UX Researcher | Founder of Learn UX Seattle | Dive Bar Karaoke Star



Risk and Compliance UX: Re-thinking Risk Management


Evolving the way a global financial services provider performs critical Risks and Controls Self-Assessment (RCSA) through:

  1. analyzing a mountain of data to understand federal regulations;

  2. helping the client understand their user’s needs and motivations in context of compliance; and

  3. creating a unified risk management experience through evidence-based insights.

I - Project Brief
II - Methodology
III - Key Insights
IV - Personas and Journey Map
V - Design Targets
VI - Next Steps
VII - Conclusion

Note: this specifics of this project are on-going and are under strict NDA, so the following will be presented in more of a big-picture, process-driven narrative.


Project Brief

challenge: Risk and Controls Self-Assessment (RCSA)

USAA is a financial institution with a proud history of facilitating the financial security of their members, associates, and their families through a full range of financial products and services. Through a dedication to those who serve, USAA has been choice for the military community for insurance, banking, investments, and retirement products to over 12 million members.

As part doing business as a financial entity, USAA has to be in compliance with all federal rules and regulations governing their daily offerings and services. Ever since the Wells Fargo Fallout scandal of 2016, the Federal Government has kept financial institutions under a microscope. USAA embraced this and took it upon themselves to start a company-wide initiative to become a fully-compliant institution. This is where our UX team came in.

The process in which these institutions evaluate compliance with government regulations is called Risk and Control Self-Assessment (RCSA). We were to develop a tool for RCSA in order to facilitate a more user-friendly approach to their very complex and convoluted process of RCSA.

our team

Our agency team for this USAA engagement was:

  • me as core UX Research Lead,

  • a core UX Design Lead,

  • a Creative Director, and

  • a support UX Designer.

USAA at a glance

  • founded in 1922 by a small group of Army officers, currently employs over 33,000 employees worldwide

  • worth over $30 billion in net worth and serves over 12.4 million members

  • 2018 FORTUNE 100 Best Companies to Work For - No. 19



Discovery and Strategy

The strategy and discovery phase of this engagement was designed to gather user insights and evidence in order to inform design decisions for early conceptual directions. Through a series of increasingly specific user-centered design (UCD) research methods, we were able to deliver actionable user experiences, interaction, and visual designs.

USer research methods

During our discovery and strategy engagement, we used the following research methods:

  • on-site kickoff workshops

  • analysis of over 200 documents of data outlining federal regulation and USAA procedure

  • key stakeholder interviews

  • client employee interviews

  • direct observation

  • on-site immersive field studies of the entire RCSA process


The data we collected through interviews, observation, and federal regulation and documentation review generated enough for us to confidently move forward with analysis.


I consolidated all of our findings into one war room to efficiently collaborate, share ideas, and identify any gaps in knowledge. From here, I worked with the team to come up with a set of key insights that would help us drive our next round of interviews as well as persona and journey map development.


Key Insights

Again: due to the NDA tied to this project, these insights will be presented in broader context rather than the level of specificity the client got.

These are the cornerstone insights that would drive further UX initiatives.


Multiple, repetitive manual inputs were the root cause of inefficiencies across the board

I feel like we’re in spreadsheet hell.
— Experience Owner

Translating this insight to actionable UX: each and every manual input factors in human error, and any sort of error in this process creates major delays. While some inefficiencies are inherent within the process due to it being a government-mandated process, most of these inefficiencies are within our control to fix through User-Centered Design.


Inconsistencies in the RCSA process

Make sure communication for [users] across the enterprise the the same to everybody and that we’re all aligned.
— Risks and Controls Advisor

Translating this insight to actionable UX: there are a set of concrete federal regulations that govern RCSA, yet there are still different levels of RCSA maturity within the various organizations with USAA. Consistency across USAA is paramount to becoming a fully-compliant company, and we can use the tool we are creating to drive consistency.


Despite the very steep learning curve, users are intrinsically motivated to become experts

Before understanding the world of RCSAs, I would not have been able to get through this without a [Senior Advisor] helping me.
— Experience Owner

Translating this insight to actionable UX: novices understand they need guidance and mentorship at first, but they are eager to become self-sufficient as quickly as possible. USAA employees are extremely dedicated and are intrinsically motivated to do their best as they believe in what USAA is doing. We can develop built-in learning and coaching mechanisms within our software to promote a quicker understanding of RCSA, thus empowering our users to better develop their mastery own.

key insight #4

Collaboration is vital to the success of an RCSA

[A good RCSA is] when everyone is participating...when you get good dialogue going...good questions, good comments.
— Senior Risk and Controls Advisor

Translating this insight to actionable UX: within an enterprise as large as USAA, there is always bound to be fragmentation of tools and methods across departments. RCSAs often require departmental collaboration, yet the software and methods they currently use do not promote collaboration. We must build features that simplify and drive collaboration in the tool we create.

Upon presenting our progress to our clients and disseminating our research findings, we were able to continue with our next step of personal and journey development.


Personas and Journey Map

The biggest challenge here was that there were a lot of different users across various organizations, so we had to build concise and meaningful role-based personas.


We used personas as fictional characters created to represent a certain type/role of user who might use our product in a similar way. Through collaboration with the client design team, we reduced a broad range of behavioral and process variables into two categories with four distinct personas:

  • two Primary Personas that were heavily involved throughout the entire RCSA as part of every RCSA core team, and

  • two Secondary Personas that played more of support/oversight roles in verifying an RCSA was done correctly.

journey map

We used a high-level journey map as a collection of all of our insights organized in context of the scoping we did for this Discovery and Strategy Phase.


With the Discovery and Strategy Phase of the engagement coming to a close, we were ready to create North Star Design Targets for moving into subsequent Concept Exploration and Design phases.


Design Targets

As we moved forward with concept exploration, we created seven concise design targets to guide our thinking.

Evidence-driven Design targets

  1. Efficient - reduce the required for certification

  2. Empowering - help users assess risks and controls while building their own mastery

  3. Adaptive - support contextual variations as well as a range of proficiency

  4. Collaborative - involve necessary parties in an effective and productive way

  5. Consolidated - create a one-stop shop experience

  6. Robust - reduce risks of errors and increase confidence in usability

  7. Impactful - increase compliance across USAA

With our Discovery and Strategy phase complete, our Design Targets set, and our client happy, we were ready to move onto Concept Exploration and Design Refinement phases.


Next Steps

With Discovery and Strategy now behind us, we were now ready to start the next phases of our engagement.

concept exploration

Our team now explored design concepts and created prototypes. While this phase was more reliant on our Core Design Lead, I served in a advisory role as I had the most complete picture of the research through leading the Discovery and Strategy phase.

When concepts were ready to be presented I scheduled feedback sessions with stakeholders and users in order to get a sense of direction for subsequent task-based usability testing sessions.

usability testing

We took our prototypes back on-site and tested them with users from varying organizations within USAA as well as varying proficiency.

To make the most of our time on-site with the client, our daily cycle for a week of usability testing was:

  1. test with users on-site at USAA

  2. come together as a team and analyze

  3. refine prototypes according to insights and re-test

Through this we were able to rapidly hone our prototypes and document key design recommendations.

future scoping for unearthed universal pain points

Our team prided ourselves on being able to look at the problem from a holistic view in order to assure we were giving our client a complete solution. During this we unearthed a universal pain-point that was known to all those within USAA that had to do RCSA. This pain-point was an upload process that came after an RCSA was complete. This was extremely rare to find such a universal pain-point due to the fragmentation of tools currently used, so I brought this up to the attention of the team to see if I could do a deeper into it despite it being out of scope for my work. To help facilitate an informed conversation with the client, I created a user flow diagram that illustrates this convoluted process.


Upon presenting this user flow diagram to my team, we took it to the client. To our surprise, we found out that our key stakeholders didn’t even know this was a universal pain-point in the RCSA process.

While I am extremely proud of all of the work our team accomplished throughout this engagement, my personal high-point was unearthing this insight. My team supported me in digging deeper despite it being out of scope, and that was the catalyst to a dialogue that ultimately landed another large contract for the agency to help solve this problem.



This was a big engagement that required us all to quickly learn about the complex nature of the risks and controls that financial institutions have to consider in their everyday operation. As Research Lead, it was my responsibility to assure that our Discovery and Strategy phase provided a solid foundation of insights for Concept Exploration and Design Refinement phases while staying true to project timeline.

Learning risks Management

One of the biggest challenges of this project was quickly ramping up and learning as much as we could about regulatory risks and controls in context of USAA and the Federal Government. Analyzing over 200 documents of data to learn establish baselines, patterns, and trends was very trying team-effort. Every time we would learn something new, we were taking one step forward and two steps back when discovering we had found more questions with each new insight from the mountains of data. To help us maintain timeline, we kept in very close contact with the client through short, 20-minute rapid interviews to clear up questions that came up along the way.

Consistent, clear, and continuing client communications was paramount to this project’s success since we as a team has to learn all of this an aggressive project timeline.

re-thinking risk management

The way USAA was currently handling RSCA (Risk and Control Self-Assessments) were fragmented across organizations, inconsistent, and hindering much-needed collaboration. Not only were we able to pinpoint key areas where we could help USAA re-think how they approach risk management, we were also able to shed light onto larger issues within their RCSA process. Through the research we did to create an evidence-based tool for USAA to streamline their RCSA process, we also shed light onto both specific and broad pain-points within the process that the key stakeholders of the project had never heard of before.

closing thoughts

I couldn’t have asked for a better team to tackle such a complex project. At the core, this project was about taking a large amount complex federal regulatory information and distilling it down into an easily process workflow. We quickly became knowledgeable about regulatory compliance, we learned the USAA structure for compliance, and we delivered a tool to help with RCSA hit their strategic goal of being a fully compliant organization.

My team trusted each other, the client trusted our team, and it’s because of that trust that I was able to properly lead thorough research and deliver solid research. Furthermore, our thorough research unearthed a pivotal piece of the puzzle that ended up out of scope, yet crucial to the holistic solution of how USAA performs risk management.

In the end, we were successful in that we:

  1. rapidly on-boarded to how USAA handles the very complex process of federal regulatory compliance;

  2. designed a tool to make their RCSA process more understandable and cohesive to users; and

  3. unearthed a pivotal insight into a universal pain-point that the client was not aware of, thus allowing the agency to provide a much more complete solution.

For USAA, taking this evidence-driven design approach has both changed the way they think about their risk management, as well as unearthed underlying pain-points they never knew about. This is a win-win project as the client was thrilled to be a part of our evidence-driven design to deliver an intuitive and effective solution, and the agency has since developed a lasting relationship with the client because of the work we did.

Leo’s attitude would be an asset to any project. He’s charismatic and positive and hard-working and brings a team-first attitude that anyone would benefit from. He is a natural systems-thinker and is able to understand complex user processes and deconstruct them in a way that is meaningful and insightful. He’s also just a super nice guy!
— Kristy Sharkey, Sr. UX Designer and Design Lead on project