Senior engineer talks through this advanced process with his diverse team

Why enhancing banks’ controls needs to be priority for the COO

Bank COOs need to optimize controls to improve customer experience, simplify end-to-end, reduce cost and accelerate transformation.

In brief

  • Modern, technology-led controls offer significant customer experience benefits, can materially accelerate change delivery and enable a simpler, safer bank.
  • As bank COOs transform operations, there is an opportunity to enhance controls in parallel, working closely with the CRO and across the three lines of defence.
  • Bank controls remain mainly manual, costly and duplicative, reflecting a cultural and historical trend for adding, not removing, controls.

Working in an environment of intense uncertainty and continually high regulatory scrutiny, bank leaders are being constantly challenged. The Chief Operating Officer (COO), along with their C-suite peers, must focus on navigating this volatility, while delivering successful transformations, that save costs, focus on customer and employee satisfaction, all while making the bank more resilient.

In a previous article, we wrote about the importance of people in helping COOs achieve success. In this piece we wanted to focus on controls. This is a critical topic for COOs given they typically own the majority of controls in their organizations, and in some cases have formal regulatory responsibilities.

The COO’s focus is aimed at the strategic necessity to deliver seamless end-to-end performance and transformation execution. This allows them to drive a more holistic view of control optimization, capturing the true business case across customer, colleague, change, cost and control benefits. Execution should be embedded within broader transformation initiatives, as well as through discrete pieces of work. This will be even more important as banks focus on product simplification and rationalization.

Benefits from enhancing controls

Controls remain a fundamental element of the compliance and risk infrastructure of a bank. As technology and demands have evolved, it’s clear that standardising, eliminating, enhancing and automating controls and testing methodologies offers several wider advantages.

  • Materially improving customer experience - Optimizing a bank’s control estate is a key, sometimes overlooked, element of making a customer journey slicker and friction free. Ensuring retail, corporate, commercial and institutional customer experience across journeys is not needlessly impacted by duplicate, excessively manual, or unnecessary controls, will deliver material tangible business value. Clearly, this needs to be in context of not being to the detriment of managing risk within the appetite of the board.
  • Accelerated change - Optimized controls, over both change execution risk and delivered risk (being new or modified risk from the delivery of material change initiatives), should enable faster change delivery, whether being delivered through waterfall, iterative or hybrid delivery methods. This lowers the change delivery cost and shortens the time to business case realization.
  • Increased board confidence - An enhanced control framework should give bank leaders confidence they have a robust control regime to handle new markets, more sophisticated products, large and more complex transformations, or indeed any other significant change which might materially shift the risk profile of their organization.
  • Enhancing profitability - Savings arise as banks de-duplicate and de-layer controls that have been ‘bolted-on’ over the years. This includes the costs associated with the performance of the manual controls, the ongoing testing and monitoring that manual controls require, as well as potential remediation costs around controls which have failed.
  • Resilience - Increased use of technology, as well as increased automation of end- to-end processes themselves, will allow banks to effectively identify, monitor and respond to risks in real-time, allowing them to quickly act around any new and emerging risks and issues.
  • Better colleague experience - Reducing the time spent on performing manual controls, and their manual testing, increases the ability of talent to focus on deeper customer centricity, move toward world-class execution of ongoing transformation initiatives, and contribute to a shift in culture.

Why cultural change is central to enhancing controls

The control landscape in banks today is analogous with the state of their IT legacy systems a decade ago. There was little strategic planning involved, as tactical additions were “bolted on”. Today, in many instances, control and oversight are now arguably more onerous than the execution of the process or journey itself.

Banks have tried to address the many challenges around controls. In many cases, they have introduced a Chief Control Officer (CCO), as a direct report into the COO. In other institutions, the ownership of most controls has been centralized into the primary operational function. Yet many of the control issues remain. One of the main reasons for a lack of progress is a cultural lack of appetite to remove controls. This has often been caused by a sustained historic reluctance to remove controls in case of an unintended downstream impact somewhere, an understandable concern in a highly regulated environment.

Even when a COO has identified controls those are not needed, successfully cascading that top-down through a bank has proven to be difficult. This reinforces a key point from our previous article – organizations that put humans at the centre of transformations are 2.6 times more likely to succeed than those that don’t.

We have seen some limited progress, such as piecemeal de-duplication and some increased automation, but it is yet to be expansive or bank-wide. Expanding across major end-to-end value streams, underpinned by a holistic business case is the logical next step. Ensuring organization alignment and empowerment end-to-end, with integrated involvement across the three lines of defence, is critical and will require strong leadership and cultural change.

Typical challenges around banks’ controls

  • Multiple owners:
    There are multiple owners end-to-end, all with varied risk and control maturity. This means the COO does not currently have ownership, or even a single view, for all controls across an end-to-end journey or process. This is a major source of worry for banking COOs as they typically have accountability for significant operational activity.

  • Inconsistent and duplicative:
    We often see processes duplicated across business lines and geographies, resulting in an exaggerated number of typically manual controls.

  • Siloed risk assessments:
    Risks are frequently considered in isolation – often resulting in either duplication or under-utilization of existing controls. This also means it can be challenging to effectively identify and manage new risks.

  • Expensive:
    Bank control suites often do not provide the full value that they should, with high reliance on policies, procedures, governance, and supervision.

  • Highly manual:
    There is significant dependence on manual intervention and execution, leading to key person risks and human error; driving control failures as well as being time-consuming and expensive to maintain.

Transformation – enhancing the control environment and reducing costs

The COO, partnering with the CRO, therefore faces a delicate balancing act – peel back layers of duplicate controls to improve the customer and colleague experience, reduce costs and help simplify the bank, while still keeping the bank safe and resilient.

Any COO, and other control owners, looking to tackle the control estate, must look through several interconnected lenses - customer, operations, operational efficiency and risk and resiliency to name just a few. Nowhere is this challenge more critical than in transformation.

As banks continue to undertake significant, ongoing transformation, there is a material opportunity to enhance and innovate across the end-to-end control estate. This can be done in parallel to understanding and appropriately mitigating delivered risk. This involves validating the need for existing controls, enhancing those that remain and ensuring any new controls are optimal through maximising automation.

We see this opportunity not fully leveraged by many banks, and indeed broader financial institutions. Often control owners and related stakeholders are not appropriately engaged early enough in the change delivery lifecycle for transformation initiatives. Failure to consider control at the outset means banks lose the opportunity to include the optimal control model in the design process. Instead, the consequence is that further down the track only a narrower, and therefore more challenging to justify, business case for control optimization is available. We see controls typically only being considered as the design phase closes, at times bringing incomplete control coverage.

Two-thirds (67%) of senior executives have experienced at least one underperforming transformation in the past five years. Recent EY research identified a lack of commitment to customer centricity as a key factor. Control optimization can make a significant impact here, e.g., by analyzing the point at which customers typically drop out of a product application process, banks can potentially streamline controls while seizing broader opportunities to optimize the customer experience.

What banks can do

We frequently see the business case for elimination of duplicate controls not given enough attention, especially considering the potential size of benefits. There is greater opportunity to deploy technology, such as data mining and natural language processing (NLP), to accelerate the creation of a robust business case through more quickly identifying duplicate and potentially duplicate controls. Machine learning can also be leveraged to learn from root cause analysis data and augment the construction of evolved risk and control taxonomies.

Working in partnership with global banking clients; we have seen the impact. This includes rationalization of 20% of one bank’s entire control population and an effectiveness review of over 2,000 controls by a handful of individuals in a matter of weeks. While there is no silver bullet that works for every bank, there are some key principles that should help guide banks’ thinking ahead:

  • Assessing all controls in a bank is almost impossible given the sheer volume. They cover every single process journey, and customer interaction, typically running to the tens of thousands in large global banks. Taking a coherent view across the first and second line of defence is very difficult. The key is for banks to break it down into manageable chunks and prioritise efforts through designing and leveraging clearly defined prioritization logic. This considers factors such as materiality of the end-to-end value stream, business risk, the number of control instances and the extent to which controls are clustered around specific processes.

  • Banks should challenge themselves as to whether the way in which they control in today’s operating model is future proofed. Given the rapid rollout of AI and other transformative technologies, ignoring future trends could see controls rapidly outdated. This will be true in a diverse range of priorities, including managing cyber risk, the number one concern of banks’ CROs, and achieving success in a bank’s sustainability strategy.

  • The rise of hybrid working and digitisation since the pandemic means banks now have access to much more data; across their clients, counterparties and employees. That means they have an enhanced ability to take a data led approach when defining and automating their evolved control suite.


Chris Richardson, Financial Services Risk Management, Ernst & Young LLP has co-authored this article.


COOs are typically the owners of an increasingly large proportion of a bank’s control estate, arguably running the control “nerve center” of their organization. Working in partnership with the CRO and across the three lines of defence, they can unlock significant value, at scale from control optimization. This can make a material contribution to the acceleration of transformation while simplifying operations. This process needs to be combined with a deep focus on both customer experience and the risk appetite of the board. Ultimately, optimizing controls is another key element of banking operations becoming better, faster, cheaper, safer and more sustainable.

Related articles

Why bank COOs need human-centered leadership to be successful

COOs that create a culture that puts people first, will drive an uplift in productivity and help banks manage change and uncertainty better. Learn more.

24 Jan 2023 Andy Gillard

If transformation needs to be bold, do banks have the right tools for success?

EY discussions with banking transformation leaders across the globe uncover six recommendations for overhauling organizational change. Learn more.

10 Jan 2023 Jan Bellens + 4

How bank COOs can unlock value at scale and speed with zero operations

Chief Operating Officers (COOs) can accelerate transformation through embedding a "zero operations" mindset in their organizations. Learn more.

21 Jul 2022 Andy Gillard