This week's episode is installment number eight in a nine-part series aimed at fostering understanding of GRC solutions. It's now October 25, 2012, and it has been six months since the problems cropped up at SteadyBank. The full financial impact of the loss events that have occurred has now been realized.
Ned Thomas, SteadyBank CRO, and Jake Jabber, COO, have spent the better part of the morning reviewing the financials and the details behind them, which were accessed through their GRC system. Our episode begins with Ned briefing Jake on what he plans to tell the board, which has had many sets of watchful eyes on mounting financial, regulatory and customer relationship fallout.
Informing the board
Jake tells Ned, "SteadyBank's GRC solution captured all of the results. Bill Cutter told me it was amazingly easy to prepare his summary for the upcoming quarterly board meeting. Essentially Bill will simply provide the financial facts, and you and I will follow and provide any answers to questions from the board." Jake shares, "Bill's key points are:
"Listen Jake," explains Ned, "there will be plenty of blame to spread around in the board meeting. After all, the last quarterly risk assessment prior to the incident clearly showed trouble was brewing," Ned emphasizes.
Two key points
"That is a great depiction of the risks associated with all of the change that was occurring at the time, Ned -- I like it!" remarks Jake. "So tell me, Ned, what is the other thing you had in mind to share with the board?" Jake inquires.
"Continuous assurance!" exclaims Ned, continuing, "Check out the next slide where I lay out conceptually the “big picture” of how we leverage our GRC solution to achieve ongoing monitoring of our risk exposures and control strength!" Ned goes on to highlight for Jake what he intends to present in the board meeting in greater detail.
“Continuous monitoring consists of processes that your people, Jake, have put in place to assess whether your policies, procedures, and business processes are doing what they’re supposed to do. By identifying the control objectives and test conditions and by establishing automated risk exposure tests based on KRI benchmarks, trends, and correlations, SteadyBank has found 3 activities and two dozen transactions that are non-compliant and/or posed unacceptable risk over the past two months,” Ned explains. “I like the fact that you are providing some good information on the progress we’ve been making—the board will find it reassuring,” Jake interjects.
Ned provides more highlights, saying, “Continuous auditing provides for real-time automated monitoring and review of the business, and it incorporates analysis involving the use of rules-based reasoning, predictive and statistical modeling, and other software tools. Our internal audit team's charge is control of all controls in the bank. The board needs reassurance in the wake of this year's problems that our internal controls are effective and sufficient to avoid any repeats. SteadyBank’s internal auditors collaborated with our solution provider, SAS, to devise over 300 risk indicator measurements and several dozen new daily control checks that will afford more timely assurance that our data is good and our business processes are under control. This was the end result of applying a very strong CAVT control testing regimen that verifies our internal controls are:
- Complete (accounting for all scenarios of transactions),
- Accurate (well-maintained and designed to ensure business processes and practices are compliant with current policies, laws and regulations),
- Valid (checking that controls effectively limit compliance risk and continue to perform their intended function),
- Timely (ensuring controls are run at sufficient frequency to prevent significant failures from occurring).”
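The continuous-monitoring idea Ned describes (automated risk exposure tests against KRI benchmarks and trends, plus CAVT testing of the controls themselves) is easy to sketch in code. The following is an added example written for this post, not SteadyBank's or SAS's code; the control runs, KRI series, scenario list, policy version, thresholds and the 90% catch-rate floor are all constructed assumptions chosen to make the checks fire.

```python
"""Continuous control monitoring sketch: KRI benchmark/trend tests and
CAVT (Complete, Accurate, Valid, Timely) checks over constructed sample data.
Added illustration only; not the GRC product's or the bank's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class ControlRun:
    control_id: str
    scenario: str        # transaction scenario the run covered (assumed)
    policy_version: str  # policy version the control was configured against
    ran_at: datetime
    blocked: int         # violations the control caught
    escaped: int         # violations found later that got past the control


# Constructed sample data: recent runs for two hypothetical controls.
NOW = datetime(2012, 10, 25)
RUNS = [
    ControlRun("C-101", "wire", "v3", NOW - timedelta(days=1), 4, 0),
    ControlRun("C-101", "ach", "v3", NOW - timedelta(days=1), 2, 0),
    ControlRun("C-102", "wire", "v2", NOW - timedelta(days=9), 1, 3),
]
REQUIRED_SCENARIOS = {"wire", "ach", "card"}  # assumed scenario catalogue
CURRENT_POLICY = "v3"                         # assumed current policy version
MAX_RUN_AGE = timedelta(days=7)               # assumed timeliness window
MIN_CATCH_RATE = 0.9                          # assumed validity floor


def cavt_findings(runs, now=NOW):
    """Return {control_id: [failed CAVT criteria]} for each control."""
    by_control = {}
    for r in runs:
        by_control.setdefault(r.control_id, []).append(r)
    findings = {}
    for cid, rs in by_control.items():
        failed = []
        # Complete: every required transaction scenario has been exercised.
        if REQUIRED_SCENARIOS - {r.scenario for r in rs}:
            failed.append("complete")
        # Accurate: the control is configured against the current policy.
        if any(r.policy_version != CURRENT_POLICY for r in rs):
            failed.append("accurate")
        # Valid: the control actually catches the violations it exists for.
        caught = sum(r.blocked for r in rs)
        escaped = sum(r.escaped for r in rs)
        if caught + escaped and caught / (caught + escaped) < MIN_CATCH_RATE:
            failed.append("valid")
        # Timely: the control has run recently enough to matter.
        if now - max(r.ran_at for r in rs) > MAX_RUN_AGE:
            failed.append("timely")
        findings[cid] = failed
    return findings


def kri_alerts(series, benchmark, trend_window=3, trend_pct=0.5):
    """Flag KRI values that breach the benchmark or jump more than
    trend_pct above the mean of the preceding trend_window values.
    Returns a list of (index, kind) tuples in detection order."""
    alerts = []
    for i, v in enumerate(series):
        if v > benchmark:
            alerts.append((i, "breach"))
        if i >= trend_window:
            base = mean(series[i - trend_window:i])
            if base > 0 and (v - base) / base > trend_pct:
                alerts.append((i, "trend"))
    return alerts


# Constructed daily KRI series (e.g. percent of wires over limit) and benchmark.
KRI_SERIES = [1.0, 1.1, 1.0, 1.2, 2.0, 3.5]
KRI_BENCHMARK = 3.0

if __name__ == "__main__":
    for cid, failed in cavt_findings(RUNS).items():
        print(cid, "FAILS" if failed else "passes", ", ".join(failed))
    for idx, kind in kri_alerts(KRI_SERIES, KRI_BENCHMARK):
        print(f"KRI day {idx}: {kind} (value {KRI_SERIES[idx]})")
```

The trend test catches the rise on day 4 before the benchmark is actually breached on day 5, which is the "alerted earlier in the process" benefit the post describes; the CAVT check separately shows that C-102 fails all four criteria even though it did block one violation.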
“This is excellent,” responds Jake, saying “Ned, you have prepared well and have put things in the best possible light, given the circumstances.”
Measuring GRC system value
“We couldn’t have done it without the help from our GRC solution vendor. They took an ownership interest in the risk management, compliance and governance challenges faced by SteadyBank. They really helped us to better appreciate and leverage the tremendous value in their solution. As a result, I am preparing some information for them relating to return on investment (ROI) for their Enterprise GRC solution that we agreed to share as a success story. As soon as I pull that information together, I will run it by you, Paul, and Bill Cutter,” Ned promises. “I look forward to reviewing it Ned, and let me know if the vendor wants a quote from a CCO. I will gladly prepare one for you to pass along,” offers Jake.
As Ned is leaving Jake's office, Jake notes, “In addition to our keeping watchful eyes on things, we have the benefit of our GRC solution that is automatically and continuously monitoring SteadyBank’s operations!”
Note: Their GRC solution will help the SteadyBank team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem, enabling swifter corrective action. If you are interested in this nine-part GRC series, you will also find value in another GRC tale that illustrates the value of a GRC solution in preventing and dealing with a breach in security leading to the theft of customer information. For an introduction to SteadyBank and the main characters in this blog series, see the post titled Understand GRC through SteadyBank. Keep a lookout for the final post in this series, which will go live on Thursday, November 1st. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.
Drawings © 2012 Brad Abrahams