April 1, 2014–September 30, 2014
Although not required by statute, the OIG recently compiled its first listings of major management challenges facing the Board and the CFPB. These challenges identify the areas that, if not addressed, are most likely to hamper the Board's and the CFPB's accomplishment of their strategic objectives.
Management Challenge 1: Continuing to Implement a Financial Stability Regulatory and Supervisory Framework. Continuing to build a robust infrastructure for regulating, supervising, and monitoring risks to financial stability remains a strategic priority for the Board. In Supervision and Regulation Letter 12-17, Consolidated Supervision Framework for Large Financial Institutions, the Board outlined its updated framework for consolidated supervision of large financial institutions as a result of lessons learned during the financial crisis. While the letter provides a high-level description of the framework and priorities for consolidated supervision for large institutions, we understand that the supporting guidance necessary to fully implement the framework is forthcoming. We noted three additional challenges associated with implementing a financial stability regulatory and supervisory framework. Specifically, we noted the need for the Board to (1) cultivate effective relationships with other regulators, (2) finalize rulemakings required by the Dodd-Frank Act and transition to ensuring compliance with those regulations, and (3) develop the technology infrastructure and address the human capital challenges associated with monitoring risks to financial stability.
Agency Actions: Board officials have made significant efforts to coordinate with their counterparts at the OCC and the FDIC to align strategic objectives and minimize duplication of efforts with respect to the supervisory planning process. In addition, the Board has made considerable progress in fulfilling the regulatory mandates outlined in the Dodd-Frank Act and in finalizing other significant rulemakings supporting the financial stability framework. Management recently improved supervisory teams' search capabilities for informal supervisory information related to specific institutions and will implement a new technology platform for the regional and community bank portfolios using a phased approach over multiple years.
Management Challenge 2: Human Capital. The Board's success in achieving its mission depends on having the right number of people with the necessary technical, managerial, and leadership skills. The Board faces challenges in maintaining the necessary skill sets due to competition for highly qualified staff and the difficulties associated with replacing departing employees who have the specialized knowledge and skills needed to fulfill the Board's mission. In addition, the Board will face challenges as it implements a new performance management process and continues its efforts to recruit and retain a more diverse workforce.
Agency Actions: The Board has taken several actions concerning the human capital challenges, including establishing a leadership development workgroup, implementing management development programs, and beginning to use a succession planning tool. It has also obtained assistance to implement the new performance management process. To address the continued challenge of recruiting and retaining a diverse workforce, the Office of Human Resources plans to partner with divisions to design, develop, and implement an integrated Boardwide talent management strategy.
Management Challenge 3: Board Governance. Historically, the Board's divisions have operated largely autonomously in performing their specified mission functions, developing organizational structures, formulating budgets, and establishing management processes. As the Board's mandate expanded in the wake of the financial crisis and the enactment of the Dodd-Frank Act, so has the Board's need for strategic planning, management processes, and coordination across divisions. We believe that aspects of Board governance, including internal control, information technology (IT), and data, will continue to pose management challenges to the Board's efficient accomplishment of its mission. Currently, there is no organization-wide process for maintaining and monitoring the Board's administrative internal controls. The Board also faces governance challenges in both the centralized and decentralized management of IT services. Finally, as a result of expanded responsibilities under the Dodd-Frank Act, the Board is engaging in new data collection and analysis. The Board will be challenged to expand its technology infrastructure and processes to support the increased requests for and analysis of data, as well as to enable comprehensive, enterprise-level data governance and information management practices.
Agency Actions: The Board intends to develop and implement a policy on administrative internal controls. The Board recently approved new delegations of authority to the Director of the Division of Information Technology, who is working to increase coordination among the divisions. The Board hired its first Chief Data Officer, who is working to establish data governance policies and to facilitate coordination across data communities at the Board and between the Board and other regulatory agencies. A new Boardwide data governance and management structure is also planned.
Management Challenge 4: Capital Improvement Projects. The Board is currently managing two major capital improvement projects: the Martin Building renovation and construction and the relocation of the Board's data center. Both are multiyear projects that involve significant resources and pose challenges due to their size, complexity, and effect on the Board's staff members and mission. As currently planned, the relocation of the Board's data center will overlap with the Martin Building project, creating an additional challenge as the Board attempts to oversee and manage both projects. In addition to managing these projects, the Board will have to adapt its space-planning and leasing activities due to the Martin Building project. The Board is challenged with accommodating both the expected growth of its workforce and the placement of staff members in swing space due to the Martin Building renovation and construction project, while also effectively managing its existing real property assets.
Agency Actions: The Board has taken actions to improve its recordkeeping, cost estimation, and cost management processes for the Martin Building project. For the data center relocation, the Board has designated a program manager and a project manager to oversee the project, in addition to an Executive Oversight Group to oversee and provide guidance. Recognizing that it needs to take a more consistent approach to space planning, the Board is developing a standard process for allocating and managing its space. The Board is also developing a strategic master plan for space planning and has contracted for real estate advisory services to assist with this effort.
Management Challenge 5: Information Security. The U.S. Government Accountability Office continues to include as a priority for federal agencies the protection of information systems and the nation's cybercritical infrastructures. Because of the decentralized nature of IT services across Board divisions, implementing Boardwide continuous monitoring and risk management programs poses a challenge. In addition, the Board is challenged to ensure that information systems and services provided by third-party providers, including the Reserve Banks, meet the requirements of FISMA and the Board's information security program.
Agency Actions: Management has outlined plans for continuous monitoring and risk management and has made progress in implementing National Institute of Standards and Technology guidelines. In addition, the Board is working to ensure that information systems and services provided by third-party providers, including systems supported by the Reserve Banks while they transition to a National Institute of Standards and Technology–based information security program, meet FISMA requirements.
Management Challenge 1: Improving the Operational Efficiency of Supervision. The CFPB has made significant progress toward developing and implementing a comprehensive supervision program for depository and nondepository institutions. While we recognize the considerable efforts associated with the initial development and implementation of the program, we believe that the CFPB can improve the efficiency and effectiveness of its supervisory activities. As of July 31, 2013, the CFPB had not met its goals for the timely issuance of examination reports, and a considerable number of draft examination reports had not been issued. Our evaluation work revealed that the CFPB has not established standards for the timely input of data in the Supervisory Examination System and does not have a formalized policy for scheduling or tracking staff member hours on examinations.
Agency Actions: We understand that management has taken a series of actions to improve its timeliness in issuing reports and reduce the number of examination reports that have not been issued. The CFPB has drafted and circulated for comment a policy that covers the timely input of data into the Supervisory Examination System. To maximize the effectiveness of its supervisory work, the agency continues to develop and expand the Supervisory Examination System and is conducting an internal analysis to evaluate the current processes for coordinating examination staff scheduling across regions and to identify areas of potential inconsistency regarding regional staff scheduling.
Management Challenge 2: Building and Sustaining a High-Performing Workforce. In 2012, the Office of Human Capital issued its Human Capital Strategic Plan FY2013–FY2015, which includes the goal of attracting, engaging, and deploying a workforce to meet dynamic challenges and to provide effective oversight of the consumer financial marketplace. The CFPB faces challenges in meeting this goal due to competition for highly qualified staff with the unique skill sets needed to fulfill its mission. Further, as the agency seeks to build and sustain a high-performing workforce, it will need to strengthen workforce planning, establish appropriate training and development programs, implement an effective performance management system, and put in place a comprehensive diversity and inclusion program. In addition, the Office of Human Capital will need to continue to focus on developing an effective overall human capital infrastructure, a critical step to ensuring alignment with the CFPB's outcomes and its goals of recruiting and retaining a diverse workforce.
Agency Actions: The CFPB has identified four categories of mission-critical occupations and has begun revising its competency model framework, which will be used for career development and training, as well as for clarifying career paths across job families. Additionally, the agency has conducted a structured organizational design analysis of each division. The CFPB has developed many policies and procedures, implemented a new position management process, and created a workforce planning handbook for leadership and hiring managers. For employee development, an individual development planning process has been instituted, and the CFPB has core competency courses and new learning projects underway to enhance technical expertise for all employees. In addition, CFPB employees are provided many workplace flexibilities in an effort to promote employee engagement and productivity. The agency is collaborating with the collective bargaining unit on compensation, benefits, and a new performance management system, among other aspects of its human capital infrastructure.
Management Challenge 3: Implementing New Management Operations. The CFPB continues to establish and implement its internal management operations as it seeks to provide effective oversight of the consumer financial marketplace. Establishing appropriate internal controls—including policies and procedures that clearly define roles and responsibilities—and effectiveness measures should continue to be an area of focus for the CFPB as the organization grows and the consumer financial products and services that the agency regulates evolve. In addition, the CFPB has acquired staff members from several federal agencies as well as from the private sector, resulting in different sets of practices and expectations across the organization. Key program areas that the agency should focus on include the Civil Penalty Fund (CPF) and the Consumer Complaint Database.
Agency Actions: The CFPB has established a team within the Chief Financial Officer's organization to review, monitor, and improve internal control. The CFPB has made progress in establishing new agency operations and will continue to define division-level performance goals and measures. With respect to the CPF, the CFPB has issued a final CPF rule; implemented internal controls; contracted with third-party administrators to identify, locate, and notify victims; begun distributing payments from the CPF to victims; and established a policy that describes procedures for identifying and developing consumer education and financial literacy programs under the CPF. With respect to the Consumer Complaint Database, the agency's Office of Consumer Response developed written procedures for reviewing and editing complaint data and for the daily refresh process of the public complaint database. In addition, the CFPB has enhanced the efficiency and timeliness of the daily refresh process by fully automating the steps to update the data.
Management Challenge 4: Providing for Space Needs. The CFPB is undertaking a major capital improvement project to fully renovate its headquarters building. The headquarters renovation project is a multiyear project that involves significant resources. The CFPB plans to make workplace and energy-efficiency improvements, including upgrades to the building infrastructure, and it plans to replace aging mechanical and electrical systems that have reached the end of their life cycles. This project poses several challenges for the CFPB, including managing and mitigating risks such as potential scope changes, schedule delays, unanticipated expenses, and cost overruns. In addition to the challenges related to the renovation, space planning during and after the renovation may also pose a challenge to the CFPB. In May 2014, the CFPB began moving into swing space needed to accommodate staff members displaced by the renovation. Once the renovation is complete, not all headquarters personnel will fit into the renovated building, and additional space will still be required. To address this issue, the CFPB plans to consolidate personnel currently located in the swing space and another building into one permanent space. Any delays in the renovation schedule could affect the CFPB's planning for both the swing space and the permanent space.
Agency Actions: To help mitigate risks during the renovation, the CFPB entered into a memorandum of understanding and obligated funds on a reimbursable work agreement with the U.S. General Services Administration. The CFPB is also coordinating with the U.S. General Services Administration to perform space-planning analysis.
Management Challenge 5: Ensuring an Effective Information Security Program. The U.S. Government Accountability Office continues to include protecting the federal government's information systems and the nation's cybercritical infrastructure as a priority for federal agencies. The OIG has likewise identified information security as a major management challenge for the CFPB due to the advanced, persistent threat to government IT infrastructure. CFPB management needs to continue improving its information security program through automation, centralization, and other enhancements to ensure that federal requirements are met. The CFPB relies on a variety of contractor-operated and contractor-maintained systems to meet its mission, including several cloud computing–based systems in which computing resources may be shared with other federal or commercial entities. The agency faces challenges in ensuring that contractors implement the required information security controls. Further, when the CFPB began operations in July 2011, it relied on the IT systems, IT infrastructure, and information security program of Treasury. Since then, the CFPB has made progress in transitioning from Treasury; however, the CFPB must address management and technical challenges in its transition to ensure the implementation of a robust IT infrastructure. Finally, the CFPB must continue to ensure that sensitive information is adequately protected within the systems it owns and maintains and within those maintained on its behalf by contractors and other entities.
Agency Actions: The CFPB has finalized its information security policy, developed information security procedures and standards in several areas, and developed an information security strategy. The agency has also implemented processes that are generally consistent with federal requirements for (1) continuous monitoring, (2) incident response and reporting, (3) risk management, (4) plans of action and milestones, (5) remote access management, (6) contractor systems, and (7) security capital planning. Further, the CFPB is developing an enterprise architecture that will include security architecture to help guide agency investments in information security. The agency has implemented a change control process whereby the security impact of changes to all systems, including contractor-operated systems, is analyzed and approved. The CFPB also has begun implementing a continuous monitoring process whereby security controls for systems are assessed on an ongoing basis. The agency has developed a phased approach to transition IT services from Treasury and develop its IT infrastructure and has designated a Chief Privacy Officer, who is responsible for the agency's privacy compliance and operational activities. The CFPB has developed privacy and breach notification policies, systems of records notices, and privacy impact assessments of various systems that collect or store personal information and has implemented a number of management, operational, and technical controls to ensure that sensitive information is adequately protected.