Management of Issues

Issues, observations, findings, incidents – irrespective of the nomenclature used such outcomes will arise and typically be reported in every organization. 

From a risk and compliance perspective an issue is anything which represents a gap in the internal control environment and which requires mitigating action to be implemented in order to prevent a recurrence. At a macro-level gaps thus identified have the potential to impact the achievement of departmental or organizational goals. 

Issues typically arise from the following sources: 

• Audit processes –either external or internal
• Regulatory reviews by external parties
• Treatment of risk
• Internal assessments
• Benchmarking / Best practice/ Specialist reviews 

In dealing with issues arising it is essential that that the necessary rigor and structures be put into place to effectively manage, monitor and steward the actions arising through to completion. 

Good practice is that a single action database be established to manage all issues arising. Decentralized ownership of issues by the responsible line, with consolidated monitoring, oversight and reporting by the second level compliance function is recommended. 

Once issues are agreed and accepted, accountability for the required action needs to be confirmed and stewardship assigned by the line. At a minimum the action database should provide for the following information: 

• Issue summary and detail
• Originating Source
• Risk exposure detail and risk rating assigned
• Committed action and target date for completion
• Action plans, including interim milestones and dates
• Appointed Issue leads with responsibility for the action
• Regular progress updates against plan with revised forecasting
• Explanation for deviation from targeted dates
• Certification of issue closure, including related evidence 

The key to successful issue management lies in regular, preferably monthly, monitoring and the early identification of lagging issues with escalation where appropriate. 

Issue reporting to management should be delivered on a timely basis and is an important factor in ensuring the identification of negative trends and providing an early trigger alert for approaching target deadlines. 

Key indicators which will provide management with a health check on the state of open issues under management may include: 

• Progress against target at consolidated and sector level (audit, internal etc.)
• Issue movements (adds and closures)

• Trend analysis

• Issue analysis by risk rating
• Forecast closure look ahead
• Emerging/ potential future adds 

A rigorous and disciplined approach to managing and monitoring risk and compliance issues and related actions is a significant contributor in ensuring the maintenance of an effective and robust internal control environment.