For that, Ned turns to his GRC system (SAS Enterprise GRC), which tracks all policy changes, operational incidents or process failures, and shows status on issues and their associated action plans. By virtue of the number of customers affected and the estimated cost per account, Ned can get estimates of the loss per incident. Clearly there are controls that failed and some new ones that need to be added. When it comes time to fix the process, Ned will review risk and control assessments and decide what to do. But for now, he needs to make sure he has everything covered.
Ned decides to huddle again with Jake, so he scurries down the hallway and appears unannounced. Jake looks up and sees Ned in the doorway and invites him to take a seat.
Ned advises, "Jake, we need to formulate a good response and get the ball rolling quickly. By next week’s Board Meeting, we’d better have this buttoned down completely, including making the customers whole, and putting together a solid communication around what transpired."
Jake nods in agreement with a concurrent blank stare out the window.
The operational failure by the third party has potentially thrown the change in overdraft pricing into the public spotlight, and it is likely that Ned and Jake will soon see something on the popular Channel 5 Evening News Action Hotline featuring one or more of SteadyBank’s unhappy customers with complaints. It sure would have played in SteadyBank’s favor to get the word out early to customers, in advance of any negative publicity.
Ned suggests, "We need to get with Corporate PR right away to decide on an appropriate message."
"Ok Ned, but do we have our arms around all of the issues yet?" Jake inquires.
"Yeah, let me show you what I have pulled and analyzed from our GRC system," Ned replies, and he shares an export of the 360 degree view that he has annotated.
"This is really great Ned," is Jake's response, continuing, "The pieces are all beginning to fall into place now." Jake further examines the 360 degree view, and notes, “We also need to make the third party reimburse us for the damage done, even though we have financial/professional insurance coverage.”
"You leave the insurance notification to me," Jake replies, "And as for the quantification of the damages, I am putting that squarely on Paul's shoulders!"
Jake recalls the earlier phone call, and tells Ned, "Paul threw Andrew under the bus on the checkless payment problem to take heat off of himself, and I think he needs something more to do this weekend than his usual routine!"
Jake wraps up the meeting, telling Ned, “We need to check with Legal to see what would be reasonable damages to include, such as value of the customer relationship over expected account lifetime. With several hundred customers impacted, the word of mouth effect could snowball to thousands of customers, and the financial impact could be in the millions for us on an annual basis. In addition, the impact on our share price and reputation could prove to be our biggest headache.”
[At this point, Ned and Jake have a plan and have decided what needs to be addressed. In next Thursday's post, they will take appropriate actions to deal with the looming crisis.]
Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution in preventing and dealing with a breach in security leading to the theft of customer information. For an introduction to SteadyBank and the main characters in this blog series, see the post titled: Understand GRC through SteadyBank. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.
Drawings © 2012 Brad Abrahams