Keeping a watchful eye

 

This week's episode is installment number eight in a nine-part series aimed at fostering understanding of GRC solutions.  It's now October 25, 2012, and it has been six months since the problems cropped up at SteadyBank. The full financial impact of the loss events that have occurred has now been realized.

Ned Thomas, SteadyBank CRO, and Jake Jabber, COO,  have spent the better part of the morning reviewing the financials and the details behind them, which were accessed through their GRC system.  Our episode begins with Ned briefing Jake on what he plans to tell the board, which has had many sets of watchful eyes on mounting financial, regulatory and customer relationship fallout.

Informing the board

Jake tells Ned, "SteadyBank's GRC solution captured all of the results. Bill Cutter told me it was amazingly easy to prepare his summary for the upcoming quarterly board meeting. Essentially Bill will simply provide the financial facts, and you and I will follow, and they provide any answers to questions from the board." Jake shares, "Bill's key points are:

__________________________________________________________________________________________

Incident                                            Financial Effect     Direct Recovery      Ins. Recovery   Net Loss     
1.  change in check posting order,
misplaced mail, tardy disclosure      $  8,000,000             $  1,200,000               $  4,300,000     $  2,500,000
2.  TPP customer information loss   $     700,000             $     150,000               $     550,000     $                0
__________________________________________________________________________________________
.
and I think the only new information is the insurance claim payment of $4,300,000 that should put the board in a good mood after 22 weeks of perspiration and worry about the possible rejection of the claim for the reasons initially raised by our insurance carrier when we first filed in May."
.

Ned and Jake huddle and strategize on what to do!

"Listen Jake," explains Ned, "there will be plenty of blame to spread around in the board meeting.  After all, the last quarterly risk assessment prior to the incident clearly showed trouble was brewing," Ned emphasizes.

Ned continues "Had management paid closer attention to the GRC Quarterly Risk Assessments we could have done a better job of managing the communications around the processing change."  Ned points to the screen on his laptop (shown below).
 
 
 

GRC signal of coming trouble

“We also would have been more on our toes to spot issues associated with the downsizing initiative, as employee risk was rated high in the risk self-assessment!" Ned notes wistfully.  Jake responds "Well, you're right Ned, of course. If I recall correctly, Cutter's loss figure of two and a half million dollars does not include damaged customer morale, a strain in our regulatory relations with examiner-in-charge Tom Scrutiny, or the inevitable increase in next year's insurance premiums. We need to tell the board about the monitoring program you put in place, Ned, which will ensure that SteadyBank will not have any repeats of this sort of trouble."  "Yep!" is Ned's reply.
.

Two key points

Ned shares, "In addition to control strengthening around our outsourcing and system change management process, I am going to emphasize two other key aspects of our GRC process enhancements to our board."  Ned continues, “The first is better management of project concurrence risk. I created a slide to portray what we had going, and, in hindsight, it was a "perfect storm" waiting to happen.
.

Perfect operational storm in the making!

.

"That is a great depiction of the risks associated with all of the change that was occurring at the time Ned -- I like it!" remarks Jake. "So tell me, Ned, what is the other thing you had in mind to share with the board?" Jake inquires.

"Continuous assurance!" exclaims Ned, continuing "Check out the next slide where I lay out conceptually the “big picture” of how we leverage our GRC solution to achieve on-going monitoring of our risk exposures and control strength!"  Ned goes on to highlight for Jake what he intends to present in the board meeting in greater detail.

Assurance for the board!

Continuous monitoring consists of processes that your people, Jake, have put in place to assess whether your policies, procedures, and business processes are doing what they’re supposed to do.  By identifying the control objectives and test conditions and by establishing automated risk exposure tests based on KRI benchmarks, trends, and correlations, SteadyBank has found 3 activities and two dozen transactions that are non-compliant and/or posed unacceptable risk over the past two months,” Ned explains.  “I like the fact that you are providing some good information on the progress we’ve been making—the board will find it reassuring,” Jake interjects.

Ned provides more highlights, saying, “Continuous auditing provides for real-time automated monitoring and review of the business, and it incorporates analysis involving the use of rules-based reasoning, predictive and statistical modeling, and other software tools.  Our internal audit team's charge is control of all controls  in the bank.  The board needs reassurance in the wake of this year's problems that our internal controls are effective and sufficient to avoid any repeats.  SteadyBank’s internal auditors collaborated with our solution provider, SAS, to devise over 300 risk indicator measurements and several dozen new daily control checks that will afford more timely assurance that our data is good and our business processes are under control.  this was the end result of applying a very strong CAVT control testing regimen that verifies our internal controls are:

  • Complete (accounting for all scenarios of transactions),
  • Accurate (well-maintained and designed to ensure business processes and practices are compliant with current policies, laws and regulations).
  • Valid (checking that controls effectively limit compliance risk and continue to perform their intended function),
  • Timely (ensuring controls are run at sufficient frequency to prevent significant failures from occurring).”

“This is excellent,” responds Jake, saying “Ned, you have prepared well and have put things in the best possible light, given the circumstances.”

Measuring GRC system value

“We couldn’t have done it without the help from our GRC solution vendorThey took an ownership interest in the risk management, compliance and governance challenges faced by SteadyBank.   They really helped us to better appreciate and leverage the tremendous value in their solution.  As a result, I am preparing some information for them relating to return on investment (ROI) for their Enterprise GRC solution that we agreed to share as a success story.  As soon as I pull that information together, I will run it by you, Paul, and Bill Cutter,” Ned promises.  “I look forward to reviewing it Ned, and let me know if the vendor wants a quote from a CCO.  I will gladly prepare one for you to pass along,” offers Jake.

As Ned is leaving Jakes office, Jake notes, “In addition to our keeping watchful eyes on things, we have the benefit of our GRC solution that is automatically, and continuously monitoring SteadyBank’s operations!”

 

A few of SteadyBank's most watchful eyes!

 

Note: Their GRC solution will help the SteadyBank Team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem. This will enable them to take swifter corrective action.  If you are interested in this nine-part GRC series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breech in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank Keep a lookout for the final post in this series that will go live on Thursday,  November 1st Be sure you read the whole Steadybank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams

tags: steadybankgrc

2 Trackbacks

  1. [...] SAS Blogs Home > The Principled Achiever > Enterprise GRC payback for SteadyBank « Keeping a watchful eye Enterprise GRC payback for SteadyBank Clark Abrahams|November 1, 2012 30Tweet [Our final [...]

  2. By Homepage on November 22, 2012 at 1:26 am

    ... [Trackback]...

    [...] Informations on that Topic: blogs.sas.com/content/betterdecisions/2012/10/25/keeping-a-watchful-eye/ [...]...

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <p> <pre lang="" line="" escaped=""> <q cite=""> <strike> <strong>