Hall of Fame football coach Lou Holtz once said, "Life is ten percent what happens to you and ninety percent how you respond to it." The same can be said for addressing supervisory actions after a regulatory exam. Responding to regulator findings is a daunting process for even the most mature financial institutions and, in today's ever-changing world of financial regulation, how your financial institution responds to a regulator's inquiry, will be vital to how your clients and potential clients perceive your organization. In an effort to address your firm's operational, compliance, and reputational risks, while promoting transparency and accuracy, DHG recommends a three-phased call to action.
Each journey begins with a first step, and, true to the idiom, that first step is the most important. When financial institutions receive feedback from their regulators, the first thing that needs to happen is to respond – acknowledge the feedback and organize a remediation plan. This is seemingly straightforward, but intensive time should be spent to carefully and thoughtfully develop a plan of attack that both addresses the issue as noted and that is realistically achievable. In order to do this, firms should:
- Gather all relevant and impacted stakeholders to discuss the findings and agree upon scope and understanding. There should be alignment in strategy and approach from the start for each impacted line of business and control function
- Establish the core remediation roles (ex. Accountable Executive, Change Lead, etc.) and governance framework/routines to monitor and oversee the program
- Set milestones and attainable deadlines that will help the firm remediate the issue(s) and achieve a state of compliance
- Lastly, financial institutions should establish quality metrics and other key performance indicators that are trackable and reportable throughout the remediation timeline. This implements accountability, which allows management to properly assess roles and responsibilities for the overall remediation effort
Now that the response letter has been submitted to the regulator, how should financial institutions approach remediation of the existing issues? How can they make sure that everyone is working together so that compliance can be achieved? In this section, we will cover the integral activities within the remediation phase.
Often, regulator feedback is based on an indication of an issue or an identifiable problem within a sample population. Due to this reality, remediation activities must generally begin with an assessment of the true depth and breadth of the problem. This will help financial institutions categorize and understand the true root of the problem and build resolutions from the source. The gap assessment will help pinpoint what the issue is; however, root cause analysis will investigate why the issue exists.
A sound action step to include in any remediation is policy or standards review. In this step, financial institutions will need to review any existing enterprise policies and standards, or lack thereof against the current regulations that apply to the organization to understand if there are gaps in policy that need to be addressed? Alternatively, if there are specific areas of policy that are not being followed can also be discerned. Since corporate, as well as business level policies and standards often set the rules and frameworks within the organization, management and other stakeholders need to ensure that these documents are clearly and precisely written so teams may rely on them for sound guidance.
What happens once issues have been spotted and root causes have been uncovered? As people often say, words are meaningless unless actions take place; the identified issue will not change without the execution of a strategy.
Within the execution phase, process mapping will often occur before any changes can be made. Whether it is a specific or general business activity, a process map can show the inputs, actions, and outputs of a process. An end-to-end mapping exercise of all in-scope processes should be leveraged to develop an inventory of potential points of failure and associated controls.
Process re-engineering is where real changes will take place. This is the execution of improvements to people, processes, and technology to address issues and gaps mentioned previously. Each improvement can and should be tied to the identified issue noted in order to track actions taken and report ongoing metrics and improvements. Often, it is beneficial to look for those quick-win opportunities that can help to both gain momentum with internally-impacted stakeholders as well as show progress to regulators. As processes change, it is important to ensure new controls and performance metrics are developed to test for sustainability and progress reporting.
Like any improvement effort, change can only be maintained for as long as it can be controlled through monitoring. With this in mind, to build a sustainable strategy, financial institutions will need to have a sustainable governance model. Governance embodies the structure and processes that are implemented by management for stakeholders to inform, manage and monitor the activities within the governance framework. More specifically, a governance model set up for regulatory activities should have a focus on:
- Manual Processes – Where are the processes that still require manual intervention and controls to ensure adherence? Are the existing controls sufficient and performing as expected; and
- Automated Processes – Are automated processes being assessed to ensure appropriate data quality and accuracy? Are we using the right data? Is it from the right sources?
Sustainable compliance requires an ongoing effort focused on improving day-to-day business activities. Hence, continuous improvement, whether it is seeking improved technology or changing business processes to eliminate potential points of failure, should become a consistent lens through which an eventual steady process is viewed.
How We Can Help
The Regulatory Advisory practice at FORVIS is ready to help your organization through any of the response, remediate and sustain phases of regulatory examinations. Our subject matter leaders include seasoned industry professionals, former regulators and experienced project managers that can help your organization navigate the complexities of addressing regulator feedback.