Getting issues management to function requires firms to have a detailed understanding of many working parts and of emerging industry practice. But there are five critical components:
1. Strong governance
The board and senior management have to insist on routine and insightful reporting and discussion of issues. This can’t be an annual rote presentation. The board – or more likely a combination of the audit and risk committees – should periodically hear from management on the overall picture of issues across the organization. Data should be provided on the number of risks being identified by management, internal audit and the regulator; the average time taken to close issues and the average length of extensions; and emerging themes and how they are being addressed. The dialogue should be substantive and action-oriented. The senior-level management operating committee should be discussing issues much more frequently than the board and should be redirecting resources when delays occur.
2. Strong culture and accountability
Effectively identifying, reporting and remediating issues has to be woven into the fabric of the firm’s culture. This is not a compliance exercise. This is part of day-to-day business as usual. Senior management has to signal this to all employees and hold management to account for not taking issues seriously. First-line accountability for identifying, reporting and remediating issues is paramount. Risk management and internal audit need the stature to really challenge management on how issues are being remediated and feel free to escalate concerns to the board if they feel they are not being addressed, especially over an extended period.
Accountability has to include consequences for lack of action. If the board and senior management have truly signaled that issues management and remediation is a priority, then executives whose divisions do not prioritize these matters should be held accountable and face consequences (e.g., in their performance reviews and decisions on compensation).
3. Effective operating model
Issues management is a team sport. The first line has to own it. They have to drive consistency in approach across lines of business and IT (this role may fall to an across-the-first-line enterprise function, where one exists). The second line has to provide credible challenge to the first line, identify cross-firm issues and make sure residual risks associated with remediation are captured in risk reporting, especially when, in effect, it may mean the board-approved risk appetite is being breached. The third line – internal audit – should play an active role in making sure the issues management framework is working effectively, as well as identifying issues through their ongoing audits. Audit also has to model behaviors it expects of the first and second lines. The assignment of severity ratings needs to be transparent and consistent, and timely management action plans that focus on sustainable remediation must be agreed across the lines of defense.
4. Effective risk assessment and measurement
It is important that everyone understands how risks are to be assessed and rated, and that there is open discussion on inherent risks and the degree to which controls effectively bring down residual risks to acceptable levels. The dialogue on risk ratings across the three lines should be constructive and include effective challenge, but should not be divisive or laced with miscommunications. Assessments on residual risk, from the outset of the action plans to when they are closed, have to be woven into the overall risk profile and linked to the board-approved risk appetite.
5. Exemplar execution
In the end, it comes down to how issues are managed day-to-day. Robust standards and protocols need to be in place articulating how issues are to be identified and reported; how action plans are to be developed, documented, quality-checked and approved; how inherent and residual risk and root-cause analyses are to be conducted and challenged; and how issues are to be resolved and closed. Those standards have to be rigorously and consistently enforced firmwide, and monitoring progress on action plans has to be well ingrained, with transparency on progress reaching senior management and the board.
Part of execution includes the board and senior management dedicating the right resources and attention to aged issues that have accrued in recent years. These shouldn’t be allowed to fester because they undermine efforts to signal the importance of issues management to the rest of the organization.
In some ways, there is a sixth key component: an effective ERM and internal controls framework. Issues management depends heavily on having certain foundational elements, or enablers, in place: for example, a strong first-line risk and control self-assessment, coherent and well-understood risk-rating and root-cause methodologies, and effective risk data capture and reporting. To the extent any of these enablers is insufficiently mature, it will inhibit effective issues management, as will the existence of different and hard-to-aggregate risk ratings and methodologies across the firm.