Governing issues management - a guide for directors

As organizations navigate the complex landscape of today's business environment, the timely identification and efficient resolution of challenges, referred to as "issues," become paramount. This report outlines signs that suggest issues management might be faltering and provides a checklist to help assess the current program. By examining these aspects, organizations can become more adept at addressing challenges head-on and able to consistently refine their approach based on past experiences and robust oversight.

Quick take:

• An effective issues management program is integral to navigating business challenges successfully
• Recognizing flags indicating potential deficiencies in the program is the first step towards strengthening it
• Enhancing issues management requires scrutiny of governance and how issues are managed from identification to closure
• Continuous learning, adaptation and proactive measures are the cornerstones of a robust issues management program

Know when issues management isn’t working

Any business inevitably encounters challenges or setbacks, which are termed "issues." These can range from operational hiccups to more significant concerns affecting company performance. "Issues management" is precisely that approach. It involves identifying challenges early, assessing their potential impact, finding the most suitable solutions and addressing them effectively. By understanding and learning from these issues, a business can better prepare and prevent similar challenges in the future.

However, many companies struggle with their approach to governing, remediating and learning from past issues. Signs issues management isn’t working include:

• Decision-making bodies seem ill-equipped. Issues reports are infrequent or so dense they bury vital insights. There is a discernible absence or inconsistency in guiding policies
• Roles within and between teams are muddled. Review and challenge documentation is scanty or missing. Disputes or disagreements seem unresolved.
• Repeated issues emerge, pointing to surface-level adjustments. There's a discernible lack of consequences for neglecting or mishandling issues and visible preference for quick, short-term fixes over in-depth solutions that address root causes.
• Teams display varied interpretations of risk levels, causing evident discord. Training or awareness initiatives seem lacking or outdated, hinting at knowledge deficiencies.
• Stakeholder feedback is dismissed or underutilized, suggesting an insular problem-solving.
• Internal audit or third parties, rather than senior management or risk management, are the ones flagging significant challenges. Worse still, regulatory authorities frequently issue warnings or even penalties for governance or control failures.

10 questions for boards

#1. How robust is our governance of issue management?

A governance framework lays the foundation for a robust issue management program:

• Install robust board oversight: How actively are our board and senior management involved in overseeing the issue management process? Is there a structured mechanism for the board to provide feedback on reported issues and insights?
• Implement clear policies: Are our policies clear, updated and communicated effectively? Are there channels for feedback from different departments to refine policies based on experience?
• Allocate sufficient resources: Is there sufficient allocation of resources, in terms of personnel and technology, to handle and remediate issues efficiently?
• Report frequently: How frequently does the board receive detailed reports on issue management? Are these reports dynamic, highlighting status, insights, patterns and future projections? (For more on enhanced board reporting, see From data overload to actionable insight—revolutionizing board reporting: A guide for directors.)
• Establish escalation protocols: Is there a clear procedure in place for escalating critical issues? Are all employees aware of this process and do they feel confident in its effectiveness?

#2. How is our operating model structured to effectively handle issues?

An integrated operating model is essential so responsibilities are clear, processes are streamlined and potential bottlenecks eliminated:

• Clarify roles and responsibilities: Are the roles across the three lines of defense well-defined and understood by all stakeholders? How do the three lines collaborate and share feedback?
• Embed first-line accountability: Does our process factor in strong first-line ownership for identifying, reporting and remediating issues? Are issue owner roles well articulated? How promptly and effectively do we assign an issue owner? What criteria do we use to select the right owners? Is there sufficient management oversight of issue owners’ activities?
• Establish risk management involvement: How are risk professionals involved in issues management? How do they engage in risk ratings, action plan review and issue closure? How do they identify themes across the organization and prioritize them? What key risk indicators (KRIs) are used to track issues performance?
• Determine internal audit role: How effective is our internal audit team in validating findings, assessing remediation stays on track, performing closure reviews and assessing the entire program?
• Embed issues in risk foundations: Is the issues management program well embedded in our foundational risk practices, such as our risk taxonomy, risk appetite and KRI frameworks, risk and controls self-assessments and root-cause analysis framework? Any any of these insufficiently mature to support issues management? Does our technology support effective issue management? Se Governing risk.
• Implement robust change management: When changes are made to the issue management program, how effectively are they communicated and implemented across the organization?
• Align incentives to effective issues management: Are there incentives to reward teams or individuals who excel in issue identification, management or resolution? How do we recognize and celebrate these successes?

#3. How effective is our process for identifying issues?

Unearthing issues promptly and accurately is fundamental for their timely resolution. An effective discovery mechanism can drastically reduce the potential impact of problems across the organization:

• Install a culture of addressing issues: How does our company's culture support (or impede) identification and management of issues? Are employees encouraged to report concerns without fear of negative repercussions?
• Use multiple sources: Are we tapping into a diverse set of sources for issue identification? Is data on issues linked to other risk, compliance and audit data and findings to get a more fulsome picture of risks and controls in our organization?
• Test controls: How often do we test effectiveness of our controls and what benchmarks do we use? How do testing results inform issues management?
• Gather input from employees: Do we regularly engage with employees to identify potential issue management gaps? Is there a robust mechanism for anonymous feedback that allows employees to voice concerns candidly?
• Use scenario planning and stress testing to identify issues: How often do we engage in anticipatory exercises, like scenario planning or stress tests, to forecast potential issues? How are outcomes of these exercises integrated into our issue management strategy?
• Assess intra- and cross-divisional impact: Once an issue is identified, does divisional management analyze whether it is isolated or indicative of broader challenges? How do we gauge potential impact across different divisions? How well do we engage and communicate with affected divisions?

#4. How do we capture sufficient information on issues to inform action plans?

In the digital age, the alignment of documentation with technology platforms is critical. This allows for accurate logging and enables data-driven insights and action:

• Set standards for issue capture: Do we have robust requirements for what data has to be entered when an issue is identified? How do we enforce those standards? If adhered to, is the data provided sufficient to properly understand the issue, root cause, risk level and so on?
• Leverage data analytics: Are we leveraging data analytics to extract patterns, insight and potential predictive indicators from documented issues?
• Maintain robust technology: Are our technology platforms equipped to record comprehensive details about each issue?

#5. How thorough is our risk evaluation of issues?

Evaluating risk associated with each issue guides subsequent action plans or decisions to accept risks related to partially or not remediating issues:

• Assess risk appetite alignment: How do we assess identified issue against our predefined risk appetite? How are associated risk thresholds and limits used in this regard?
• Use clear severity metrics: On what metrics or parameters do we base our evaluations of issue severity? How do these align with industry benchmarks or standards?
• Distinguish and measure inherent and residual risks: Do we have clear definitions and processes to differentiate and assess inherent and residual risks? Are we confident our employees understand the difference so they can properly assess risk severity?
• Establish risk acceptance protocols: How well documented is our process for deciding on risk acceptance? Who has authority to accept medium or high residual risks?

#6. How comprehensive is our approach to remediating issues?

A decisive response to discovered issues means they are addressed in a timely and efficient manner, as are long-term remediation and prevention matters:

• Establish action plan requirements: How do we draft and refine our action plans? Are remediation goals clear, measurable and aligned with the nature and severity of the issue?
• Engage stakeholders in developing action plans: At what stages and how deeply do we involve risk management and, when appropriate, internal audit, in the remediation process? Are their insights given due weight in action planning? Who approves action plans?
• Unearth root causes: How do we evaluate accuracy and thoroughness of our root cause analyses so we have sufficient understanding of what is causing issues so they can be remediated effectively?
• Leverage historical data: Do we periodically review past issues for lessons and insights? Can we identify recurring patterns in past issues to inform strategic interventions that should be included in action plans?

#7. How proactive and adaptive is our monitoring approach?

Continuous oversight of remediation helps us remain on track and be adaptable to emerging challenges:

• Establish dynamic monitoring: Do we have mechanisms to track real-time progress of remediation activities? How swiftly can we adapt to changes or new insights during the process?
• Update risk and internal audit: How regularly do second-line risk management and, where appropriate, internal audit get updated on remediation milestones? Are their monitoring roles clearly defined?
• Gather and act on feedback: How do we gather, evaluate and incorporate feedback from different stakeholders? Is there a structured mechanism to adjust action plans based on feedback?

#8. How effective is our reporting on issues?

Regular and comprehensive reporting provides a snapshot of the organization's health in terms of issue management, offering insights into strengths, weaknesses, and opportunities:

• Establish insight-driven reporting: Does our reporting capture patterns, trends and deeper insights into issue management? How are these insights communicated to relevant stakeholders? Are we using our reporting to project future challenges or areas of concern?
• Prepare for issues-related communications management: If an issue becomes public, do we have a strategy for managing communications to safeguard the company's reputation? Are spokespersons trained and prepared for such contingencies? For more on crisis management, see Crisis preparedness and management: A guide for directors.

#9. How rigorous is our issue resolution and closure process?

Finalizing the status of an issue, especially one that has potential long-term implications, demands a meticulous approach. It's paramount that once an issue is closed, it doesn’t re-emerge due to overlooked aspects:

• Evaluate residual risk: After all remediation efforts, do we routinely evaluate if the risk level aligns with our appetite and thresholds? Are there clear metrics or benchmarks that guide this evaluation?
• Clarify downgrade/closure process: How do we decide when an issue should be downgraded or closed? Are these decisions based on clear criteria and is there a review mechanism in place? How detailed and robust is our documentation process in this phase?
• Establish rigorous closure approvals: When seeking approvals for closure, especially for significant risks, do we embed layers of scrutiny (including risk management and, where appropriate, internal audit)? How do we safeguard against hastened approvals that miss critical details?

#10. How do we foster a culture of continuous learning and enhancement in issues management?

The best organizations recognize that resolving an issue isn't the end, but a point in an ongoing journey of learning and improving. Capitalizing on past lessons is key to preempting future challenges:

• Conduct post-closure reviews: After resolution, do we have processes to dissect closed issues to derive insights and lessons on our control effectiveness? Do we analyze what went well and what could have been done better in the management of the issues? How do we implement lessons?
• Train employees: How are our teams staying abreast of the latest in issues management best practices? Is there a continuous training regimen in place? Are trainings rooted in real-world scenarios and challenges?
• Review program effectiveness: How frequently do we assess the effectiveness of our issues management program? Do we have a structured mechanism to identify areas of improvement?
• Establish mechanisms for external input: How often do we bring in external consultants to provide an unbiased assessment of our issue management program? Can they spot gaps that internal teams might overlook due to familiarity or bias? Do we actively seek insights on issue management from industry peers or professional forums? How does our approach align with, or differ from, recognized industry standards or benchmarks?

In conclusion

Effective issues management is more than just problem-solving; it's about proactively identifying challenges, learning from past experiences, and continuously refining our approach. By recognizing early warning signs and critically examining 10 key areas, organizations remain resilient and forward-thinking, thereby safeguarding the organization's success and longevity.

The views in this article are mine. The insights reflect an engaging and sparring discussion between me (as governance and risk expert, and accomplished author) and Open-Source AI ChatGPT (as know-it-all and so-so author). Copyright: Mark Watson