Managing Through Change – How to Survive and Succeed

“If you don’t like change, you’re going to like irrelevance even less.” – General Eric Shinseki

“New ideas pass through three periods: (1) It can’t be done; (2) It probably can be done, but it’s not worth doing; and (3) I knew it was a good idea all along!” – Arthur C. Clarke

Everybody – and every organization – reacts differently to change, whether incremental, small changes such as a tweak to a policy or procedure; or massive organizational changes such as the elimination of a business or the imposition of a public order. Understanding these dynamics is critical in managing change. The notes below are taken from three books I’ve read on change management: Kotter’s “A Force for Change: How Leadership Differs from Management”; Kruger’s “Change Management Iceberg”; and Trice & Beyer’s “The Culture of Work Organizations”. Some of these points are obvious and known, others are not so obvious … but keeping all of these in mind as you personally navigate change or are responsible for leading a project implementing organizational change will help you, and your team and organization, succeed.

Change must occur in eight phases, in order:

  1. Establish a sense of urgency
  2. Create a coalition
  3. Develop a clear vision
  4. Share the vision
  5. Empower the people in order to clear obstacles
  6. Secure short-term wins
  7. Consolidate and keep moving
  8. Anchor the changes

There are four reasons why people resist change:

  1. Parochial self-interest
  2. Misunderstanding due to poor communication or lack of communication
  3. Low tolerance to change (physiological, cognitive, emotional)
  4. Different assessments of the situation

The way(s) to deal with change can be put into six buckets:

  1. Education and communication – inform and educate about the change before trying to implement it to keep the noise down
  2. Participation and involvement – particularly of those that are or are expected to resist
  3. Facilitation and support – to deal with fear and anxiety during the change process, particularly where there will be, or perceived to be, lost jobs
  4. Negotiation and agreement – with the people/group(s) that will be most adversely impacted by the change and can influence the outcome
  5. Manipulation – when nothing else works. Caution!
  6. Coercion – explicit and implicit … where speed is essential but only as a last resort

There are four groups of people in any change management effort:

  1. Known Proponents/Promoters – positive general attitude about change and a positive behavior towards the change
  2. Potential Promoters – positive general attitude about change but not yet convinced that this change effort is positive
  3. Known Opponents – negative general attitude to change and negative behavior to this particular change effort
  4. Hidden Opponents or Opportunists – a negative general attitude but they act like they’re supportive, and otherwise actively or passively resist and obstruct change

There are eight reasons why many change efforts fail:

  1. Allowing too much complexity
  2. Failing to build a sustainable coalition
  3. Not understanding the need for a clear vision
  4. Failing to clearly communicate the vision
  5. Permitting roadblocks against the vision
  6. Not planning for short-term results and then not realizing them
  7. Declaring victory too soon
  8. Failing to anchor the changes into the company’s culture

Managing Meetings – How to Increase Your Effective Staffing Level by 25% … Without Adding Any Staff!

How many of us dread those needless conference calls where the first ten minutes are spent re-capping what was just said to those that dial in late, and the host asking time and time again, “hi, I heard another beep, who just dialed in?”? And how many of us have thought “I just spent an hour in a meeting that could have been handled in an e-mail?”

Meetings, whether in-person, on conference calls, or the hybrid Skype or WebEx call, take up an enormous amount of any risk management professional’s time. Here’s a rough estimate:

You average four, one-hour meetings a day, five days a week, fifty weeks a year. That is 1,000 hours of your time. If your risk management team is made up of 100 people, all with roughly the same experience, that is 100,000 hours of your risk management time spent in meetings and on conference calls, leaving 100,000 hours for really managing risk.

If you could eliminate just one of those four daily meetings, and reduce two of them from the standard one hour to 45 minutes, and reduce the fourth to 30 minutes, you’d add 50,000 “real work” hours to your team’s year. That is the equivalent of increasing your effective staffing by 25%, without adding any staff.

“Time is a large company’s most poorly managed resource”, writes Michael Mankin of Bain & Co. in a May 2014 Harvard Business Review article titled “Your Scarcest Resource”. Mr. Mankin also writes that while all organizations carefully manage their capital and liquidity, most organizations do not manage their time, which is often squandered on long e-mail chains, needless conference calls, and countless unproductive meetings.

Mr. Mankin offers some wonderful ground rules for how many people to have at a meeting. He writes that meeting size depends on purpose:

  • Weighing a problem – 4 to 7 people. Each person should have a purpose, and neither spectator nor color commentator count as being purposeful
  • Making a decision – 4 to 7 people. And Mr. Mankin admonishes the reader to follow the Rule of Seven: for every additional meeting participant over seven, the likelihood of making a sound decision goes down by 10%
  • Setting the agenda – 5 to 15 people. These should be limited to huddles or stand-up meetings (less than 15 minutes) are best for setting an agenda for a project or initiative. There is no need to get comfortable
  • Brainstorming – 10 to 20 people. Also huddles or stand-up meetings

In an article posted online, Leda Glyptis writes “we spend time calculating how much time we will need to do things we haven’t spent the time understanding. We spend time to question our colleagues’ good intentions. We spend time (heaps and heaps of time) to discuss and mitigate risks, syndicate decisions and allocate resources. We spend time as if it wasn’t money, doing the one thing that is not irreversible for fear of doing a dozen things that are. We squander the one resource that can never be replenished to protect those that can.”  (https://www.bankingtech.com/2018/04/waste-not-want-not-time-as-the-most-undervalued-resource-in-banking/?utm_medium=email&utm_source=fintechweeklycom, “Waste not want not: time as the most undervalued resource in banking”, by Leda Glyptis. Accessed April 12, 2018).

What can you do to squander less time, become more productive, and start enjoying your work more? Here are some ideas to help with meetings and with the main focus of meetings, the dreaded PowerPoint deck:


  1. Only accept meeting invitations where there is an agenda, purpose, and you have a defined role. Otherwise, you are a spectator (or, even worse, the dreaded color commentator) to your own loss of that time. By the way, sending a note or calling a meeting organizer to question the purpose of the meeting and your expected role and deliverable is a tough thing to do … but it’s worth doing. I once sent a “decline” response back to a meeting organizer with a note that I was declining the meeting for me and one of my team members because (1) another team member was invited and could speak for the entire team, and (2) I had no discernible role. The meeting organizer angrily called me up, accusing me of being disrespectful of his meeting: I told him that I was simply trying to be more efficient and, with fewer people cluttering his meeting, making his meeting better. He had no response.
  2. If there is more than one person from your team invited to the meeting, look very closely at whether both (or all) of you are required participants. If not, decline with an explanation that X can handle it for your team. This also empowers your team members: they’ll appreciate that the boss has put them in charge, even if just for that meeting!
  3. Why are most meetings an hour long? Make all of your meetings 15, 30, or 45 minutes long. If you can’t solve something in less than an hour, you’re not going to solve it. And, as a host of a meeting with some or all of the participants on the phone, remind participants before the meeting that it will start on time, and anyone coming in late will simply have to catch up on their own. Avoid the trap of having the first 10 minutes of every call spent re-capping the first 2 minutes for the people continually dialing in 2, 4, 6 minutes late.
  4. End your meeting 5 minutes early – people will love you for it. And don’t be afraid to end a meeting 10 minutes in if you’ve accomplished what you need to accomplish, or necessary participants aren’t there.
  5. Your meetings should be true to the Mankin Rule of Seven. I’ve tried this – it works.
  6. Don’t invite anyone without telling them the purpose of the meeting, his/her role, and what is expected for preparation, and the deliverables expected to come out of the meeting. People perform better if they are prepared, have a purpose, and know their role.
  7. Look at your calendar: back-to-back (and back-to-back-to-back) meetings are less productive than meetings spread out enough to give you time to prepare before the meeting and act after the meeting (and get to, or dial into, a meeting). So avoid back-to-backs when you can.
  8. Standing meetings are generally less productive than ad hoc meetings.
  9. If you’re a slave to your Outlook calendar, block off time to think each day. Don’t allow yourself to be backed into the back-to-back-to-back days that are becoming all too common.

“Decks” or Presentations (PowerPoints)

  1. PowerPoint may be one of the worst ways, or at least one of the most inefficient ways, to communicate. What takes 10 pages in a PowerPoint deck can be reduced to 1 page in Word.  And in Word, people tend to use things like sentences, and express complete thoughts. We’ve all read that meme about “if Lincoln’s Gettysburg address was done in PowerPoint” … https://norvig.com/Gettysburg/ is the best one I’ve found.
  2. Instead, follow the Amazon/Bezos rule, where it/he has banned PowerPoints for executive meetings and uses narrative-styled, 6-page maximum memos (2017 Annual Report shareholders’ letter, Bezos writes “We don’t do PowerPoint (or any other slide-oriented) presentations at Amazon. Instead, we write narratively structured six-page memos. We silently read one at the beginning of each meeting in a kind of ‘study hall.’”). At worst, impose a 10-page rule on PowerPoint presentations. And, when possible, print double-sided and in black and white: help save the planet.
  3. Insist on an Executive Summary that has a problem statement, presents at least two and no more than four options, and a suggested solution. And then understand that few people will go beyond that summary.

The Paretto Principle, or the 80/20 Rule, tells us that 20% of our time provides 80% of the value … which means that 80% of what you do provides very little value. So begin to track what you do, how much time you spend, and whether it really adds value and makes a difference.  But pay special attention to the time you spend in meetings. My guess is that if you worked at it, and gave discipline to your team and those using your team’s time, you could be much more efficient, effective, and happy.  Try it!

(another good resource for learning how to better use time is Laura Vanderkam’s book “Off The Clock: Feel Less Busy While Getting More Done”)

Subject Matter Experts vs. Subject Matter Enthusiasts

Like most industries, the financial crimes risk management industry is rank with jargon, axioms, and hackneyed phrases we all toss around with plenty of abandon but little discipline.  Rising to the top of this heap is “Subject Matter Expert” or “SME”.

More important to the success or failure of any endeavor than the self-styled Subject Matter Expert is the dreaded Subject Matter Enthusiast.  The Expert is just that: someone with talent, training, subject matter knowledge, environmental knowledge, and years of experience (and not just one year of experience many times, but many years of experience). The true Expert doesn’t see him or herself as an expert, won’t call himself (I’m going single pronoun from here on, if that’s OK) an expert, probably doesn’t see himself as an expert, but he possesses those traits, or enough of them, to truly be, and be seen as, a Subject Matter Expert.  The Enthusiast, on the other hand, often calls himself an Expert when he isn’t, or thinks of himself as possessing enough of as many of the traits needed to pass himself off as an Expert. The Enthusiast overcomes his lack of true expertise with just enough confidence, hubris, and (frankly) enthusiasm to move a project ahead or design a monitoring system just long enough to allow auditors, regulators, and prosecutors to catch up … and for the experts to bail him (and the project or monitoring system) out.

A Subject Matter Enthusiast usually means well but isn’t the “expert” he thinks he is. Unwittingly, he can cause all sorts of damage (note that the word immediately after “enthusiasm” is “entice” … indeed, Enthusiasts often entice people into doing things they wouldn’t otherwise do). And as a rule, a business person in a typical financial institution is a Subject Matter Expert in their business and a Subject Matter Enthusiast in your business (financial crimes risk management), and risk management professionals are Subject Matter Experts in risk and Subject Matter Enthusiasts about the businesses. The trick is to be respectful of and acknowledge where each other’s expertise begins and ends, and enthusiasm begins and ends, and somehow meet in the middle.

Oddly enough, most of us in the financial crimes risk management industry are a little bit of both: we may be an Expert in technology and an Enthusiast in AML, or an Expert in auditing and an Enthusiast in AML, or an Expert in AML and an Enthusiast in technology … the key is to recognize where (whether) your Expertise begins and ends, and where your Enthusiasm begins and ends, and to know where your colleagues fall on the Expertise/Enthusiasm spectrum.  And the most successful financial crimes risk management efforts are those where everyone involved in the effort knows where his and everyone else’s expertise and enthusiasm begin and end, and where everyone is respectful of and accepts others’ expertise.

This seems particularly important in this new age of disruptive fintech. I’ve seen some great fintech companies that are technology experts but financial crimes enthusiasts but aren’t aware (or aware enough) of their lack of financial crimes expertise and are not respectful enough of the financial crimes expertise of those they’re trying to sell to.

So, the next time you’re pulling together a team to solve any financial crimes problem – and that team can include fintech companies looking to sell you a “solution” – make sure everyone on the team recognizes and is aware of every team member’s Expertise/Enthusiasm spectrum. Knowing, and admitting, where/whether your expertise begins and ends, and your enthusiasm begins and ends, will make your team, and project, a success.

(Thomas Friedman had a different twist on subject matter enthusiasts in a NYT Op/Ed from April 24, 2001, where he wrote: “The well-intentioned but ill-informed being led by the ill-intentioned but well-informed.”)

“The Courage To Change” Podcast has been published


Please take the time to listen to Jo Ann Barefoot’s podcast. The notes provide:


We’re moving into a new era of regulation and compliance that will be driven by new technology. Most of our listeners know I’ve co-founded a regtech firm, Hummingbird, to help bring this new model, first, to anti-money laundering, which is widely seen as the arena where the old compliance model is most broken, and where new technology could go the farthest, fastest, to solve everyone’s problems — by both improving outcomes and cutting costs. There is a growing global “regtech” community, in both the public and private sectors, aiming to transform financial regulation and compliance, and specifically to make them both digitally-native, with all the power of digitization to make everything better, faster, and cheaper, all at once.

Executing this transformation will take imagination, vision, wisdom and even courage, which is why I invited today’s guest to join us.  He is Jim Richards, founder of the new firm, RegTech Consulting, and I think he used the word “courage” six times, in our talk.  We sat down together at this year’s LendIt conference in San Francisco, just a few days after Jim had retired from his position as the Bank Secrecy Act Officer and Global Head of Financial Crimes Risk management at Wells Fargo, a job he held for more than twelve years. He’s also an attorney and a deep expert in financial crime.

Jim is famously outspoken. He’s also funny (he says the book he wrote on transnational financial crime sold more copies in Russian than in English. Most of all, though, he’s frustrated. He thinks we can do better in fighting financial crime.

I do too. According to the United Nations, there’s about $2 trillion in global financial crime each year, and we’re catching less than 1 percent of it. To achieve these paltry results, the financial industry spends around $50 billion a year. In other words, launderers can fund terrorism and amass wealth by trafficking in drugs, weapons, and human beings, with very little risk of getting caught. No wonder financial crime is a growing global business.

Jim says that the heart of this problem is that incentives are misaligned, which means resources are too. He thinks we’ve built a regulatory system that does not reward effectiveness but instead prizes compliance “hygiene.” The theory of the system, of course, is that banks’ careful compliance with the AML regulations should lead to high levels of effectiveness in helping law enforcement stop financial crime. Possibly, in an earlier era, it did. Today, though, there is a massive mismatch between the compliance activities required by our regulations and the desired outcomes — partly because the technology of both money laundering, and anti-money laundering, has shifted under our feet. And today’s methods can’t scale up.

Like many people in the AML world — including me — Jim envisions a better system in which, mostly through newer technology, we could take some of the thousands of people and billions of dollars devoted to this effort and redirect them to drive better results, and cut the costs, too.

He has lots of ideas. They include updating the rules on Currency Transaction Reports; fixing the Know Your Customer process through more information standardization, prescreening, and data sharing; addressing the new beneficial ownership requirements (which he calls a tsunami hitting banks and their small business customers; and resolving what he calls “The Clash of the Titles” — the four titles of the US Code that govern financial crime. He suggests getting law enforcement input into financial regulators’ enforcement efforts. He has thoughts on how AML and fraud detection overlap and differ. He says there’s a lot to learn from how fintech companies do AML since they generally have good data and new systems. Like our previous Barefoot Innovation guest, Ripple’s Chris Larsen, Jim sees a useful model in how global trade was transformed by the advent of standardized shipping containers, as explained in Marc Levinson’s book, The Box.

A key issue is transaction monitoring (although Jim vigorously argues that term is obsolete). The law requires banks to monitor their customers’ activity and report suspicious patterns.  Today, this process, systemwide, produces huge over-reporting of meaningless alerts that drown both bank personnel and law enforcement in low-value information they don’t have the tools to analyze. It’s a perfect use case for AI, which Jim says Wells Fargo began using in AML as early as 2008 and is now building further under his successor, Graham Bailey (whom Jim calls a genius, the best AML technologist in the industry).

Jim says that banks like Wells Fargo devote less than ten percent of their AML compliance people to working on sophisticated, complex crime, while the other 90+ percent do regulatory compliance, just “crunching through the volumes.”  This is at a time when the crime itself is getting more and more sophisticated because the worst criminals are adopting new tech and are building global networks, most of which we can’t find with current methods. He makes the case that it would be good to flip that and deck the 90 percent against the big problems. We already have the technology to do that, both in process and analytics. We just need to enable the system to adopt it, for both government and industry.

The original AML law in the United States, the Bank Secrecy Act, is approaching the half-century mark. It’s been modernized and automated along the way — FinCEN has brought in a lot of automation — but the system doesn’t yet leverage the newest technology. It needs to shift to digitally-native design, probably with open source technology that can enable new, efficient, effective approaches, system-wide. A few weeks after we recorded this episode, I hosted a roundtable in Washington where experts from across the AML ecosystem — large and small banks, fintechs, regtechs, bank regulators, trade groups, Congressional staff, academics and, crucially, law enforcement — spent a day together thinking through next-generation AML. The new Comptroller of the Currency, Joseph Otting, has made AML modernization a top priority. Change is coming.

And it’s attracting great people, including great tech people, into solving these problems, including many who, a year ago, would surely have laughed to hear Jim Richards say, as he did to me, that BSA Officer is “the most fascinating job you can have in banking.”  People think compliance is boring. They’re wrong. It’s fascinating, and it’s important.

Jim has founded his new firm, RegTech Advisors, to, as he puts it, “develop the next generation of professionals, technologies, programs, and regimes and really make a difference.” He thinks doing that will take courage… including the courage to make some mistakes. That’s a type of courage that doesn’t come easily to the regulatory sector, but we’re going to have to develop it.

Jim Richards featured in two podcasts

Thomson Reuters Legal Executive Institute podcast on the beneficial ownership rule, with Holly Sais Phillippi, Partner Director in Governance, Risk & Compliance for Thomson Reuters Legal; Brett Wolf, Reuters senior financial crimes correspondent; and Jim Richards.

American Bankers Association/American Bar Association (ABA/ABA) Financial Crimes conference podcast with Ryan Rasske, Senior VP, Risk & Compliance, ABA’s Professional Development Group, available at https://www.youtube.com/watch?v=gDCnAujJHMA&feature=youtu.be (“Jim Richards, former BSA Officer at Wells Fargo and currently the Principal at RegTech Consulting LLC, talks with ABA’s Ryan Rasske about the synergy between BSA/AML, fraud and cyber-enabled crimes, including the focus on clean data to fight financial crimes. Learn more about the ABA/ABA”)

For all of the great ABA/ABA Financial Crimes podcasts, go to the “Experience Page” at https://www.aba.com/Training/Conferences/Pages/fce-podcasts.aspx

Dress Appropriately – AML Policies, Procedures, and Policedures

“As chief executive at General Motors, Mary Barra practices what she preaches. Her management philosophy is epitomized by GM’s workplace dress code—which is equally brief, and also an antidote to the restrictive, wallet-draining policies at many large corporations. It reads, in full: ‘Dress appropriately.’”

Much can be learned from this when it comes to writing BSA/AML policies (what you must do), procedures (how you must do it), and policedures (those bridge-too-far documents that describe what to do and how to do it).  Tremendously detailed and prescriptive policies and procedures are usually impossible to adhere to on a day-to-day basis, invariably ignored in times of stress, and often turned against you by regulators and prosecutors.  Granted, a two-word policy may not cut it with regulators or those in the implementation trenches, but a general rule to follow may be that you keep your policies below 1,500 words: after all, if the US Colonies can declare their independence from Britain in 1,458 words, a decent BSA Governance team can declare that a bank adhere to customer due diligence regulations in 1,458 words (or less).

A common policy drafting mistake is to assume that the theory of the policy will translate into sound practice in the front line units. As the great philosopher Yogi Berra said, “in theory there is no difference between theory and practice: in practice there is.” So give your policies and procedures (and your policedures) to those people in your organization that are supposed to be following them, and have them tell you whether the practice of implementation meets the theory of compliance.

And on a related note, if your program is replete with “Roles & Responsibilities” documents and intra-company service level agreements, take another look at your corporate policies and line of business procedures: R&Rs and SLAs are often manifestations of the failure to write policies and procedures that can actually be understood and followed.

Public/Private Sector Partnership in Combating Financial Crime: The More Things Change, The More They Stay The Same

“Operationalizing the provisions of the Bank Secrecy Act and USA PATRIOT Act has been and continues to be a complex endeavor.  From the policies, procedures, and practices for know your customer or enhanced due diligence; to the systems and tools to monitor transactions and conduct surveillance of high-risk customers or classes of customers; to the ability to analyze, investigate, and report suspicious activity; and to trending, training and testing for and of those programs, the tasks of individual financial institutions are daunting.  As daunting is the task of the regulatory community to set standards for and examine those programs.  Continued cooperation and dialogue between the regulatory community and the institutions it regulates is critical to understanding and controlling the unique risks posed by money laundering and terrorist financing.”

This is an excerpt from Congressional testimony of Jim Richards almost fourteen years ago, yet it remains true today.

See attached testimony of James R. Richards on behalf of Bank of America before the House Financial Services Subcommittee on Oversight and Investigations on “Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts”, May 18, 2004

2004-05-18 Richards Testimony House Financial Services