1. What went wrong?
I identify what went wrong by reviewing incident and problem tickets, recurring incident trends, SLA breaches, and ageing work items and then linking them with findings from internal audits, surprise checks, customer disputes, dashboards, reports, and stakeholder feedback. I also look closely at day-to-day compliance and behavioural gaps such as missing approvals, incomplete sign-offs, stamps not being affixed, manual changes to amounts, registers not being maintained, or policy steps being skipped because they seem minor. To understand whether an issue is an isolated oversight or a wider problem, I check if the same gaps appear across teams, if guidance is unclear or undocumented, or if controls are not built into the workflow. I also consider practical factors like awareness levels, process complexity, time pressure, resource constraints, and long-standing ways of working. The outcome is a clear and evidence-based problem statement that highlights control breakdowns, compliance risk, behavioural causes, and decision points for leadership.
2. Why did it go wrong?
I analyse why an issue occurred by looking beyond the surface and examining human handoffs, policy versus practice gaps, process design, and control points. In regulated banking environments, I often find that controls exist but are not consistently followed, are outdated or unclear, rely too heavily on manual steps, or are missing altogether. I also assess whether systems and workflows allow non-compliant actions, such as approvals being bypassed or manual steps not being supported by system checks. I factor in operational realities like peak volumes, short staffing, and manual work piling up, which can quietly weaken controls over time. To validate root causes, I ask why multiple times, trace work end to end, and confirm findings with different teams rather than relying on assumptions. I pay close attention to cultural patterns such as normalised workarounds and long-standing ways of working. Where multiple causes exist, I document primary and contributing factors across process, system, people, reporting, and ownership. I then clearly capture control weaknesses, risk severity, compliance impact, and required leadership decisions, and ensure follow-through by sharing findings, discussing corrective steps, documenting clear process flows, making them accessible, and putting checks in place to confirm the changes are actually implemented.
3. How do we fix it?
Once the root cause is clear, I focus on immediate risk containment and clear communication with stakeholders, especially where there is regulatory, reputational, customer, or financial impact. I put stop-gap controls in place where needed and then define corrective actions based on the nature of the issue, which may include process changes, system or workflow updates, additional approvals or controls, automation, policy updates, training, or clarifying roles and ownership. In regulated banking environments, fixes are made audit-safe by ensuring gaps are explicitly corrected, such as affixing missing seals, seeking required approvals, updating registers, documenting process gaps, and providing regular progress updates until implementation is complete. Where rules are not followed, explanations are formally captured, and where constraints are due to workload or staffing, HR and leadership are informed. Accountability is ensured through named owners, clear timelines, tracking in ITSM or delivery tools, and governance reviews. I validate effectiveness through post-implementation checks, monitoring, reduced recurrence, and audit confirmation. All changes are documented through SOPs, wiki pages, process flows, and control matrices, with impact assessments, cross-team validation, and gradual rollouts to ensure fixes resolve the issue without creating new risks.
4. Prevent recurrence
To prevent issues from recurring, I focus on strengthening governance and embedding controls into day-to-day operations rather than relying on manual checks. This includes implementing control checks, system validations, mandatory approvals, periodic reviews, automation, system-enforced rules, and checklists built into workflows for processes such as registrations, incident management, and problem handling. I ensure updated processes are clearly documented and supported through training sessions, walkthroughs, written communication, onboarding updates, and dedicated communication channels where notes and updates are shared. Ongoing adherence is monitored through periodic audits, dashboards, sample checks, and exception reports. Repeat non-compliance is addressed through escalation, additional controls, role clarification, and performance discussions. I maintain visibility through risk reviews, steering committees, and compliance reporting, especially following internal issues, customer complaints, audit findings, or performance reviews. To balance governance with efficiency, I work closely with process improvement managers and senior leadership, clearly explaining both the benefits of adopting controls and the risks of not doing so. Reduced recurrence, cleaner audit outcomes, and stable operational metrics are the key indicators I use to confirm that controls are working effectively.
