Cathy Lemieux, Ph.D., a Senior Advisor with Treliant, has over 30 years of experience in financial services regulation, corporate governance/enterprise risk management, international banking regulation, and the Community Reinvestment Act. Cathy has helped banks of all sizes in aligning their internal controls with their regulatory obligations, assessing their compliance and enterprise…
The dawn of the 2020s is a challenging time for banks. Low interest rates are compressing margins, customers’ and regulators’ expectations for data privacy and security continue to increase, and nonbanks have encroached on all business lines once considered sacred to banks. Technology is often the answer to help banks manage costs, ensure privacy and security, and compete effectively with nonbanks. But there’s a catch.
To leverage new technologies, organizations need to fill new roles in such areas as compliance and risk, software development, data mining and analytics, information security and privacy governance, and forensic scenario audits and testing at a time when these skills are in high demand in many industries. Banks will have to think more broadly about how to acquire the talent they need to take full advantage of technological advances coming from FinTech and RegTech. They should also consider new resource management strategies across classic bank functions, to avoid being caught short-handed in today’s tight employment market.
There are a number of flexible resource management strategies that involve migrating from banks’ traditional reliance on full-time employees and an “all in a physical location” mindset. Gig economy approaches can be used by any kind of company, even regulated banks, with the right controls and processes in place. There are three approaches banks can use to help deal with their complex staffing needs: remote work, temporary resources, and managed services. These are not “new” by any means, but many institutions are still uncomfortable with some or all of them due to risk or regulatory compliance concerns that can easily be overcome.
Approach 1: Remote Work
The first approach is to recruit outside physical office locations and allow for remote work. With internal employees, the change involved doesn’t have to be a big bang. You can begin by simply evolving recruitment and on-boarding processes for selected positions. These small changes can increase the number of qualified candidates you identify.
However, allowing people to work remotely does require setting up slightly different workstreams in the human resources (HR), technology, and security functions.
- On the HR side, it is critical to make sure face time is scheduled, manager oversight is occurring, required training is completed timely, and performance objectives are clear and concrete.
- On the technology support side, availability must be expanded to account for time zones, and remote equipment (laptops, smart devices) should be standardized to specific configurations. Communications tools like video chat and conference calling are required. Use of mobile devices should be tested and hardened according to the requirements of a remote employee.
- On the security side, equipment and communications security must be maintained on all allocated devices. System monitoring must cover all personnel, regardless of location or status.
Once these protocols are in place, you can use the same processes to hire and onboard any employee, whether permanent or temporary.
Approach 2: Temporary Resources
The second approach to resource management is staff augmentation for specialized positions. With the help of a vendor, temporary skilled resources can be identified to supplement and work under the direction of an internal team for a fixed period of time on a specified deliverable. This is also particularly appropriate for repetitive functions that require “surge” capacity at particular times of the year. Using this approach, you can rely on someone else to do the primary recruiting and potentially all the back-office administration for the resources, such as payroll, tax, and benefits.
This approach isn’t about “temps”—it is about finding resources who can “fit” into your team on a periodic basis and effectively perform a high-level specialized function for a specific length of time. It is best to identify which providers are “best in class” for a particular type of resource. For example, the best staff augmentation pool of risk or compliance resources would not likely be found at a firm that also provides software development resources. You also want to look for providers who offer advisory and project-based services to clients in your market segment, because that means their resources will be more current and active on the latest issues affecting the specialized knowledge you require.
Such providers may offer a mix of their own permanent and contracted resources. Resources offered by each vendor, regardless of status, will be vetted to the provider’s full-time standard and should meet all employment law requirements. Still, you will have to demonstrate vendor risk compliance as part of regulatory exams. So, you will want to assemble a group of tried and true providers, be able to describe why you chose a particular resource provider, and document how its performance is monitored.
One additional thing to remember when using staff augmentation resources is to establish conflict management protocols. The same resources cannot design controls or processes and then later audit their own work—or handle regulatory monitoring work at the same time as regulatory remediation work. Your internal processes and the provider’s processes need to include collecting information on the prior work of individual resources, so conflicts can be cleared right at the start of a staff augmentation assignment.
Again, once these processes are in place, they open up a wide range of possibilities for flexible and lower-cost human resource management.
Approach 3: Managed Services
The third approach is managed services, which differs from staff augmentation mainly in how long the resources are needed. These contracts provide flexible staff resources on an ongoing schedule over a much longer time frame, often a multiyear arrangement. Staff can be remote or on-site as required by different engagements, since statements of work can be customized under a master services agreement. Clients can be more or less involved as needed to provide oversight or review work on any particular assignment. A managed services contract can include tailored service level metrics for each type of assignment.
Two great examples of managed services are co-sourced audit and compliance testing teams and network or security monitoring support staffing. Co-sourced audit or compliance testing teams can be deployed for special audits or reviews (for example, to do a deep dive for a merger or portfolio acquisition) or to handle lower-risk audits or testing efforts that occur on a less frequent basis. By establishing an ongoing working relationship with a provider, these SWAT teams become part of the rhythm of the audit and testing calendar. In this way, managed services provide a great way to maintain internal staff focus on the higher-risk audit and compliance areas without neglecting to cover the low- and medium-risk areas. Another example is network support staffing or security monitoring, which is also good for disaster recovery redundancy, personnel risk reduction, and the ability to operate across even more time zones than you already do. There are particular times of year when “surge capacity” may be needed in these functions, for example when a new company is being integrated and the normal staff would otherwise be stretched too thin.
Managed services can also involve outsourcing an entire function—call/support centers and routine settlement procedures are two examples. Other examples include specialized financial or risk reporting and business intelligence development. We have even seen whole artificial intelligence groups being managed on an outsourced basis, providing access to best-in-class resources who also learn and support client strategies over time.
Interim Executive Management and Virtual Executives-as-a-Service
A variation on staff augmentation that warrants specific mention is using a managed services approach to fill executive management positions. Banks have often left key positions vacant, like Chief Compliance, Risk, or Information Security Officers, while they struggle to find the right external candidate or develop a promising but inexperienced internal candidate. The risk of leaving a key leadership role vacant for the three to six months or more that it takes to recruit a qualified person is not worth the “cost savings” of that vacancy, particularly in regulated businesses such as banking.
Instead, an interim executive can be hired under contract to fill a full-time executive vacancy in a key position, while an external search is being conducted. Or, an external mentor could be brought in to get an internal candidate up to speed. Or, a senior specialist executive can be assigned to an incumbent leader to perform business-as-usual functions and assist with a significant project deliverable, to ensure success of the incumbent in delivering during a period of heavier responsibilities.
Unlike a staff augmentation position, the “executive” nature of such a role requires a specialized contract for the position that this interim executive will hold. The contract should spell out clear parameters for independence and decision-making authority, including reporting relationship, directors and officers insurance, expense management, related governance/oversight, and performance requirements and objectives.
The interim executive may be involved with interviewing and identifying his or her replacement, and staying on past a new hire for a period to ensure a seamless transition. If serving as a temporary mentor, the interim executive may be given a time frame for supporting the demonstrated leadership readiness of his or her “mentee.” The interim executive could also have performance-based requirements for additional compensation, in order to align incentives for any challenging deliverables that might have to be met during the interim period.
Interim chief financial officers (CFO) have been around for a long time, but more recently we have seen the chief compliance officer (CCO), chief risk officer (CRO), and chief information security officer (CISO) roles and related risk positions filled by interim executives with great success. Demographics favor this trend, since there are many qualified senior retirees available with experience in traditional risk and control roles. For less traditional or more technology-oriented roles, such as CISO and chief data privacy officer (CDPO), very senior full-time leaders with the necessary skills may either be really hard to recruit or very price-competitive depending on geography or bank size/scale. Often a bank is left with filling leadership positions with technically capable but leadership-inexperienced people on a permanent basis.
One solution for this particular issue is to deploy a “virtual executive-as-a-service,” which is somewhat different than an interim executive. This option is used in a situation where an organization may have an internal resource filling an executive role, for which he/she meets the minimum requirements on a business-as-usual basis, but does not have the credentials or experience to navigate higher-profile or leadership issues. We see this not only in roles such as CISO and CDPO, but also where the scale of a business may not warrant the higher-level leadership or experience all the time—only periodically.
Rather than either over-paying or under-skilling the full-time position, one option is pairing your less-costly internal CCO, CISO, or CDPO with a part-time, steady executive advisor. This advisor can provide the higher-order leadership or analysis required in difficult situations, board or regulatory interactions, or specialized initiatives that are high-risk for the enterprise, such as preparing for or overseeing a regulatory exam. Selecting the right provider and advisor involves due diligence, particularly on background, conflict, and any regulatory reputational issues for the individual involved. Having a highly skilled resource “on retainer” or “on call” can yield cost savings in the long run, since this resource will be familiar with the organization’s infrastructure, policies, and procedures.
De-risking Flexible Resource Management Strategies
While all of these approaches offer opportunities to cut costs and reduce certain risks, they may also introduce new risks or increase some other risks your organization already faces. As you consider each approach, a risk assessment is in order, and below are some of the questions you should consider:
- Strategic Risk. Is the approach and any third-party arrangement in line with the bank’s strategy and business plan? Does the relationship support the bank’s business requirements? And culture?
- Compliance Risk. Does the service provide staff that have the necessary training in U.S. laws and regulations? And does the provider conform to state employment regulations? Will the organization need to train staff in the bank’s policies, procedures, and ethical standards?
- Operational Risk. Do the service provider’s internal controls expose the organization to increased risk?
- Reputational Risk. Does the service provider do adequate background checks and monitor conflicts? Can the staff provided by the service provider meet bank customers’ expectations? Could errors, delays, fraud, omissions, or breaches on the part of the service provider impact the reputation of the organization if they became public?
- Legal Risk. Could the service provider expose the bank to increased legal fees or possible lawsuits?
- Cyber Risk. Does the service provider have adequate defense against cyber disruptions and malware?
There are additional considerations if the service provider or any of its subcontractors operates in foreign countries that are not already in the bank’s footprint. It is important to consider whether the political, economic, and social environment of the country is conducive to business or presents increased operational risks. Other jurisdictions have different rules concerning the privacy of confidential supervisory information as well as personally identifiable information, which may present increased compliance risk.
As we enter the 2020s, flexible resource management has become a strategic competitive advantage that regulated industries such as banking can embrace. The speed of technological change is only accelerating and the demand for talent to leverage new technologies will only increase. Banks will face competition for top talent from a broad array of industries, not just other banks. Additionally, recruits are interested in flexible work arrangements and the opportunity to live where they want and still do interesting work. The approaches we have discussed are proven ways that other organizations have adapted to these changes. As always, when evaluating change, it is essential to evaluate new risks and make a full assessment of the potential costs and mitigating risk controls available to key constituents.