed for the development of more meaningful issue reporting. Issue trending, automated extracts and exports were implemented to provide key updates and performance indicators to senior management. These issues were also mapped to processes and controls, enhancing the data model and allowing for deeper insights in reporting.
Future phases of advancement will include expansion of issue categorization beyond compliance issues to a single platform and taxonomy for all identified issues, ingraining issue management into risk culture, and building data analytics and modeling into the GRC system for deeper analysis and emerging risk identification.
At the beginning of the engagement, the compliance department and all lines of defense were forced to contribute to issue management processes. Today, the effective full-time equivalent supporting issue management processes has dropped. There is a dedicated team focused directly on executing the issue management program, ensuring consistency and adequate attention to issues. This dedicated team allows first line employees to focus on their customer-facing roles rather than expending energy on managing issues. These efficiencies will continue to be realized as the institution progresses on the agile issue management maturity scale, ultimately reaching a fully automated, data-driven, forward-looking methodology for issue management.
Adopting an Agile Risk Management approach to issue management allows for time to focus on activities that can make a difference to the organization, remediating issues with sustainable solutions. Increased data capabilities enable early issue identification and ultimately prevent future issues through emerging operational and regulatory risk identification. Efficiencies are gained at each phase of agile issue management maturity, from eliminating the need for staff to create manual reports to implementing a fully automated platform that identifies potential issues at the earliest stages. This has the benefit of reducing costs for the business by decreasing the overall volume of issues, both simple and complex, that require dedicated organizational efforts to remediate. A second benefit is realized by aligning the organization to utilize resources efficiently and successfully remediate issues the first time. Ultimately, a firm’s approach toward issue management and becoming more agile drives positive customer perception and experiences.
How Protiviti Can Help
Protiviti has a record of success helping clients to develop Agile Risk Management practices with the responsiveness required for an ever-changing business environment. We work with more than 75 percent of the world’s largest financial institutions, which benefit from our collaborative team approach to resolving today’s risk management challenges. Our professional consultants have varied industry and regulatory backgrounds that enable our unified financial services practice, with the seamless integration of risk and compliance, technology, data, and analytics solutions, to develop customized Agile Risk Management approaches to meet tomorrow’s challenges today.
Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities that will lead to an aligned organization for making sound decisions. We address risk and operational excellence as two sides of the same coin, leading to agility and optimal performance. We understand how customer satisfaction and, in turn, growth have become elusive. While effective risk management is intended to facilitate growth, it too often becomes an inhibitor. Our expertise positions our clients at the forefront of effective risk management with a unique approach to reap both immediate and long-term benefits.