The Emergence of Chief Controls Officers

TIAA focuses relentlessly on internal controls, including the role the first line plays in owning and managing risk via understanding and analyzing the processes of the business. Since setting up a new team at the beginning of the year that is fully dedicated to business controls and led by Head of Business Operations and Strategic Investments Pamela Feldstein, TIAA has built a 60-person practice that continues to expand and mature.

“We are the first eyes and hands on what we consider our key controls,” Feldstein says. “We complement audit and risk, and I expect there will be greater reliance on what the first-line team is responsible for in reviewing and understanding how our processes and controls are functioning.”

Acting as a true chief controls officer and reporting to the chief operating officer, Feldstein has been working closely with different parts of the firm to forge relationships, better grasp the risks and needs of the business, and ultimately strengthen operations to better serve customers.

“Service is an important, differentiating factor in financial services, which often can be commoditized,” she says. “To have a good handle on processes and controls that we are improving enables us to catch and prevent any downstream impact to the organization or an end customer, which is a true value add.”

“Chief controls officers are being anointed to address increasing challenges, such as complex control environments with inconsistent control approaches, in an attempt to bridge the gap with the second and third lines, while also strengthening the first line processes and controls,” says Adam Berman, a partner at Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. “The task is to understand what all the relevant risks are that affect the organization and design an appropriate risk and controls framework to mitigate them.”

Feldstein speaks to Berman about the reasons chief controls officers are growing in importance in the financial services industry, the different skill sets she seeks as she builds her team, and how technology can enhance controls.

Berman: Why is the role of chief controls officer relevant today for TIAA and financial services institutions in general?

Feldstein: The world is becoming more complex, with firms moving at an increasing speed when trying to meet client and market demand. That means some products are launched to test the market in a beta-type situation. In those cases, it’s important to have a good understanding of why a product performs as it does and the new risks it introduces to the business.

Whether it’s a new product or an evolving one, it’s important to focus on a product as it matures to determine whether the controls grow with it. Even if controls mature at the right rate, ongoing testing is needed to check on the strength of controls in the wake of change. For example, if someone responsible for controls leaves the firm, then it is important that testing takes place to ensure a proper transition to a new owner. Many industries are being challenged by this scenario due to a shortage of specialized workers.

Would you explain the process of creating this controls function within TIAA and building the team?

When I came to this new role in January, TIAA had a diffuse model with risk and controls professionals embedded in different business areas within the firm. The first point of action was figuring out which model would work best. We landed on creating a center of excellence with centralized resources that maintain the right connection points to the different businesses. Now we’re moving from framework design to execution. We’re doing road shows to make sure people understand the new routines we’re putting in place and how they fit into their daily activities. We’re also continuing to assess the various skill sets and resourcing needs as we build our capabilities.

As we start to execute, we’re also working with our business partners to identify the risks that are first in their minds. Once we understand the risks, we identify the processes and controls that align to those risks. This helps us determine which controls are in place and which are manual versus automated controls as well as preventive versus detective.

Are there other drivers that prompted TIAA and other firms to reinforce their focus on controls?

Heightened regulatory activity related to consumer and institutional protections certainly plays a part in the emergence and growth of the chief controls officer role in financial institutions. It started with regulators asking questions and encouraging institutions to think about what their environments look like from a control perspective. But I don’t think that’s the only reason we are moving in a direction that elevated first-line controls leadership. At TIAA, our new chief executive and the executive committee were discussing how the company should be positioning for a rapidly evolving environment and whether we have the right controls in place on a continuous basis. There is a real focus on how TIAA operates and executes to make sure that we are driving towards operational excellence and that our internal control environment is keeping pace with business strategy and operations.

How is your team structured and what skills do you look for to fill the various roles?

The team is a real mix of skills including audit, operations, testing, and risk management backgrounds. Many on the team grew up in operations and understand business processes and controls, which is critical. In teams that cover enterprise remediations and new business initiatives, there’s a mix of engineers focused on analyzing problems and root causes and program managers with subject matter expertise. And we have a good mix of hires that are internal to TIAA with a few external hires as well.

At this early stage, there’s already a pressing need to do some targeted expansions, especially in areas where there’s a shared-service model regarding process review, assessment, and testing. We’re currently evaluating our specific needs, but in the short term we will probably hire people with testing and audit experience, and maybe a few more with operations backgrounds.

How does the chief controls officer work in concert with the second and third lines—the risk management and internal audit teams—respectively?

It’s a real partnership. It’s about information sharing and bringing people along on the journey to make sure there’s a good understanding of what we’re trying to accomplish, how everybody fits within that vision, and what are the right roles and responsibilities to make it happen. It’s also important to collect feedback, because if this model doesn’t work for some of my second- and third-line partners, I’m not going to be successful. Again, it is a team effort.

You have the backing of many of the company’s business leaders, but that doesn’t necessarily mean that a new first-line controls model is in their DNA. How are you managing the related change management challenge?

Communication is key. The more people understand what we’re trying to accomplish ̶ ̶ not just how they fit in, but also how it is going to help them at the end of the day ̶ ̶ the more successful we’re going to be. I head a function that can’t effectively deliver the intended results on its own. We need to have strong partnerships across the enterprise, including our first-, second- and third-line colleagues, so it’s very important that they understand how we want to interact with them, what information and insights we can provide, how we can help them achieve their objectives and what value-add service we might be able to provide.

What role does technology, particularly advanced tech tools, play in the controls function?

I’m very excited about the possibilities stemming from artificial intelligence, machine learning, and data analytics. Part of what the team needs to do is regular testing of controls, which might be better supported by technology and automation, with a minor level of human interaction. These advances can enable us to run more frequent and faster tests on larger data sets instead of having to hire a team to manually cull through data and identify insights. We haven’t yet reached the automation stage, but I expect we’ll start in the next six months or so.

How can a chief controls officer help position companies for the future?

The value-add is particularly visible when it comes to new business initiatives. The chief controls officer plays a role in the growth trajectory of new product or service investments, which can be a powerful tool for a company to have in its arsenal. It helps set up new initiatives for success that ultimately help the firm build strong relationships with its clients. Having good operational support for a new initiative when trying to enter or expand in a market is half the battle. Also, when I think about business-as-usual activities, understanding processes and controls and lowering errors improves efficiency, operational excellence, and client engagement, which are all critical for companies to thrive in a hyper competitive marketplace.

—by Marine Cole, senior writer, Deloitte Services LP, Deloitte Insights in the Wall Street Journal

Disclaimer and Copyright

This article is part of an ongoing series of interviews with executives. The executives’ participation in this article are solely for educational purposes based on their knowledge of the subject and the views expressed by them are solely their own. This article should not be deemed or construed to be for the purpose of soliciting business for any of the companies mentioned, nor does Deloitte advocate or endorse the services or products provided by these companies. This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2022 Deloitte Development LLC. All rights reserved.