Ned Thomas, CRO
Ned and Jake are of a common mind on next steps for dealing with the crisis. Ned realizes the fastest way to achieve desired results is to drive actions through the Enterprise GRC solution. In this way, Ned reasons that all appropriate stakeholders will be informed, status will be taken and reported, and accountability for meeting timelines on deliverables will be assured.
"Boy," Ned thinks out loud, "I would be cooked if I had to rely on dreadsheets, unread e-mails, voice mail, and sneaker-net! I am going to get right down to business this minute!"
GRC solution is "system of record" for corporate issues
Ned logs onto the GRC solution, and immediately pulls up the issues he and others have been posting to the system.
Ned uses a pre-defined view he created to zero in on the relevant issues
Ned has not wasted any time. While meeting with Jake, Paul, Andrew, and third-party provider management, he put the action plans and associated timelines into the solution as they were formulated, eliminating transcription time for him and ensuring that he was capturing everything that the system requires, thus avoiding the need to go back multiple times and quiz information providers on information gaps.
GRC solution links issues with action plans
Ned next reviews the action plan associated with the fifth issue on the list: the need to inform customers about the processing problems that occurred. For that, Ned will seek help from SteadyBank's Corporate Public Relations Department in order to craft an appropriate message.
Ned is satisfied with what he has put into motion, and he checks his plan for fixing the problem with the third-party provider over in the electronic payments area.
Action plan for Third-Party Provider (TPP) in SteadyBank Electronic Payments
Ned has the required actions - he just needs to initiate the approval process and he and Jake can report to Peter Principal, CEO, that they are dealing with all of the issues and that it appears they have headed off what could have been a major crisis and loss event. With a couple of button clicks, Ned has put into motion five action plans aimed at dealing with the crisis, and he will take status twice a day until the major hurdles have been overcome.
GRC solution captures and surfaces early warning signals
Ned knows that Peter will ask if there had been any warning signals that such problems might occur. Ned decides that he will need to provide a backdrop of what internal control assessments and audits had indicated over the past 2 years. That will not take long.
Ned uses his "favorites" list to filter out the assessments of interest
Ned clicks on the GRC audit tab. He uses a "favorite" feature which allows him to view previously defined organizational entities within SteadyBank. He quickly finds the report he is seeking and displays it on his screen.
Audit scores and trends by SteadyBank operating units
Just as Ned suspected, there were some reasons to be concerned. They had indications from audit results that sooner or later the pressures and issues in technology, as SteadyBank rolled out its "modernization plan," would play out if not dealt with "head-on." Further, the upward trend in HR reflected concerns around expected turnover and the challenges of ramping up staff who needed to expand their skill sets to handle the new web channel and electronic banking. The alternatives were to replace existing staff with new hires, or contractors, who possessed the needed skills, or outsource the function entirely.
Ned decided to examine the quarterly retail banking operations self-assessments that provided the operating unit's perspective. Ned clicked over to the GRC risk tab in the solution and pulled up the last three quarterly assessments.
Operating unit assessments provide more data points
Ned concludes, "Clearly, the handwriting was on the wall, but due to cost control and other priorities the audit results were given low priority -- so much for plausible deniability!"
Ned knew that he and Jake would have very little time afforded to them, and the full management team, between dealing with the crisis and finding a more permanent fix. After all, the CEO would have to answer to Tom Scrutiny, their primary regulatory examiner, and also the Corporate Board.
"Yes," Ned thought, "Fixing the process is the next task he will need to address with Jake."
Ned considered what role the GRC system would play in that chapter of the story, and it all started to come into focus. He is thinking that his next solution "mouse click" will be on the GRC compliance
Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series, please click on the following title: Understand GRC through SteadyBank. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.
Drawings © 2012 Brad Abrahams