Challenge: Demonstrating Accountability and Ownership at the First Line
When a fintech company was looking to make a jump to consumer-facing technology, they knew they had to take a closer look at their processes for identifying, mitigating, and reducing risk to expand their offerings.
They already had a strong internal audit programme that identified breakdowns and gaps within the organisation. However, these issues were not always getting the attention they deserved across the rest of the organisation. Management of risks associated with day-to-day operational activities was weak, leading to low audit ratings. Stakeholders were concerned about whether the business could make the risk-based decisions necessary to safely implement cutting-edge fintech.
In response, the organisation’s management committee charged their risk management function with building a traditional three lines of defense programme: operational management defending against risk on the first line, risk management and compliance functions on the second line, and internal audit on the third. This meant cultivating accountability and ownership at the first line of the business, where risks are introduced to the organisation. It required standing up a true second-line defense reporting to the Chief Risk Officer. Most important, it necessitated a risk culture in which everyone is responsible for identifying and reporting issues.
Solution: Selecting Lockpath To Support Processes and Build Workflows
To meet this mandate, they started by plotting processes and mapping out how they wanted to manage self-identified issues (SII) and risks. They quickly recognised the importance of utilizing a purpose-built solution. “Rather than investing more resources into the problem, we needed a platform to support the policy management process itself,” says their Director of Risk Management. “We extensively reviewed the available solutions on the market and found Lockpath was the right fit for us.”
The key to their decision was Lockpath’s ability to centralise and automate processes. “We knew that centralization would be essential for us, ensuring policies and procedures were updated on time, with the correct review, and documentation for these decisions,” he recalls. Internal auditing also found value in a centralised approach, which enabled them to easily access the policies, standards, and procedures they would be auditing against. Automatic notifications helped owners and stakeholders meet deadlines and increase accountability.
They were able to build records right into Lockpath’s platform, resulting in the capture of additional information for root cause analysis and addressing emergent issues. The organisation also developed new workflows that allowed executives to accept some risks when appropriate, and dashboards that helped first-line defense employees take increased ownership.
Results: Improved Audit Ratings, Lower Costs, and an Informed Risk Culture
Empowered by Lockpath’s platform, their Risk Management team was able to improve their internal audit ratings by identifying and remediating issues at the very first line of the business. Now, first-line employees own and manage operational risks. They conduct risk assessments, participate in risk roundtables, and receive training on how to use the dashboards and tools available to them.
They also implemented second lines of defense, including Ethics and Compliance, Operational Risk Management, Business Continuity, and Privacy Officers, all reporting up to the Chief Risk Officer. These changes led to a substantial decrease in the number of internal audit findings and issues to remediate. After an initial anticipated increase in self-reported issues, they also saw decreases in SII as the organisation became better at proactively managing risks.
Leveraging Lockpath’s capabilities helps reduce the number of resources required to drive success. According to their Director of Risk Management, “without Lockpath automating our process management, we would certainly need to double the resources to ensure our identified issues are seen through to completion manually.”
Most importantly, they created a risk-aware culture built around prioritizing and adopting the work they put into their lines of defense. “Organisationally, we believe that every employee is a risk manager. Regardless of role, we each have business objectives and take actions that introduce risks. This message has helped our organisation mature in terms of our risk culture.”
Ultimately, this fintech company demonstrated that it was a well-managed organisation capable of making sound risk-based decisions, giving its management committee the confidence to proceed with the implementation of their new consumer-facing solution.
For this organisation, smart, successful risk management – paired with the power of Lockpath’s platform – resulted in transformational innovation, enabling future developments that they predict “will help us continue to be competitive within our industry.”
Using risk management to make your business a competitive force – that’s the power of Lockpath.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Our solutions help organisations manage risk, address complex regulatory requirements and foster an ethical, productive workplace culture.