Building a Proactive Remediation Approach: 4 Lessons Learned by a Risk and Compliance Expert
- February 14, 2023
A year ago, organizational leaders crystallized lessons learned and built confidence after navigating unforeseen changes. However, despite their growing confidence, leaders are still cautious about future disruptions. For example, in the United States, the economy shrank in the first six months of 2022 and saw a gradual rebound in the early fall.
Consumers observe everyday prices climbing, and businesses tread carefully with an “expect the unexpected” mentality. Additionally, amid geopolitical unrest, including the war in Ukraine, sanctions, increased cyber-attacks and the pandemic waves, leaders continue to speculate about the future state of the economy. These shaky conditions have primed leaders for the possibility of a looming recession.
In this landscape, leaders must engage in long-term planning, which includes building a resilient organization and a step-by-step recovery plan, before the challenges materialize in real time. Some leaders may consider regulatory remediation a time-consuming and resource-intensive process. However, individuals with an in-depth understanding of business resilience see remediation as an essential program to future-proof their organization. In many ways, remediation can drive speed and efficiency that bolster an organization’s competitive advantage. If an organization is prepared for all scenarios, it is prepared for sustainable growth.
The million-dollar question stands: How can we get ahead of remediation efforts, transform threats into opportunities, optimize processes, and be more proactive in meeting regulatory mandates? Years of successful remedial programs have conferred four critical learnings that I believe will make or break a leader’s remediation plans.
1. A successful remediation program hinges on the early involvement of risk and compliance functions.
When an organization decides to launch a new product or introduce changes to an existing product, leaders discuss the involvement of risk and compliance functions. These conversations are often prompted after the changes have already come into effect. This order of events must change. Ideally, organizations must demonstrate a deep culture of risk awareness across the company that gives Risk and Compliance a seat at the table from the onset of planning through execution.
An essential learning from my experience implementing successful remediation programs is that leaders must create an inclusive risk culture. Mature organizations are improving this practice, but not fast enough. In the current dynamic regulatory and geopolitical environment, organizations must go beyond the annual mandatory “click-and-go” compliance trainings and embed risk awareness into their team’s everyday roles and responsibilities. This way, risk, compliance, and controls become an embedded practice that team members think about continually rather than periodically.
2. Organizations that use a proactive remediation approach build risk management and compliance controls for scale.
Like risk culture, the most effective risk and compliance controls should be built for scale. A common mistake I observe organizations make in their remedial programs is the failure to scale technology controls. Leaders who are laser-focused on business growth can overlook the necessary investment in scaling risk management processes. In one example, an established bank built its risk and compliance process and took this further by developing staff to prepare for increased business volume. However, this bank did not invest enough time and effort into constructing control data sets to enable effective control health reporting.
In this case, the organization would have benefited from a comprehensive risk and control taxonomy that would have aided in control failure detection and allowed them to avoid the consent order. Instead, the organization exerted extensive manual efforts to remediate the issue after the fact. I’ve also worked with clients who initially believed audit trails and segregation of control duties were sufficient processes, only to learn through errors that these practices fall short. As a result, it is important to collect relevant controls data and key risk indicators that significantly aid in effective data aggregation and reporting.
Another best practice to help leaders build controls for scale is learning how to tap into the full potential of GRC systems. GRC systems have been around for decades, and many top GRC systems support APIs that connect directly to business applications. With advances in newer technologies, Key Risk Indicators (KRIs) can and must be linked to these GRC systems and process mining tools. Additionally, leaders must report KRIs to the proper stakeholders to allow adequate decision-making and course correction. Gone are the days when business lines were reluctant to share upfront information with the control functions. Control lapses should not be left for the control functions to discover but must be communicated as they occur, preferably automatically.
3. Leaders can choose a reactive ‘stop the bleeding’ approach or a proactive ‘process and controls transformation’ approach to remediation.
Leaders have access to budgetary resources, and how they choose to use them often divides their approach into two categories: the “stop the bleeding” approach or the “process and controls transformation” approach. With most organizations we have worked with, we notice that budgets are only unlocked when faced with a pressing regulatory issue. Ideally, organizations confronting a regulatory issue use the early challenges to build a robust control ecosystem for the future. They should move away from the “stop the bleeding” approach and adopt a mature “process and controls transformation” approach.
Organizations unable to strengthen technologies upfront should focus on the best service delivery model to address remediation efforts. This activity may involve self-solving the issue, enlisting the help of third parties, using a low-cost location, creating a Center of Excellence (COE), or engaging in all of the above.
4. Teams facing regulatory issues must demonstrate clear communication and defined roles and responsibilities.
Remediation is a collaborative process that involves efforts across teams, including business leaders, process owners, technology, risk, compliance, audit, and remediation delivery teams. An organization and its leaders must define roles and responsibilities from the outset. For example, who will draft the regulatory response and the actions needed throughout the process? In projects we have run, we create hundreds (sometimes thousands) of line items in our project plan that need to be systematically executed. Missing critical line items proves costly for businesses. As a result, collaboration and cohesion across teams are the secret sauce for a successful remediation program.
Reinforcing business resilience with a proactive remediation plan
In the wake of increasing regulatory compliance liability, leaders must safeguard their personnel and corporate interest by demonstrating an assertive and proactive involvement in business matters. Risk and compliance leaders need to be effective partners for sound business growth. And for businesses, it’s time to ask themselves a defining question that will make or break the success of their remediation program: Who would they rather answer to – the regulators and the journalists or the Chief Compliance Officers and Chief Risk Officers?