Justin Pang

Managing Director, Risk & Compliance

Justin is a Managing Director in Protiviti’s Risk and Compliance Consulting practice specialising in the project management and delivery of anti-financial crime, regulatory change and risk management projects in the financial services industry. His strong practical experience across all three lines of defence allows him to assist clients to build and implement pragmatic strategies to mitigate a broad range of risks which impact their business, particularly during a period of change. He is the Process Mining lead for the UK working in partnership with Celonis, one of Protiviti’s global ecosystem partners.

Major Projects

  • Global Digital Retail Bank – First Line Controls Enhancement – Justin is currently leading the review of over 800 key controls across a firm’s retail and investment management operations to mitigate both financial and non-financial risks. To date, this control rationalisation and standardisation review has resulted in a reduction of key risks by 53% and a reduction of key controls by 63%. In addition, the review has identified key control gaps that require remediation and testing prior to transition into the firm’s Business Controls function. Justin also designed and delivered training to Process, Risk and Control Owners to realign roles and responsibilities, and to provide guidance on how to complete Risk & Control Self Assessments (RCSAs) more effectively in accordance with the Bank’s Control Standards.
  • Global Bank – First Line Controls Transformation – Justin led Phase 1 of the transformation programme. This included the design of the approach to standardise the method by which controls are articulated; to assess the design and rationalisation of controls to mitigate risk; and to collaborate with process and control owners to better understand their end-to-end process and their control environment. In addition, Justin led the design and delivery of a digital training module which provided guidance to Control Owners on how to review and validate control uplift recommendations through the controls validation tool which his team developed in collaboration with the client’s Controls Office. Justin continued to lead this project and partner with the project sponsor as controls move from a standardised to an optimised state.
  • Global Bank – Next-Gen Internal Audit Transformation Programme – Justin led the design and delivery of over 170 Minimum Viable Products (MVPs) and over 200 Audit Supports globally in collaboration with the client. This included defining the ‘gold standard’ on how to apply enabling technologies such as process mining, data analytics and data visualisation throughout an audit lifecycle; designing and delivering a training programme for audit executives; and automating activities to support the Programme operating model. Key outcomes achieved for the client were savings in audit hours and increased capability to apply Next-Gen Internal Audit techniques.
  • Global Retail and Commercial Bank – Financial Crime Prevention Programme
    • Target Operating Model – Led the design and implementation of a target operating model (TOM) to centralise a Bank’s KYC operations across the UK. This includes the design of target state processes and key controls, capacity and competency planning, defining target service level agreements, and the design of a case management tool to support the TOM.
    • CDD Assurance Function Set-up – Led the design and initial set up of this function. This included development and implementation of a QA Checklist based on the Bank’s current Instructions, recruitment of over thirty interim resources to support this function, and development of management information capability. The key outcome for the client is a managed service with a trusted partner.
  • Global Tier 1 Bank – Next-Gen Internal Audit Transformation Programme – Justin led the design and delivery of over 170 Minimum Viable Products (MVPs) and over 200 Audit Supports globally in collaboration with the client. This included defining the ‘gold standard’ on how to apply enabling technologies such as process mining, data analytics and data visualisation throughout an audit lifecycle; designing and delivering a training programme for audit executives; and automating activities to support the Programme operating model. Key outcomes achieved for the client were savings in audit hours and increased capability to apply Next-Gen Internal Audit techniques.
  • Global Consumer Products Manufacturer and Distributor – Internal Audit – Justin led the pilot of an Order to Cash (O2C) implementation for a Global Internal Audit function as part of their Next-Gen agenda. This included collaborating with the client to transform traditional controls to analytic tests built within Celonis and action flows to automate control test results from Celonis into AuditBoard. Key outcomes achieved included continuous controls monitoring capability, user acceptance of process mining to inform data-driven lines of enquiry and savings in audit hours for future reviews on the O2C process.
  • Global Automotive Manufacturer and Supplier – Finance – Justin led the pilot of a Purchase to Pay (P2P) Celonis implementation for a Finance function incorporating internal controls from their SOX compliance programme. This pilot identified opportunities to strengthen the company’s internal control environment in the design of key controls, full population controls testing within SAP to enable continuous controls testing and automation of manual activities identified as rework activities automatically identified within Celonis.
  • Global Luxury Brand – Finance – Justin led an Order to Cash (O2C) Celonis implementation sponsored by the company’s Finance and IT function. This project identified opportunities to enhance customer experience, warehouse operations and working capital through a risk and controls lens and identified opportunities to automate manual activities using robotic process automation.
  • Global Bank – Risk Operations – In collaboration with the client and one of Protiviti’s ecosystem partners, Justin led the design, build and presentation of a proof of value (POV) using process mining and execution management technology, with Transaction Monitoring Alert Handling as the use case. This POV demonstrated the art of the possible to effectively and efficiently manage, quantify and take action on operational risks in real time using data.
  • UK Retail and Commercial Bank – Process Optimisation – Justin led the discovery and prioritisation on how robotic process automation can be applied across a traditional bank as part of their journey to move to a full digital bank. Key outcomes for the client include consensus on the opportunities to increase operational efficiency and customer satisfaction of the bank’s client onboarding process, and a prioritised road map.
  • UK Challenger Bank – Internal Audit – Justin led the POV in collaboration with the client’s Financial Crime Internal Audit team, with suspicious activity reporting (SAR) as the use case. Key outcomes for the client include identification of an issue not identified through a previous audit and business wide awareness of the value of process mining across all three lines of defence.
  • Global Investment Bank – Global AML/KYC Framework Assessment – Justin led the review of a global bank’s AML/KYC Framework focusing on identifying gaps between the bank’s KYC Policies and Procedures against regulatory requirements and benchmarking against leading industry practice in key markets where the bank operates. This included an assessment of the bank’s governance arrangements (including the engagement model for AML/KYC), AML Client Risk Rating methodology, AML technology, tools and templates, training approach, quality assurance in the first and second line, deployment approach and implementation plans. Recommendations to remediate and enhance the bank’s AML/KYC Framework were presented to the client for implementation.
  • Global Bank – Global CDD Standards – Deployment Support – Justin provided support to the deployment lead for a Global Financial Crime Compliance (FCC) function to design and deploy a suite of CDD standards globally. Key responsibilities include the design of a TOM for FCC processes, definition of a roadmap to implement the TOM, definition of business requirements, provision of FCC advice in working groups and leading business readiness activities (e.g. communications, training and capacity planning) for Global Banking FCC globally.
  • Global Retail and Commercial Bank
    • Business Wide Risk Assessment (“BWRA”) – Led the BWRA for AML/CTF, sanctions and the facilitation of tax evasion for three BWRA cycles. This included development of the methodology for sanctions and tax evasion. Oversaw the BWRA for fraud. Key outcomes for the client included a BWRA methodology which drives the identification and assessment of new and emerging risks for management action, a methodology which is repeatable and a prioritised list of key controls that require remediation.
    • CDD Instructions (KYC Minimum Standards) – Led the design and drafting across a range of core processes aligned with 4th EU MLD requirements, JMLSG and leading industry practices. This included definition of target state process maps, agreeing roles and responsibilities for key activities and engaging with Branch representatives to understand the impact to Branches. Instructions included KYC trigger event and periodic reviews, ID&V, ‘Unregulated’ Client Accounts and SARs.
  • UK Retail and Commercial Bank – AML Quality Assurance Framework – Justin led the diagnostic and overall design and implementation of a quality assurance framework for Financial Crime activities within the Bank’s first line of defence. This included recruitment and training of permanent employees.
  • UK Retail and Commercial Bank – Customer Screening and De-risking – Justin led the delivery of a project to reverse screen the Bank’s back-book against sanctions, PEP, SIP/SIE and RCA lists to enable a review of higher risk customers as part of the Bank’s wider customer re-risking activities. Key responsibilities included the delivery of a TOM for the project, definition of minimum standards for the review of alerts (including quality control and quality assurance), a case management and workflow tool (including MI reports), training and an agreed approach to effectively and pragmatically transition these enhanced processes to a business-as-usual function.
  • UK Financial Institutions – Financial Crime Audit – Justin has led many Financial Crime audit reviews across a range of UK financial institutions. This includes an assessment on the design and implementation of Financial Crime frameworks against leading industry practices, deep dive audits into financial crime topics and reviews on how effective changes in Financial Crime Policies and Procedures have been embedded across the firm.
  • Global Asian Commercial Bank – pre-Section 166 Financial Crime and Governance support – Justin led the business readiness for the firm prior to a regulatory visit. This included conducting mock interviews, assessing in scope areas to identify potential issues and leading remediation efforts prior to the Section 166. A key outcome for the client is ‘no surprises’ leading up to the regulatory visit.
  • UK Private Bank – Risk Management Framework – Led the design and implementation of Risk Management Framework (RMF) across a UK Bank. Responsibilities included collaborating with Risk Owners within the organisation to design a RMF which included a Risk Appetite Statement; risk taxonomies with key risks, key risk indicators and thresholds; underlying processes, templates and guidance to perform risk and control self-assessments (RCSAs) and a refresh of governance arrangements.
  • Multinational Financial Services Corporation – Justin led a jointly sponsored Compliance and Operational Risk project to develop a global programme to assess the firm’s compliance with legislation and/or regulatory requirements in each local market. Deliverables from the pilot phase include definition of an approach to identify the legal and regulatory inventory applicable to the firm, understanding the end-to-end processes and the first and second line key controls, and defining the technology requirements to support the programme.
  • Global Commodities Trader – Trading risk assessment – Justin implemented a framework to identify key risks to the organisation to meet corporate governance requirements. Responsibilities included:
    • Leading risk identification workshops with senior management;
    • Developing a tool to consolidate risk assessment results from 42 business units;
    • Designing a dashboard to report on results at a group and at divisional level;
    • Designing and implementing processes and templates to report on status of risk mitigation activities, issue tracking and risk event reporting; and
    • Assisting in developing a strategy for the client’s risk management function.
  • Global Construction Materials risk assessment – Justin led the risk assessment workshop for the Cement division and was responsible for conducting interviews with key senior personnel, facilitating the risk assessment workshop, assisting in developing mitigating strategies for risks identified and presenting a consolidated report to senior management.
  • UK upstream oil producer pre-IPO assistance – Justin was the project lead to provide assistance to a firm in preparing for an IPO. Responsibilities included defining the key processes within the firm’s Finance function, identifying risks and controls within these processes, conducting a gap analysis of internal controls against better practice, providing recommendations to close gaps and identifying a number of system enhancements which were used in a business case to upgrade the firm’s ERP system. Deliverables included process narratives, risk and control matrices and flowcharts, a gap analysis and a control gap tracker to actively manage remediation.
  • UK Challenger Bank – Compliance Risk Assessment (CRA) and Monitoring – Led the design of the CRA methodology which included identifying applicable Laws, Regulations and Rules (LRRs); mapping of LRRs to applicable risks themes, policies, procedures, products and services, and customer outcomes; and developing a Compliance Monitoring Plan based on the outputs of the CRA.
  • Development and implementation of an Assurance Programme – Justin designed and implemented an assurance program for the world’s largest vehicle glass repair and replacement company to identify key risks across various business units, develop and validate controls, develop test plans, pilot the program and develop an implementation plan across the Group. Justin has implemented this Programme globally across 20 geographic locations.
  • Internal Audit and Sarbanes-Oxley Implementation – Justin has led many reviews in the financial services, manufacturing, retail and automotive industries across many core financial, operational and compliance related processes. Responsibilities included identifying key risks and controls for each process, conducting a gap analysis against industry best practice, working with management to mitigate gaps, testing the effectiveness of each control and implementing a tool to effectively manage these risks.
  • Global Non-Financial Services Corporate – J-SOX Compliance – Justin was the European lead over a two-year engagement for a corporate owned by a Global Japanese Bank. Responsibilities included scoping of all reviews to be performed across all fourteen locations in-scope throughout Europe, challenging all risks and issues raised with the team prior to review with the client, overseeing the PMO function of this project team and liaising with the client’s external auditors as requested by the client.
  • Business Process Outsourcing – Justin project managed the transition of over 300 processes to Bangalore, India. Responsibilities included identifying processes in scope for outsourcing, documentation of processes and controls, planning and facilitation of knowledge transfer, negotiating service agreements, liaising with the outsourcing partner, conducting workshops for senior management, preparing status reports to the Stakeholder Group and monitoring service levels when the project went live. Justin led a team of twelve people for this project.

Areas of Expertise

  • Transformation and Change
  • Target Operating Model Design and Implementation
  • Process Mining and Enabling Technologies
  • Financial Crime Compliance
  • Enterprise Risk Management and Operational Risk

Industry Expertise

  • Financial Services
  • Manufacturing & Distribution
  • Consumer Products & Services

Education

  • Bachelor of Commerce – Accounting, Finance, and Business Law (University of Western Australia)

Professional Memberships and Certifications

  • CAMS
  • Chartered Accountant, Institute of Chartered Accountants in Australia (ICAA)
  • Chartered Internal Auditor (IIA)
  • Certified Internal Audit Quality Assessor (IIA)