Addressing Regulatory Compliance Issues
Point B’s Steve Hall and Sydney Rickelman discuss the benefits of a remediation management office (RMO) and how organizations can establish and execute one, leading to significant time and cost savings.
with co-author Sydney Rickelman
Maintaining compliance can feel like a moving target. Organizational growth resulting from an acquisition or introduction of a new product or service can trigger increased regulatory scrutiny in the form of an audit. If you get audited and a series of noncompliance issues are uncovered, you may be given a warning and a short window of time to fix or remediate the issues before receiving a penalty, which can be hefty: banks globally have been hit with $321 billion in fines over the past 10 years.
However, if you have findings, an effective remediation management program in the form of a remediation management office (RMO) can minimize penalties and fines, potentially saving your organization millions of dollars.
What is an RMO?
An RMO is a program management office (PMO) set up to deal with the list of specific noncompliance issues a regulator has identified during an audit. An RMO creates value from both a regulatory and execution perspective, helping organizations address critical issues highlighted by a regulator, who typically gives just a short timeframe in which to resolve issues before enforcing regulatory action.
If the program management status quo of your organization is not set up to deal with critical regulatory issues that include expedited timelines, a large volume of issues or the impact remediation will have across your entire business, then there is significant value in setting up an RMO.
An RMO helps you right-size your effort. Given the importance of execution on an RMO, you need to have all the right structures and leadership in place, and the organization has to support it. If you’re executing well, the team on the ground knows exactly what they need to do, especially when faced with a very short timeline in which to correct issues.
Business Value of an RMO
Once a regulator has identified noncompliance on critical issues, the overall value of the organization is reduced. However, the business value can be stabilized and even increased through fast, efficient and effective remediation efforts.
Responsibilities for managing regulatory risk can be spread throughout the organization. However, decentralization can result in slower adoption of priorities, different priorities and goals across the organization and varying degrees of responsiveness from the impacted business owners. The RMO can provide a single point of coordination and prioritization to drive the outcomes you need and start closing the gaps, aligning investment with regulatory exposure and business risk.
To decide where to direct resources, determine what revenue streams are at risk, whether you’re at risk for continued fines or what business areas are most critically impacted. The key is knowing your business and wisely diverting your corporate resources.
5 Key Considerations in Establishing an RMO
As you look to establish an RMO, the following are critical areas to consider.
Understanding the Environment
To quickly mobilize to fix noncompliance issues, be clear in how your business operations align with regulatory mandates. A business must understand the scope and severity of the noncompliance issues at hand, the financial and nonfinancial consequences of remaining in noncompliance, the timeline by which remediation must take place and the extent of the impact to the business.
In one example, a financial services institution had undergone a period of rapid growth through acquisition and was unable to adapt to new regulatory implications in a timely manner. As a result, the institution received an enforcement action that included a fairly extensive list of findings with a mandated date, but the regulatory mandate was otherwise fairly vague. The financial institution understood the noncompliance issues at hand, as well as potential consequences, and developed a timeline that gave priority to the findings with the biggest impact on the business. Additionally, they identified the areas of the business that were the most impacted and would require action and input on a regular basis. Next, they created a team that included key individuals, along with sponsorship from executive leadership, to give the remediation effort the necessary focus and attention.
Governance and Ownership
There are multiple levers that can help you determine where an RMO fits within your organization, including size and structure and where ultimate responsibility for remediation lies.
As you begin, be clear on what decisions need to be made to drive regulatory remediation and when they need to be made. Think about the scope of governance over your remediation efforts. This could include establishing effective governance bodies, whether a regulatory steering committee or an operating committee, to drive the operational efforts toward remediation; identifying a clear sponsor; or identifying business owners and how to involve them in governance and decision-making around your remediation efforts. Define accountability and decision rights not only for the governing bodies, but also for individuals within the governing bodies, so you have clear accountability. Finally, determine the management processes you want to put in place and how to manage the cadence.
Additional questions to help guide you:
- Do you need effective governance mechanisms over policies and procedures?
- Is there a complete requirements inventory with traceability from findings to business owners? If so, how do you establish controls over it?
- What applications do you use to help manage your regulatory environment?
- Is there an enterprise compliance or management suite that provides visibility into your overall enterprise risk status? If so, how do you make sure that the data in those systems is accurate?
The Need for Speed
Time is of the essence once your organization has been flagged for noncompliance. With a typical project, you establish a plan and timeline and adjust as necessary. With regulatory remediation, you often don’t have that liberty, as the timeline for remediation is often mandated by regulators.
The clock starts ticking the moment your organization receives negative findings. You need to respond quickly while engaging various departments within your organization to evaluate the findings, perform a gap analysis between your operations and the findings and then drive remediating action.
Establish a command center to provide an additional level of agility and coordination to make quick decisions around prioritization of resource allocation, enabling rapid triage of risks and issues and prioritizing long-term action plans, ensuring compliance along the way.
As the central point of coordination, the RMO can be the clearinghouse for internal and external communications about remediation efforts, tracking and reporting on program status. The RMO can also ensure you’re addressing compliance requirement findings through your action plans. That clear traceability shows that you have line of sight from the findings to the action.
One organization slapped with an extensive list of noncompliance issues to remediate was not asked for remediation status updates by their regulator. However, they decided to be proactive in giving quarterly updates on progress made in the action plan, including next steps and key accomplishments. These updates were well-received by the regulators and signaled that the organization was focused on correcting issues and taking the remediation efforts seriously.
Minimal Impact to the Business
Many of the issues requiring remediation impact day-to-day operations. You need business owners to be accountable for any changes while being mindful about how you use their time to gain information. An RMO can create additional capacity, dedicated focus and minimal day-to-day disruption to provide balance in keeping business moving during remediation.
Executing an RMO
Remediation programs impact the whole organization, and tight timelines often dial up the pressure. Successfully structuring your RMO depends on four key factors:
- Mobilization: Based on effort and skills required, determine the structure and size of your remediation program and mobilize.
- Accelerators: Leverage accelerators like playbooks, frameworks, tools and templates to move quickly. Prepare your action plan before the audit report arrives.
- Decision-making: Clear governance prevents barriers. Establish a clear decision-making strategy and owners up front.
- Focus: Dedicate resources to this effort to avoid the trade-off between remediation and “business as usual.”
If the program management status quo of your organization is not equipped to deal with the speed and magnitude associated with regulatory compliance issues, then you need to execute an RMO. Through preparation and speed to mobilization; appropriate triaging and roadmapping of issues and solutions based on priority and impact; and effective governance through execution and validation of remediating actions, an RMO helps you right-size your remediation effort and achieve sustainable compliance.
Rickelman leads transformational projects, including large-scale technology implementations, program enhancements and redesign and implementing risk and compliance solutions.