Borrower versus iBorrower, more context please!

On Sunday I will travel to Ontario to present at the 20th Annual Conference of the Credit Scoring and Risk Strategy Association.  The conference agenda is action-packed!  My talk is on context preserved scoring, a term I recently coined to describe an enhanced credit scoring approach that is described in detail in the book Sunny Zhang and I co-authored on credit risk assessment.   

As you probably are aware, credit scoring buckets loan applicants into risk homogeneous score ranges, yet people occupying the same credit score bucket (or even having the exact same score) are not necessarily similarly situated.  With context preserved scoring, people with the same number are both similarly situated and have the same score.  As a result, context preserved scoring offers some significant advantages.

Borrower > iBorrower, so mind the gap!

Context preserved scoring (CPS for short) leverages the best that data, scientific methods and judgment have to offer in granting credit.  CPS applies to loan underwriting the same basic process and agreed-to principles used at the highest levels in corporations and in boardrooms.  Trust in that lending process is crucial, and it goes both ways.  Lenders seek assurance that they can trust a borrower’s pledge to re-pay the loan.  Borrowers want the lender to understand them and the context around their loan request, and they seek greater transparency into the credit qualification process and outcome.  CPS seeks a richer borrower context that includes alternative data and payment vehicles, insurance coverage, borrower traits, circumstances, behaviors, and even borrower values, wants and needs.

Borrower - iBorrower = Lending Information Gap

We must not lose sight of the people behind the numbers.  There is definitely a gap between what gets captured and what's relevant.  Knowing more about the borrower is an area of opportunity for lenders today.

Those lenders who can make inroads and incorporate more borrower information of the type described on the slide will find it is a win-win situation in many respects, not the least of which is that they could not only better predict, but actually influence, borrower behavior in a positive way for everyone!

For example, if having insurance were a factor in loan underwriting, borrowers might seek affordable coverage to better protect themselves and their family against financial strain if unforeseen adverse circumstances should materialize.  Or, if average monthly savings rate over the past year was a factor, borrowers might seek to save more regularly for a rainy day.

My presentation explores the nature of a CPS system, its development, distinguishing features, operation, validation, maintenance and uses.  Comparisons with traditional scoring systems are made and discussed.  CPS system advantages are noted relative to numerous points along the lending value chain.  Preserving and enriching context has far-reaching consequences, such as greater inclusion and credit access, elimination of system overrides, more effective marketing of credit products, improved credit account management strategies, more effective loan portfolio management (including securitization, security rating and investor reporting), and more pro-active and accurate asset quality monitoring.

I hope to see you there!


Buy HPA Now!

SAS Global Forum is taking place this year in my home town -- San Francisco.  I feel especially proud and moved by the words of Dr. Jim Goodnight, SAS CEO, who spoke at the event last night, telling customer attendees: "Our mission is to keep innovating to support the great work that you do."  A great example of the innovation that Dr. Goodnight is referring to is the SAS High-Performance Risk solution.  I have had the good fortune to support that solution from a product marketing standpoint, and it is amazing what it can do!  Among other things, it empowers risk professionals to quickly obtain precise answers to very tough questions concerning their current risk exposures so that they can make well-informed decisions.  Those decisions include what they must buy, sell, hold, or insure to properly lock-in gains or attractive funding and limit market and credit risk, while protecting liquidity of their positions -- even in highly volatile and stressed markets.  This is an area where I spent five years of my career as a balance sheet management analyst and fixed income portfolio strategist.  Boy, if only I could have had this solution back in the day! (Note: I explain why in video #4 in this post.)

Senior Vice President and Chief Marketing Officer Jim Davis also addressed the gathering, noting that: “This is a significant moment in SAS’ history as we introduce high-performance analytics in-memory capability. It is tremendous what we can do today with this technology.”  Yes, these are exciting times at SAS and very promising times for our customers who are now able to harness the power of HPA in order to solve their most vexing and complex business problems.  Those companies who adopt this high-powered approach will be rewarded not only immediately with the means to re-think the manner in which they operate, but also by virtue of the fact that they will be preparing for what the future will hold as exascale computing becomes commercially available in the years to come.

In two past posts, I sought to explain what HPA means to modelers and what HPA means to CEOs.  I would like to invite you to check out videos 3-5 in a series, continuing from video number two on decision making and analytics, which appeared in my April 17th post entitled: Decision-making for the boardroom and beyond.  

In video #3, which follows, I talk about HPA and highlight the evolution of computing storage and power over the past three decades, which has led us to the brink of exascale computing.

 HPA

 

In case you were still pondering the sort of HPA-enabled problem solving I alluded to in my earlier post on "What's in it for modelers?"  then the next video (#4) is for you!  It covers that ground and shares a real-world risk and financial problem that is as relevant and even more complicated now than it was back in the mid-80's when I first encountered it.

 HPA & Problem-Solving

 

I'll conclude this post with what I see as perhaps the greatest promise of HPA as a means to spur imagination and help executives not only develop better strategies for achieving their business goals, but also imagine goals which would prove even more fruitful to pursue in the first place!  I hope you find the final video (#5) in the series to be thought-provoking!

 HPA & Imagination


Director decision making -- a sensible approach

Decision making in the board room is an interesting topic indeed!  In her blog post today entitled Guidance for Director Decisions, Alex Lajoux, NACD Chief Knowledge Officer, addresses the philosophical starting point for a new NACD publication entitled: Director Decision Making -- a Sensible Approach by putting a twist on the famous quote from Shakespeare's The Tragedy of Hamlet, Prince of Denmark:

"To decide, or not to decide, that is the question!"

Oftentimes decision makers feel that their situation, or company, is unique.  However, closer inspection and some reflection will most certainly expose some common threads.  That's where the realization occurs that a well-thought-out and carefully crafted process can advantageously come into play.  Decision-making lies at the heart of a company operating model, and the quality of decisions often spells the difference between a successful venture and a losing proposition.

And, of course, everyone loves a winner and we congratulate leaders all of the time when they experience a successful outcome.  But consider for a moment:

Question: If we have a successful outcome, does that mean we made good decisions?
Answer: Maybe, but maybe not.

Question: Conversely, if we have a bad outcome, does that mean we made bad decisions?  
Answer: Not necessarily.

Execution is a critical component to be sure, but the seeds of failure in execution can be sown in flawed planning and decision making that fails to uncover any gaps between capabilities and capacity to perform versus the goals.

 I have some additional questions for you! 

Question: Has anyone seen the national statistic on what bad decisions cost annually?

  • Question: What would it mean if you could make 2% more good decisions and 3% fewer bad decisions at your company?
  • Question: Would that be a big number?

Why do directors need an approach to decision making?

In the limited time they spend meeting face to face at board and committee meetings directors may make many important decisions that affect shareholders and other stakeholders, such as employees, customers, regulators, and local communities.  Despite the board’s vital role as a decision-making body, directors rarely employ tools to support the decision-making process. At the same time, we know that:

1. Collective wisdom, even if qualified, does not always ensure good decisions.
2. Experience and common sense will not always be sufficient to see the Board through.
3. There is a tendency to define the quality of a decision by its outcome.

Some additional points about this publication

This publication is structured as a series of progressive questions for decision makers’ consideration. There is a worksheet listing the questions located in an appendix. Not all the questions will be applicable to all situations, but together they form a systematic approach to board decision making.

Directors can work on the questions independently and compare notes at a meeting, or they can answer them collectively with the board chair or lead director facilitating. Directors can also use these questions in reviewing management’s decision-making process.

The process described in this book is intended to chart a practical path for reasoning through decisions in a deliberative manner. We offer it as a sensible approach that can help directors make the best possible decisions for their organizations in a changing and challenging world.

The role of technology

Naturally, technology can play an enabling role in situations where decisions are highly complex, involving many rules, assumptions, constraints, multiple objectives, and a considerable variety and quantity of relevant information that should be considered.  In my prior post on "Quality information for the board" I pointed out that asking the right questions leads to better decisions.  That's where the process comes in, as described in the NACD publication on decision making.  But what about the answer to the question I posed: "How can Boards more effectively make decisions, such that all relevant factors and attractive alternatives are identified and taken into account, and so that risk, value and time preferences are weighted, and all information, models and probability assignments are validated and well-documented?"  Well, on that front, SAS has solutions in the area of SAS® Decision Management that afford:

  • Integrated decisions. By embedding rich information and analytics services directly within operational applications, SAS brings the value of information and analytics to the point of decision. In addition, SAS provides a closed loop continuum that cycles analytical results back into the information and decision life cycle.
  • Rich analytics. While there are many solutions available that help organizations manage their processes, none include the depth and breadth of SAS Analytics. Decisions based on analytics applied at the moment they are needed can lead to superior results that enable competitive advantage.
  • Ability to manage business processes, workflow and collaboration. With SAS, you can streamline interactions that relate to the decision process or analytics life cycle through the use of business rules, including the ability to make investigative processes more efficient to reduce costs or prevent fraud and waste.
  • Shortened response times to real-time events. By monitoring and analyzing real-time streaming events, SAS is able to identify anomalies, threats and opportunities faster than ever. Real-time analytical capabilities automatically provide the most appropriate responses to mitigate risks or exploit opportunities. The ability to correct for events relies on analytics being embedded into organizational processes.

I welcome any/all comments or questions on this topic.  Don't be shy!


Decision-making for the boardroom and beyond

Last Friday I co-presented a session on decision-making in the boardroom at the Research Triangle Chapter, NACD Directors College. There was a great line-up of speakers on a number of topics that corporate directors must deal with on a day-in and day-out basis. The NACD Directors College Agenda consisted of the following sessions:

I was able to attend the full day, which proved to be a great learning experience. I am a firm believer in continuing education. In fact, I picked up several points from the first presentation relating to duty of care, business judgment rule, and duty of loyalty that I referred to as I delivered my portion of the second session!

Decision-making and the value of process

 Good decision-making is a key driver of sustainable success for any company.  Companies possess vision, they seek to instill a core set of  values and they set performance goals. 

The question is "How do they achieve those goals?" -- The answer is "One decision at a time!"

How decisions are made is of great importance and that is where process comes into play.   A process can help where memory fails, or attention wanes or is interrupted, or when thoroughness falls short of sufficiency.  A process for decision-making can ensure that necessary and sufficient questions are addressed before a decision is rendered.  It can be customizable, so that only certain questions may apply in a particular situation, but it forces the decision makers to make a conscious choice of what is, or is not, required. 

No process can guarantee a good decision, but a good process can reduce the likelihood of a bad decision.
Charles Re Corr

So, you may be wondering "What would a good process for decision-making look like?"  Well, actually I have been working on a project for three and a half years to devise a sensible and practical approach for making decisions. 

Decision-making book due out in May

Many years ago, Charles (Chuck) Re Corr conceived of writing a book that would set forth a high-level characterization of a simple, yet comprehensive process, including a checklist of basic decision-making steps that any decision-maker or decision-making body could easily comprehend and follow.  If born of experience, Chuck’s thinking was that a simple, well-thought-out process could help people navigate complex situations.  At his invitation, I joined him in his effort to come up with a decision-making methodology that was simple and high-level, yet thorough and effective.  The result was a sequence of twenty questions that decision makers need to consider.  The first ten questions deal with defining the problem and the remaining ten questions deal with making the decision.  In our session at the NACD Directors College, Frank Gozzo covered problem definition, and I focused on the ten questions around making the decision.

The entire process is described in an NACD e-book publication that is scheduled for May 2013.  The book also delineates those decisions which are the board's alone to make.  It will be available online from the NACD Bookstore, and possibly also on Amazon (not confirmed).  Be on the lookout for another post in May with some additional thoughts about the importance of good decision-making in the boardroom (and a link to where you can download the e-book).

Connecting the dots between decision-making and credit scoring

It turns out that the same basic principles that apply to good decision-making in the boardroom also apply beyond that realm to the C-suites and right on down to the fundamental business operating units.  In future posts, I will tie these results back to my earlier work, including the pioneering approach Dr. Zhang and I have described in our books on lending, and advances in the area of credit scoring and loan decisioning.  I am actually presenting on this subject in Ontario, Canada in late May.  My talk is entitled: Context Preserved Scoring -- Enhancing Loan Decision Quality and Transparency.  Expect to see a mid-May post with more details on that subject!

 Decision-making and analytics

It seems appropriate to close with part two of my five-part Buy HPA Now! video series that deals specifically with the topic of decision-making and analytics.  The video explores the give-and-take between data-driven decision-making, analytical decision-making, and judgmental decision-making.  Sometimes there are decisions in business and in life that have extreme consequences.  In those situations, it may come down to answering the fundamental question: 

Which do you trust, science or your gut?!

The video explores alternative answers to that question and makes the case for balanced decision making that leverages the best that science and experience-based reasoning and knowledge can provide. 

 

 Please invest a little time to view this and let me know what you think based on your own analysis or straight from your gut -- your choice!


Imagine HPA in an exascale world!

I will be sharing thoughts about high-performance analytics (HPA) next week in Southfield, Michigan at the Great Lakes BI & Big Data Summit.  In particular, I will point to advances in computing technology that offer opportunities to re-think how people, processes, data, and systems can combine to create better outcomes for an organization. High performance analytics enables clearer vision, better and more timely decisions, and improved execution.

My talk provides a glimpse into the future where exascale computing (billion-way concurrency) will enable corporate executives to more fully understand and optimize all aspects of their operations and form decisions based upon a unified interactive and near real-time system that captures the essence of the business reality.  This has implications for business leaders today, who must either prepare to leverage this major development or risk losing market position to those who invest sufficient time and resources  to understand, acquire and begin using HPA now, versus down the road.

What my HPA talk will cover...

 

HPA -- it's about more than speed

I will illustrate with real world examples the numerous benefits of HPA that extend beyond pure solution speed.   The ability to conceptualize and communicate complex and large-scale business problems is a key challenge that I will also address and illustrate with a very concrete example.

The upshot of HPA in an era of exascale computing will be a new generation of decision-makers who, liberated from their waiting-for-answers mode, will experience far greater operational agility as they exercise their ability to re-frame problems on-the-fly, and gauge the joint sensitivity of results to a multitude of assumptions and big data.

HPA offers more business options and opportunities

The implications for how executives will operate are significant and their emphasis shifts from figuring out how to achieve goals to conceptualizing an even better and yet achievable set of goals to pursue.

It’s envisioned that this type of high-performance-enabled analytic system might function for a business leader much like a walking stick that, after a period of time, the brain fully accepts as part of the anatomy!

This has the potential to greatly accelerate learning cycles, speed decisions and execution, and facilitate the sort of imagination and innovation that results in greater vision. This, in turn, opens up a larger set of options and opportunities for organizations as they strive to achieve their goals.

I will share perspectives and several examples drawn from SAS solution successes and personal industry experience.

I look forward to seeing those of you who can make it to this event, so please come over and introduce yourself!

 


Enterprise GRC payback for SteadyBank

[Our final SteadyBank episode finds Ned in Jake's office.  It's November 1 and the board meeting alluded to in our last episode is tomorrow.  Ned has had some help from Paul Winkler and his staff and the GRC vendor on quantifying the system benefits.  Next, Ned got the benefit estimates refined and blessed by SteadyBank's CFO, William (Bill) Cutter.  As a final check, Ned wants to run the numbers by Jake to see if they pass Jake's "sniff test!"]


The $64,000 question!

Jake asks Ned the $64,000 question!

 
Ned announces to Jake "I've pulled the benefit numbers together, with help from Paul, Bill, and the vendor.  I plan to tell the board how many months were required to recoup our investment in the enterprise GRC solution."

Jake replies, eyes wide open, "Let's hear it!  Time value of money aside, what did you come up with for the total monthly dollar benefit?  That is the $64,000 question, Ned!"

Ned's jaw drops.  "This is unreal Jake!  Wow, I was looking for confirmation, but I never dreamed of independent validation!"

Jake looks puzzled, and then his eyebrows soar.  "Ned, did you say the monthly benefit is $64,000?  I suppose that is not unreasonable for a $10 billion institution.  Still, that is a fast payback for SteadyBank!!  I assume you have the details to back up that number.  What is our supporting data?" Jake inquires.

The $64,000 answer!

GRC metaphor!

"Well," Ned begins, "our GRC solution is analogous to a Swiss Army knife, Jake.  We initially bought it for its risk management capabilities, but once we had it installed and began using it, we realized that it could do much more.  As a result, over the past two years, we have expanded its use into a number of additional areas.  I have a table that shows the evolution, and by construction, how we evolved to the $64,000 monthly benefit, and here it is."  [Ned shows Jake a table that illustrates the progression of benefits as the GRC system usage expanded over time.]


SteadyBank's answer to the $64,000 question!

"This is a doozy of an exhibit for the board book!  They'll love it!" exclaimed Jake, continuing, "Very interesting indeed!"  Jake quickly runs through the numbers, and he observes, "Ned, it is interesting to note that the risk components implemented first in 2010 account for 40 percent of the ultimate benefit of the system as it is used today.  I suppose that is the 'R' in the GRC solution, right?"

"That's correct Jake," replies Ned, continuing, "Last year we determined to implement the audit, policy and regulatory change management components, which cover the 'G' and the 'C' parts of GRC!  So, this year we decided to add targeted areas where there was the greatest benefit and/or perceived risk that we wanted to address.  Unfortunately the vendor management and IT Security portions were not begun until mid-year, which was after we had the big push on all of those changes, which combined to form a 'perfect privacy, vendor, and change management storm!'"

Jake nodded his head in agreement, saying "Ned, hindsight is always 20/20!  The $2.5 million we need to explain tomorrow to the board is also a future 'cost avoidance benefit' example that we need to underscore.  The numbers you have shared above are conservative in that respect, because that annualized dollar benefit estimate for IT Security and TPP risk management alone is roughly $85,000, which says that if SteadyBank could avoid the type of incident we just experienced through the use of the GRC solution even once every 30 years it would be worth it to us!  Ned, I would call that out big-time!  And, looking to the future, SteadyBank can continue to accrue even greater benefits from the enterprise GRC solution as we discover more good uses for it!"

Ned smiled and nodded in agreement, replying, "Jake, I knew you would help me bring out the most important points, and with just the right emphasis on each one.  You can truly make lemonade out of lemons!  Furthermore, I think your point about:

 'The future benefits to be accrued by SteadyBank due to our ever-expanding use of our enterprise GRC solution are unlimited!'

is precisely the quote that our vendor was looking for!"

"I am really looking forward to the board meeting now!" Ned added.

"That's a good thing," replied Jake, "because you will own center stage with your presentation."

"I certainly hope so," Ned said, beaming with delight, "I love to tell a good story!"

[Note: This concludes my nine-part GRC series featuring SteadyBank and its cast of characters. I encourage you to check out another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!)  For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.]

Drawings © 2012 Brad Abrahams

A final word

My primary purpose in this blog series was to realistically illustrate the use and value of a GRC solution in a bank. I hope you found it to be both informative and entertaining. While I opted to inject some humor on occasion, the subject of GRC is no laughing matter. I am very passionate about principled achievement through a strong ethical culture, proper tone at the top, strong internal controls, mutual respect and collaboration among employees and a mindset of acting in the best interest of your customers.

The storylines and characters in each of the episodes were purely fictional, and any similarity to actual situations or real people is purely coincidental. If you liked this story-telling approach to illustrating the value of GRC please write me at clark.abrahams@sas.com or post a comment and let me know. Thank you!


Keeping a watchful eye

 

This week's episode is installment number eight in a nine-part series aimed at fostering understanding of GRC solutions.  It's now October 25, 2012, and it has been six months since the problems cropped up at SteadyBank. The full financial impact of the loss events that have occurred has now been realized.

Ned Thomas, SteadyBank CRO, and Jake Jabber, COO,  have spent the better part of the morning reviewing the financials and the details behind them, which were accessed through their GRC system.  Our episode begins with Ned briefing Jake on what he plans to tell the board, which has had many sets of watchful eyes on mounting financial, regulatory and customer relationship fallout.

Informing the board

Jake tells Ned, "SteadyBank's GRC solution captured all of the results. Bill Cutter told me it was amazingly easy to prepare his summary for the upcoming quarterly board meeting. Essentially Bill will simply provide the financial facts, and you and I will follow, and then provide any answers to questions from the board." Jake shares, "Bill's key points are:

__________________________________________________________________________________________________

Incident                                Financial Effect   Direct Recovery   Ins. Recovery   Net Loss
1.  change in check posting order,
    misplaced mail, tardy disclosure    $ 8,000,000        $ 1,200,000       $ 4,300,000     $ 2,500,000
2.  TPP customer information loss       $   700,000        $   150,000       $   550,000     $         0
__________________________________________________________________________________________________

and I think the only new information is the insurance claim payment of $4,300,000 that should put the board in a good mood after 22 weeks of perspiration and worry about the possible rejection of the claim for the reasons initially raised by our insurance carrier when we first filed in May."

Ned and Jake huddle and strategize on what to do!

"Listen Jake," explains Ned, "there will be plenty of blame to spread around in the board meeting.  After all, the last quarterly risk assessment prior to the incident clearly showed trouble was brewing," Ned emphasizes.

Ned continues "Had management paid closer attention to the GRC Quarterly Risk Assessments we could have done a better job of managing the communications around the processing change."  Ned points to the screen on his laptop (shown below).
 
 
 

GRC signal of coming trouble

“We also would have been more on our toes to spot issues associated with the downsizing initiative, as employee risk was rated high in the risk self-assessment!" Ned notes wistfully.  Jake responds "Well, you're right Ned, of course. If I recall correctly, Cutter's loss figure of two and a half million dollars does not include damaged customer morale, a strain in our regulatory relations with examiner-in-charge Tom Scrutiny, or the inevitable increase in next year's insurance premiums. We need to tell the board about the monitoring program you put in place, Ned, which will ensure that SteadyBank will not have any repeats of this sort of trouble."  "Yep!" is Ned's reply.

Two key points

Ned shares, "In addition to control strengthening around our outsourcing and system change management process, I am going to emphasize two other key aspects of our GRC process enhancements to our board."  Ned continues, “The first is better management of project concurrence risk. I created a slide to portray what we had going, and, in hindsight, it was a 'perfect storm' waiting to happen.”

Perfect operational storm in the making!


"That is a great depiction of the risks associated with all of the change that was occurring at the time Ned -- I like it!" remarks Jake. "So tell me, Ned, what is the other thing you had in mind to share with the board?" Jake inquires.

"Continuous assurance!" exclaims Ned, continuing "Check out the next slide where I lay out conceptually the “big picture” of how we leverage our GRC solution to achieve on-going monitoring of our risk exposures and control strength!"  Ned goes on to highlight for Jake what he intends to present in the board meeting in greater detail.

Assurance for the board!

“Continuous monitoring consists of processes that your people, Jake, have put in place to assess whether your policies, procedures, and business processes are doing what they’re supposed to do.  By identifying the control objectives and test conditions and by establishing automated risk exposure tests based on KRI benchmarks, trends, and correlations, SteadyBank has found 3 activities and two dozen transactions that are non-compliant and/or posed unacceptable risk over the past two months,” Ned explains.  “I like the fact that you are providing some good information on the progress we’ve been making—the board will find it reassuring,” Jake interjects.

Ned provides more highlights, saying, “Continuous auditing provides for real-time automated monitoring and review of the business, and it incorporates analysis involving the use of rules-based reasoning, predictive and statistical modeling, and other software tools.  Our internal audit team's charge is control of all controls  in the bank.  The board needs reassurance in the wake of this year's problems that our internal controls are effective and sufficient to avoid any repeats.  SteadyBank’s internal auditors collaborated with our solution provider, SAS, to devise over 300 risk indicator measurements and several dozen new daily control checks that will afford more timely assurance that our data is good and our business processes are under control.  this was the end result of applying a very strong CAVT control testing regimen that verifies our internal controls are:

  • Complete (accounting for all scenarios of transactions),
  • Accurate (well-maintained and designed to ensure business processes and practices are compliant with current policies, laws and regulations),
  • Valid (checking that controls effectively limit compliance risk and continue to perform their intended function),
  • Timely (ensuring controls are run at sufficient frequency to prevent significant failures from occurring).”

“This is excellent,” responds Jake, saying “Ned, you have prepared well and have put things in the best possible light, given the circumstances.”

Measuring GRC system value

“We couldn’t have done it without the help from our GRC solution vendor. They took an ownership interest in the risk management, compliance and governance challenges faced by SteadyBank.   They really helped us to better appreciate and leverage the tremendous value in their solution.  As a result, I am preparing some information for them relating to return on investment (ROI) for their Enterprise GRC solution that we agreed to share as a success story.  As soon as I pull that information together, I will run it by you, Paul, and Bill Cutter,” Ned promises.  “I look forward to reviewing it, Ned, and let me know if the vendor wants a quote from a CCO.  I will gladly prepare one for you to pass along,” offers Jake.

As Ned is leaving Jake's office, Jake notes, “In addition to our keeping watchful eyes on things, we have the benefit of our GRC solution that is automatically and continuously monitoring SteadyBank’s operations!”

 

A few of SteadyBank's most watchful eyes!

 

Note: Their GRC solution will help the SteadyBank Team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem. This will enable them to take swifter corrective action.  If you are interested in this nine-part GRC series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series, please click on the following title: Understand GRC through SteadyBank. Keep a lookout for the final post in this series that will go live on Thursday, November 1st. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


Fixing the process

Ned Thomas, CRO

Ned sees several layers in the process for "fixing the process." SteadyBank's enterprise GRC solution will factor into them all, and will serve to not only effect the needed changes, but also communicate what is expected, and monitor and report on performance relative to those changes.

At the top layer, there is needed improvement to the internal controls. That will entail modifications to policies. The next layer involves changes to business processes and procedures associated with the affected policies and related to the recent loss events and communication issues and execution failures (these represent additional layers).  In addition, there need to be stepped-up audit frequencies and/or validation requirements to ensure that policies are being followed. Ned decides to deal first with the immediate process fixes and deal with the monitoring aspects afterwards.  For exposures that cannot be well managed and pose too great a threat, either risk transfer should be sought or the activities causing those exposures should be either scaled back or eliminated.

SteadyBank's GRC system -- Ned's biggest asset!

Ned sees the GRC solution as his biggest asset as he attempts to button things down.  This is because linkages between all of the GRC components have already been created within the system in order to ensure that nothing slips through the cracks.

Ned quickly pulls up the causes of the problems and notes them:

  • Lack of communication/miscommunication
  • Lack of management attention and monitoring
  • Failure in planning and risk assessment
  • Insufficient monitoring of third-party provider
  • Inadequate software testing prior to deployment
  • Malfunctions in software or hardware

Ned is also interested in any regulatory violations, plus business disruption and customer impact. He decides to examine incidents related to disclosure and information privacy.  To do so, Ned simply clicks on the incidents tab, applies a defined filter, and selects only those incidents that are under current investigation.

Ned uses a pre-defined view he created to zero in on the relevant disclosure issues

Next, Ned is easily able to trace through the linkages, which he opts to do through the tabular sections under each incident which he clicks through in turn. He maps out the information and he probes deeper into an apparent lack of management attention and monitoring by Tech & Ops when passing non-public customer information to third-party providers (TPPs). This is a clear violation of SteadyBank's Gramm-Leach-Bliley Act (GLB) Policy. "Boy, we're looking at some additional fines for SteadyBank -- that will certainly put some salt on our wounds," Ned told himself. Ned calls Tech & Ops Manager Paul Winkler to get the straight scoop.

Process fix or people fix?!

Paul Winkler, SVP, Tech & Ops Manager

"Ned, I have determined that this was brought on by turnover of key resources and lack of motivation due to the staff reduction initiative which hurt employee morale in the division and caused longer working hours for those who retained their jobs," reported Paul. Hearing no response, Paul continued, "I had a conversation with Pete, who has been one of my most trusted lieutenants. Pete was very upset over having to let go a couple of his long-time staff due to the corporate ten percent staff reduction initiative."

Paul's voice trembles a bit as he relates, "I pressed him pretty hard, and he finally admitted that he and his remaining two system programmer/analysts failed to exercise careful oversight of the TPP consultants who were brought in to handle the system conversions for check payment posting and electronic (checkless) payment processing. They blamed Bill Cutter, CFO, for the layoffs and I suppose Pete thought it might teach Bill a lesson. I am very angry with Pete, but the fact is that we do not have his area well-documented and I can't really discipline him until the situation stabilizes." "It is a royal mess over here," Paul concluded.

"Thanks for your candor, Paul. I will take this up with the management team and Jake Jabber will circle back with you. By all means, try to get going on a knowledge transfer initiative before all of the walls go up," Ned advised and he ended the call. Ned could see that, at the root, there were serious people issues, which he proceeded to note in the system.

A fix will entail some people-related controls!

Putting heads together

Ned heads down the hallway to Jake’s office. When he arrives, Jake is sorting through some conference material on his desk and he pauses as Ned appears in his doorway. “Can I buy you a cup of coffee?” Ned inquires. “No thanks Ned.  Come in and have a seat!” Jake replied. Ned shares what he has learned from the GRC system and his subsequent conversation with Paul.

Jake Jabber, COO

“Just as I suspected,” Jake remarked, and he continued, “I attended a conference on governance and risk management and two of the top five risks were human capital risk and third-party risk. Hence this comes as no surprise.” Jake punched the speaker phone button and speed-dialed to bring Paul into the conversation.

Paul answers the call, saying “Hi Jake! Ned told me I would be hearing from you. I must confess that I have been racking my brain trying to decide whether I need to use the carrot or the stick at this point with these knuckleheads. What do you think I should do?”

Without a pause, Jake answered, “Paul, I suggest you use the frozen carrot!”

“What’s the frozen carrot?” asked Paul.

“You give them the frozen carrot and you tell them they have to eat it or give it back," replied Jake, concluding, “And in the latter case, you then use it as a stick!”

Ned inserted himself into the conversation at this point, insisting, “Listen, all kidding aside, I have worked hard to foster an open and honest culture at SteadyBank where we all listen to each other’s opinions respectfully, we hold ourselves and others accountable for results, and we trust the judgment of our leaders.”

Jake agreed, and chimed in saying, “We can and must do better Paul, and you need to make it a top priority to set the proper tone and instill those values throughout SteadyBank’s Tech & Ops workforce.”

Giving direction

Jake tasks Paul to get answers to the following five key questions on the third-party front:

  1. Are our contractors obligated contractually to abide by our policies and regulatory requirements?
  2. Do our risk assessments cover third-party risks, and if so, what risk areas are covered?
  3. How do we supervise third-party activities and what structures, key performance measures (KPIs) and incentives/penalties do we have in place to control TPPs?
  4. How thoroughly do we check out TPPs before hiring them?
  5. Do we have insurance coverage for outsourced activities and is it adequate?

Jake advised Paul, “Call Bill Cutter to find out about the insurance, and please coordinate with Ned on the rest of the items.” Paul agreed and Jake ended the call. “SteadyBank has some significant third-party risk exposure, and I have no doubt that we need to strengthen our governance around third parties ASAP,” he told Ned.  Ned agreed with Jake and he returned to his office.

Policy management a la GRC!

Ned immediately clicked on the compliance tab in SteadyBank’s GRC system to do some policy creation and revision, which he plans to circulate with the management team prior to next week’s monthly risk management committee meeting.

Fixing the process involves policy management -- an integral part of the GRC solution!

Thankfully, his GRC solution provider, SAS, provided some very helpful templates "out-of-the-box" to assist him, such as a policy on policies, a procedure for creating and updating procedures, a companion template procedure, a procedure for creating and updating policies, and a template policy, a procedure for creating forms, and so on. Also, there were lots of example procedures that addressed banking regulations.

Ned pulls up #10301 SteadyBank Guideline Policy (policy on policies) to review core elements in light of the five questions Jake posed to see if there was something that could possibly be generalized and added to the policy template.

Policy on policy!

In terms of structure for policy documents, Ned sees the core elements as follows:

Policy

  • Purpose
  • Scope
  • Critical Parameters
  • Citation to Companion Procedure
  • Penalty for Non-compliance

Jake decides, based on Jake's first question, that structure needs to be added to allow for citations, or linkages, relating to specific contracts and corporate agreements where the policy in question comes into play. That way:

  • SteadyBank Procurement will be more "policy aware" when negotiating contracts, and
  • Risk Management will be more "contract aware" when reviewing proposed changes to policies and gauging their impact.

"This is great!" Ned tells himself. Just then, Ned's cell phone rings, and it is Paul.

Customer data compromised

"Hey Ned," Paul beckoned, "There has been a development on the TPP front. It turns out there is a missing portable storage device that a TPP programmer took home to work on the computer processing development. It has an image of half of our credit card customer billing records, complete with social security numbers, addresses, birthdates, and the whole works! The individual in question has been having home remodeling performed and there have been a dozen different workers in and out of his home on a constant basis over the period, and he suspects one of them made off with the external drive, but he has no idea even when it occurred because he got pulled out of town for several days and left the house key under the doormat, only to return and discover the device was gone."

Ned responds, "Paul, this is important. Was the device password-protected? Also, was the customer data encrypted?" "No to both!" was Paul’s reply.

"This is potentially a 'worst nightmare scenario,'" said Ned, palm on forehead. "Paul, you need to get with Jake, Legal and our physical security department and take immediate action. By tomorrow, I need to contact our primary regulator and by then I want to know precisely which half of our cardholder customer base is affected and what your plans are to issue new cards, freeze the ones they have, and so on. We could be looking at identity theft, worst case." Ned wonders how things can get this far out of control and he pulls up the schematic for customer data flows he worked on with Paul earlier in the year.

Customer data flows through SteadyBank!

Ned thought he had everything covered, but now he knows better.  Systems are one aspect, but Ned now realizes that he forgot to consider the human element.  Ned and Paul not only needed to consider how customer data flows through SteadyBank, but they also need to consider how it could flow out of SteadyBank -- in other words, how to make customer data secure!

More fixes needed

Two policy changes we need to make immediately are to revise our GLB and TPP policies to require device passwords and data encryption on all bank data with application to all third-party contracts going forward, and retroactively on any projects "in play." In addition, we need to ensure that any data transmitted or "shipped" is also covered. "I don't want to worry about hackers intruding into our network and servers, nor do I want to sweat it out about any FedEx trucks getting hijacked with our data on them!" Ned tells himself.

Next, Ned calls Jake and brings him current on the situation. "Ned," Jake advises, "we need to look into the insurance side, especially to examine our financial/professional (FINPRO) insurance coverage and find out what our TPP has on their end. If identity theft is involved, the consequences might not materialize until sometime in the future, meaning we may need tail coverage on these occurrences, or set additional capital aside, i.e. self-insure. So, let's engage Bill Cutter and our friends over in the Finance Department, who can carry the water on these aspects."

[Narrator: A general realization creeps over Ned, Jake, Paul and others at SteadyBank that "fixing the process" is going to amount to much, much more than originally imagined. Fortunately, the majority of the information required and processes to achieve the desired end result reside in SteadyBank's GRC solution. Fast forward six months, the next episode takes place on October 25, 2012! At that time, we will see the full financial impact of the loss events that have occurred. We will also witness how the GRC solution can help the SteadyBank Team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem. This will enable them to take swifter corrective action.]

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series, please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


Dealing with the crisis

 

Ned Thomas, CRO

Ned and Jake are of a common mind on next steps for dealing with the crisis.  Ned realizes the fastest way to achieve desired results is to drive actions through the Enterprise GRC solution. In this way, Ned reasons that all appropriate stakeholders will be informed, status will be taken and reported, and accountability for meeting timelines on deliverables will be assured.

"Boy," Ned thinks out loud, "I would be cooked if I had to rely on dreadsheets, unread e-mails, voice mail, and sneaker-net!  I am going to get right down to business this minute!"
 

GRC solution is "system of record" for corporate issues

Ned logs onto the GRC solution, and immediately pulls up the issues he and others have been posting to the system.   

Ned uses a pre-defined view he created to zero in on the relevant issues

Ned has not wasted any time. While meeting with Jake, Paul, Andrew, and third-party provider management, he put the action plans and associated timelines into the solution as they were formulated, eliminating transcription time for him and ensuring that he was capturing everything that the system requires, thus avoiding the need to go back multiple times and quiz information providers on information gaps.
 

GRC solution links issues with action plans

 
Ned next reviews the action plan associated with the fifth issue on the list, concerning the need to inform customers about the processing problems that occurred.  For that, Ned will seek help from SteadyBank's Corporate Public Relations Department in order to craft an appropriate message.

Ned is satisfied with what he has put into motion, and he checks his plan for fixing the problem with the third-party provider over in the electronic payments area. 

Action plan for Third-Party Provider (TPP) in SteadyBank Electronic Payments

Ned has the required actions - he just needs to initiate the approval process and he and Jake can report to Peter Principal, CEO, that they are dealing with all of the issues and that it appears they have headed off what could have been a major crisis and loss event.  With a couple of button clicks, Ned has put into motion five action plans aimed at dealing with the crisis, and he will take status twice a day until the major hurdles have been overcome.

GRC solution captures and surfaces early warning signals

Ned knows that Peter will ask if there had been any warning signals that such problems might occur.  Ned decides that he will need to provide a backdrop of what internal control assessments and audits had indicated over the past 2 years.  That will not take long.

Ned uses his "favorites" list to filter out the assessments of interest

Ned clicks on the GRC audit tab.  He uses a "favorite" feature which allows him to view previously defined organizational entities within SteadyBank.  He quickly finds the report he is seeking and displays it on his screen.

Audit scores and trends by SteadyBank operating units

Just as Ned suspected, there were some reasons to be concerned.  They had indications from audit results that sooner or later the pressures and issues in technology, as SteadyBank rolled out its "modernization plan," would play out if not dealt with "head-on."  Further, the upwards trend in HR reflected concerns around expected turnover and the challenges of ramping up staff who needed to expand their skill sets to handle the new web channel and electronic banking.   The alternatives were to replace existing staff with new hires, or contractors, who possessed the needed skills, or outsource the function entirely.
 
Ned decided to examine the quarterly retail banking operations self-assessments that provided the operating unit's perspective.  Ned clicked over to the GRC risk tab in the solution and pulled up the last three quarterly assessments.
 

Operating unit assessments provide more data points

Ned concludes, "Clearly, the handwriting was on the wall, but due to cost control and other priorities the audit results were given low priority -- so much for plausible deniability!"
 
Ned knew that he and Jake would have very little time afforded to them, and the full management team, between dealing with the crisis and finding a more permanent fix.  After all, the CEO would have to answer to Tom Scrutiny, their primary regulatory examiner, and also the Corporate Board. 
 
"Yes,"  Ned thought, "Fixing the process is the next task he will need to address with Jake." 
 
Ned considered what role the GRC system would play in that chapter of the story, and it all started to come into focus.  He is thinking that his next solution "mouse click" will be on the GRC compliance tab.
 

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series, please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


Press release today announcing launch of SAS High-Performance Risk Release 2.2

Today marks the announcement of the latest release of the SAS® High-Performance Risk solution at The Premier Business Leadership Series in Las Vegas, Nevada.  In today’s environment, financial institutions need to make timely and well-informed decisions on a range of portfolio moves from individual security positions through to firm-wide exposures of credit, market and liquidity risk, and possibly macro-hedges.

 SAS High-Performance Risk empowers risk professionals to ask questions – and get fast, precise answers – to address business issues that normally entail significant time delays before results can be obtained.

Risk managers in banking and capital markets need the power to know, and fully understand the implications of, their:

  • exposures
  • price volatility of financial assets held
  • earnings at risk
  • aggregate risk position
  • loss potential
  • appropriateness of limits in risk policies
  • minute-to-minute conformance with limits
  • compliance with regulations

Meeting the challenges

The faster response times made possible by SAS High-Performance Risk enable firms to meet their significant business challenges head-on, while the solution’s scalability ensures the firm’s ability to meet the ever-increasing scope, scale, complexity and pace of change well into the future. Customer issues include real-time risk aggregation, dynamic portfolio valuation, continuous limits monitoring, liquidity management, and counterparty and concentration risk.

Benefits include:

  • Faster, more accurate portfolio risk and exposure measurement
  • More targeted and profitable reaction to market events
  • Ability to plan ahead, anticipate outcomes and formulate contingencies.

Accurate quantification of millions of correlations spanning marketable securities, market indices, economic indicators, and counterparties is no small feat. Aggregating results and calculating interest rate, liquidity, and counterparty exposure based on the full distribution of market states, all in near-real time, is an even greater challenge.  Leveraging patent-pending in-memory technology, the SAS® High-Performance Risk solution achieves dramatically reduced run times, where results are maintained in-memory, enabling instantaneous stress testing, scenario analysis and interrogation of results on multiple portfolios. 

Regulatory pressure a factor

 

In the aftermath of the financial crisis, regulators have come to view markets as more interconnected, with growing transactional volume across borders and ever-increasing complexity.  Regulatory compliance pressures have stepped up to deal with a more systemic view that recognizes the linkages between institutions and across stock exchanges and country/regional jurisdictions that previously were supervised in a more micro-prudential fashion.  Where previously there were silos in local jurisdictions due to differing requirements, different markets and market structures, we now see more of a blend with greater commonality and unification through to asset classifications. 

This movement towards systemic regulation will not likely abate over the coming years.  Consequently, global banks and capital markets firms must continue to evolve and hasten the ways in which they analyze big data for risk and compliance to meet Basel III, Dodd-Frank and other regulations.  Basel III is a) requiring banks to increase Tier 1 capital, b) changing how firms assess, measure and report their liquidity, and c) requiring that they account for their  counterparty credit risk via the credit value adjustment (CVA) metric.  In addition,  the US Dodd-Frank Act's mandate for central clearing and standardization of the synthetic securities market will require all firms that engage in swaps and derivatives transactions to transform their processes in order to achieve compliance.  Yes, there is much work to be done on the regulatory front!

About SAS High-Performance Risk Release 2.2

The latest release affords users demonstrably superior capabilities in the marketplace, such as:

  • Fast distributed calculation for quick risk monitoring and decision making
  • End-to-end risk analysis for complete risk exploration
  • User or third-party risk methods and pricing model interface for openness
  • On-demand in-memory reporting for flexible slice-dice view
  • Integrated view of independently updatable information for enterprise aggregated risk analysis
  • Event driven risk information update for quick and automated data orchestration

 The new release enables large scale simulations, portfolio pricing, and portfolio aggregation in minutes or seconds.  Optional support for event stream processing rapid data injection and event orchestration is now available.  For more information, please visit the SAS High-Performance Risk solution web page.
