Issues management is becoming an increasingly important and visible component of enterprise risk management for financial institutions.
While risk management deals with the degree of uncertainty and/or potential economic loss, issue management helps the organization identify and remediate realized risks. Large institutions deal with significant breaches (control, process, policy, regulatory, etc.) on a regular basis, and given the size and complexity of such institutions today, issues often require a coordinated effort to resolve.
In the absence of a strong, centrally defined issue management program, issues are not properly assessed for root cause, the right personnel are not involved, and at times remedial actions can lead to insufficient or even conflicting resolutions. These challenges can lead to cost overruns caused by issue extensions and serve to increase regulatory scrutiny. Additionally, in our experience, up to 15-25% of low severity events may be false positives. Misidentifying these events as issues can lead to unnecessary effort to resolve and divert resources from more critical projects.
Because issues management is broad in scope, its challenges typically arise from a lack of clear standards and inconsistent application across businesses. A siloed approach can lead to varying taxonomies, reduced transparency across programs and businesses, and limited management awareness of issues. Additionally, legacy technology systems may inhibit process improvement initiatives and create a user-unfriendly environment that contributes to poor data quality.
We have identified six key design considerations when building a best-in-class issues management framework:
- Issue Definition: Clearly define what an issue is, along with related standards that can be consistently executed across all lines of business. A common standard facilitates more comprehensive and detailed capture of issues. For example, issue definitions typically involve non-compliance with a regulation or policy, as well as a process or control deficiency.
- Roles and Responsibilities: Reinforce clearly defined roles and responsibilities across the lifecycle within policies or procedures to promote accountability. Develop a communication strategy and role-based training modules to keep users informed.
- Integration Across Risk Programs: Develop a sustainable policy and procedure framework with a streamlined end-to-end lifecycle, built with input from impacted groups. Connect issues to processes and controls to improve predictive analytics and early prevention. For example, the issue management program would need to have buy-in across all three lines of defense as well as specific risk programs (e.g., Testing and Validation teams).
- Standard Risk Rating: Define standard criteria to use when determining issue risk (e.g., financial loss, customer impact, reputation impact). Incorporate risk rating into the policy framework and training to support consistent application.
- Escalations: Define the escalation path as part of policy and procedures; develop measurable criteria to assess materiality. Support with technology to route issues to the appropriate senior leaders or governing bodies with standard reporting. For example, new low-rated issues may not warrant escalation to senior management, but extensions of the same issue might.
- Simplified Technology and Data: The solution should facilitate workflow with automated controls to verify data quality and notifications to drive action. Limit the amount of core data managed within the solution to only issue-relevant attributes and establish links to other data sources. For example, if the tool requires linking an issue to a control or process, the issue management system should link to a process repository. The link should not be a free-form entry, and the repository is likely to be owned by a risk group outside of the issue management program.
A best-in-class issues management program can do more than just mitigate regulatory scrutiny. It can be a net benefit for firm performance. An effective issues management program can produce operational cost savings by removing events that were misclassified as issues and resolving them through business-as-usual activities, as well as by reducing mitigation timelines and the likelihood of costly extensions. In addition to financial benefits, issues management can also enable a proactive risk management culture by spotting weaknesses early and providing transparency to senior leaders making critical decisions. Analysis of issues can also reveal broader underlying challenges and help managers by providing examples of similar issues that were successfully resolved.
Figure 1: Issue Management Lifecycle
Banks shouldn’t wait for regulator feedback to strengthen their issues management program. By being proactive, they can significantly improve their management of material and realized risks.
Stay tuned for a follow-up post on advanced solutions and building a human-centric experience. To find out more on the topic or how Accenture can help in your issues management journey, please contact the authors.