Get up to speed on common issue management pain points and 7 ways to improve your issue management program.
One of the more important metrics internal audit should manage is tracking and reporting on issue remediation. How quickly issues are remediated is a sign of how effectively an organization is managing risk because the time it takes to close out identified issues:
- indicates that issues identified by internal audit and other risk and compliance groups are relevant to the organization
- is an indicator of how efficiently the business is operating
- demonstrates the business’s receptiveness to change and risk tolerance
In organizations with independent audit, risk, and compliance functions, a common challenge is siloed issue management practices. Organizations seeking to improve their issue remediation metrics can benefit by addressing inconsistent methodologies and unifying enterprise-wide issue management under one common framework. In this article, we will look at the common challenges and pain points of issue management. Then, we will break down how to address these challenges with seven important tips for building out a well-rounded issue management program.
Issue Management Challenges
In organizations with siloed issue management efforts, different business functions may be performing duplicate activities around issue tracking using inconsistent methodologies. Multiple issue logs (in varying formats) tracking similar outcomes pose inefficiencies to all stakeholders involved, including issue owners who are asked to provide consistent information to different groups at various times. Siloed issue management practices limit the organization’s ability to have a holistic view of issues. According to Protiviti, this can result in the following outcomes:
- Lack of issues prioritization
- Lack of clear accountability
- Poor data quality and root cause analysis
- Incomplete organizational impact analysis
- Undefined issues closure processes
- Culture of closing issues with quick fixes rather than sustainable solutions
How can organizations work toward breaking down these silos and move toward what Protiviti refers to as an agile state of issue management?
Standardizing your issue management program can help reduce inefficiencies for internal audit and other stakeholders, strengthen the organization’s ERM program, and improve collaboration and relationships between internal audit and other business groups. Below are seven tips for improving your issue management program.
1. Apply a standardized risk rating and issue identification framework consistently across different departments.
Implementing a standard framework for rating risks and identifying issues unifies enterprise-wide issue management under one common framework. Because a standard framework involves multiple issue stakeholders coming together, it prevents duplicate administrative work from being performed by those different groups. This strengthens the organization’s ability to report on issues uniformly across the business, correctly identify root causes of issues, and assign the appropriate remediation action plans to issue owners. Examples of a framework include applying the 5 C’s of writing audit observations (Criteria, Condition, Cause, Consequence, Corrective action plans) to issue findings, an issue rating scorecard, or a custom methodology for the person who identifies the issue to assess the severity of the issue and its potential impact on the organization.
2. Tie issue management to the organization’s ERM program.
The standard issue rating framework should mirror the way the business is evaluating risks and be consistent with the organization’s ERM framework. An enterprise-wide issue management process will result in a more comprehensive risk management program and bolster ERM at the organization. If issues are being uniformly managed across the organization, there is more opportunity to perform trend analysis and identify enterprise-wide themes on why issues are occurring — leading to a higher likelihood that the business will be proactive in addressing those themes, and prevent the issues from reoccurring in the future.
3. Strive for executive buy-in and tone at the top.
When the organization’s executive leadership team is united in promoting a standard issue management methodology, this helps embed issue management into risk culture across the organization. A best practice to motivate stakeholders to identify issues early on and implement corrective actions is to align first line performance feedback and compensation to issue management metrics.
4. Employ issue tracking automation that enforces the risk rating and issue identification framework.
An automated issue tracking program streamlines the process of recording issues using a standardized methodology and empowers audit to easily validate issue identification and follow up with issue owners during remediation projects. Protiviti recommends “a single uniform technology platform to organize issues across the company, processes and incentives that lead to faster and more complete remediation of issues, and data-driven impact analysis.” Should you choose to implement a platform, indicators of a great issue management solution include:
- Product design and implementation enforce the issue management methodology. The solution is configured to encourage compliance with the organization’s standard issue methodology, both through the system’s inherent product design as well as the implementation process. A standard issue rating and identification framework is either applied (if there is none to begin with) or formally standardized during implementation, which provides the basis for organization-wide compliance with the standard issue methodology moving forward. For instance, an issue cannot be logged unless the proper information is filled out.
- The solution has a validation workflow. The solution automates the process by which the issue owner provides information to the audit team via a follow-up process where auditors can initiate an automated workflow that sends notification reminders to issue owners.
- The solution has agile reporting capabilities. An application that is purpose-built for issue management eliminates time spent aggregating information for reports because it automates the entire issue identification and remediation process, promoting an agile issue reporting process. Issues should be automatically reportable anytime they are logged, and status should update in real time as issues move through the remediation process (validated, outstanding, overdue).
5. Provide different levels of reporting to department leaders, executive team or risk committee, and the Board of Directors.
A well-rounded issue management program will provide custom reporting for different levels in the organization. Department leaders directly influence issue remediation, the executive team or risk committee has the power to provide the full scope of issues and identify issue themes, and the Board should be aware of issues at a high level so that it can help enforce issues remediation.
Metrics to address in these reports are:
- Issues identified by department
- Issues identified by root cause
- Issues that are repeatedly identified
- Issues identified by timeliness of corrective actions
6. Perform frequent analysis of issues to create awareness of lessons learned from past identified issues.
In order to proactively prevent past identified issues from recurring, this analysis should be done on a continuous basis, not as a point-in-time exercise.
7. Let internal audit take the lead.
Internal audit is optimally positioned to lead an enterprise issues management program for the following reasons:
- Internal audit is credible. Internal audit performs issue management in its day-to-day work and is intimately familiar with the process. An enterprise-wide issue management program led by internal audit presents an opportunity for audit to take work off other departments’ plates, and enables internal audit to improve its relationships with other risk and compliance functions. For instance, if internal audit takes over the issue management process for the Compliance group, that group may be more open to sharing information regarding its risk assessments performed across the enterprise, strengthening the organization’s overall ERM strategy.
- Internal audit can provide independent assurance to the business. If compliance, risk, and finance have their own issue management processes, their issues reporting is subjective, whereas internal audit is independent and represents an objective perspective when reporting on issues.
A streamlined enterprise issue management process led by internal audit yields many benefits. There will be improved issue reporting to executives and the Board. Risk management in the organization will also improve due to better identification of issue themes, leading to more effective actions taken to proactively prevent deficiencies. Prevention of duplicate administrative work being performed across multiple teams or departments will also reduce costs. There will be improved assurance that issues were corrected as management expected, due to internal audit’s independence and objectivity. Follow these seven tips to start building a stronger issues management program today!