Case Studies - Design Enterprise Lean Risk Management with JIRA

Jul 30, 2024

How the Correct Implementation of a High Maturity Agile Framework Helped a Bank Solve a Consent Order Risk Management Directive and Save more than $57 Million

 


▮▮▮ - Details and names have been masked to protect client information. The descriptions and published details are drawn from public sources.

CLIENT DOSSIER

Our client, ▮▮▮ , is one of the top five ranking banks in the USA. The Federal Reserve (Fed) and the Office of the Comptroller of the Currency (OCC) directed the bank to fix longstanding and widespread deficiencies in its risk management, data governance, and internal controls.

Late last year, the Fed sent ▮▮▮ three notices directing the bank to address how it measured the risk of default by counterparties in derivative transactions. This was based on direct knowledge of the matter. Separately, the ▮▮▮ internal audit unit indicated that more work was needed in at least one instance to address problems previously raised by regulators. This work was in response to enforcement actions, called consent orders, dating back to October 2020.

In ▮▮▮ , the internal audit unit found some of the work done to improve risk management across the bank was inadequate. The audit unit also found that ▮▮▮ failed to meet a requirement to have procedures in place to ensure the board and senior management received comprehensive reports about risks across the company.

The regulatory notices came as the bank was working through its consent orders, in which the Fed and the OCC directed the bank to fix longstanding and widespread deficiencies in its risk management, data governance, and internal controls.

▮▮▮ has thousands of employees focused on resolving these issues. The task facing CEO ▮▮▮ is immensely complex: carrying out the bank's biggest overhaul in decades, aimed at boosting profits and shares, which have lagged behind peers. The third-largest U.S. lender has been selling businesses and laying off thousands of employees to simplify the bank’s structure.

In a statement to ▮▮▮ , ▮▮▮ said meeting its regulators' expectations was a top priority, and it was "making steady progress simplifying and modernizing our bank." "Like any multi-year effort of this scale, progress isn’t linear, and there are important learnings along the way that we’re incorporating into our efforts, including in the areas of regulatory reporting, infrastructure, and data enhancement,” the bank said. ▮▮▮ shares fell almost 1% to $▮▮.▮▮

 

INTRODUCTION

Our client, ▮▮▮ , is one of the top five ranking banks in the USA. The Fed and the OCC directed the bank to fix longstanding and widespread deficiencies in its risk management, data governance, and internal controls. Part of the Consent Order (CO) explicitly directed the bank to implement Agile frameworks such as Scrum or Iterative development.

Internal Audit and CO delivery management leadership translated the CO directive and decided to establish a Lean Agile Center of Excellence (LACE), delegating the creation of a strategic vision and tactical implementation to it. Alex Gas was contracted as Lead Agile Coach responsible for founding and running LACE.

The following initial actions were negotiated with cross-functional stakeholders to clarify business objectives, acquire necessary commitments and approvals, and balance competing business needs: create a strategic transformation roadmap, Agile playbook, and Agile transition roadmap for business verticals, cross-business operations, and IT teams. 

  • Establishing Lean Agile (Scrum & Kanban) practices started with stakeholders’ interviews to establish a pain points map.
  • With the design and introduction of Agile practices, we encountered a series of challenges that posed significant obstacles to the company's ability to organize around value or product and manage risk.
  • Trainings and coaching delivered to all levels of the organization (Leadership, PMO, BMO, Product Owners, Scrum Masters, teams, and other stakeholders) focused on establishing high maturity practices, including risk management, risk visualization, and risk communication at all levels.
  • Educated Leadership recognized the correlation between existing practices and consent order risk-related directives and asked us to research possibilities and identify problems.

 

PROBLEM STATEMENT

Business leadership and program stakeholder interviews led to a series of root cause analysis (RCA) workshops, the buildup of a multidimensional matrix, and a causation diagram, which could be summarized as follows:

Challenge 1: Lack of Trust/Safe space and tools

  • Our client has an Enterprise Risk Management system (TPS) designed to store, manage, and keep risk records.
  • Any record inserted into TPS immediately became visible to Super Senior Leadership (SSL - MD, ED, and above).
  • Any newly recorded risk triggers visibility and an SSL response known by the workforce as “goodbye bonus.”
  • The workforce, including personnel, VP, and MD, believes that as soon as any risk ends up in TPS, they will get noticed by SSL and may/will lose their bonus. Note: we did not try to discover the root source of that belief. 

Challenge 2: Ambiguity in Roles and Responsibilities

  • Lack of safe space created artificial filters where TPS updates (insert new risks) were managed by Business vertical leaders, known as TPS Gatekeepers.
  • Business and technology teams did not have access or were not permitted to use TPS directly.
  • Teams were afraid to raise risks to TPS Gatekeepers level (mortgage worker syndrome).
  • Multiple program and initiative leaders responsible for risk management suffered from inadequate RACI implementation for risk meetings: decision-makers were not present, or non-decision-makers crowded the meeting space.

Challenge 3: Ineffective Stakeholder Meetings and Communication

  • The company faced challenges in maintaining a consistent and effective meeting cadence.
  • The company hierarchy (Team-Initiative-Program-SSL), with risk review meetings every 2-4 weeks per level, contributed to a situation where decision-makers were notified about risks in 6-9 weeks or more. Risk Reaction Lead Time (RRLT) = 9 weeks.
  • There was no transparent communication throughout the risk management lifecycle. 

Challenge 4: Limited Cross-Level, Cross-Team Collaboration

  • As our clients got educated and started understanding/practicing Agile product development & risk management, teams realized that the current infrastructure and practices did not support geographically distributed, cross-level, and cross-team seamless collaboration.
  • The lack of risk management tools and practices became increasingly challenging. 

Challenge 5: Inefficient and Inadequate JIRA Support

  • Newly formed Agile business and technology teams were coached, capable, and ready to manage their risks but lacked tools. Jira and Jira Align were designated as the main product/communication platforms, respectively responsible for record-keeping and supporting PMLC, SDLC, Product Planning, and IT delivery.
  • HR/CFO policies minimizing expenses (headcount) led to a situation where the bank had only 2 senior Jira administrators and 1 Jira developer supporting multiple business verticals and multiple Jira clusters globally.
  • Limited human capital capabilities led to a “one size fits all” Jira configurations approach, manifested in the creation of a handful of Jira schemas incapable of or highly limited in supporting the real-life complex banking ecosystems: business or IT scenarios, product flow, or tailored customizations. 

Challenge 6: Ineffective Adoption of Agile Practices

  • The organization faced difficulties in adopting Agile practices effectively, highlighting the need for a deep-seated Agile transformation.
  • As the transformation grew in complexity and scale, the company encountered challenges related to a shallow, low-maturity model.
  • With expanding Agile practices spread across different geographical regions, coordination, adaptation, and collaboration became difficult.  

 

GOAL

The goal was to define a risk operational model and transform the organization's risk management into an efficient process with well-defined RACI, meeting cadence, communication channels, and Information Radiators (IR) to enforce visibility. Due to the nature of the client organization, the following outcomes should be achieved:

  • Create an effective Agile risk management process with maximum automation.
  • Every level should be able to raise and manage their own risk based on a safe space concept.
  • The system should provide the ability to raise risks to the next level for decision-making or communicate risk decisions back to the source or target level.
  • Information security: Risk records should be visible only to the permitted level/personnel.
  • Risks requiring SSL intervention should be raised and recorded in TPS.
  • Risk retention: All risk lifecycle records should be retained.
  • The next level Risk Reaction Lead Time (RRLT) should be shortened to 1-2 weeks.
  • All levels of the organization should have access to a risk management framework/tool.
  • The new risk operational model should be easily portable and scalable across domains and global jurisdictions.

 

SOLUTION

Since all levels of the organization/stakeholders were using JIRA and business verticals were centered around products reflected in JIRA Themes & Epics, we decided to use JIRA as the main risk management platform.

Based on a clear understanding of the bank's ecosystem limitations, we defined and piloted a risk management ecosystem consisting of three major parts: a new ticket type dedicated to risk, components as state markers, and Information Radiators as flow and communication visualization.

 

IMPLEMENTATION

Alex Gas began the transformation by defining and initiating a 7-phase approach tailored to suit our client's unique needs and objectives:

Phase 1: Define Component Driven Model

A comprehensive assessment was conducted to understand the company's strengths, pain points, JIRA-supported capabilities, and opportunities for customization.

Components were selected as the main driving vehicle for this model because component spaces are controllable and can be customized by project admins, including assigned Scrum Masters.

Detailed directional status metrics were designed to prove the concept and visualize changing states. 

Phase 2: Create Custom JIRA Issue Types for Risk

Issue types were based on the Task issue type schema and reflected a logical short lifecycle such as: Created-In Progress-Closed. Custom fields reflected required TPS fields for potential risk progression from team to TPS integration.

Phase 3: Build JQL JIRA Filters for Querying Risk

An extensive set of generic JQL filters was created to support visualization of all risk lifecycle stages and communication directions. For example:

  • JQL – Risks created and visible by the level/team
  • JQL – Risks escalated to the next level
  • JQL – Risk decisions communicated to the level/team
  • JQL – etc.

Phase 4: Visualize & Optimize

To gauge the success of the risk management transformation, we established Information Radiators (IR) dashboards for each level of the organization that aligned with the organization’s risk management operational model:

  • TPS
  • Initiative
  • Program
  • Team

We utilized JIRA's “Reach widget” to provide an additional edge in rich data visualization, sub-sorting, and colorization to achieve Information Agitation/Irritation. Each IR showcased a distilled and focused subset of risks aggregated by direction/ownership logic:

  1. Risks on hand at this level
  2. Risks escalated to the next level
  3. Decisions communicated to this level

Each data widget visualized the following irritators:

  1. Type
  2. Ownership
  3. Time since created/escalated
  4. Details
  5. Delegation

Risk Management Dashboards were also standardized and used to monitor the risk state, creating a huge impact on team dynamics, collaboration, and customer satisfaction.

Phase 5: Risk Management Meeting Cadence & Schedule

A new risk meeting cadence based on the Lean-Kanban model was introduced, with the schedule shifted to a semiweekly cycle.

The Risk Reaction Lead Time (RRLT) was expected to shift from 6-9 weeks to a maximum of 2 weeks.

Phase 6: Coach, Track, Measure

Recognizing that an Agile & Risk transformation demands continuous guidance and support, Alex Gas provided demos, coaching sessions, workshops, and 1:1 training to Agile coaches, Scrum Masters, and Agile PO/PMs responsible for creating sets of risk management IRs across verticals and tying up cross-vertical risk dashboards together.

The new risk management model was communicated and approved by Internal Audit and embedded into the LACE playbook for future scaling.

Extensive coaching and collaboration with our client's leadership teams during the initial implementation phase shortened the process further. These experienced individuals assumed the roles of mentors and facilitators, guiding teams through the adoption of new risk management practices and helping them navigate the complexities of the transformation. The coaches also guided team members and the leadership through retrospectives and feedback loops to assess progress, gather insights, and make informed decisions to optimize the new risk management transformation.

Phase 7: Measure & Optimize

To gauge the success of the risk transformation, we established benchmarking and a monthly Risk Reaction Lead Time (RRLT) report that included RRLT and rejection rate trends.

Dashboards were also standardized and used to monitor the progress of the Agile transformation. The findings helped to make data-driven decisions, enabling continuous improvements, and fine-tuning of Lean Agile practices.

In addition to quantitative metrics, the organization collected qualitative feedback from team members, stakeholders, and customers. This comprehensive approach allowed the organization to evaluate the Agile transformation's impact on team dynamics, collaboration, and customer satisfaction.

  

RESULTS

The Agile transformation and new Lean Risk Management implementation profoundly impacted our client's product development, software development, and Internal Audit departments. It revolutionized the organization's approach to Risk Management and established a safe space for stakeholders.

 

The new Lean Risk Management implementation showcased remarkable changes and improvements in various aspects of our client's operations, positioning the company to close the Risk Management Consent Order directive.

 

All levels—Team, Initiatives, and Program—received a safe space to manage their own risks without fear of repercussions. They gained the ability to escalate risks to the next level of decision-makers when necessary and receive clear notifications when risk decisions should be communicated to their level. Small concessions were made to preserve the TPS gatekeeper practice by delegating decisions on raising serious risks requiring SSL intervention from Initiative to a consent order or high-level leadership support.

 

After two months of use, the longest Risk reaction time from team-level initiation to an Initiative-level risk review meeting dropped from RRLT = 9 weeks to RRLT = 1.5 days.

“We have finally seen the clarity and reliability of the Risk Management process improve significantly over recent months. Teams have started using it daily as part of their operational model without enforcement, giving us the confidence to present it to financial regulators as complete.” – Enterprise Customer

 

Key results

1-Improved Safe Space across organization

One of the most significant outcomes of the Agile transformation and the introduction of the new Risk Management model was the substantial change in behavior across all levels of the organization. People regained trust in a safe space. As a result, teams started actively recording and managing risks at each level, across vertical and organizational boundaries.

2-Effective Adoption of new Risk Management

The adoption of the new Risk Management model enabled teams to implement effective risk management practices, naturally integrating it into Daily Stand-ups, Big Room Planning, Backlog Refinement, and Risk Review. Consequently, teams were able to implement real-time risk management and monitoring, set realistic and achievable goals, and provide a clear roadmap for SLA ‘Shift Left’ analysis. Risk Reaction Lead Time (RRLT) efficiency increased by 97.5%.

3-Clear Roles, Responsibilities and Meeting Cadence

The Agile transformation and new Risk Management model also addressed long-standing challenges related to role ambiguity and accountability within our client's organization. The new model exposed Risk IR, promoting a real-time view of risks across all levels of the organization. Coaching sessions defined clear roles for Risk Managers (Program, Initiative), Business PMO, Scrum Masters, Product Owners, Developers, and other team members. This clarity empowered team members with specific responsibilities and decision-making authority, promoting the creation of Risk management ownership RACI.

4-Heightened Cross-Team Collaboration and Risk Sharing

The Lean Risk Management and Safe Space transformation fostered a culture of collaboration and knowledge sharing across the organization’s product development teams. Risk IR facilitated seamless visualization, communication, and alignment of Risk Management among different teams and verticals, promoting collective risk-solving and risk awareness.

5-Strengthened Consent Order Directive Delivery

The new Risk Management model placed a strong emphasis on streamlining risk management across the organization. It effectively exceeded all directives, benchmarks, and expectations from federal regulators.

7-Emphasis on monetary benefits

A comprehensive analysis of the fiscal impact showed substantial benefits, including cost savings, business retention, human capital time saving, human capital retention, and reputational gains.

CONCLUSION

  • The new Risk Management model transformation initiative has been a resounding success for our client.
  • The results are evident in the 97.5% improvement in Risk Reaction Lead Time (RRLT).
  • The fiscal impact could be extrapolated to approximately $57 million, along with significant benefits in business retention, human capital retention, and reputation.
  • The Lean Risk Management transformation results are evident in the improved predictability, productivity, stakeholder engagement, and organizational agility.