Dealing with a regulatory exam can be an intense process. For weeks you are focused on the exam preparation, then on the exam itself with all the endless follow-up questions. At the soft exit meeting, you learn of a few preliminary findings – perhaps an MRA or two. Then, at the formal exit meeting, the findings and MRAs become a reality – to be made official in the formal report of examination. It’s now time to roll up your sleeves and focus on remediation, or, put simply, it’s time to fix things up.
Within days, you have the findings dissected into their smallest actionable components, entered into corrective action tracking tools, and you’ve assigned ownership of the corrective action to appropriate owners. The task-oriented doers at the institution dig right in, but there’s more to be done from a risk and governance perspective. One might think risk and governance only have roles in the prevention of exam findings and MRAs, but they have a sizable role during remediation as well. Sound risk management and governance can help make remediation efforts more effective and efficient.
In the interest of sound risk management and governance, there are a few things to consider as you begin the remediation process, including the following:
- Committee Structure – which committees will receive remediation reports?
- Transparency – a must in all Board and committee communications.
- Remediation metrics – what will you report?
- Review/Approval – what will the process look like for management’s review and approval of corrective actions prior to submitting them for formal independent validation (typically performed by Internal Audit)?
- Project Management – how will the processes of Project Management be carried out for the entire remediation team?
Committee Structure
Although most formal and informal enforcement actions include a requirement to form a Board-Level Compliance Committee, a typical Report of Examination with findings and MRAs won’t include this requirement. Therefore, Management should review the current Committee reporting structure to ensure issues and reports are being escalated to the appropriate level. Management should then decide what reports will go to which committees.
Transparency
Management needs to be transparent with the Board of Directors and any Board-level committees in all communications. This isn’t the time to communicate messages such as “this crew of examiners was just tougher” or “examiners feel they have to cite something, right?” Transparency in communicating and reporting to the Board is the best way to gain support for the remediation efforts underway. Transparency around metrics such as percentage complete, estimated completion date, extensions, resources, and budget is critical.
Metrics & Data
Reporting on corrective actions will suffer if managers don’t know at the outset what is being reported on. Managers need to agree on what the remediation metrics will include and how the data to support the metrics will be obtained. This is the time to decide what remediation metrics are truly meaningful to executive management and the Board. Ensure that the metrics are documented in a definitional document so that they are reliable and repeatable. Also decide on what QC will take place over the metrics and underlying data.
This requirement can best be illustrated by an example. Assume you are performing a lookback, and it’s expected that errors will be noted during the lookback. How will these be reported, at what frequency, what is the cut-off, and are all errors the same? Errors are typically reported as the number of errors and as a percentage of errors in the universe being tested. The above governance will help the results be meaningful from reporting period to reporting period.
Review/Approval
As remediation activities take place and wrap up, the support and evidence of corrective action is usually sent to an independent group (typically Internal Audit) for validation. But before the corrective action documents are sent for validation, some responsible leader in the department usually has to review them and approve them as being “ready for validation.” This is to prevent delays or misunderstandings if something ever fails validation and the responsible leader says they never approved the documents for submission to the validation group in the first place. Have all the processes agreed upon before validation starts, and this will lead to a more effective and efficient process.
Project Management
It’s great that the doers dig right into remediation, but without high quality project management in place, there could be chaos. For example, assume a lookback has to occur as part of MRA remediation. Good project management will ensure that the right resources are obtained at the right time, that reporting takes place on time, and that corrective action trackers are updated properly. This keeps everyone moving in the same direction.
The management of the remediation plan that follows exam findings or MRAs is critical to an institution or fintech’s success. It’s a time to involve sound risk management and governance concepts from the beginning to ensure the metrics on the remediation efforts are reported completely, accurately, and on time, and reported to the correct committees at the executive and Board level in an atmosphere of transparency. Sound risk management and governance concepts will also make the review, approval, and validation a more effective and efficient process. Finally, solid project management will keep everyone moving in the same direction.
How Bates Group Helps
Bates Group offers ongoing advisory services to a wide range of financial institutions and Fintechs. We offer Compliance Program Support, including Exam Preparation and Remediation, Independent Reviews and Risk Assessments, and Custom Compliance Training.