# Enterprise GRC payback for SteadyBank

[Our final SteadyBank episode finds Ned in Jake's office.  It's November 1 and the board meeting alluded to in our last episode is tomorrow.  Ned has had some help from Paul Winkler and his staff and the GRC vendor on quantifying the system benefits.  Next, Ned got the benefit estimates refined and blessed by SteadyBank's CFO, William (Bill) Cutter.  As a final check, Ned wants to run the numbers by Jake to see if they pass Jake's "sniff test!"]

### The \$64,000 question!

Jake asks Ned the \$64,000 question!

Ned announces to Jake "I've pulled the benefit numbers together, with help from Paul, Bill, and the vendor.  I plan to tell the board how many months were required to recoup our investment in the enterprise GRC solution."

Jake replies, eyes wide open, "Let's hear it!  Time value of money aside, what did you come up with for the total monthly dollar benefit?  That is the \$64,000 question, Ned!"

Ned's jaw drops.  "This is unreal Jake!  Wow, I was looking for confirmation, but I never dreamed of independent validation!"

Jake looks puzzled, and then his eyebrows soar.  "Ned, did you say the monthly benefit is \$64,000?  I suppose that is not unreasonable for a \$10 billion institution.  Still, that is a fast payback for SteadyBank!!  I assume you have the details to back up that number.  What is our supporting data?" Jake inquires.

### GRC metaphor!

"Well," Ned begins, "our GRC solution is analogous to a Swiss Army knife, Jake.  We initially bought it for its risk management capabilities, but once we had it installed and began using it, we realized that it could do much more.  As a result, over the past two years, we have expanded its use into a number of additional areas.  I have a table that shows the evolution, and by construction, how we evolved to the \$64,000 monthly benefit, and here it is."  [Ned shows Jake a table that illustrates the progression of benefits as the GRC system usage expanded over time.]

"This is a doozy of an exhibit for the board book!  They'll love it!" exclaimed Jake, continuing, "Very interesting indeed!"  Jake quickly runs through the numbers, and he observes, "Ned, it is interesting to note that the risk components implemented first in 2010 account for 40 percent of the ultimate benefit of the system as it is used today.  I suppose that is the 'R' in the GRC solution, right?"

"That's correct, Jake," replies Ned, continuing, "Last year we determined to implement the audit, policy and regulatory change management components, which cover the 'G' and the 'C' parts of GRC!  So, this year we decided to add targeted areas where there was the greatest benefit and/or perceived risk that we wanted to address.  Unfortunately the vendor management and IT Security portions were not begun until mid-year, which was after we had the big push on all of those changes, which combined to form a 'perfect privacy, vendor, and change management storm!'"

Jake nodded his head in agreement, saying "Ned, hindsight is always 20/20!  The \$2.5 million we need to explain tomorrow to the board is also a future 'cost avoidance benefit' example that we need to underscore.  The numbers you have shared above are conservative in that respect, because the annualized dollar benefit estimate for IT Security and TPP risk management alone is roughly \$85,000, which says that if SteadyBank could avoid the type of incident we just experienced through the use of the GRC solution even once every 30 years it would be worth it to us!  Ned, I would call that out big-time!  And, looking to the future, SteadyBank can continue to accrue even greater benefits from the enterprise GRC solution as we discover more good uses for it!"

Ned smiled and nodded in agreement, replying, "Jake, I knew you would help me bring out the most important points, and with just the right emphasis on each one.  You can truly make lemonade out of lemons!  Furthermore, I think your point about:

'The future benefits to be accrued by SteadyBank due to our ever-expanding use of our enterprise GRC solution are unlimited!'

is precisely the quote that our vendor was looking for!"

"I am really looking forward to the board meeting now!" Ned added.

"That's a good thing," replied Jake, "because you will own center stage with your presentation."

"I certainly hope so," Ned said, beaming with delight, "I love to tell a good story!"

[Note: This concludes my nine-part GRC series featuring SteadyBank and its cast of characters. I encourage you to check out another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!)  For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.]

### A final word

My primary purpose in this blog series was to realistically illustrate the use and value of a GRC solution in a bank. I hope you found it to be both informative and entertaining. While I opted to inject some humor on occasion, the subject of GRC is no laughing matter. I am very passionate about principled achievement through a strong ethical culture, proper tone at the top, strong internal controls, mutual respect and collaboration among employees and a mindset of acting in the best interest of your customers.

The storylines and characters in each of the episodes were purely fictional, and any similarity to actual situations or real people is purely coincidental. If you liked this story-telling approach to illustrating the value of GRC please write me at clark.abrahams@sas.com or post a comment and let me know. Thank you!

1. Posted November 13, 2012 at 11:22 pm | Permalink

“Hi Clark, good article to stretch people's perception of value-add. I couldn't help but notice, perhaps because of coming from a performance management background, that most of the categories are control based. Can you stretch GRC into supporting innovation, a closer connection to the customer, a quicker time to market with new banking solutions...? How about creating a work place where people got recognized for "principled achievement"?

My guess is \$64,000 might seem like chump change in comparison! Value add certainly includes controls, but in the past couple of decades the value proposition seems to have moved away from the big kick coming from greater efficiencies, and instead more effective, innovation tied to a value proposition.

• Clark Abrahams
Posted November 14, 2012 at 8:44 am | Permalink

Great comment Rodney - your suggestions are really excellent. Rather than respond as a comment, I think this deserves an additional post! Thank you!

2. Fernn
Posted February 4, 2013 at 5:37 am | Permalink

Nice illustration of EGRC. Certainly helped me a fair bit on my understanding of it. Thanks Clark!

3. Staci
Posted April 5, 2013 at 9:13 am | Permalink

excellent issues altogether, you just gained a new reader.

• Clark Abrahams
Posted April 5, 2013 at 11:23 am | Permalink

Staci - thanks for your comment and question.

Before I answer about my most recent post, let me first say about this post on GRC that companies need to consider how an enterprise GRC solution can help them transform their organization into a more efficient, collaborative, effective and secure operation that can compete successfully in an increasingly regulated and competitive landscape.

Now, on to your question about my most recent post. I recommend that you visit the following page on the SAS website that can provide some very compelling examples and reasons why high performance analytics is so valuable and how leveraging it can pay big dividends for those companies investing in the technology now - both immediately and increasing in the future. HPA can introduce a whole new way to think about solving business problems and hitting planned performance targets. Even more important, HPA can provide executives with the ability to better conceptualize what their goals should be in the first place.

1. By Understand GRC through SteadyBank on November 1, 2012 at 11:23 am

[...] Enterprise GRC payback for SteadyBank   (November 1) [...]

2. By Decision making and GRC on June 28, 2013 at 2:58 pm

[...] series is now approaching 25,000 views (over 9,000 page views alone on the final one)!  Based on these results, perhaps I should consider creating another series -- possibly a [...]

Clark Abrahams has been with SAS for a decade. A 2011 NACD Governance Fellow, Clark previously worked three decades in various management positions dealing with credit, risk and finance, culminating in a bank executive role reporting directly to the board. He currently serves on the PERC Advisory Board. Clark is a strong proponent of high-performance analytics (HPA), which he envisions will enable quantum leaps in business strategy, problem-solving and decision-making. Clark has been awarded five patents and has two more in the works. Clark has co-authored several books on risk, compliance and decision making:

See and hear Clark discuss a new lending system in this RMA "Journal Interview" video.