12 Key Components of an Effective Issues Management Framework

?

In today’s heightened regulatory environment, it is critical to develop and maintain a robust issues management framework. No matter the size of the bank, effective risk management requires a consistent and sustainable approach to issues management. And this applies to issues raised not just by Regulators, but also by internal assurance providers such as Audit and second line risk partners such as Compliance, Operational Risk, Credit Risk Review, Legal and others. Some banks make the mistake of viewing issues management as episodic. A fire is detected, a program is put in place to put out that particular fire and the program is discontinued once the fire is extinguished. But your issues management framework must be ongoing and include an adequate governance structure to address all issues as they arise.

?

The good news is that with proper planning and coordination, you can establish a robust issues management framework that will withstand the test of time no matter what issues are identified. During my 41 years in banking, I led issues management programs for commercial lending line of business and adjudication (separate programs), mortgage lending and as the department manager for a major merger. In my experience, I found the following to be key components for effective issues management:

?

1.???? It must be intentional: As noted above, your issues management program should not be reactive. Proper attention should be placed on setting up a well thought out framework with the commitment to maintain and execute the program in perpetuity. Don’t make the mistake of thinking you have “finished” issues management just because a major series of findings (e.g. regulator Matters Requiring Immediate Attention, Severity Level 1 Compliance or Audit issues) is cleared. Likewise, it is important to continuously evaluate and the tweak your program as necessary to ensure its relevance.

2.???? It requires strong support from executive management: Effective issues management starts with the CEO and others on the executive team. The key leaders in the bank must make it clear that a robust issues management infrastructure is a vital part of the overall risk management framework and, therefore, non-negotiable. And this messaging from the top must be repeated on a regular basis. Banks are faced with a myriad of competing priorities (e.g. growing revenue, achieving high client service scores, managing expenses, minimizing credit/operational losses, etc.) and issues management will get lost in the shuffle if executive leadership does not insist on a strong program.

3.???? The program must have a leader: Issues management cannot be implemented effectively by committee. There must be a leader of the program. In larger banks, this typically includes someone at the top of the house that owns the overall governance with departmental leaders throughout the bank who own the set of issues for their respective area. In a community bank, the overall program might be owned by one leader who works with each department to identify and clear issues. The key is to have a leader(s) who feels both responsible and accountable for the governance of the program.

4.???? Each issues must have an owner: This is often harder than it sounds given that many issues arise from cross-functional processes. For instance, a weakness may be detected in a particular loan underwriting practice that has a relationship manager, analyst, underwriter and adjudicator involved. And these individuals likely will report through different channels in the bank. So, not only is it critical to assign an owner for each issue, it is also important to ensure effective cooperation and coordination when an issue is cross-functional. But even with monoline issues, make sure ownership is clear to all involved in clearing the issue.

5.???? Each issue needs a written plan: In my experience, I have found the Four-Blocker to be the most efficient and effective method to track and clear issues. In case you are not familiar with the Four-Blocker (also known as a Quad Chart), it is a concise way to track, manage and resolve issues (and projects). The four sections of the document are: Summary of Scope and Stakeholders; Key Milestones and Achievements; Risks/Dependencies/Opportunities; and Action Steps/Upcoming Deadlines. The Four-Blocker allows you to take a big issue and boil it down to individual tasks that cumulatively will add up to successful remediation of the issue. Of course, there are other methods to track the successful remediation of an issue, but make sure there is a written plan for accountability purposes.

6.???? Each issues should include a status update: This is typically as simple as having Red/Yellow/Green color coding at the top of the document. However, a common mistake is reluctance to declare an issue to be “yellow,” let alone “red.” But things could end badly on an issue if the ongoing assessment is not objective. The taxonomy followed should be: Green = On Schedule for Remediation; Yellow = Issue is at Risk of Missing the Deadline for Remediation Based on One or More Challenge; Red = Issue is Likely Not to be Remediated by the Deadline without Major Changes. I know this sounds obvious, but I have been surprised over the years by how many smart people did not understand this taxonomy. While on the status topic, make sure you don’t have an environment that fosters punishment for being in Yellow or Red status. This starts at the executive level and will ensure objective status reports and proper resourcing when an issue becomes Yellow or Red.

7.???? ?Set Reasonable Remediation Dates and Don’t Go Past Due: For most issues, the remediation date should be no longer than a year from the point of identification. The exception to this rule is if the remediation is entirely dependent on technology change or installation that is more than a year out. Even in these cases, your assurance provider may expect a temporary manual fix be put in place if the technology solution is in the distant future. The best way to determine a “reasonable date” is to back engineer the steps that will be required to implement a particular task, perform your own testing to make sure it is working and then allow the assurance provider time to validate the result. So, don’t be too aggressive with remediation dates either. And most banks set a tolerance level for past due issues (typically 5-10%). No matter how strong your framework, unexpected occurrences will lead to unavoidable delays in remediation of some issues. Setting a reasonable tolerance level also will lead to more objective status reporting. But a word of caution here: If you are constantly running at a high level for past due issues, your program is flawed, and you will receive strong criticism from your assurance providers.

8.???? Set Severity Levels for Each Issue: Of course, the regulators will provide severity levels when they site an issues, ranging from Observation to Supervisory Recommendation to Matters Requiring Immediate Attention to Matters Requiring Board Attention. You will be required to develop a remediation plan for the last three, but it is advisable to consider setting up an issue remediation plan even for an Observation to avoid having it elevated to a formal finding during the next exam. Likewise, it is a recommended practice to set severity levels for internal issues with three levels. For instance, an outdated risk grading model that is not accurately assessing credit risk is more serious than users including wrong inputs into the model. The outdated model should be rated severity level one and will likely require a major update (or even a model replacement); whereas, the input errors should be rated severity level 3 and can be successfully remediated with training and/or updating the user guide.

9.???? Strongly Encourage Matters-Self-Identified (MSI’s): A robust issues management framework encourages teams to identify their own issues. If you are routinely finding defects on a process or system, it is certainly better for you to call it out and set up a plan to fix it than to wait for an assurance provider to detect it. In fact, it is a recommended practice to set expectations for a certain percentage of issues to be MSI’s (could be as high as 50%). As with Red/Yellow/Green status reports, it is important to cultivate an environment that encourages objective self-identification of issues. Teams should be applauded (not punished) for finding and fixing MSI’s.

10.? Hold Regular Progress Meetings: While meetings are often over-used in banking, it is important to find the right cadence. I developed a meeting regimen over the years that included bi-weekly meetings with the issue owners to monitor progress, provide effective challenge, discuss new issues and assess status. We would then meet monthly with my manager to do the same and to ensure they were up to date when asked about issues progress from the CEO or CRO. And we also held monthly or quarterly meetings with the internal assurance providers and regulators to provide status updates. This meeting cadence accomplished two key objectives. First, everyone was kept apprised of remediation progress on a timely basis, which helped us avoid surprises. And second, the issues owners had to keep the Four-Blockers up to date in order to provide regular reports. The last point regarding meetings is to make sure they are not just perfunctory. Encourage the participants to ask each other questions and establish an environment that fosters adequate effective challenge to make sure remediation remains on track.

11.? Celebrate Success: Issues management can be perceived as drudgery, so it is important to celebrate success. Emphasize the importance of having a robust issues management program as essential to effective overall risk management, and then make a big deal out of accomplishments along the way. This can be done in the regular meetings as milestones are met and as entire issues are remediated. For more impactful accomplishments, I would sometimes ask our CEO or CRO to make a congratulatory call, or I might pen a handwritten note to the issues owner. These small gestures will go a long way in reinforcing the criticality of a successful issues management framework.

12.? Make Sure Accountability Matches Responsibility: Because many bank processes involve cross-functional cooperation, it is vital to match accountability to responsibility when process weakness is detected and issues are created. For instance, if your relationship managers and client service teammates are involved in proper execution and collection of loan closing documents, they need accountability measures to ensure they take responsibility for sound loan documentation, just as you should include similar objectives for the closing and servicing teammates. This can include positive and negative reinforcement. One method to ensure proper attention is to include risk modifiers in an incentive plan. Another effective approach is to include goals related to issues management in the annual review objectives. I have found that most people will focus more on what is inspected rather than just what is expected, so measures are needed to add rewards and consequences to ensure accountability and responsibility are aligned.?

?

During my banking career, I witnessed both ineffective and robust issues management frameworks. If you include these 12 components in your issues management framework, you will experience a high level of success in implementing and executing the program.