Many financial institutions and fintechs of all types have some sort of exception reporting as part of their periodic KRI (key risk indicator) reporting. When reporting on exceptions, it’s important to report the whole picture, otherwise the true risk could be inadvertently masked. Let’s consider the two main aspects of exception reporting.
The number of exceptions
The first aspect of exception reporting is informing the reader how many exceptions the reporting period just had. If you report exceptions every month, then the report would show the number of exceptions in August (for example) and would also likely show the number of exceptions for July, June, and as many months going back as the reader requires. The reader is typically senior management or the Board of Directors. Reporting exceptions in this manner allows you to how a pattern or trend with the data. For example, exceptions are increasing month to month. When reporting in this manner, remember to generate the data the same way each time, using consistent reporting and documentation controls. Otherwise, your data could be all over the place, when in fact it’s relatively stable, or vice versa. While this is a great way to report on exceptions, it’s only half of the equation.
The other half of the equation is where the risk truly resides.
Reporting on prior exceptions
The second aspect of exception reporting is informing the reader about the aging of prior exceptions. Without reporting on the aging, it’s possible the reader will just assume that prior exceptions were worked and cleared. The real risk resides in the prior exceptions that were not cleared or in the length of time it took to clear them. Reporting on the aging of exceptions will reveal this risk.
ABC Bank reports on exceptions in practically every operating unit, including customer onboarding. Every month they report on 30 to 50 onboarding exceptions of all types. This reporting includes every month for the prior year, but has never included a report on the aging of any exceptions. Worse… no reader ever asked about an aging report. In reality, only 50% of those exceptions ever got cleared. As time went on, more and more uncleared exceptions stayed on the detail report which had no transparency to senior management. Everyone involved in the operating unit thought it was someone else’s responsibility to follow up on the exceptions to ensure they were cleared.
An internal audit eventually revealed the above situation. The internal auditor rated it high risk because the control breakdown was systemic. There wasn’t even a process in place to work and clear the prior exceptions. The issue was deeper than simply reporting, but it was the reporting function that revealed the issue.
For those generating periodic reporting on KRIs, be sure to reveal the real risk, and when considering exception reporting, understand that the risk resides in the aging.