
Issues and Actions Management


Regulators stress the importance of effective issue handling in building a strong enterprise risk management program. But as operational complexity in banks grows, it’s getting harder to keep pace with the volume of governance breakdowns and to maintain the transparency and accountability regarding issue remediation that regulators encourage. 

A formal issue management framework that incorporates the right tools could be the answer. Such a framework introduces consistent processes for identifying, responding to, and reporting on issues across the organization. Centralizing identification and management can help organizations move beyond scattershot approaches to more effectively address their risks. And by establishing a uniform approach that supports staff and transcends organizational silos, banks will be better equipped to navigate their increasingly challenging operating environment. 

This article explains the basics of issue identification and outlines the elements necessary for creating a robust framework for issue management at your bank. Creating a strong culture, getting board-level backing, and deploying technology effectively are important to the success of any coherent plan. 

First Things First: Identifying Issues 

“Issue” is a term of art risk professionals use to define a deficiency or gap caused by ineffective or nonexistent controls. An issue can also be a condition that exceeds acceptable tolerance levels and may require remediation. Issues can be identified in a variety of ways including by: 

  • The business, in the first line of defense.  
  • Risk management team reviews in the second line.  
  • Internal audit in the third line. 
  • External parties such as auditors and regulators.   

One way small and mid-sized banks have measured whether they’re on track is their speed at solving problems, a survey last year by the Mid-Sized Banking Coalition of America revealed. 

To address issues in a timely manner, it is important to establish clear channels and processes for identifying and reporting on them. Too often, issues find their way to the board or audit committee because remediation processes break down. Regulators have suggested that this over-reliance on internal audit is a major deficiency that can lead to longer issue resolution times. 

Failures in issue management commonly include: 

  • Leniency on non-regulatory issues that have gone on for too long. 
  • Repeat offenses. 
  • A failure to adequately disclose issues to senior management.  

Avoid keeping issue lists siloed among risk, compliance, or audit. That can create prioritization challenges. Without knowing what’s facing the organization, it’s hard to steer resources to the most pressing concerns. Consider: While risk professionals are best positioned to spot and fix failures in controls, they often operate in silos that limit the opportunity to learn and share best practices across the enterprise. By establishing a uniform approach that supports staff and transcends these silos, banks will be better equipped to navigate their increasingly challenging operating environment. 

Sound issue management starts with strong ownership by the first line of defense, but the second and third lines must buy in and offer support and guardrails to the first line. It is the second line’s job to challenge the first line and ensure appropriate remediation. The third line establishes and maintains the integrity of the issue management framework while identifying issues in its regular audit process. With these roles in place and in coordination, organizations can considerably improve their issue management performance.  

Creating the Policy or Standard: Charting the Course 

A truly effective issue management framework depends on a policy or standard that serves as a roadmap for all employees in the process. Defining the criteria for consistent issue management across the organization is an essential way to support proactive operational risk management. 

Developing an effective issue management policy or standard starts with understanding the bank’s specific needs, operating environment, and regulatory requirements. Banks should instruct their compliance, internal audit, and risk functions (among other stakeholders) to coalesce around a consistent approach for the enterprise. A policy or standard outlines the possible issue sources, including: 

First Line of Defense Self-Identified Issues: 

  • KRI or KPI monitoring  
  • Risk and Control Self Assessments (RCSAs) 
  • First line control testing activities

Second Line of Defense Identified Issues: 

  • Third-party risk management's ongoing monitoring or testing 
  • Credit/loan review issues/findings 
  • Model risk management validation issues/findings 
  • Information security issues/findings 
  • Compliance testing  
  • Compliance/BSA business oversight and monitoring 
  • Complaint monitoring 
  • Other second line assessments, reviews, or effective challenge 

Third Line of Defense (Internal Audit) Identified Issues/Findings: 

  • Internal audit identified issues 
  • External audit identified issues 
  • Third-party disclosure of identified issues 

Other Issue Identification Sources: 

  • Change control processes 
  • Regulatory exam findings, recommendations, and suggested best practices 
  • Due diligence or post acquisition reviews  
  • Postmortem process identification (i.e., root cause analysis) 
  • Internal incident response issues/findings 
  • Risk acceptance approvals 
  • Finance/SOX identified issues/findings 
  • QC/QA process findings 

 

The ability to track and record multiple sources for any issue is important. If a first line business team initially identifies an issue, and that same issue is later flagged by internal audit and/or a regulator, the source field should record each of these sources.  It is important to be able to document and report that an auditor or regulator spotted an issue that was already subject to an action plan.  

Once an issue has been documented and all appropriate sources have been identified, the issue, risk rating, and respective corrective action should be reviewed and validated by the appropriate subject matter experts (SMEs) within a timeframe determined by the risk rating (high, moderate, low). This is meant to ensure that:  

  • The issue is properly entered into the system. 
  • The integrity and consistency of the data within the system is maintained.  
  • The issue was identified, rated, and managed appropriately.  

The policy or standard outlines the process workflow along with the steps needed to validate the issue depending on the issue source. Once the remediation action is completed, the system should require signoffs from: 

  • The team that identified the issue.  
  • An agreed-upon validator. (Depending on the issue, that may be the second line, third line, and/or another appropriate SME.)

While standardized definitions and selections for issue types and issue ratings will vary by organization, the decisions should be agreed upon and included in the issues policy or standard. For example, the criteria for identifying the severity of an issue as low, medium, or high risk should be clear and aligned with the severity definitions in the enterprise risk management policy or standard(s).

The issue management policy or standard should also provide guidance regarding repeat findings and past-due issues. Finally, it should outline the roles and responsibilities of the system owner/administrator, the issue owner, and any other relevant parties—as well as the reporting frequency and details that will be presented to governing bodies. 

Building a Strong Risk Culture 

An issue management framework plays a critical role in building a strong risk culture by promoting a risk-aware and proactive ethos throughout the organization. Because it gives everyone a defined and structured process to follow, it is also a way to strengthen existing controls and create new ones as part of remediation efforts. Integrating issue management into your risk management framework empowers your employees to act as part of their regular responsibilities.

Ensuring that self-identified issues, depending on severity, are allotted a remediation window and safe harbor period exclusive from internal audit is critical. Encouraging improvement and continued learning—and celebrating success rather than blaming—reinforces a positive culture around issue remediation. 

Sometimes, though, the organization may need the stick instead of the carrot. To ensure issue management is taken seriously, the board should hold accountable those executives who do not prioritize identification and remediation of issues. By focusing on issue management and remaining actively involved, the board can also find gaps and address them. Some common examples of gaps include: 

  • Identification of an unreasonably low number of issues by the first line compared to internal audit’s listing of identified issues. 
  • Untimely issue remediation.  
  • Systemic firmwide issues. 

Beyond Email and Spreadsheets: Putting Technology to Work 

Email and Excel spreadsheets are the most common tools banks use for managing issues and their responses. These tools are usually decentralized, often inefficient, and create a lot of cumbersome manual work. What’s more, they can slow down solutions and aren’t great for keeping audit trails or identifying systemic issues across the organization. While banks may say they don’t have the resources to invest in better tools, sticking with email and Excel can be penny wise and pound foolish. 

An issue management system or governance, risk, and compliance tool can be an ally in building a transparent, consistent, and proactive issue management framework. 

A typical issue management system captures data including:  

  • Detailed issue descriptions. 
  • Issue type.  
  • Issue sources. 
  • Risk severity or rating. 
  • Relevant compliance regulation impacted by the issue. 
  • Corrective action plans. 
  • Due dates. 
  • Responsible parties. 

Such tools can simplify reporting to senior management and the board and provide enterprise-wide insights, data, and visualizations that might be difficult to create manually.   

Another benefit of a formal issues and actions module is its ability to link issues to risk appetite, KRIs, financial thresholds, root cause, and issue types—all of which provide valuable insights for reporting purposes.  

The Framework in Action: Socializing and Training 

As powerful as an issue management framework and related tools may be, they are only as effective as the buy-in and understanding of the personnel across the organization.

To ensure consistent adherence to the policy or standard and an effective approach to issue management, training is crucial. Support can include comprehensive training materials, regular and/or ad-hoc training sessions, and ongoing responses to questions. And it should be tailored to the specific needs and roles of personnel.  

It is recommended that training be regularly assessed to refine and improve it as the maturity of the issue management framework evolves. Finally, it is important that senior management, through their comments and regular review of the issues and actions reporting and tracking, emphasizes the importance of self-identification and remediation of issues. One way to encourage that is for the internal audit team to track and give credit for self-identification and remediation of issues during internal audit exams. 

The Future Is Here 

The case for activating or improving an issue management framework rests on its potential benefits in maintaining regulatory compliance, mitigating risks, and ensuring smooth operations. An issue management framework, particularly when strengthened by an issue management tool (and/or other modern technology systems), provides many benefits to an organization and its risk culture. Chief among them is making it easier and more efficient for all employees to be active and more dynamic risk managers with an eye not only on smooth and efficient operations, but also on the robustness of the control environment.

Andrew Mansholt is a Risk Management Analyst in Wintrust Financial Corporation’s Enterprise Risk Management and Operational Risk Oversight Department.  The author also wishes to acknowledge the contributions of George Voight and Jennifer LaMalfa in the research and preparation for this article.