Finding A Problem Is One Thing, Fixing It Is Another
Not long ago, I visited an institution we’ll call “Flub Financial.” Flub’s compliance team was knowledgeable and experienced. Their well-executed audit program employed savvy auditors whose comprehensive coverage allowed Flub to easily detect problems. So why did Flub find itself in a multi-million dollar enforcement action? The reason: Flub kept applying the same practices that had created the problems in the first place.
Management did little to correct the underlying issues. Worse, Flub’s directors exercised even less oversight because they assumed management took care of problems after the board was informed of deficiencies. Simply put, Flub failed to apply our third lesson from the construction industry: Maintenance and repairs are essential to preserving value.
Just as contractors are responsible for a well-built house, directors are accountable for ensuring the compliance program’s sound foundation, and overseeing its ability to detect deficiencies. Moreover, directors must ensure corrective actions are taken when weaknesses occur. Similar to preserving a house, an institution’s success depends on whether corrective actions are taken immediately.
Examiners, much like building inspectors, want to see things working properly. Has prompt action been taken to correct weaknesses noted in routine monitoring as well as during examinations? Do records show how problems were addressed with evidence of corrections made? Good answers to these questions are crucial, because without a proven methodology, deficiencies may turn into large cracks.
There are three main aspects to successfully implementing corrective action:
1. Specifying and assigning corrective steps,
2. Confirming the correction occurred, and
3. Following-up at appropriate intervals to ensure the correction’s effectiveness.
Specifying the Steps
To identify and assign corrective steps, the board must determine who, what and how. Who will ensure correction happens? What oversight and work steps are needed and what is the deadline for the correction? How will the assignee apprise the board of their results and how will the board monitor whether the correction worked, or if problems still persist?
It’s essential for the board to assign correction actions to executives, who have the necessary accountability and proper authority, rather than to a department. For example, listing the lending department as responsible leaves it unclear as to who is accountable for doing the work and confirming it was completed. Avoid this mistake by listing specific job titles or individuals. The institution must be able to recreate the chain of events so the board can validate the process, and examiners can confirm that proper repairs were made.
Confirming the Correction
The responsible party should report to the board when the correction is complete. The board should have a regular and predictable interval for these reports with standard formatting. It’s a best practice to require that managers provide evidence of the correction—in other words—trust, but verify. The implementing manager should conduct preliminary validation of the correction, and demonstrate through actions and evidence that the problem is fixed. This action assures directors that management has resolved the issue, not just given it the appropriate lip service.
Follow-up reviews should be conducted by compliance personnel, after corrective measures are implemented, at the proper timing. Reviews shouldn’t happen too soon because the board won’t be able to tell if the fix stuck. Often, a corrective measure validated within days after its application will seem to work beautifully. This is either because it worked, or because the change is fresh in the minds of staff and they haven’t had time to backslide into old ways.
A minimum interval of 90 days before verifying corrections allows enough time to gather trend and analytical information, and to see whether corrections withstood the test of time. Beware, however, of waiting too long. Problems may persist if the fix wasn’t properly applied at the outset. Imagine waiting a year before reviewing your fix, only to find that the wrong corrective actions were taken.
To recap, avoid these red flags of poor corrective action:
- Failure to set specific correction standards
- Failure to designate a single party ultimately responsible
- Failure to confirm issues are resolved
- Failure to keep records so when examiners ask how and why certain things were done, the action can be reconstructed and proved
Bottom line, it is simply not enough to have strong policies and procedures, even with a strong audit program that detects weaknesses. It’s crucial to have an equally strong protocol for swift and precise corrective actions. Just like preventive maintenance protects your home, a strong compliance program protects your institution’s value for the long term.