Remediation programmes are often the final act in a long sequence of regulatory breaches, operational failings, or customer detriment. These programmes aim to put things right, compensate customers, rebuild trust, and satisfy regulatory expectations. Yet despite their importance, remediation efforts frequently falter. Projects drag on, costs escalate, customers remain dissatisfied, and regulators intervene again.

The reasons for these failures are not new, nor are they unpredictable. In our experience and our research on regulatory sanctions, they follow a pattern of recurring strategic and operational weaknesses. Left unchecked, these flaws derail even well-intentioned initiatives.

This article explores the seven “deadly sins” that undermine remediation success. Each section provides insight into what goes wrong, why it happens, and how firms can respond with greater structure, discipline, and integrity.

01

Weak Governance

Strong governance is the foundation of effective remediation. Yet many firms begin with ill-defined structures, muddled roles and responsibilities, and a lack of programme-level authority. This failure of governance is not abstract: it directly impairs decision-making, creates ambiguity over ownership, and leaves teams without the clarity needed to execute under pressure.

Remediation governance differs from BAU oversight. It requires a discrete, elevated governance model, with executive sponsorship, a dedicated steering committee, and cross-functional escalation protocols. Without these, issues linger unresolved, interdependencies are mismanaged, and reporting becomes fragmented. Governance requires clearly defined accountability lines, mapped not just to functions, but to outcomes and KPIs.

Regulators increasingly expect this. The FCA’s engagement with firms post-enforcement often focusses on how the remediation programme is governed: who owns it, who monitors it, and how progress is tracked. A well-run programme provides clear answers to these questions. A poorly run one leaves regulators seeking answers and updates, and losing confidence.

Beyond structure, governance is also about tempo. For example, are decisions made fast enough? Are they escalated to the right authority level? Are regulators kept informed? Programmes that answer “yes” tend to succeed. Those that hesitate can unravel.

Ultimately, governance in remediation is about trust and confidence. Regulators want to know that the programme is being run by people who understand the risk, have the mandate to resolve it, and can evidence every step along the way. Good governance builds that trust. Poor governance breaks it.

02

Flawed Programme Execution

Remediation efforts can collapse, not because the problem is misunderstood, but because the response is poorly executed. Firms can underestimate the complexity, overpromise on timelines, and underinvest in delivery capability. The result is predictable: missed milestones, spiralling costs, poor outcomes and deteriorating morale.

Execution failures often start with planning. Programmes can be scoped too broadly or narrowly; resource models built around optimistic assumptions; interdependencies, especially between operations, technology, and legal, misunderstood. In high-pressure environments, these oversights compound quickly.

Best practice involves treating remediation like a change programme. That means structured governance, sequenced delivery, and a focus on both pace and quality. It also means resourcing properly, not just with volume, but with relevant experience. The people delivering remediation need to understand regulation, customer outcomes, and programme management. One without the others is not enough.

Finally, traceability is crucial. If this is unclear, regulators will assume the worst. Transparency in delivery, through documentation, QA artefacts, and audit trails, is an essential element of the redress journey.

03

Unstable Policy Foundations

Policy instability is one of the most overlooked risks in remediation. There are multiple examples on the FCA’s Final Notices register of regulatory sanctions where firms failed to establish appropriate policies. Firms often start programmes before the underlying redress or eligibility policy has been properly defined, tested, and agreed. The logic changes mid-flight. Teams are left rewriting rules, reworking outcomes, and re-engaging with customers who thought their case was closed.

This undermines programme credibility. Customers question the fairness. Staff question the process. Regulators question the firm’s control environment. In some cases, firms have had to rerun entire programmes because policy design was inadequate.

To avoid this, policy must be treated as a formal artefact. It should be developed early, with input from Legal, Compliance, Risk, Customer Operations, and where possible the regulator. It should be tested against real cases and stress-tested against edge scenarios. It should be version-controlled and subject to formal governance.

Importantly, policy must be explainable. If a customer or regulator asks why a decision was made, the firm should be able to show the rule, its interpretation, and its application. Anything less invites scrutiny.

Firms should avoid over-engineering the policy. The best designs are clear, defensible, and customer-centric. Complexity may seem precise, but it often leads to inconsistency. Clarity and simplicity win trust.

Finally, policy must be stable. This doesn’t mean it can never change, but that change must be controlled. Amendments should go through governance, be transparently communicated, and applied with consistency across the programme. Without this, remediation becomes a moving target, and that’s when outcomes unravel.

04

Shallow Root Cause Analysis

Root cause analysis (RCA) is a core component of any serious remediation. But too often, it is treated as an obligation rather than a strategic opportunity. Firms go through the motions, listing surface-level issues without exploring the deeper systems, behaviours, or decision frameworks that allowed the failure to occur.

Superficial RCA has two consequences. First, it risks ineffective remediation, because it fixes the effect, not the cause. Second, it signals to regulators that the firm hasn’t fully understood its failure, increasing the likelihood of further scrutiny.

A robust RCA process goes beyond immediate triggers. As a minimum, it asks questions of governance, incentives, culture, and controls. Again, there are multiple examples in the FCA’s Final Notices register of firms being aware of issues but failing to take appropriate and timely action.

Good RCA blends data, testimony, and judgement. It is tested against prior incidents and benchmarked across the organisation. And it results in specific, actionable change, not vague commitments to “raise awareness.”

For firms already under investigation or enforcement, RCA is also reputational, and boards always ask, “How did we get here?” A thoughtful, transparent analysis can restore credibility. A shallow or self-serving one can destroy it. Regulators know the difference.

05

Insufficient Quality Assurance

Quality assurance (QA) in remediation is the safety net that ensures redress is fair, accurate, and defensible. Yet too often, QA is under-scoped, under-skilled, or introduced too late to add value.

Effective QA starts with design. The QA model should reflect the complexity and risk of the remediation, whether that’s checking 10% of cases or 100% of specific types. It should be risk-weighted, and it should be embedded from day one, not bolted on after customer contact begins.

The QA team must be independent from delivery teams, trained in both policy and process, and empowered to challenge outcomes. They must track trends, identify systemic issues, and escalate accordingly. Their findings should drive programme improvement, not just error correction.

Technology can support this, particularly in large-scale reviews. Workflow tools, redress calculators, and QA dashboards can automate checks, surface anomalies, and provide a clear audit trail. But the core remains human judgement.

Firms should also engage second-line and internal audit early. Too many programmes view assurance as a “phase” rather than a parallel track. The sooner assurance functions are aligned with QA, the stronger the overall control environment.

Ultimately, QA is not a regulatory checkbox; it’s a reflection of programme integrity. It demonstrates that the firm cares not just about closing cases, but about getting them right.

06

Data Integrity Failures

Remediation success or failure rests on data. Without accurate customer records, product histories, and transaction logs, it becomes impossible to identify who was affected, how they were harmed, and what redress they are owed.

Yet lack of data integrity remains one of the most damaging sins. Legacy systems, fragmented sources, poor data lineage, and manual extraction all contribute to inaccuracies. In some cases, firms have had to exclude affected customers simply because they could not identify them with confidence.

Data risks must be tackled early. That begins with a discovery exercise: what data exists, where it lives, how complete it is, and whether you can rely on its accuracy. Where data is missing, firms must determine a defensible approach, whether that means extrapolation, assumptions, or direct customer outreach. But these choices must be transparent, consistent, based on sound rationale, and approved through governance at the appropriate level.

Technology can help, particularly data matching tools, case management platforms, and automated redress calculators. But tools are only as good as the logic behind them. Data quality and redress calculator efficacy must have clear ownership, which cannot be outsourced.

Finally, firms should build in data QA. Just as outcomes must be tested, so must inputs. Without this, even the best-designed policy can produce poor results. In remediation, bad data is not just a risk; it’s a liability.

07

Unsustainable Remediation Outcomes

Too many remediation programmes talk sustainability but in reality treat closure as the goal. Cases are resolved, letters are sent, regulators are updated, and the team disbands. But without embedding lessons learned into business-as-usual, the same issues risk repeating.

A sustainable remediation programme looks beyond redress. It asks: what permanent fixes are needed? How will we monitor for recurrence? Who owns this risk going forward?

This requires formal handover plans, from programme to business, from policy to control, from issue to monitoring. Controls must be updated. MI must be configured. Training must be refreshed. These are not secondary tasks; they are the bridge to future compliance.

Where appropriate, firms should revisit the root cause. Did the remediation truly fix it? Have incentives changed? Has culture evolved? Sustainability isn’t about one-and-done fixes; it’s about system-wide reinforcement.

Regulators are watching for this. Increasingly, they assess not just whether redress was paid, but whether the risk has been mitigated. If the answer is no, expect scrutiny to continue.

Conclusion

The challenges of financial services remediation are real, but they are also avoidable. The seven deadly sins outlined above are not inevitable. They reflect choices: to rush instead of plan, to improvise instead of govern, to appease instead of fix.

The firms that succeed in remediation are not the ones that throw the most people at the problem or outsource the responsibility for swift execution. They are the ones that bring clarity, rigour, and reflection to the task. By avoiding these seven sins, financial institutions can not only repair the damage but emerge stronger, safer, and more trusted than before.