
The compelling case for outsourcing GRC

It has been a gruelling couple of years for most businesses meeting the challenges presented by the COVID-19 pandemic. It has also represented an opportunity to break with old ways and embrace change. At PX Partners, we have been listening to our clients and others as they tell their stories from the pandemic. Generally speaking, businesses have found novel and creative ways to get things done. And this question really resonated with us: How best to get things done?

 

Upending of traditional business and operating models was underway before the pandemic took hold. But the pace has accelerated with incredible outcomes. Established industry players have struggled as new participants have disrupted business models and challenged traditional thinking. It is not just a competition for market share but a fight for survival in some cases. It is mind-blowing that Tesla’s market capitalisation is larger than the nine largest carmakers combined. And the rally in the Airbnb share price following its recent listing means that it is now more valuable than the collective of the seven largest US hotel chains (figures as at December 2020).

 

This is a time for thinking differently. But where to from here?

 

Play to your strengths
Accept that you cannot be excellent in all things. This acceptance will serve you well. By leveraging specific expertise in supporting core business activity, centres of excellence are developed. Support actors can invest in systems, process and people to continually improve without diverting funds from business growth initiatives as these are the business growth initiatives. Clients benefit from best practice and benchmarking.

 

The traditional model of having an office which organised people into different teams to perform functions has been challenged by COVID. Fewer people to organise allows the firm to focus on its core activities.

 

Do you need a problem solved or do you need an FTE?
It can be a natural instinct to throw bodies at problems. But are they the bodies needed when the dust settles? Since the Global Financial Crisis there has been much investment in governance, risk and compliance (GRC) resourcing. But it is now obvious that there is more to be done in how these functions operate efficiently and effectively. Traditionally, firms have always been comfortable outsourcing distribution, operations and legal services but until recently, less so with GRC. At the same time, businesses are faced with growing uncertainty on many fronts – technological disruption, growing community expectations, regulatory and political scrutiny to name a few.

 

To meet this uncertainty successfully, GRC teams must be more elastic with the ability to dynamically augment capability when required. Having the right people at the right time enables success; and what is “right” can change tomorrow.

 

Quantify the cost
The impact of COVID-19 has proven that employees don’t need to physically be in an office to achieve the same or even greater levels of output. Outsourcing of non-core functions reduces payroll costs while bringing the benefit of having qualified experts available with a pool of resources. This is especially relevant in times of stress when more may be required at short notice, such as when the early impacts of the COVID-19 pandemic were being felt by businesses.

 

When considering the right mix of resourcing, it is important to consider that the cost of an employee is not limited to a salary but extends to all the related costs such as recruitment fees, superannuation contributions, insurance, benefits, training, desk space and technology. So, in reality, the ongoing cost of an employee can be multiples of a base salary.

 

The insource / outsource trade off
A common argument used against outsourcing is the perceived loss of control. Tightly drafted agreements with suppliers, clear service level agreements and measurable performance indicators put paid to that argument. Meaningful reporting from service providers in a standardised format makes for more efficient and impactful management and Board meetings. Issues are easily identified and actions quick to implement.

 

Outsource the ‘people risk’. There is much time spent by managers dealing with the disruption caused by turnover in teams, including difficult performance conversations, resignations, recruitment and induction. Time is better spent on revenue generating activities.

 

By having access to a pool of outsourced on-demand talent, firms can dynamically augment their workforce without the need to hire additional full-time employees. In addition to management time, this saves on fixed overheads.

 

Security of data
The ability of businesses to stand up remote and virtual models to continue business as usual operations has been incredible. There is now an opportunity to build on that success by further exploring options to support business growth by identifying core and non-core functions. Selecting partners with industry leading technology platforms and Software as a Service (“SaaS”) to provide support to non-core functions can enhance rather than detract from the technology security risk profile of a business.

 

Applying this to your GRC capability
A survey carried out by PX Partners in November 2020 found that over 90% of senior executives see a shortage of governance, risk and compliance (“GRC”) practitioners as ‘limiting business success’. In addition, 94% agreed that accessing variable or scalable GRC teams would ‘better support their business’.

 

Some small – medium sized firms may have real need for a senior compliance resource (Head of / CCO level) at the management table day in and day out to provide advice. But when the compliance function is a (senior) 1-person-band, this resource can be underutilised by spending time on ‘compliance hygiene’ activities such as maintaining policies and monitoring obligations. These firms could benefit from outsourcing core, ongoing GRC activities and benefit from the scale and benchmarking an outsourced GRC provider can offer.

 

Boutiques and start-ups often give functional GRC responsibility to their CEO or COO. These firms may not require, or cannot justify hiring, a senior GRC resource. A frequent mistake is to hire too junior for an environment where quick decisions and exercise of experienced judgement are vital (with no “committee” to hide behind!). A solution is to engage an outsourced CRO who can provide the judgment and advice required but without the FTE cost. Distinct from a consultant, this outsourced CRO benefits from a pan industry view but retains an ongoing and deep relationship with the firm and proactively helps identify risks and opportunities from within.

 

jon@px.partners is supporting clients with GRC model and framework reviews. Please reach out to discuss.


PX Partners supporting clients with GRC

Hear Jon O’Keeffe and Tanushree Dabral speak to ausbiz about PX Partners and the power of the practitioner experience when it comes to supporting clients with GRC solutions.

Post the Royal Commission there has been pressure on the regulators to step up, we’ve seen that with the unprecedented level of action that ASIC has taken; AUSTRAC has come out swinging. In the clients we’re speaking to now, people are more concerned than they’ve ever been before.



In honour of the humble checklist

10 November 2020

 

In this post we shine a spotlight on the unassuming, seemingly unsexy checklist and why it is a powerful tool for reducing errors by dealing with the limitations of our brain.

 

Whether you’re launching a rocket, flying a Boeing, or building a skyscraper, checklists have become an essential ingredient for error reduction and have been proven to literally save lives. Books and a podcast (which is the source of inspiration for this piece!) have been devoted to lauding the checklist.

 

Even experts need checklists

Checklists are at their most powerful when they are used by experts. They mitigate the mental bias in humans where repetitive activities become routine, leading to the risk that small, but critical, steps are missed.

A case study and modern rebirth story about the power of the checklist is the story of the Flying Fortress. The 1935 crash of this Boeing aircraft was caused by the pilots forgetting to unlock the elevator before take off resulting in the aircraft pitching upward. The pilots were unable to level off and the aircraft crashed. The US military insightfully responded to the event not with additional training, but with a tool that would be instrumental in changing aviation safety – the checklist.

The military recognised that providing more training to expert pilots would not address the root cause of the error. The pilots involved in this crash were highly trained, highly experienced and competent. They were so experienced and sure of what they were doing that they missed routine steps. This is the exact situation where the checklist is a hero.

Atul Gawande, author of The Checklist Manifesto, speaks of a study he conducted that involved developing a basic surgical checklist. He was motivated to conduct this study after examining data that indicated that the major cause of disability or death in surgical patients was related to a problem where the answer was known but not executed upon. Gawande finds that only a small percentage of disability or death in surgical patients was due to a problem where the answer was unknown. The failure was in the execution, not the knowledge. Gawande and his team developed a basic surgical checklist and trialed it with surgical teams in 8 cities around the world. The average reduction in complications was 35 percent. The reduction in deaths was 47 percent.

The steps in the surgical checklist were elegant in their simplicity: Has the patient confirmed their identity and the procedure prior to the induction of anaesthesia? Has the surgical team introduced themselves to one another by name and role before making an incision? These small steps may be obvious and easily overlooked. A checklist helps to ensure these small, important steps occur each and every time.

 

Involve the experts

Checklists are most effective when they are designed and implemented in parallel with the teams who will be using them to ensure they are practical.

Anaesthesiologist Peter Pronovost, upon seeing the number of people dying from infections despite existing checklists, sought to understand the root causes for non-compliance at Johns Hopkins Hospital in Maryland. While the existing checklist required medical staff to use PPE, alcohol swabs and drapes, a key pain point he identified was that supplies were stocked in eight different places, adding precious time to operation preparation. Medical teams were choosing timeliness over managing an “invisible” risk of infection that may not manifest. Supplies were moved to a centralised and accessible cart and replenished regularly. This action saw checklist compliance improve from 30% to 75%.

 

Culture matters

In his book, Peter Pronovost identified that a power dynamic was also impacting checklist adherence. Doctors did not want to be called out for not following agreed procedures in the operating theatre and nurses were reluctant to challenge the doctors they were working with. Pronovost brought the teams together to agree one central principle – ensuring patient safety and care. In getting this buy-in and addressing culture, checklist compliance increased from 75% to 98% and infection rates more than halved.

Gawande’s research identified similar cultural considerations. Introducing surgical checklists was only part of the solution; another part was understanding the culture of the workplace. Differing approaches were taken by hospitals in Ottawa and South Carolina. In Ottawa the checklist was mandated by law with hospitals attesting that they had followed the checklist. A change management program was not put in place. The result was little improvement in patient death outcomes. In South Carolina extensive consultation was undertaken including one on one sessions to ensure teams understood why the checklist was being implemented and encouraging hospitals to make the checklist their own. South Carolina hospitals involved in the program saw a 22% reduction in patient deaths.

 

The makings of a good checklist

A good checklist should:

  • Focus on the areas or processes where mistakes occur most frequently;
  • Be chunked into 5 to 9 steps;
  • Be designed by the teams that use them – not administrators or control functions that could make them unnecessarily lengthy and unusable; and
  • Use succinct, direct, even terse, language.

 

The learnings from the experiences of Pronovost and Gawande are equally relevant outside of the medical sector. Again, culture comes to the fore when seeking to manage risk. And an agreed shared purpose helps underscore the importance for all members of the team. The local environment and context need to be understood. With changes in business practices and advancements in technology, it is worthwhile remembering the humble checklist still has pride of place when it comes to managing risk.

 

tanushree@px.partners is an avid fan of the checklist and has applied the pervasive rigour of PX Partners to support clients with framework & control design and implementation. 


Controls are Queen

3 October 2020 

 

High profile headlines have seen organisations such as Westpac, NAB, State Street and ME Bank face scrutiny as they tango with Australian regulators over compliance failures while negotiating findings and unprecedented financial penalties. This leaves no doubt that ASIC, AUSTRAC and APRA have become more probing and are baring their teeth in response to community expectations and outcomes of the Royal Commission into financial services.  

 

As we reflect on these cases, it’s not difficult to see patterns in these varied situations (even if you aren’t the visual type!). Common threads are clear across the shortcomings identified in the provision of financial advice, management of home loan redraw facilities, regulatory reporting of International Funds Transfer Instructions (IFTIs) and transaction monitoring.  

 

In the case of Westpac, technology resource constraints and the loss of key subject matter experts  without proper handover to BAU impacted successful implementation of the 2009 IFTI program. The impact would be felt years down the track when Westpac identified that it had underreported 19.5m IFTIs to AUSTRAC from 2013 to 2018 within the required 10-day timeframes (and not met record keeping obligations in relation to some of these transactions).  

 

AUSTRAC also alleged that typologies and guidance around potential indicators of child exploitation risk were not implemented by Westpac in a timely and effective manner, resulting in inadequate transaction monitoring for 262 customers.

 

In 2014, ME Bank descoped planned migration of loans from its legacy core banking platform due to complexities and system issues and introduced an interim manual control to  monitor, recalculate and load correct available funds for home loan customers. This became a critical control that failed in 2015 resulting in some customers having accessed redraw funds taking their loan balance above the amortisation curve. The control failure and resulting issue was undetected by ME Bank until 2019. 

 

After NAB transferred customers to its MLC direct business, superannuation fund members continued to be charged fees despite not having a financial adviser from 2013 to 2019. The fee for no service impacted 200,000 customers. This in combination with defective product disclosure statements saw ASIC allege that NAB had not acted efficiently, fairly or honestly and slap the Bank with a $57.5m fine.

 

Hindsight is a wonderful thing but there are several important learnings that organisations should pay heed to. 

 

1. Invest now, or pay later  

In all of these cases control and compliance failures were caused by seemingly simple technology system changes with unintended consequences, deprioritised data migration or incomplete customer migration activities. Upstream and downstream impacts of these changes to complex plumbing and associated risks were not fully mapped out, understood or risk accepted by senior management. Appropriate post implementation reviews were also not undertaken to ensure changes had been adequately and completely executed.

There is no better example of the consequence of poor change management than the $1.3bn fine that Westpac has agreed to pay – surpassing CBA’s penalty as the largest fine in corporate history. This is a leaderboard no organisation wants to be at the top of.

Meaningful investment in rigorous controls requires resources – people, time, money. Investing now will save a world of pain later.  

 

2. Controls are Queen  

Yes, you read right – have you ever played chess? At the core of all these scenarios is poor control design and execution. Controls are the bread and butter of managing operational risk, so much so that we are seeing the emergence of Chief Controls Officers in large organisations. Manual controls are reliant on people to provide checks and balances, day in and day out, consistently and completely. When that manual control becomes a critical control, the expectation is that people will execute it perfectly. Each and every time. This is where things start to unravel. Manual controls are generally not sustainable in the long-term, particularly where the reliance extends for years as it has in all these cases.

For critical controls it is important that a rigorous controls assurance exercise is undertaken to periodically and independently review these controls and assess whether they are both designed and operating effectively and adequately managing the risk. This controls assurance exercise must be performed by those competent in the process they are reviewing. Transparency is important and a reliance on critical manual controls should have Senior Management visibility as it is tantamount to accepting heightened risk.

 

3. Everyone is accountable for CX  

Customer centricity or customer experience (CX) is no longer a concept owned by marketing teams. It should be embedded in an organisation’s systems, processes, conduct and culture. When ME Bank identified the error with amortisation of amounts available for redraw on home loan facilities, its remediation program saw adjustments made to approximately 21,000 customer home loan redraw facilities before informing customers of its action. In a meeting with ME Bank prior to this occurring ASIC had called out that clear, transparent, timely and effective customer communication is a key inclusion to a client customer remediation program.

In charging customers fees for services never provided, NAB acknowledged that it was unprofessional and wasn’t putting customers first. They garnered Commissioner Hayne’s intense scrutiny at the Royal Commission who commented that its internal investigation and its negotiations with ASIC appeared primarily directed to minimising the amount that NAB would have to refund to customers.  

While Westpac’s IFTI issue was substantial, its alleged failure to adequately identify and manage the smaller population of customers linked to child exploitation has seen significant reputational damage and judgement from its customers and the community.    

 

These examples show that regulators are not being reticent to take enforcement action for technical compliance issues. The numbers speak for themselves. Take State Street being fined $1.24m for omitting to send 99 IFTIs.

 

Some controls are under pressure in the COVID-19 remote working environment where, for example, they have historically relied upon original signatures or similar. The remote working response invoked in response to COVID-19 has forced the hand of some firms to improve the operation of controls through better use of technology or elimination of redundant controls. 

 

We are now in an environment where compliance breaches, self-reported or not, can attract a barrage of parallel investigations by multiple regulators, shareholder dissatisfaction and class actions. Executives and Board Chairs are not immune to the aftermath of failures by the organisations they steer and face remuneration impacts, job loss and scrutiny by their customers and community. If that isn’t reason enough, the financial burden of remediation, additional resourcing demands and financial penalties show it just makes good business sense to invest in compliance expertise and get it done right the first time, with the customer at the centre. There is after all something in that old adage – measure twice and cut once.

 

tanushree@px.partners would love to hear your comments on this piece or to chat further about how PX Partners brings pervasive rigour to support clients with governance, framework design and remediation work.


What’s in a name?

27 September 2020

 

Good customer outcomes are premised on the right information, the right structures and the right controls being in place. In this post, we look at product names and the importance of being true to label. 

 

“Ollie? James? Something Gaelic? 

Nobody can spell or pronounce Gaelic names. And we don’t know that we’re having a boy. 

And on it went.  

The last few months at home have been filled with conversations like this. Choosing a baby name is tough. Made tougher when one party is convinced it’s a boy and the other a girl. Watch this space. Not long to go.

 

So, it was interesting to see that we weren’t alone with our struggle. ASIC has had a well-publicised engagement with the funds management sector regarding names. Cash? Cash Plus? Short term? Balanced? Conservative? Though I’m sure the path to resolution for affected issuers will be quite a bit different to the resolution of our little family squabble!

 

We understand that ASIC began this review at the end of 2019 and that it was driven by concerns at the Regulator that investors could be exposed to misleading promotion when seeking better returns in a period of low interest rates and market volatility. ASIC found that some investment products in the market were being spruiked as ‘cash’ or ‘term deposit’ like but were, in fact, much higher risk products.

 

This action from ASIC and associated media statements have led to some interesting reflections at PX Partners. What initially appears to be a straightforward piece of regulatory action on product labelling has caused us to look deeper, at some more fundamental product governance questions. 

 

Who decides the name?  

Different organisations have different ways of approaching it. We know of one who made it a competition amongst employees at their office. Ultimately, the responsibility sits with the Board or governance authority who approves issuing of the disclosure document. The Due Diligence Committee plays a critical role. As does the Product Manager and Compliance team. But have we paid enough attention to naming in the past? And what about the passage of time? A fund name in 2000 may have been very much in vogue, in line with regulator and community expectations. But it’s 2020. We have had a Royal Commission into misconduct in financial services. Times have changed. Have the labels moved with the times?

 

Does it matter? 

It does. The funds industry relies on advisers, gatekeepers and Approved Product Lists (APLs) to help retail investors navigate their options.   

Screening of funds and bucketing of investment options is a well-established practice in the funds industry in Australia. Those with responsibility for categorising different investment products pay more attention to what is ‘under the hood’ than simply relying on the label. 

But, that being said, many retail investors do not rely on financial advisers and are choosing investment products themselves. ASIC has ‘called time’ on disclosure reliance with their research indicating that only 20 out of 100 people read disclosure documents. This means it is critically important for responsible product issuers to be transparent with their product labels.

 

What is required of product issuers 

The answer is the same to most questions faced by the industry – do the right thing, be transparent and care about your customer outcomes. In this case – if you’re not running a cash fund, then don’t call it a cash fund.  

From the Regulator’s perspective, this matter goes to some fundamental obligations – are you being misleading and deceptive? Are you providing financial services efficiently, honestly and fairly?

 

What action is needed now 

This depends on the maturity of your product governance framework. If you have not started work on your firm’s response to the new design and distribution obligations yet, it is time! 

Product governance is a broad framework which spans disclosure, labels, operations, customer outcomes, target market, distribution channels, marketing, investments, risk and everything in between. Management and Boards should be asking:

  • Is our product lifecycle or governance framework documented? Is it clear where accountabilities lie?
  • Is it broad and encompassing? Are product names reconsidered when offer documents are being updated? Do we have representation from across the business to ensure all views are heard?
  • Do periodic product reviews check back to the original business case or intention of the product? Is the investment strategy of the product materially the same? Is it still being sold in line with how it was intended to be sold? 
  • Has the product take-up been in line with expectations? If not, is this because it isn’t meeting customer needs?  

 

While Juliet might’ve argued that names should not matter, recent regulatory action serves as an important reminder that they do.  

 

jon@px.partners would appreciate any (helpful!) baby name suggestions and would be happy to chat more about how PX Partners supports clients through regulatory change and interactions.