[Our final SteadyBank episode finds Ned in Jake's office. It's November 1 and the board meeting alluded to in our last episode is tomorrow. Ned has had some help from Paul Winkler and his staff and the GRC vendor on quantifying the system benefits. Next, Ned got the benefit estimates refined and blessed by SteadyBank's CFO, William (Bill) Cutter. As a final check, Ned wants to run the numbers by Jake to see if they pass Jake's "sniff test!"]
The $64,000 question!
Jake asks Ned the $64,000 question!
Ned announces to Jake "I've pulled the benefit numbers together, with help from Paul, Bill, and the vendor. I plan to tell the board how many months were required to recoup our investment in the enterprise GRC solution."
Jake replies, eyes wide open, "Let's hear it! Time value of money aside, what did you come up with for the total monthly dollar benefit? That is the $64,000 question, Ned!"
Ned's jaw drops. "This is unreal Jake! Wow, I was looking for confirmation, but I never dreamed of independent validation!"
Jake looks puzzled, and then his eyebrows soar. "Ned, did you say the monthly benefit is $64,000? I suppose that is not unreasonable for a $10 billion institution. Still, that is a fast payback for SteadyBank!! I assume you have the details to back up that number. What is our supporting data?" Jake inquires.
The $64,000 answer!
"Well," Ned begins, "our GRC solution is analogous to a Swiss Army knife, Jake. We initially bought it for its risk management capabilities, but once we had it installed and began using it, we realized that it could do much more. As a result, over the past two years, we have expanded its use into a number of additional areas. I have a table that shows the evolution, and by construction, how we evolved to the $64,000 monthly benefit, and here it is." [Ned shows Jake a table that illustrates the progression of benefits as the GRC system usage expanded over time.]
SteadyBank's answer to the $64,000 question!
"This is a doozy of an exhibit for the board book! They'll love it!" exclaimed Jake, continuing, "Very interesting indeed!" Jake quickly runs through the numbers, and he observes, "Ned, it is interesting to note that the risk components implemented first in 2010 account for 40 percent of the ultimate benefit of the system as it is used today. I suppose that is the 'R' in the GRC
"That's correct, Jake," replies Ned, continuing, "Last year we determined to implement the audit, policy and regulatory change management components, which cover the 'G' and the 'C' parts of GRC!
So, this year we decided to add targeted areas where there was the greatest benefit and/or perceived risk that we wanted to address. Unfortunately the vendor management and IT Security portions were not begun until mid-year, which was after we had the big push on all of those changes, which combined to form a "perfect privacy, vendor, and change management storm
Jake nodded his head in agreement, saying, "Ned, hindsight is always 20/20! The $2.5 million we need to explain tomorrow to the board is also a future "cost avoidance benefit" example that we need to underscore. The numbers you have shared above are conservative in that respect, because that annualized dollar benefit estimate for IT Security and TPP risk management alone is roughly $85,000, which says that if SteadyBank could avoid the type of incident we just experienced through the use of the GRC solution even once every 30 years it would be worth it to us!
Ned, I would call that out big-time! And, looking to the future, SteadyBank can continue to accrue even greater benefits from the enterprise GRC solution as we discover more good uses for it!"
Ned smiled and nodded in agreement, replying, "Jake, I knew you would help me bring out the most important points, and with just the right emphasis on each one. You can truly make lemonade out of lemons! Furthermore, I think your point about:
'The future benefits to be accrued by SteadyBank due to our ever-expanding use of our enterprise GRC solution are unlimited!'
is precisely the quote that our vendor was looking for!"
"I am really looking forward to the board meeting now!" Ned added.
"That's a good thing," replied Jake, "because you will own center stage with your presentation."
"I certainly hope so," Ned said, beaming with delight, "I love to tell a good story
[Note: This concludes my nine-part GRC series featuring SteadyBank and its cast of characters. I encourage you to check out another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank. Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.]
Drawings © 2012 Brad Abrahams
A final word
My primary purpose in this blog series was to realistically illustrate the use and value of a GRC solution in a bank. I hope you found it to be both informative and entertaining. While I opted to inject some humor on occasion, the subject of GRC is no laughing matter. I am very passionate about principled achievement through a strong ethical culture, proper tone at the top, strong internal controls, mutual respect and collaboration among employees and a mindset of acting in the best interest of your customers.
The storylines and characters in each of the episodes were purely fictional, and any similarity to actual situations or real people is purely coincidental. If you liked this story-telling approach to illustrating the value of GRC please write me at firstname.lastname@example.org or post a comment and let me know. Thank you!