The new millennium brought a great deal of change in the marketplace. As the financial scandals of the 1990s came to light, new regulations were drafted and put into place to avoid such occurrences in the future. U.S. financial institutions must comply with the Sarbanes-Oxley Act, which came on the heels of the Enron scandal, and the portions of the Basel II accords, which address the global impact of a credit crisis.

Most companies are already reviewing and documenting what processes to implement in order to meet the requirements of Sarbanes-Oxley regulations. Compliance is required this year. Financial regulators in the United States are adopting only some of the Basel II accords – but the adopted areas are very complicated. Institutions with $250 billion in assets or more than $10 billion of total foreign exposure on their balance sheet are required to comply. The compliance date for Basel II is 2007.

Applying Six Sigma to These Regulations

So how does Six Sigma apply to understanding and managing risk and complying with these regulations? Should the compliance effort be simply an audit task or should it be a best practice strategy?

Companies which do not have a framework in place to execute continuous process improvement are likely to treat Sarbanes-Oxley and Basel II requirements as a one-time project (a project which just integrates the minimum requirements of the regulations) or as one more just-in-time audit activity. But if a company makes compliance a best practices strategy, then that means alignment across the organization for people, processes and technology. Hence, Sarbanes-Oxley and Basel II become a part of the risk management philosophy that uses the best aspects of Lean Six Sigma.

Risk management is a discipline historically thought of as a way to avoid problems, not create new solutions. In a Lean Six Sigma culture, risk management issues become a way of improving processes and transcending functional tasks to allow for an improved customer experience.

The illustration below depicts how a company can best address its risk management capabilities. At the lowest levels of the continuous process improvement curve, companies are simply monitoring compliance requirements and being reactive at best. As a company moves up the curve, its ability to utilize Lean Six Sigma tools to address risk management capabilities increases. From a cultural perspective, the organization changes from one that is event-driven and constantly putting out fires, to one that utilizes an effective and proactive approach in a “project way of life,” and finally reaches the highest level where a Six Sigma culture attains a “process way of life.”

Treating Risk Management Like a Process

So what are the Lean Six Sigma tools that can best be applied to the risk management arena and help a financial institution gain competitive advantage in the process? There are just as many tools in the Lean Six Sigma tool kit as there are applications to the risk management process. The reason: To be successful risk management needs to be treated like a process just like mortgage loans and item processing. A great place to start making this happen is giving risk management an equal place in the strategy of the company. Some of the most successful customer-focused companies, such as Hewlett Packard, Xerox and Bank of America, do strategy in a Six Sigma way through Hoshin Kanri.

As the Hoshin planning process has evolved in financial services organizations utilizing Lean Six Sigma, it has developed into a business tool that influences best practices across numerous lines of business. Stemming from the utilization of operational risk dashboards with the definition of the proper operational risk metrics, the Hoshin planning process can be enhanced to track and improve performance in managing the aspects of risk that affect associates, customers and shareholders.

Hoshin planning plays a key role by allowing the operational risk planning team to concentrate on the most meaningful metrics that lead to successful strategic execution. The data collection process becomes more efficient through many software products now available to deal specifically with Sarbanes- Oxley and Basel II. As recently as three years ago, the process of collecting metrics and consolidating them into a functional scorecard could take weeks. Now, this process takes a couple of days, and allows all associates to access a scorecard via the company’s intranet. This timely enhancement allows teams to update strategic goals regularly, aligning them in accordance with changes in the business environment.

One Company-wide Six Sigma Operation Risk Plan

Also, lines of business progress towards established operational risk goals within the Hoshin plan can be presented through a vast amount of information. Reporting spreadsheets, a balanced business scorecard, and performance plans – once considered separate items – can all be captured under one company-wide Six Sigma operational risk plan. An operational risk Hoshin plan becomes the foundation of the review systems required by Sarbanes-Oxley and Basel II. The manageable, actionable metrics of the Hoshin plan provide structure and discipline in a highly dynamic environment. The flexibility of the Hoshin plan also is important, because metrics may take on new meaning if external risk factors shift a current business environment.

An operational risk management leadership team also should use Kanri as the second step to incorporate Hoshin planning into its regular management routines. While a Hoshin plan captures a team’s strategy, Kanri is a management process that focuses on the Hoshin plan and its tactical execution. Significant improvements in key process indicators around operational risk management occur with the inclusion of the Hoshin plan in monthly business reviews. The Hoshin plan should act as a means to judge business goals and drive operational risk decisions in the everyday, business-as-usual environment. By utilizing Kanri within an operational risk Hoshin plan, each of the strategies will be linked to their corresponding metrics, so financial institutions in a process-oriented and proactive-way can easily see how they are measuring up to the requirements of Sarbanes-Oxley and Basel II.

Conclusion: Reduce Risk/Be More Competitive

In summary, the Sarbanes-Oxley Act and Basel II are all about managing risk (financial, fraud, credit market or operational). Executives should understand that reducing risk will make their institutions more competitive. Banks that lower risks will be the winners in the marketplace. Risk management should become a “best practices strategy,” aligning data, technology, people and processes across the organization, and not an “audit compliance task.” Ultimately, companies should adopt a risk management philosophy that evolves from discrete events and projects into a risk management process that can become a key breakthrough strategy in a Hoshin plan and can leverage all the best aspects of Lean Six Sigma.