Transcript | Future of Operational Risk

Managing risks and strengthening controls associated with operations have become increasingly complex for all organizations. Firms are expending significant time, money, and resources to implement required changes and prioritize operational risk management efforts. As costs continue to increase, it is clear that the overly manual, reactive, and siloed status quo is unsustainable. In this episode of Protiviti’s Powerful Insights “Future of Risk and Compliance” podcast series, Protiviti Risk and Compliance Director Bygie Dixon interviews Patrick Dillon, Executive Vice President and Head of Independent Testing and Validation at Wells Fargo. Bygie and Patrick share insights on successfully applying emerging technologies and leveraging an innovative mindset to reduce risks and strengthen controls.

Bygie Dixon: Patrick, thanks for joining me today.

Patrick Dillon: Thanks for having me, Bygie. I’m happy to be here.

Bygie Dixon: Great. To start us off, Patrick, can you give us a little bit of background and share a little bit about yourself and the path that’s brought you to this point in your career?

Patrick Dillon: Sure. Thanks, Bygie. As you mentioned, I currently lead the independent testing and validation function at Wells Fargo. I’ve been a longtime risk and compliance professional. I got into risk and compliance first about 10 years ago, working with Bank of America, coming out of the financial crisis, focusing on a lot of the mortgage-remediation activities that were going on across the industry. I spent some time with Bank of America working in consumer risk and compliance regulatory relations. I spent a little bit of time in consulting, went back to Bank of America and worked in the payments industry, focusing on merchant acquiring.
Where I really got my start, I was an attorney for five and a half years and focused on corporate transactional defaults, workouts, bankruptcy and a lot of the real estate-related default transactions that arose during the financial crisis. Definitely, I’ve had a diverse career that’s really led me to where I am, and I’ve enjoyed every step of it. It’s been a really great experience, and I’ve gotten to see a lot of different things and worked for a lot of different banks. But I really enjoy my job today at Wells Fargo as well. Prior to leading testing within IRM, I actually led consumer compliance for Wells Fargo and moved over there in 2018.

Bygie Dixon: So, you see it from front to back.

Patrick Dillon: Yes, it’s been a lot of different angles: compliance, operational risk, ERM, the legal profession. I’ve always been centered around compliance, risk, governance – and I’ve always spent a lot of time focusing on process-level risk management.

Bygie Dixon: Great. So, Patrick, tell us what you think are the biggest risks facing the financial services industry today, and how does your team help mitigate those risks?

Patrick Dillon: One of the biggest risks that I’ve seen in common themes over the years has really been just the pace of change. When you look at the last 10 years within the financial services industry, we’ve really seen the digital channels becoming front and center. Realistically, technology enablement and tech change management have introduced new risks that previously, financial services firms didn’t have to manage with nearly as much rigor because they weren’t nearly as reliant on these technologies in the digital channels for their success, for their exemplary customer experiences.
So, I really think that one of the biggest risks we’ve seen, and that I’ve seen, in the industry is the pace of change, and needing to digitize how we deliver our products and services to our customers, and then, having to be agile in how we address those risks while still serving the needs of the customer.

Bygie Dixon: Yes, it sounds like quite a challenge. What are the biggest challenges that your teams face today, and where do you see opportunities within your testing and validation, or the risk management discipline, to transform in the future?

Patrick Dillon: Well, I think there are always going to be opportunities to look at your risk management programs, and finding ways to balance appropriate risk oversight and control with the need to align with the pace of change within a business. And that pace of change right now is light speed. When you think about the changes that firms have had to make in the past year just to respond to the COVID-19 pandemic, the long, very antiquated risk management practices were really the ones that probably were the least effective in addressing risk management during the pandemic. So, I know, among industry colleagues and for myself, we’ve seen a lot of agile risk management programs that have balanced appropriate oversight governance with the need to, in many times, react quickly to make sure that the customer is protected. That’s really been where my team, I think, has excelled and where the industry has seen an introduction of another opportunity: to have agile testing, and being able to use data as a tool for us to be able to hone in on areas where we may need to dig deeper and where we need to perform additional transactional deep testing. A lot of that work can be leveraged by aggregating various data points across an organization, and that’s one of the areas where I think we still have a lot of opportunity.
As organizations build higher-quality risk data sets and risk data processes that allow us to ingest and use that data to make decisions, we’re going to obviously see more effectiveness coming out of our risk management programs. And where we’ve had some pilots in this space and where, in the past few years and even across other organizations, we’ve seen successes, is when that becomes part of the DNA of an organization.

Bygie Dixon: Right. So, how do you enable effective and efficient ways of responding to the changing environment that you’ve described and determining what impacts the risks and controls? How do you do that in real time?

Patrick Dillon: One of the biggest building blocks is having a very robust data governance structure that allows you to rely on the underlying existing data that you have. You have to have confidence that it’s going to be able to tell you what you need to know and that you can rely on the accuracy. That’s one. Two, you have to have really smart people who know how to interpret that data and use it to be able to identify indicators that might be indicative of something going wrong within a process – KRIs, KPIs. Those need to be quality indicators that help to identify areas where we need to deploy resources to go and dig and look at something more deeply to see if there’s a problem in achieving the outcomes that we want for a given process, a given product or even an experience with a customer.

Bygie Dixon: Pat, when you think about the future of managing risks and strengthening controls, what are you most curious about right now, and what industry trends really stand out to you?

Patrick Dillon: I guess one of the areas I’m most curious about and one of the areas I’ve been focusing on over the last few years is figuring out how to use RPA – robotic process automation – artificial intelligence and some of the other emerging technologies to increase the effectiveness of a risk management program.
It’s something that’s core to the industry right now. It’s something that offers a huge opportunity for risk managers to be able to transform sample-based programs into continuous 100% monitoring coverage. It’s a lot more effective to be able to have a script running in the background continuously that tells us if we have a problem versus a couple of times a year deploying testing teams to go pull files and see if they can detect errors or potential issues with a given process. So, for me, finding ways and opportunities to implement automated testing, continuous monitoring, and generate intelligence that we didn’t have before, is where I’m spending a lot of my time.

Bygie Dixon: Well, in my experience, risk managers – no offense, I’ve been one myself – they can be somewhat hesitant to adopt new technologies. What effect do you think that digital transformation in the lines of business, like implementing bots and AI and machine learning, what do you think the effect is on risk management practices? Do you believe there’s enough proven success in the business space to convert skeptical risk managers into digital champions?

Patrick Dillon: It’s an interesting question, Bygie, because in theory, it’s easier to oversee a digital process than it is one that’s manually executed by a person. But what it requires to really effectively oversee digital processes is a new skill set for risk managers. Strengthening the UAT testing and engaging in our compliance teams upfront in system design, those are different skill sets than what we saw traditionally in second-line compliance and operational risk functions. You might have a few technology risk specialists in a given organization, but it’s starting to become a discipline that most risk managers need to have in their tool kit regardless of what space you cover.
Becoming a digital champion, especially when we’re talking about the ability to automate a process that’s manual, risk managers should view that as a huge opportunity, because when I think about it, an ideal controlled environment is one that is well-documented and automated. So, being able to have automated process and controls, that’s a utopia for a risk manager. It’s understanding the unique risks that come with digital processes and automated processes. Those are sometimes a little bit harder to uncover and understand until something goes wrong.

Bygie Dixon: We’ve seen lots of financial services firms that have put a great deal of time and effort and money into developing and enhancing their risk management programs over the last decade or so. How do you see firms leveraging technology, like what you just described, where you’ve seen deployed in the businesses and that were learning to manage risk around? How do you see risk management leveraging technology to drive the advancement of risk management capabilities, automating their own processes?

Patrick Dillon: I think there are two big opportunities: Frontline businesses can use technologies to automate their processes, to get to monitor their processes, to automate controls. We’ve seen many firms have RPA and AI centers of excellence stood up that are solely dedicated to helping the businesses automate manual activities, and I think that’s great. In addition, though, there are also opportunities for your risk oversight partners to use automation to oversee the business, using RPA and AI in testing activities; it’s extremely efficient. But it’s also much more effective than manually looking through files and performing manual testing procedures and things of that nature. So, over time, it allows us to get broader coverage and it goes deeper.
The other area is, both from an AI perspective and from using other technologies like natural language processing, it allows us to analyze data sets faster, to be able to identify where something is going wrong. It allows us to, hopefully, in more real time, address those issues so that we don’t have long-term, long-tailed issues that impact our customers that have negative customer experiences and that we find out about those in a much more real-time way. That way, we can course-correct and take action to make sure that a process is working the way that we want it to.

Bygie Dixon: Yes, and maybe even prevent them if you can learn to use machine learning to predict them, right?

Patrick Dillon: That’s right, absolutely.

Bygie Dixon: So, one area that we see firms spend a lot of effort in is their risk and control self-assessment processes, which I know you’re very familiar with. Do they still continue to fall short in enabling a windshield view versus the typical rearview mirror or point in time that take tons of human capital to complete and yield just that small view of business risk? First of all, do you believe that there’s enough evidence for banks and organizations to strive toward a new RCSA operating model? Second, what do you think it will take to transform or to modernize self-assessments to be more agile, as you mentioned before, and flexible – a more nimble process?

Patrick Dillon: Yes, so, in my career, I’ve led multiple risk and control self-assessment design and implementations across a number of organizations, and it’s an area that I am pretty passionate about because I do think that they help businesses to manage risk. They’re definitely a tool that frontline businesses should be using to effectively manage risk. But in order to do that, there are a lot of things that they’ve got to get right.
Having quality underlying risk data, having good taxonomies that allow you to see similar risks across different areas of your company, having good documentation around your controls – those are all just the basics. When you want to start talking about enhancing RCSAs, where I think most organizations see opportunities is getting to real-time risk management – the historical RCSAs, many of which were legacy tools that were used coming out of SOX implementation to manage their financial reporting risks and controls. They’ve morphed into these very long, detailed operational risk assessments that are done annually, or a few times a year. Most organizations, at best, will have refreshes based on triggering events. Where I think most people want to get it to is having a set of metrics and indicators that would tell us that we either need to go and update our RCSAs, or the RCSA itself would tell us that something is not working as intended and that we need to go and take a deeper look at that process. In order to do that, I think we have to remove some of the assumptions around how an RCSA is even built and make it much more streamlined and focused on core risks, controls, appropriate metrics, and use it as an agile tool to allow firms to have a dashboard view, to be able to open it up and look and see, “What are my core risks?” and not just a bucket that we throw out everything into, which is historically how our RCSAs have been built. But I go back to what I said in the beginning: You have to have good risk data. In order to manage risks in real time, you have to understand your risks. Generally, that means you had to have documented them and identified them and put them somewhere. So, I would expect to have a very robust and mature risk identification process. You have to have information on when something is going wrong, whether it’s control failure, a negative process outcome, a breach of a metric. 
So, that means that you’ve got to have robust frontline and second-line and third-line oversight processes for those risks and the controls, so you have to know early on when something is not working in order to make this a real-time view. You have to link all of your risk data together too – issues, metrics, KRIs, monitoring, testing results. All of that needs to come together to inform an RCSA to make sure that it is. The more real-time each one of those processes and the results are, the more real-time your RCSA is going to be and the more of a dashboard view you’re going to get. In terms of other keys to success, you can’t try to boil the ocean. You’re really going to need to be very targeted. You need to have good definitions of what key controls are. You need to understand that not every single activity in your firm needs to be appropriately documented in an RCSA. Getting the leveling right at which you perform an RCSA is really crucial to being able to consistently execute those and to be able to update them in more real time.

Bygie Dixon: I couldn’t agree more. You gave some advice there, but what do you see as the first steps to real transformation and advice for others who are seeking a new operating model that drives innovation and advancement of risk management and control capabilities?

Patrick Dillon: Mine your data. That’s probably the best advice I can give. When we have, we find most of our opportunities for deploying automation and new technology, whether it’s when we have an issue or a project, we’re looking at our risk and control data. We’re looking at controls that are manual, we’re looking at high-risk processes that are manual, and continuously talking about opportunities to automate. Build connections, if you’re in risk, with the automation and AI teams that are within the organization. Even if they’re not directly aligned to your risk function, go build a relationship with those folks.
I talk to our head of AI on a regular basis, and we sit down and have conversations about risk, about what he’s seeing, opportunities and things of that nature. At my old shop, I did the same with our automation COE leader, and figured out a framework for innovation of risk and how we could employ some of the same things that the COE was using to help the business and to help us make our risk management process more effective and automated. Other than that, there’s a lot of great material that Protiviti puts out in thought leadership about automation. I read a lot. I spend quite a bit of time reading about industry trends, and when I attend conferences and meet with some of my peers at other organizations, automation and innovation always ends up being one of the topics that we cover because we really do want to figure out the best way for us to deploy risk management programs and make sure that our processes are sound. In my opinion, the best way to do that is to continue to use new and emerging technologies that help us to get better at managing risk.

Bygie Dixon: I couldn’t have said it better, my friend. So, with the last couple of minutes, we’re just going to do some rapid-fire one-word answers. Sound good?

Patrick Dillon: Sure.

Bygie Dixon: So, what do you see as the top priority for the year ahead?

Patrick Dillon: Top priority is family.

Bygie Dixon: Good for you. What about you in one word?

Patrick Dillon: Happy.

Bygie Dixon: What did you want to be when you grew up?

Patrick Dillon: An attorney.

Bygie Dixon: And you did it.

Patrick Dillon: Yes.

Bygie Dixon: Who do you most admire?

Patrick Dillon: My parents.

Bygie Dixon: And tell us, what is your favorite podcast or book?

Patrick Dillon: Favorite book – I do listen to some podcasts. I like Joe Rogan’s podcast on Spotify. That’s a good one. There’s actually a couple of other risk and compliance podcasts that I listen to as well.
I think my favorite book – it was a children’s book I read probably in my teenage years called The Giver. It was about a society that didn’t have colors, feelings, a lot of the senses that we have, and it was just a really good book that makes you think about all the good things in life. It’s always stuck with me. They made a movie about it several years ago. I didn’t think the movie did the book justice, but that was probably one of the only books that really stuck with me for many years.