Jake invites Ned down to his office. Ned grabs his laptop and heads down the hallway to share what he has found and his concerns. Ned was able to quickly bring Jake up to speed via the SteadyBank Enterprise GRC solution, which he masterfully navigated to substantiate the facts he had been able to assemble so far. Ned is struggling with a difficult puzzle. He believes that with information provided by Jake, he can use the GRC solution to both confirm what Jake tells him and enable him to quickly fit the pieces together to solve it.
Jake listens intently. After hearing all that Ned has to say, he zeroes in on the “change in terms” event, telling Ned, “The customer notification on that one did not go smoothly at all. Our new third-party provider (TPP) had been tasked to access confidential customer information and perform the notification, but it turns out that they had a processing failure on their end that went totally undetected.”
“Undetected!” Ned blurts out. “How so?!”
“Well,” begins Jake, “the operations person charged with responsibility at SteadyBank to oversee the TPP knew he was going to be laid off. He did not effectively manage the transition, probably because he was more engaged in networking activities and finding a new job. He also overlooked adding the vendor to the approved TPP Information Privacy Approval List. As you know, because your people developed it, SteadyBank has a very thorough Gramm-Leach-Bliley (GLB) Procedure, as directed by GLB Corporate Policy 10101. Problem is, it simply was not executed properly.”
Ned is now thinking that the attrition has to be due to a mounting customer backlash on the posting order decision. “Listen Jake, I think I’m on to something,” Ned shares, “We’re hitting some of our customers with higher fees and they don’t like it!”
Not wanting to consume more of Jake’s time until he has a more complete picture, Ned excuses himself and heads back to his office.
He first zeroes in on the KRIs, where he has risk identifiers that break out regular from premier checking accounts for the east versus west regions on a rolling four-day window.
Ned verifies that the related summary KRI looks at attrition over the past four days for checking accounts in total for each region separately.
Ned glances down at his watch and notes the time. It's nine o'clock. By now the call center and branch offices are open for business. Ned goes to the monitoring tab in his EGRC solution and examines key risk and key performance indicators to see if the problem is widespread, or specific to particular business units. To his surprise, he finds that the eastern region is hit three times harder than the west! Perhaps the change in terms is not the culprit after all! Moreover, Ned sees that there was a dramatic increase in complaints and attrition just in the past four business days.
Ned decides to have another cup of coffee while he ponders his next move. Nothing like a few challenges on his first day back from vacation!
Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. For an introduction to SteadyBank and the main characters in this blog series, see: Understand GRC through SteadyBank. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.