Can Weak & Ineffective Controls Save You Money?
by William Hord
March 10, 2017 10:03 am
I was honored to speak last month at NAFCU’s Strategic Growth Conference about “Transforming Your ERM Program from Enterprise Risk to Enterprise Opportunities.” The topics covered were Risk Appetite Opportunity, Weak & Ineffective Control Opportunity and Effective Key Risk Indicators for Opportunity.
After the presentation, I appreciated the level of questions and comments that came from those in attendance. It was great having discussions across all three topics, but it seemed most of the questions were focused on the second topic, Weak & Ineffective Control Opportunity.
So, with that in mind I thought it might be good to share with you some of the highlights related to that topic.
First off, what is a Control in the context of Enterprise Risk Management (ERM)? In the simplest of terms, it is a business process mitigation activity designed to reduce or eliminate one or more risks.
As a business, you obviously have hundreds or possibly thousands of controls across your organization within every department. When those controls were first designed and put into place, the probability was very good that they were strong and highly effective. However, over time, as our business changes, process changes are introduced, and with them potentially new risks. If new controls aren’t introduced or existing ones properly evaluated, those controls may no longer produce the same risk mitigation as originally designed.
When evaluating process risk and controls, I can’t tell you how many times I have heard the responses “I don’t know” or “We’ve always done it that way” when I’ve asked the question, “Why do you do it that way?” Which brings me to my first point: if the employees responsible for completing a control or set of controls to mitigate risk don’t understand why they do it, its effectiveness is going to be less than ideal. Additionally, in the absence of your control assessment, how would risk management even begin to know if the employee can’t articulate its intended mitigation and therefore its perceived deficiency?
However, you generally only find out the answer to that question and others by sitting down and assessing the controls within your organization. My second point is: how often are you really evaluating your controls to determine which ones are weak and ineffective to the point that they potentially elevate your process residual risk to levels outside your established risk appetite and tolerances?
Impacting Your Bottom-Line
When you begin to effectively evaluate your controls and determine which ones are weak and ineffective, you can truly begin to have a positive impact on your organization’s bottom line. This can easily be accomplished in a couple of ways:
1. Can the control be automated? If a control is still relevant to reducing risk and the deficiency is tied to lack of understanding or lapses on the part of the employees performing it, can it be automated?
You could train and counsel the employee(s), but that takes additional time and other resources to maintain and/or improve the control’s effectiveness. If the control can be automated, a quick cost-benefit analysis can be performed to show how the overall cost of automating the control may not only improve its effectiveness but also save the organization resources and money over time.
2. Should the control be removed? If a control is still relevant to reducing risk and can’t be automated, or the cost-benefit analysis shows the ROI isn’t optimal, then can it be removed?
A quick cost-benefit analysis here can possibly show that the time it takes to complete the control and continually monitor and train to maintain its effectiveness far exceeds the benefit derived from the control. In this case, risk management can make the sound recommendation for removing the control and document its reasoning.
The Starting Line!
Several conference attendees asked me, “Where is the best place to start?” Well, without a full understanding of your organization, its risk management practices and other factors, it’s tough to say. However, a baseline place to start would be as follows:
1. Review your existing Control Library;
2. Sort your Weak and Ineffective Controls;
3. From those Controls start with the processes that have the highest level of Residual Risk;
4. Ask the employees responsible for those Controls:
a. “Why do you do it that way?”;
b. “Do you have ideas on how we can improve it?”
5. Begin your analysis
8. Automate and/or;
One of the last questions I got before leaving the conference was “Do you really believe that Weak and Ineffective Controls Save You Money?”
Of course they do, but only if you are effectively assessing them on a periodic basis. Otherwise, the money, time and resources you waste are never truly realized and your perceived risk mitigation is simply that… a perception. When was the last time you evaluated your Controls?
New Release Quantivate Complaint Management Software
November 15, 2016 08:11 am
Streamlines the customer complaint management process and ensures compliance with detailed regulatory requirements
Woodinville, WA, November 14, 2016 — Quantivate today announced the release of its new module, Quantivate Complaint Management, a simple and effective SaaS solution that automates the process of complaints management. Complaints are a natural occurrence in any organization, and in the current regulatory environment their management has been intensified, leaving spreadsheets no longer an option for any organization that wants to stay compliant.
Quantivate Complaint Management software facilitates compliance with the growing regulatory environment, and helps organizations meet both governmental and voluntary regulations for complaint handling. Customer complaints flow into any organization from various touch points, including emails, direct mail, calls, regulators, and social media. Organizations need to effectively manage these complaints to ensure efficient handling and resolution, not only for their customer satisfaction, but also to remain compliant with regulatory bodies.
“Organizations need a simple and effective solution to automate the process of complaints management while still meeting the growing demands of regulatory bodies like the CFPB,” said Andy Vanderhoff, Quantivate CEO and founder. “We designed the Quantivate Complaint Management module to not only automate the intake, management, and resolution of complaints, but we also included built-in analytics to help identify compliance issues or potential risks.”
With one centralized database the Quantivate Complaint Management software module enables users to manage the entire complaint lifecycle with real-time complaint tracking, reporting, alerts, and escalation of potential issues. Quantivate Complaint Management is a simple to use and configurable solution which includes the ability to track and manage complaints from customers, suppliers and other stakeholders, record follow-up actions, and report on any findings or regulatory non-conformance that may be associated with a complaint.
Quantivate Complaint Management Key Features:
- Real Time Complaint Tracking: As complaints are entered, researched, and resolved, you’ll be able to easily visualize and track where each complaint is in the complaint lifecycle.
- Regulatory Compliance: Effectively meet regulatory requirements from CFPB, UDAAP, DFI, ISO, etc. In addition, enter tracking information for other regulators of your choice.
- Escalations: Automatically escalate any complaints that have been open or idle for too long, and quickly view how long a complaint has been open without resolution.
- Response Templates: Use built-in response templates, or create your own, to respond quickly to common complaints.
- Executive Reporting and Dashboards: Designed to offer insights for busy executives that want to quickly understand relevant risk trends.
- Comprehensive Reporting: Pre-made and custom reporting options available to view risks by location, product/service, and other criteria.
- Alerts and Notifications: Customizable alerts and notifications are available to notify you when a complaint has been received, escalated, approved, or resolved. If a complaint has remained open for too long, then a notification will be generated to notify the appropriate party.
- Analytics: Complaint data is collected and compiled over time to demonstrate which products, branches, and services are trending with high or low complaint volume.
Quantivate Complaint Management can be used as a stand-alone complaint management module or integrated as part of the greater Quantivate GRC solution suite. For more on Quantivate Complaint Management please visit: http://quantivate.com
Quantivate is a provider of web-based Governance, Risk, and Compliance (GRC) software and service solutions to organizations both large and small nationwide. Founded in 2005 with the release of its Business Continuity Software, the company has grown to feature a full suite of modules for GRC including Business Continuity, Vendor Management, Enterprise Risk Management, IT GRC, Internal Audit, and Regulatory Compliance.
What Do You Really Need to Know About Zika Virus?
by Andrea Tolentino
October 05, 2016 10:10 am
Unless you have been living under a rock, you are probably familiar with the recent Zika virus outbreak that has been spreading across the globe through the bite of an infected mosquito. You may be asking yourself: ‘Does it matter?’, ‘Should I care?’, ‘What should I do to protect my organization?’ Disaster prevention, mitigation, and preparedness are some of the key roles a Business Continuity professional plays within any organization. Because of this, Business Continuity managers play a critical role in safeguarding an organization and countering the risks Zika (and other infectious diseases) pose.
Is an 18% Hit to Your Net Income Within Appetite?
by William Hord
August 26, 2016 10:08 am
18% Hit to Net Income
Yesterday the CFPB released the following statement: “CFPB Orders First National Bank of Omaha to Pay $32.25 Million for Illegal Credit Card Practices.” As I read this press release, several things came to mind, and maybe to yours as well. I will break them down into 4 areas.
ERM Risk Quiz
by Dan Banning
August 08, 2016 11:08 am
With Enterprise Risk Management (ERM) getting increased attention in many organizations and across industries it is important to understand the various parts of an ERM program and how they affect the program overall. Proper implementation of ERM can facilitate better decision-making, increase efficiency, and enhance an organization’s risk control efforts to support critical Governance, Risk, and Compliance (GRC) initiatives. Effective ERM enables management to cope with potential future events that create uncertainty and helps management respond in a manner that reduces negative outcomes.
FFIEC Issues Statement on Cybersecurity
by William Hord
June 08, 2016 08:06 am
FFIEC Issues Statement on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks
The Federal Financial Institutions Examination Council advised financial institutions yesterday afternoon to monitor the risks associated with interbank messaging and wholesale payment networks, coming just two weeks after a malware attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) breached 12 banks. The FFIEC stated, “financial institutions should review risk-management practices and controls related to information technology systems and wholesale payment networks, including risk assessment; authentication, authorization and access controls; monitoring and mitigation; fraud detection; and incident response.”
If you haven’t already been assessing this process risk via your ERM program and/or your IT/GRC program, you should. Ensuring you have all the necessary controls in place to mitigate your risk and provide assurances to examiners and stakeholders is critical for such a highly utilized and trusted financial service.
New Workflow Engine
by Dan Banning
May 26, 2015 02:05 pm
Dynamic Workflow Engine
The Quantivate GRC platform now includes a native workflow engine that helps manage and support GRC processes. The workflow engine enables you to easily build workflows that control the routing and gathering of information and the notification of completion.
Deliver scalable and relevant workflows to your enterprise
From basic tasks to complex solutions, workflows in Quantivate can drive user action, simplify user activities, and ensure consistency by connecting your users with the relevant tasks and information they need most. Workflows can be set up to manage single users or departmental processes, or even built to span all your GRC initiatives and modules.
Gather information from both internal and external sources
GRC processes often require information from both internal and external sources. The Quantivate workflow engine allows you to build workflows, pages, and questionnaires to gather information from external sources such as vendors and other third parties. Combined with the Quantivate platform’s temporary user accounts feature, you can now create powerful self-service portals so your vendors, suppliers, and other third parties can manage their own information and documentation.
Sequential, Parallel and Multi-tier Workflows
The Quantivate dynamic workflow engine allows you to build workflows that involve sequential, parallel or even multi-tier processes or a mix of them. This gives you complete control of the steps and processes for advanced workflow management and development.
Vendor Management: Change the performance scale
by Mark Callender
March 19, 2015 11:03 am
How are you managing the performance of your third parties? Are they meeting your expectations? Are they providing good service? Do they have a service level agreement and who is monitoring that SLA?
A lot of organizations use a keep vs. fire or A vs. F system of evaluating their third parties. They will go through and rate their vendors, grade them A – F or score them 1 – 5, and come out of that saying we’re either going to keep the vendor or terminate the contract.
Senior Level Vendor Managers
by Dan Banning
March 06, 2015 11:03 am
Given the importance of our third-party relationships to the success of an organization, the role of the vendor manager has evolved so that they are no longer a legal clerk, a contract negotiator, or a paperwork administrator.
In today’s business world, vendor managers are often a part of the senior level management team, where strategic thinking and business development are vital skills.
NCUA Releases Supervisory Guidance on ERM
by Dan Banning
November 13, 2013 10:11 am
Today the NCUA released a Supervisory Letter for Enterprise Risk Management (ERM). In the cover letter Chairman Debbie Matz indicates that the approach taken for effective risk management can vary from credit union to credit union.
“NCUA’s examination process requires examiners to gauge the overall effectiveness of a credit union’s risk management process based on an evaluation of several components, as well as an understanding that each credit union’s approach will be tailored to its individual business strategy and risk tolerance.”