Component: Controls (Preventative, Detective, and Monitoring Controls)

Description

Many existing controls within the collections environment rely on Virtual Worklists (VWL) as a reporting mechanism to identify breaches or potential breaches. Examples include:

  • Accounts not actioned within required timeframes

  • Missed or delayed treatments

  • Incomplete activities or documentation

  • SLA breaches identified after the fact

These VWLs are detective controls only, typically operating as post-event extracts rather than embedded system safeguards.

The PCC upgrade creates a critical opportunity to:

  • Move away from VWL-dependent controls

  • Strengthen preventative controls where possible

  • Replace brittle extracts with robust, explainable control reporting

Option 1: Continue on PCC Upgrade Plan

Rebuild existing controls using PCC 2.4 reporting and VWL-style extracts

Action

  • Recreate existing VWL-based controls using PCC 2.4 reporting or equivalent extracts.

  • Preserve current control logic and thresholds.

  • Treat controls as reporting artefacts rather than system behaviour.

  • Make minimal changes to control design beyond technical migration.

Target State Score

2 / 5

Change Impact

3 / 5

  • Control operation changes under the hood, but remains conceptually the same.

  • Operational teams must learn new reports and extraction methods.

  • Limited change to how breaches are identified and managed.

Business Benefit

1 / 5

  • No material improvement in control effectiveness.

  • Controls remain largely reactive.

  • Existing weaknesses are carried forward into a new platform.

What this option gets

  • Controls technically operable in PCC 2.4.

  • Continuity of existing compliance monitoring.

  • Short-term comfort for audit and assurance.

What this option does not get

  • No reduction in reliance on VWL-style constructs.

  • No shift toward preventative controls.

  • No improvement in timeliness of breach detection.

  • Limited ability to demonstrate proactive risk management.

Key Risks and Considerations

Business Risk

  • Continued reliance on manual or semi-manual breach identification.

  • Breaches detected after customer harm has occurred.

  • Ongoing audit findings due to weak control design.

Delivery Risk

  • VWL equivalents may not behave identically in PCC 2.4.

  • Reporting logic becomes harder to maintain and explain.

  • Risk that controls are rebuilt late and tested lightly.

Accelerator

  • Cursor can assist in:

    • documenting current VWL-based controls

    • translating logic into PCC 2.4 reporting requirements

  • Limited ability to uplift control design without broader architectural change.

Option 2: Pivot to Target State

Redesign controls using control reporting and preventative mechanisms

Action

  • Redesign controls as part of the target-state architecture.

  • Replace VWL reliance with:

    • control reports

    • event-based monitoring

    • embedded preventative controls where feasible

  • Shift controls upstream into:

    • decisioning

    • task creation

    • activity enforcement

  • Align controls to enterprise control frameworks and reporting standards.

Target State Score

5 / 5

Change Impact

4 / 5

  • Change in how breaches are identified, escalated, and prevented.

  • Reduced operational effort over time.

  • Controls are embedded into BAU rather than layered on top.

Business Benefit

5 / 5

  • Material reduction in post-event breach management.

  • Earlier detection of emerging risk.

  • Demonstrable movement from detective to preventative control design.

  • Stronger regulatory defensibility and audit outcomes.

What this option gets

  • Ability to eliminate most VWL-style controls.

  • Preventative controls embedded in system behaviour, such as:

    • enforced timeframes

    • mandatory activities

    • blocking invalid actions

  • Clear, auditable control reporting.

  • Alignment with risk appetite and regulatory expectations.

What this option does not get

  • Immediate one-for-one replacement of all legacy VWLs.

  • Some complex scenarios may still require detective monitoring.

  • Requires upfront design and risk engagement.

Key Risks and Considerations

Business Risk

  • Requires clear risk ownership and design decisions.

  • Risk of over-engineering controls if not prioritised.

Delivery Risk

  • Dependency on segmentation, tasks, and event design.

  • Controls must be designed early or risk becoming bolt-ons.

  • Requires tight coordination between risk, ops, and technology.

Accelerator

  • Cursor can:

    • catalogue existing VWL-based controls

    • classify controls as preventative vs detective

    • design target-state control reporting

  • Opportunity to embed controls into Mini Apps and dashboards rather than PCC screens.

Option 3: Tactical Legacy Hybrid

Retain VWL-based controls with minimal change

Action

  • Continue using VWLs or equivalent extracts to identify breaches.

  • Make minimal changes to control logic.

  • Accept detective controls as the primary mechanism.

Target State Score

1 / 5

Change Impact

1 / 5

  • No meaningful change to control operation.

  • Minimal retraining or process change.

Business Benefit

1 / 5

  • Short-term continuity only.

  • No improvement in risk posture.

What this option gets

  • Avoids redesign of controls.

  • Maintains familiar reporting artefacts.

  • Minimal disruption to compliance teams.

What this option does not get

  • No uplift in control effectiveness.

  • No move toward preventative controls.

  • Continued reliance on fragile, manual extracts.

  • No improvement in timeliness or customer outcomes.

Key Risks and Considerations

Business Risk

  • High likelihood of ongoing audit and regulatory issues.

  • Breaches detected too late to prevent customer harm.

  • Reinforces weak control culture.

Delivery Risk

  • VWLs may become harder to support or less reliable over time.

  • Increased manual reconciliation and interpretation.

  • Control logic becomes opaque and hard to defend.

Accelerator

  • None material.

  • This option deliberately avoids improvement.


 
 
 
