Enterprise GRC payback for SteadyBank

[Our final SteadyBank episode finds Ned in Jake's office.  It's November 1 and the board meeting alluded to in our last episode is tomorrow.  Ned has had some help from Paul Winkler and his staff and the GRC vendor on quantifying the system benefits.  Next, Ned got the benefit estimates refined and blessed by SteadyBank's CFO, William (Bill) Cutter.  As a final check, Ned wants to run the numbers by Jake to see if they pass Jake's "sniff test!"]


The $64,000 question!

Jake asks Ned the $64,000 question!

Ned announces to Jake "I've pulled the benefit numbers together, with help from Paul, Bill, and the vendor.  I plan to tell the board how many months were required to recoup our investment in the enterprise GRC solution."
Jake replies, eyes wide open, "Let's hear it!  Time value of money aside, what did you come up with for the total monthly dollar benefit?  That is the $64,000 question, Ned!"
Ned's jaw drops.  "This is unreal Jake!  Wow, I was looking for confirmation, but I never dreamed of independent validation!"
Jake looks puzzled, and then his eyebrows soar.  "Ned, did you say the monthly benefit is $64,000?  I suppose that is not unreasonable for a $10 billion institution.  Still, that is a fast payback for SteadyBank!!  I assume you have the details to back up that number.  What is our supporting data?" Jake inquires.

The $64,000 answer!

GRC metaphor!

"Well," Ned begins, "our GRC solution is analogous to a Swiss Army knife, Jake.  We initially bought it for its risk management capabilities, but once we had it installed and began using it, we realized that it could do much more.  As a result, over the past two years, we have expanded its use into a number of additional areas.  I have a table that shows the evolution, and by construction, how we evolved to the $64,000 monthly benefit, and here it is."  [Ned shows Jake a table that illustrates the progression of benefits as the GRC system usage expanded over time.]


SteadyBank's answer to the $64,000 question!

"This is a doozy of an exhibit for the board book!  They'll love it!" exclaimed Jake, continuing, "Very interesting indeed!"  Jake quickly runs through the numbers, and he observes, "Ned, it is interesting to note that the risk components implemented first in 2010 account for 40 percent of the ultimate benefit of the system as it is used today.  I suppose that is the 'R' in the GRC solution, right?"
"That's correct, Jake," replies Ned, continuing, "Last year we determined to implement the audit, policy and regulatory change management components, which cover the 'G' and the 'C' parts of GRC!  So, this year we decided to add targeted areas where there was the greatest benefit and/or perceived risk that we wanted to address.  Unfortunately the vendor management and IT Security portions were not begun until mid-year, which was after we had the big push on all of those changes, which combined to form a 'perfect privacy, vendor, and change management storm!'"
Jake nodded his head in agreement, saying "Ned, hindsight is always 20/20!  The $2.5 million we need to explain tomorrow to the board is also a future 'cost avoidance benefit' example that we need to underscore.  The numbers you have shared above are conservative in that respect, because the annualized dollar benefit estimate for IT Security and TPP risk management alone is roughly $85,000, which says that if SteadyBank could avoid the type of incident we just experienced through the use of the GRC solution even once every 30 years it would be worth it to us!  Ned, I would call that out big-time!  And, looking to the future, SteadyBank can continue to accrue even greater benefits from the enterprise GRC solution as we discover more good uses for it!"
Ned smiled and nodded in agreement, replying, "Jake, I knew you would help me bring out the most important points, and with just the right emphasis on each one.  You can truly make lemonade out of lemons!  Furthermore, I think your point about:
 'The future benefits to be accrued by SteadyBank due to our ever-expanding use of our enterprise GRC solution are unlimited!'
is precisely the quote that our vendor was looking for!" 
"I am really looking forward to the board meeting now!" Ned added.
"That's a good thing," replied Jake, "because you will own center stage with your presentation."
"I certainly hope so," Ned said, beaming with delight, "I love to tell a good story!"
[Note: This concludes my nine-part GRC series featuring SteadyBank and its cast of characters. I encourage you to check out another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!)  For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.]

Drawings © 2012 Brad Abrahams

A final word

My primary purpose of this blog series was to realistically illustrate the use and value of a GRC solution in a bank. I hope you found it to be both informative and entertaining. While I opted to inject some humor on occasion, the subject of GRC is no laughing matter. I am very passionate about principled achievement through a strong ethical culture, proper tone at the top, strong internal controls, mutual respect and collaboration among employees and a mindset of acting in the best interest of your customers.

The storylines and characters in each of the episodes were purely fictional, and any similarity to actual situations or real people is purely coincidental. If you liked this story-telling approach to illustrating the value of GRC please write me at clark.abrahams@sas.com or post a comment and let me know. Thank you!


Keeping a watchful eye


This week's episode is installment number eight in a nine-part series aimed at fostering understanding of GRC solutions.  It's now October 25, 2012, and it has been six months since the problems cropped up at SteadyBank. The full financial impact of the loss events that have occurred has now been realized.

Ned Thomas, SteadyBank CRO, and Jake Jabber, COO,  have spent the better part of the morning reviewing the financials and the details behind them, which were accessed through their GRC system.  Our episode begins with Ned briefing Jake on what he plans to tell the board, which has had many sets of watchful eyes on mounting financial, regulatory and customer relationship fallout.

Informing the board

Jake tells Ned, "SteadyBank's GRC solution captured all of the results. Bill Cutter told me it was amazingly easy to prepare his summary for the upcoming quarterly board meeting. Essentially Bill will simply provide the financial facts, and you and I will follow and provide any answers to questions from the board." Jake shares, "Bill's key points are:

Incident                                             Financial Effect   Direct Recovery   Ins. Recovery     Net Loss
1. Change in check posting order, misplaced mail,
   tardy disclosure                                        $8,000,000        $1,200,000      $4,300,000   $2,500,000
2. TPP customer information loss                             $700,000          $150,000        $550,000           $0

and I think the only new information is the insurance claim payment of $4,300,000 that should put the board in a good mood after 22 weeks of perspiration and worry about the possible rejection of the claim for the reasons initially raised by our insurance carrier when we first filed in May."

Ned and Jake huddle and strategize on what to do!

"Listen, Jake," explains Ned, "there will be plenty of blame to spread around in the board meeting.  After all, the last quarterly risk assessment prior to the incident clearly showed trouble was brewing," Ned emphasizes.

Ned continues "Had management paid closer attention to the GRC Quarterly Risk Assessments we could have done a better job of managing the communications around the processing change."  Ned points to the screen on his laptop (shown below).

GRC signal of coming trouble

"We also would have been more on our toes to spot issues associated with the downsizing initiative, as employee risk was rated high in the risk self-assessment!" Ned notes wistfully.  Jake responds "Well, you're right, Ned, of course. If I recall correctly, Cutter's loss figure of two and a half million dollars does not include damaged customer morale, a strain in our regulatory relations with examiner-in-charge Tom Scrutiny, or the inevitable increase in next year's insurance premiums. We need to tell the board about the monitoring program you put in place, Ned, which will ensure that SteadyBank will not have any repeats of this sort of trouble."  "Yep!" is Ned's reply.

Two key points

Ned shares, "In addition to control strengthening around our outsourcing and system change management process, I am going to emphasize two other key aspects of our GRC process enhancements to our board."  Ned continues, "The first is better management of project concurrence risk. I created a slide to portray what we had going, and, in hindsight, it was a 'perfect storm' waiting to happen."

Perfect operational storm in the making!


"That is a great depiction of the risks associated with all of the change that was occurring at the time Ned -- I like it!" remarks Jake. "So tell me, Ned, what is the other thing you had in mind to share with the board?" Jake inquires.

"Continuous assurance!" exclaims Ned, continuing "Check out the next slide where I lay out conceptually the “big picture” of how we leverage our GRC solution to achieve on-going monitoring of our risk exposures and control strength!"  Ned goes on to highlight for Jake what he intends to present in the board meeting in greater detail.

Assurance for the board!

"Continuous monitoring consists of processes that your people, Jake, have put in place to assess whether your policies, procedures, and business processes are doing what they're supposed to do.  By identifying the control objectives and test conditions and by establishing automated risk exposure tests based on KRI benchmarks, trends, and correlations, SteadyBank has found three activities and two dozen transactions that were non-compliant and/or posed unacceptable risk over the past two months," Ned explains.  "I like the fact that you are providing some good information on the progress we've been making—the board will find it reassuring," Jake interjects.

Ned provides more highlights, saying, "Continuous auditing provides for real-time automated monitoring and review of the business, and it incorporates analysis involving the use of rules-based reasoning, predictive and statistical modeling, and other software tools.  Our internal audit team's charge is control of all controls in the bank.  The board needs reassurance in the wake of this year's problems that our internal controls are effective and sufficient to avoid any repeats.  SteadyBank's internal auditors collaborated with our solution provider, SAS, to devise over 300 risk indicator measurements and several dozen new daily control checks that will afford more timely assurance that our data is good and our business processes are under control.  This was the end result of applying a very strong CAVT control testing regimen that verifies our internal controls are:

  • Complete (accounting for all scenarios of transactions),
  • Accurate (well-maintained and designed to ensure business processes and practices are compliant with current policies, laws and regulations),
  • Valid (checking that controls effectively limit compliance risk and continue to perform their intended function), and
  • Timely (ensuring controls are run at sufficient frequency to prevent significant failures from occurring)."

“This is excellent,” responds Jake, saying “Ned, you have prepared well and have put things in the best possible light, given the circumstances.”

Measuring GRC system value

"We couldn't have done it without the help from our GRC solution vendor. They took an ownership interest in the risk management, compliance and governance challenges faced by SteadyBank.  They really helped us to better appreciate and leverage the tremendous value in their solution.  As a result, I am preparing some information for them relating to return on investment (ROI) for their Enterprise GRC solution that we agreed to share as a success story.  As soon as I pull that information together, I will run it by you, Paul, and Bill Cutter," Ned promises.  "I look forward to reviewing it, Ned, and let me know if the vendor wants a quote from a CCO.  I will gladly prepare one for you to pass along," offers Jake.

As Ned is leaving Jake's office, Jake notes, "In addition to our keeping watchful eyes on things, we have the benefit of our GRC solution that is automatically and continuously monitoring SteadyBank's operations!"


A few of SteadyBank's most watchful eyes!


Note: Their GRC solution will help the SteadyBank Team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem. This will enable them to take swifter corrective action.  If you are interested in this nine-part GRC series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Keep a lookout for the final post in this series that will go live on Thursday, November 1st.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.



Fixing the process

Ned Thomas, CRO

Ned sees several layers in the process for "fixing the process." SteadyBank's enterprise GRC solution will factor into them all, and will serve not only to effect the needed changes, but also to communicate what is expected, and to monitor and report on performance relative to those changes.

At the top layer, there is needed improvement to the internal controls. That will entail modifications to policies. The next layer involves changes to business processes and procedures associated with the affected policies and related to the recent loss events and communication issues and execution failures (these represent additional layers).  In addition, there need to be stepped-up audit frequencies and/or validation requirements to ensure that policies are being followed. Ned decides to deal first with the immediate process fixes and deal with the monitoring aspects afterwards.  For exposures that cannot be well managed and pose too great a threat, either risk transfer should be sought or the activities causing those exposures should be either scaled back or eliminated.

SteadyBank's GRC system -- Ned's biggest asset!

Ned sees the GRC solution as his biggest asset as he attempts to button things down.  This is because linkages between all of the GRC components have already been created within the system in order to ensure that nothing slips through the cracks.

Ned quickly pulls up the causes of the problems and notes them:

  • Lack of communication/miscommunication
  • Lack of management attention and monitoring
  • Failure in planning and risk assessment
  • Insufficient monitoring of third-party provider
  • Inadequate software testing prior to deployment
  • Malfunctions in software or hardware

Ned is also interested in any regulatory violations, plus business disruption and customer impact. He decides to examine incidents related to disclosure and information privacy.  To do so, Ned simply clicks on the incidents tab, applies a defined filter, and selects only those incidents that are under current investigation.

Ned uses a pre-defined view he created to zero in on the relevant disclosure issues

Next, Ned is easily able to trace through the linkages, which he opts to do through the tabular sections under each incident which he clicks through in turn. He maps out the information and he probes deeper into an apparent lack of management attention and monitoring by Tech & Ops when passing non-public customer information to third-party providers (TPPs). This is a clear violation of SteadyBank's Gramm-Leach-Bliley Act (GLB) Policy. "Boy, we're looking at some additional fines for SteadyBank -- that will certainly put some salt on our wounds," Ned told himself. Ned calls Tech & Ops Manager Paul Winkler to get the straight scoop.

Process fix or people fix?!

Paul Winkler, SVP, Tech & Ops Manager

"Ned, I have determined that this was brought on by turnover of key resources and lack of motivation due to the staff reduction initiative which hurt employee morale in the division and caused longer working hours for those who retained their jobs," reported Paul. Hearing no response, Paul continued, "I had a conversation with Pete, who has been one of my most trusted lieutenants. Pete was very upset over having to let go a couple of his long-time staff due to the corporate ten percent staff reduction initiative."

Paul's voice trembles a bit as he relates, "I pressed him pretty hard, and he finally admitted that he and his remaining two system programmer/analysts failed to exercise careful oversight of the TPP consultants who were brought in to handle the system conversions for check payment posting and electronic (checkless) payment processing. They blamed Bill Cutter, CFO, for the layoffs and I suppose Pete thought it might teach Bill a lesson. I am very angry with Pete, but the fact is that we do not have his area well-documented and I can't really discipline him until the situation stabilizes." "It is a royal mess over here," Paul concluded.

"Thanks for your candor, Paul. I will take this up with the management team and Jake Jabber will circle back with you. By all means, try to get going on a knowledge transfer initiative before all of the walls go up," Ned advised and he ended the call. Ned could see that, at the root, there were serious people issues, which he proceeded to note in the system.

A fix will entail some people-related controls!

Putting heads together

Ned heads down the hallway to Jake's office. When he arrives, Jake is sorting through some conference material on his desk and he pauses as Ned appears in his doorway. "Can I buy you a cup of coffee?" Ned inquires. "No thanks, Ned.  Come in and have a seat!" Jake replied. Ned shares what he has learned from the GRC system and his subsequent conversation with Paul.

Jake Jabber, COO

“Just as I suspected,” Jake remarked, and he continued, “I attended a conference on governance and risk management and two of the top five risks were human capital risk and third-party risk. Hence this comes as no surprise.” Jake punched the speaker phone button and speed-dials to bring Paul into the conversation.

Paul answers the call, saying "Hi Jake! Ned told me I would be hearing from you. I must confess that I have been racking my brain trying to decide whether I need to use the carrot or the stick at this point with these knuckleheads. What do you think I should do?"

Without a pause, Jake answered, “Paul, I suggest you use the frozen carrot!”

“What’s the frozen carrot?” asked Paul.

“You give them the frozen carrot and you tell them they have to eat it or give it back," replied Jake, concluding, “And in the latter case, you then use it as a stick!”

Ned inserted himself into the conversation at this point, insisting, "Listen, all kidding aside, I have worked hard to foster an open and honest culture at SteadyBank where we all listen to each other's opinions respectfully, we hold ourselves and others accountable for results, and we trust the judgment of our leaders."

Jake agreed, and chimed in saying, "We can and must do better, Paul, and you need to make it a top priority to set the proper tone and instill those values throughout SteadyBank's Tech & Ops workforce."

Giving direction

Jake tasks Paul to get answers to the following five key questions on the third-party front:

  1. Are our contractors obligated contractually to abide by our policies and regulatory requirements?
  2. Do our risk assessments cover third-party risks, and if so, what risk areas are covered?
  3. How do we supervise third-party activities and what structures, key performance measures (KPIs) and incentives/penalties do we have in place to control TPPs?
  4. How thoroughly do we check out TPPs before hiring them?
  5. Do we have insurance coverage for outsourced activities and is it adequate?

Jake advised Paul, “Call Bill Cutter to find out about the insurance, and please coordinate with Ned on the rest of the items.” Paul agreed and Jake ended the call. “SteadyBank has some significant third-party risk exposure, and I have no doubt that we need to strengthen our governance around third parties ASAP,” he told Ned.  Ned agreed with Jake and he returned to his office.

Policy management a la GRC!

Ned immediately clicked on the compliance tab in SteadyBank’s GRC system to do some policy creation and revision, which he plans to circulate with the management team prior to next week’s monthly risk management committee meeting.

Fixing the process involves policy management -- an integral part of the GRC solution!

Thankfully, his GRC solution provider, SAS, provided some very helpful templates "out-of-the-box" to assist him, such as a policy on policies, a procedure for creating and updating procedures, a companion template procedure, a procedure for creating and updating policies, a template policy, a procedure for creating forms, and so on. Also, there were lots of example procedures that addressed banking regulations.

Ned pulls up #10301 SteadyBank Guideline Policy (policy on policies) to review core elements in light of the five questions Jake posed to see if there was something that could possibly be generalized and added to the policy template.

Policy on policy!

In terms of structure for policy documents, Ned sees the core elements as follows:


  • Purpose
  • Scope
  • Critical Parameters
  • Citation to Companion Procedure
  • Penalty for Non-compliance

Jake decides, based on Jake's first question, that the structure needs an addition to allow for citations, or linkages, relating to specific contracts and corporate agreements where the policy in question comes into play. That way:

  • SteadyBank Procurement will be more "policy aware" when negotiating contracts, and
  • Risk Management will be more "contract aware" when reviewing proposed changes to policies and gauging their impact.

"This is great!" Ned tells himself. Just then, Ned's cell phone rings, and it is Paul.

Customer data compromised

"Hey, Ned," Paul beckoned, "There has been a development on the TPP front. It turns out there is a missing portable storage device that a TPP programmer took home to work on the computer processing development. It has an image of half of our credit card customer billing records, complete with social security numbers, addresses, birthdates, and the whole works! The individual in question is having home remodeling performed and there have been a dozen different workers in and out of his home on a constant basis over the period, and he suspects one of them made off with the external drive, but he has no idea even when it occurred because he got pulled out of town for several days and left the house key under the doormat, only to return and discover the device was gone."

Ned responds, "Paul, this is important. Was the device password-protected? Also, was the customer data encrypted?" "No to both!" was Paul's reply.

"This is potentially a 'worst nightmare scenario,'" said Ned, palm on forehead. "Paul, you need to get with Jake, Legal and our physical security department and take immediate action. By tomorrow, I need to contact our primary regulator and by then I want to know precisely which half of our cardholder customer base is affected and what your plans are to issue new cards, freeze the ones they have, and so on. We could be looking at identity theft, worst case." Ned wonders how things can get this far out of control and he pulls up the schematic for customer data flows he worked on with Paul earlier in the year.

Customer data flows through SteadyBank!

Ned thought he had everything covered, but now he knows better.  Systems are one aspect, but Ned now realizes that he forgot to consider the human element.  Ned and Paul not only needed to consider how customer data flows through SteadyBank, but they also need to consider how it could flow out of SteadyBank--in other words how to make customer data secure!

More fixes needed

"Two policy changes we need to make immediately are to revise our GLB and TPP policies to require device passwords and data encryption on all bank data with application to all third-party contracts going forward, and retroactively on any projects 'in play.' In addition, we need to ensure that any data transmitted or 'shipped' is also covered. I don't want to worry about hackers intruding into our network and servers, nor do I want to sweat it out if any FedEx trucks get hijacked with our data on them!" Ned tells himself.

Next, Ned calls Jake and brings him current on the situation. "Ned," Jake advises, "we need to look into the insurance side, especially to examine our financial/professional (FINPRO) insurance coverage and find out what our TPP has on their end. If identity theft is involved, the consequences might not materialize until sometime in the future, meaning we may need tail coverage on these occurrences, or set additional capital aside, i.e., self-insure. So, let's engage Bill Cutter and our friends over in the Finance Department, who can carry the water on these aspects."

[Narrator: A general realization creeps over Ned, Jake, Paul and others at SteadyBank that "fixing the process" is going to amount to much, much more than originally imagined. Fortunately, the majority of the information required and processes to achieve the desired end result reside in SteadyBank's GRC solution. Fast forward six months, the next episode takes place on October 25, 2012! At that time, we will see the full financial impact of the loss events that have occurred. We will also witness how the GRC solution can help the SteadyBank Team keep risks in check and more effectively monitor and control the operation. As a result, they will likely avoid similar loss events in the future, and they will be alerted earlier in the process when there is a problem. This will enable them to take swifter corrective action.]

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.



Dealing with the crisis


Ned Thomas, CRO

Ned and Jake are of a common mind on next steps for dealing with the crisis.  Ned realizes the fastest way to achieve desired results is to drive actions through the Enterprise GRC solution. In this way, Ned reasons that all appropriate stakeholders will be informed, status will be taken and reported, and accountability for meeting timelines on deliverables will be assured.

"Boy," Ned thinks out loud, "I would be cooked if I had to rely on spreadsheets, unread e-mails, voice mail, and sneaker-net!  I am going to get right down to business this minute!"

GRC solution is "system of record" for corporate issues

Ned logs onto the GRC solution, and immediately pulls up the issues he and others have been posting to the system.   

Ned uses a pre-defined view he created to zero in on the relevant issues

Ned has not wasted any time. While meeting with Jake, Paul, Andrew, and third-party provider management, he put the action plans and associated timelines into the solution as they were formulated, eliminating transcription time for him and ensuring that he was capturing everything that the system requires, thus avoiding the need to go back multiple times and quiz information providers on information gaps.

GRC solution links issues with action plans

Ned next reviews the action plan associated with the fifth issue on the list on the need to inform customers about the processing problems that occurred.  For that, Ned will seek help from SteadyBank's Corporate Public Relations Department in order to craft an appropriate message.

Ned is satisfied with what he has put into motion, and he checks his plan for fixing the problem with the third-party provider over in the electronic payments area. 

Action plan for Third-Party Provider (TPP) in SteadyBank Electronic Payments

Ned has the required actions - he just needs to initiate the approval process and he and Jake can report to Peter Principal, CEO, that they are dealing with all of the issues and that it appears they have headed off what could have been a major crisis and loss event.  With a couple of button clicks, Ned has put into motion five action plans aimed at dealing with the crisis, and he will take status twice a day until the major hurdles have been overcome.

GRC solution captures and surfaces early warning signals

Ned knows that Peter will ask if there had been any warning signals that such problems might occur.  Ned decides that he will need to provide a backdrop of what internal control assessments and audits had indicated over the past two years.  That will not take long.

Ned uses his "favorites" list to filter out the assessments of interest

Ned clicks on the GRC audit tab.  He uses a "favorite" feature which allows him to view previously defined organizational entities within SteadyBank.  He quickly finds the report he is seeking and displays it on his screen.

Audit scores and trends by SteadyBank operating units

Just as Ned suspected, there were some reasons to be concerned.  They had indications from audit results that sooner or later the pressures and issues in technology, as SteadyBank rolled out its "modernization plan," would play out if not dealt with "head-on."  Further, the upward trend in HR reflected concerns around expected turnover and the challenges of ramping up staff who needed to expand their skill sets to handle the new web channel and electronic banking.  The alternatives were to replace existing staff with new hires, or contractors, who possessed the needed skills, or outsource the function entirely.

Ned decided to examine the quarterly retail banking operations self-assessments that provided the operating unit's perspective.  Ned clicked over to the GRC risk tab in the solution and pulled up the last three quarterly assessments.

Operating unit assessments provide more data points

Ned concludes, "Clearly, the handwriting was on the wall, but due to cost control and other priorities the audit results were given low priority -- so much for plausible deniability!"
Ned knew that he and Jake would have very little time afforded to them, and the full management team, between dealing with the crisis and finding a more permanent fix.  After all, the CEO would have to answer to Tom Scrutiny, their primary regulatory examiner, and also the Corporate Board. 
"Yes," Ned thought, "fixing the process is the next task I will need to address with Jake."
Ned considered what role the GRC system would play in that chapter of the story, and it all started to come into focus.  He is thinking that his next solution "mouse click" will be on the GRC compliance tab.

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information.  For an introduction to SteadyBank and the main characters in this blog series, please see the post Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


Press release today announcing launch of SAS High-Performance Risk Release 2.2

Today marks the announcement of the latest release of the SAS® High-Performance Risk solution at The Premier Business Leadership Series in Las Vegas, Nevada.  In today’s environment, financial institutions need to make timely and well-informed decisions on a range of portfolio moves, from individual security positions through to firm-wide exposures of credit, market and liquidity risk, and possibly macro-hedges.

SAS High-Performance Risk empowers risk professionals to ask questions – and get fast, precise answers – to address business issues that normally entail significant time delays before results can be obtained.

Risk managers in banking and capital markets need the power to know, and fully understand the implications of, their:

  • exposures
  • price volatility of financial assets held
  • earnings at risk
  • aggregate risk position
  • loss potential
  • appropriateness of limits in risk policies
  • minute-to-minute conformance with limits
  • compliance with regulations

Meeting the challenges

The faster response times made possible by SAS High-Performance Risk enable firms to meet their significant business challenges head-on, while the solution’s scalability ensures the firm’s ability to meet the ever-increasing scope, scale, complexity and pace of change well into the future. Customer issues include real-time risk aggregation, dynamic portfolio valuation, continuous limits monitoring, liquidity management, and counterparty and concentration risk.

Benefits include:

  • Faster, more accurate portfolio risk and exposure measurement
  • More targeted and profitable reaction to market events
  • Ability to plan ahead, anticipate outcomes and formulate contingencies.

Accurate quantification of millions of correlations spanning marketable securities, market indices, economic indicators, and counterparties is no small feat. Aggregating results and calculating interest rate, liquidity, and counterparty exposure based on the full distribution of market states, all in near-real time, is an even greater challenge.  Leveraging patent-pending in-memory technology, the SAS® High-Performance Risk solution achieves dramatically reduced run times, where results are maintained in-memory, enabling instantaneous stress testing, scenario analysis and interrogation of results on multiple portfolios. 

Regulatory pressure a factor


In the aftermath of the financial crisis, regulators have come to view markets as more interconnected, with growing transactional volume across borders and ever-increasing complexity.  Regulatory compliance pressures have stepped up to deal with a more systemic view that recognizes the linkages between institutions and across stock exchanges and country/regional jurisdictions that previously were supervised in a more micro-prudential fashion.  Where previously there were silos in local jurisdictions due to differing requirements, different markets and market structures, we now see more of a blend with greater commonality and unification through to asset classifications. 

This movement towards systemic regulation will not likely abate over the coming years.  Consequently, global banks and capital markets firms must continue to evolve and hasten the ways in which they analyze big data for risk and compliance to meet Basel III, Dodd-Frank and other regulations.  Basel III is a) requiring banks to increase Tier 1 capital, b) changing how firms assess, measure and report their liquidity, and c) requiring that they account for their  counterparty credit risk via the credit value adjustment (CVA) metric.  In addition,  the US Dodd-Frank Act's mandate for central clearing and standardization of the synthetic securities market will require all firms that engage in swaps and derivatives transactions to transform their processes in order to achieve compliance.  Yes, there is much work to be done on the regulatory front!

About SAS High-Performance Risk Release 2.2

The latest release affords users demonstrably superior capabilities in the marketplace, such as:

  • Fast distributed calculation for quick risk monitoring and decision making
  • End-to-end risk analysis for complete risk exploration
  • User or third-party risk methods and pricing model interface for openness
  • On-demand in-memory reporting for flexible slice-dice view
  • Integrated view of independently updatable information for enterprise aggregated risk analysis
  • Event-driven risk information update for quick and automated data orchestration

The new release enables large-scale simulations, portfolio pricing, and portfolio aggregation in minutes or seconds.  Optional support for event stream processing, for rapid data injection and event orchestration, is now available.  For more information, please visit the SAS High-Performance Risk solution web page.


What does high performance analytics mean to CEOs?

CEOs are confronted with all sorts of issues day-in and day-out.  They must deal with an ever-increasing: 1) pace of change, 2) volume of data, 3) degree of complexity, 4) technological advances, 5) globalization, 6) regulations, 7) competition, and frequent shifts in: 1) market and economic forces, 2) customer preferences, 3) board and shareholder risk appetites, and 4) brand sentiment evidenced through social media.  CEOs typically have a corporate mission defined and corporate values instilled in the workforce that serve to unify the corporate team and reinforce behaviors that live the vision.  Examples of values would be: put the customer first, treat fellow employees with courtesy and respect, be inclusive, provide clear performance signals, exhibit a can-do attitude, trust the process, and so on.

CEOs leverage annual planning and strategy sessions to refine their vision, set direction and quantify corporate goals.  CEOs answer to their board for the enterprise's performance relative to the goals that they and their management team are expected to deliver.  Analytics comes into play, and is operationalized, in the decision-making, execution, and analysis of results as depicted below.

Typical business learning context

Which do you trust, science or your gut?!

Instincts are great, but sometimes they can steer us wrong (literally), like when you skid on ice and the rear of your car is fishtailing and instinct tells you to turn away from the direction the rear wheels are moving.  Science and models can lead us in the wrong direction in situations where data and formulas alone are insufficient to capture the realities, uncertainties and dynamics of important assumptions.  Data capture past experience and other important variables, but may lack sufficient consistency, reliability, completeness, or availability to provide solid ground for a decision.  Effective decision-making draws from three primary sources, namely data, science, and judgment.  You need all three, because science leverages observed behavior and givens (data) and business rules (judgment) to enumerate all relevant possibilities in order to predict what will happen and to determine what is best.

Further, we recognize that data may be unstructured and hence not readily usable without some good science (e.g. text mining) to extract nuggets of information.  Furthermore, judgment can point to the best approach for a modeler to use when attempting to solve a problem and judgment can also play into determining the proper transformations to use on input data or even the level of granularity required.  I have highlighted these examples for you in the graphic below that illustrates the inter-connectedness theme.

Interconnectedness of data, science and judgment in decision-making

It is generally accepted that the more experienced a CEO is in their role and industry, the greater the likelihood that they will be successful.  Those who have been around a long time have either made plenty of mistakes, or witnessed their fair share of crises brought about by a combination of unfavorable circumstances, flawed processes, inadequate controls and bad decisions or behavior.  The greatest asset a leader can have is knowledge.  In the final analysis, sustainable winning is a function of the power to know plus the ability to act.  So, let's consider two different models for acquiring knowledge.

Which way would you prefer to learn?!

On the right-hand side, we have learning by experience. An alternative means of acquiring knowledge is learning through high performance analytics (HPA).  As noted in my last post that pointed to the value of HPA for modelers, CEOs are entering an era where it will be possible for them to embed high performance analytics into their decision-making process.  This will pay huge dividends, both in good times and in bad times. 

When in crisis mode, time-to-decision can spell the difference between minimal loss and staggering loss scenarios.  Just imagine what the value of HPA amounts to in the extreme case!  What about HPA's value in good times?  Consider those quiet moments when a CEO contemplates the cascading consequences of taking certain actions, such as restructuring their business, or embarking on a new venture, or making an acquisition. 

In the world of HPA, the CEO can imagine what a solution could look like, and that vision can merge with the business problem-solving reality to map out how the desired result might be achieved.

In summary, high performance analytics can provide leaders with:

  • more information
  • more options
  • better solutions

High performance analytics can position leaders (CEOs) for success by enabling them to learn faster, and more safely, through modeling rather than by experience.

Deciding what to do

Ned and Jake now realize that the spike in delinquencies is due to operational risk, not credit quality issues.  The change in terms disclosure evidently went unnoticed by most consumers, since there were no incremental complaints the month after the notices were mailed.  However, when customers all of a sudden had checks bounce, and were assessed a $50 fee per check, that definitely caught their attention!  The remaining challenge is to determine the full extent of the problem and then decide what to do about it.

Ned leverages the incident management capabilities of the solution

For that, Ned turns to his GRC system (SAS Enterprise GRC), which tracks all policy changes, operational incidents or process failures, and shows status on issues and their associated action plans.  By virtue of the number of customers affected and the estimated cost per account, Ned can get estimates of the loss per incident.  Clearly there are controls that failed and some new ones that need to be added.  When it comes time to fix the process, Ned will review risk and control assessments and decide what to do.  But for now, he needs to make sure he has everything covered.  

Helicopter view with a single button click!

For that exercise, Ned is in luck because he can use the 360 degree viewer with a single button click to find instantly all linkages to relevant risks, controls, objectives, incidents, policies, insurance policies, service level agreements, vendor contracts, assessments, and so on.  From that screen, Ned clicks over to the issues and actions tab to survey the issues in question.

Ned surveys issues that combine to a new "perfect storm" issue he will create

Ned will not only use the system to figure out the extent of the problem and root causes -- he will actually define a new issue that is the combined effect of known issues, and he will put in place an action plan and monitoring to ensure it is handled in an effective and timely manner.  The pressure is on, and minutes can make the difference between minimal damage and poster-child meltdown!

Ned creates the perfect storm issue for which he and Jake will develop an action plan

Ned decides to huddle again with Jake, so he scurries down the hallway and appears unannounced.   Jake looks up and sees Ned in the doorway and invites him to take a seat.  

Jake and Ned huddle and strategize on what to do!

Ned advises, "Jake, we need to formulate a good response and get the ball rolling quickly.  By next week’s Board Meeting, we’d better have this buttoned down completely, including making the customers “whole,” and putting together a solid communication around what transpired."

Jake nods in agreement with a concurrent blank stare out the window.

The operational failure by the third party has potentially thrown the change in overdraft pricing into the public spotlight, and it is likely that Ned and Jake will soon see something on the popular Channel 5 Evening News Action Hotline featuring one or more of SteadyBank’s unhappy customers with some complaints.  It sure would have played in SteadyBank’s favor to get the word out early to customers, in advance of any negative publicity.

Ned suggests, "We need to get with Corporate PR right away to decide on an appropriate message." 

"Ok Ned, but do we have our arms around all of the issues yet?" Jake inquires.

"Yeah, let me show you what I have pulled and analyzed from our GRC system," Ned replies, and he shares an export of the 360 degree view that he has annotated.

Sorting it all out with the help of SAS Enterprise GRC!

"This is really great Ned," is Jake's response, continuing, "The pieces are all beginning to fall into place now."  Jake further examines the 360 degree view, and notes,  “We also need to make the third party reimburse us for the damage done, even though we have financial/professional insurance coverage.” 

“Good catch Jake!  Quantifying that, however, is going to be a difficult exercise,” replied Ned, “and to your point, we will need to give a heads-up to our insurance carrier, per corporate policy BOP-LGL-100.1.”

"You leave the insurance notification to me," Jake replies, "And as for the quantification of the damages, I am putting that squarely on Paul's shoulders!" 

Jake recalls the earlier phone call, and tells Ned, "Paul threw Andrew under the bus on the checkless payment problem to take heat off of himself, and I think he needs something more to do this weekend than his usual routine!"   

Jake wraps up the meeting, telling Ned, “We need to check with Legal to see what would be reasonable damages to include, such as value of the customer relationship over expected account lifetime.  With several hundred customers impacted, the word of mouth effect could snowball to thousands of customers, and the financial impact could be in the millions for us on an annual basis.  In addition, the impact on our share price and reputation could prove to be our biggest headache.” 

[At this point, Ned and Jake have a plan and have decided what needs to be addressed.  In next Thursday's post, they will take appropriate actions to deal with the looming crisis.]


What does high performance analytics (HPA) mean to modelers?!

Interpretation: Subscripts on decision variables are getting cheaper!!

Gains in performance boost computer-based modeling capabilities

We have witnessed a 1,000 times improvement in peak flops (floating point operations per second) every ten years for the past three decades.  For those unfamiliar with Moore's Law: Gordon Moore, fellow UC Berkeley grad and former CEO of Intel, predicted in his 1965 paper a doubling in the number of transistors on a computer chip every two years.  Combined with faster clock speeds, this has produced improvements in chip performance that have taken us to the brink of exascale computing (that's ten to the eighteenth power, or a quintillion, flops) and billion-way concurrency!

My trusty Pickett slide rule circa "The 60's"

As a college freshman in 1969, armed with a slide rule, I never imagined that this level of computing capacity would exist in my lifetime -- not in my wildest dreams.  Allow me to share a personal story that can illustrate the impact of high performance analytics (HPA) on decision-makers and problem-solvers.  I hope that it will foster a deeper appreciation of the impact that this technological advancement will have on the way business leaders gain knowledge in order to develop and execute strategies and make key decisions.  HPA will surely help them to meet or exceed their corporate goals. 


Balance sheet analytics in the 80's

In 1985, as a balance sheet management analyst, I developed strategies to engineer a target balance sheet on an 18 month planning horizon.  A primary tool was a large-scale financial optimization system that pulled a half gigabyte of data from all of the bank's transaction systems (commercial loans, swaps, collars and caps booked by the investment bank, Eurodollar placements and takings, treasuries, agencies, term repos, reverses, other capital markets securities, consumer certificates of deposit, jumbo and liability management CDs, financial futures, and so on).  It also accepted interest rate forecasts for all key market indices supplied by the bank's economics unit, and risk preferences based upon executive management's risk appetite.

The objective function was to maximize net interest income (NII) plus realized capital gains/losses plus capital appreciation/depreciation.  I will not go into the constraint descriptions, but they were considerable.  Since the model was a temporal one, the cash flows needed to be preserved, while purchases and sales of securities were permitted for the first six months of an eighteen month horizon.  There were also non-linear risk constraints that were varied to generate an efficient frontier of risk-return tradeoffs.  Strategy choice was a function of the resulting pay-off matrix under different economic scenarios and the corporate risk appetite (tangent of A/L Management Committee indifference curve with the efficient frontier). 

The problem size, expressed in terms of the matrix that was generated from the modeling language and data inputs for input to the optimizer, was 30 thousand rows by 15 thousand columns, with a density of non-zero coefficients of 0.55 percent.  It took 50 minutes to generate the matrix, and 10 minutes to solve it, on an IBM 3033 mainframe running the OS/MVS operating system in batch mode.  In those days, great care was taken to manage problem sizes that could otherwise chew up a lot of CPU cycles on expensive computing platforms and pose unacceptably long run-times.

Due to the long processing times, we were compelled to make the models as simple as possible.  For example, an instrument was defined based on the type of security and its maturity combined, instead of just the category of security with maturity being a second dimension.  This cut down on the number of decision variables, but it also limited the ability to interrogate the model and consider maturity structure independent of the category of security.  We made many other compromises in the problem formulation that made the application more challenging to work with in many respects.  Those spillover effects included difficulties in data management, constraint specification, infeasibility tracing, model documentation, problem modification, and verification (both of the problem specification and of the optimal solution).  Despite those and many other barriers, we managed to develop some great balance sheet strategies, and the few basis points of improvement we achieved annually for a super-regional bank with $32 billion in assets more than covered our technology investment, staffing costs and overhead by a factor of two (that's an ROI exceeding 100%).  We verified the value added, contrasted against both a benchmark "do nothing" strategy and a naive approach based on past performance.  We always asked the "is the juice worth the squeeze" question, and before continuing with my balance sheet formulation story, let me digress for a short tale relative to the bank's trading operation.

Relative to the bank's trading book, I recall the chairman coming down to my office one afternoon.  He shut the door to my office and told me he was wondering if our bond trading activities were really delivering for the bank.  So he asked me to run a simulation wherein we turned over the bond portfolio every two years (i.e. replaced 4 1/6 percent of the portfolio every month) over a five year period, based on purchases at the historical Fed auction prices.  He wanted the results on his desk the next morning.  I reported to the CEO the next morning, accompanied by my manager, the bank's chief economist.  The answer ratified that our traders were consistently beating the market by a statistically significant, and financially material, margin that was well worth the costs of technology and performance-based compensation.

High performance analytics (HPA) in our current decade

Fast forward thirty years, and we are now getting very close to achieving exascale computing.  For the problem just described, the implications are very dramatic.  We can now refine the model to have sufficient subscripts on the decision variables to enable modeling closer to the business reality, by defining a new problem framework with some realistic ranges on individual dimension limits.

Additional subscripts better capture the problem & facilitate solution analysis

You may wonder why a modeler might include legal location of the entity holding a security as a dimension in the framework.  Well, it turns out there are different tax treatments for various securities, in different, yes even neighboring, states in the US.  If you consider cross border holdings, then geo-political risk and foreign exchange risk come into play.  Euro-denominated securities could be put on a USD equivalent basis, but if they are still denominated in euros when a market disruption or failure occurs, the USD cash equivalent value may change.  Sure, on the tax treatment issue, you could handle the issue through the ETL, or data input stage, to put all securities on a pre-tax or after-tax equivalent basis.  However, you would not be able to perform "what-if"  simulations or post-optimality / parametric analysis with an optimization problem that is memory resident with billion-way concurrency.  Instead, you would need to reload "big data."

You may also wonder why the problem framework should include the utility dimension.  Well, that has to do with risk appetite.  With the proper formulation, this mathematical programming problem can allow course correction on what securities to buy, sell, and hold, based on the extent to which profit plan targets have been met.  The appetite for risk would likely increase after goals have been met by sufficient margin, say 110%, 150%, 200%, and 250%.  In this case there would be four breakpoints introduced for the objective function, which would in effect quadruple the problem size.  But remember, decision variable subscripts are getting cheaper!

In the first scenario in the high performance balance sheet management problem formulation, I allowed the dimension sizes to exhaust all practical problem sizes.  The result was nearly three quadrillion decision variables.  Scenario two is a more conservative formulation, still very realistic for most mid-to-larger sized firms, which is in the neighborhood of nine billion decision variables.

HPA Takeaways

In summary, high performance analytics is not just about speed.  It enables modeling that:
  • can consume massive volumes of data
  • is closer to the business reality
  • can encompass a vast array of possibilities
  • can surface whole families of solutions + associated trade-offs
  • can identify and portray the connectedness of solutions
  • fosters a far deeper understanding of the solution and its sensitivity to model assumptions and uncontrollable forces

I will have more to say from a higher level perspective in a blog post on Friday that addresses what HPA means to CEOs.  Please stay tuned!

Quest for the truth

Ned Thomas, CRO

Ned is determined to get to the bottom of the spike in key risk indicators (KRIs).  It would not be long before Peter Principal, the CEO, would be on his doorstep wanting his update on the corporate risk profile for next week’s board meeting.  The focus of the board meeting will be a review and approval of the capital plan prior to the Form 10-K SEC filing.  Before departing for the conference in San Francisco and vacation with family, Ned had completed his narratives to support his corporate risk profile ratings and trends for the major risk categories for the past 6 months.  Now this could change everything!

What was looking to be stable, or decreasing risk, now appears to be increasing for credit risk, transaction risk, price risk, reputation risk, and strategic risk!  What makes matters worse, the Board has invited their primary bank regulator to attend the next meeting and Ned knows that Tom Scrutiny, Examiner in Charge, will most certainly be attending the meeting as an honored guest!  

“Boy, this is just not what I needed—what horrible timing,” he tells himself!  Ned ponders “I do not have much time to sort all of this out – I’ve got to quickly diagnose the root cause(s), formulate a risk mitigation response, and begin executing it before next week.”

Ned mulls over his next move, which is looking more and more like some pointed dialogue with SteadyBank Operations.  He knows Jake Jabber, SteadyBank COO, will get straight answers more quickly than he can extract the truth from the operations staff. 

So, Ned heads down to Jake’s office.  Together they decide it is time to call Paul, the manager of the eastern region’s processing center in Lexington, Kentucky.

Jake Jabber, COO

Jake dials and, as Paul picks up, he announces himself and begins to interrogate Paul.

“Hey Paul," Jake boomed, "Anything out of the ordinary been going on this past week or two?” 

Paul nervously replies, a slight quiver in his voice, “I been meaning to call you Jake, but wanted to make sure we had it handled on this end first so it would be old news and no big deal!” 

Jake’s eyes widen, and he replies, “I’m putting you on speaker phone so you can calm Ned’s concerns at the same time – he’s here in my office and he has beaten you to the punch on bringing me bad news!”  Jake continues, in a sarcastic tone, “So I trust the answer is that you have this under control now!”  There is dead silence on the other end. 

Spinning the truth

Paul Winkler, SVP, Tech & Ops Manager

“Hello, Paul!  Are you still on the line?” Jake asks.

“Yeah, I’m here,” Paul replies, “Here’s the deal."  Paul clears his throat and matter-of-factly reports, "About two weeks ago, as you know, we relocated our lock box facility.  In the meantime we had begun to implement the majority of the staff reduction initiatives."  There was a pause.

"Well?  Please continue Paul," says Jake, "I'm all ears!" 

Paul resumes his report, saying, "We contracted with a third party to process the mail over that weekend until we got the new facility operational on Monday."  Paul hesitates again, before explaining, "Well, it turns out that accidentally several large bags of mail got misplaced in the corner of the old facility.  It wasn’t until a week later that we realized there was a problem."

Paul continues, "We might have noticed quicker, but fewer staff were tasked with more to do and we did not press real hard, since morale is running low."  Paul could visualize Jake getting red in the face on the other end, and he pauses again to see if Jake has a comeback, but there is only silence on the line.

Paul concludes his explanation with a sigh, saying, "As a result, somewhere between eight hundred to fourteen hundred customers' payments were posted 6 days late."

Paul continues, "This did not affect merchant accounts – only our retail customers residing in the eastern region.  I suppose that for some customers our collectors were a bit too aggressive, which no doubt ruffled some feathers.  On top of that, recall we raised our late fees recently and shortened the grace period from five to three days.  

That’s all I know right now, but say, if you want to pick on folks today you should give Andrew a call over in the Internet Banking Technology Group.  I hear that the “checkless payment” program ran into an unexpected bug and there were potentially a couple of thousand customers affected!”

Jake Jabber, COO

“That’s enough,” Jake said, “I will circle back with you later today Paul.” 

Jake immediately calls Andrew on the speaker phone, who confirms that there is a problem, the extent of which is yet to be determined.  Probably not critical in and of itself, but in combination with the other issues, it could loom disproportionately large and further erode customer confidence. 

Jake hopes that customers will seek SteadyBank’s help to resolve any bad transactions and not ventilate frustrations to the local press.  For Ned, reputation risk is now top of mind.


Jake adds pieces to the puzzle


Jake Jabber, COO

Jake invites Ned down to his office.  Ned grabs his laptop and heads down the hallway to share what he has found and his concerns.  Ned was able to quickly bring Jake up to speed via the SteadyBank Enterprise GRC solution, which he masterfully navigated to substantiate the facts he had been able to assemble so far. Ned is struggling with a difficult puzzle.  He believes that with information provided by Jake, he can use the GRC solution to both confirm what Jake tells him and enable him to quickly fit the pieces together to solve it. 

Jake listens intently.  After hearing all that Ned has to say, he zeroes in on the “change in terms” event, telling Ned “The customer notification on that one did not go smoothly at all.  Our new third-party provider (TPP) had been tasked to access confidential customer information and perform the notification, but it turns out that they had a processing failure on their end that went totally undetected.” 

“Undetected!” Ned blurts out.  “How so?!”

“Well,” Jake begins, “the operations person charged with responsibility at SteadyBank to oversee the TPP knew he was going to be laid off.  He did not effectively manage the transition, probably because he was more engaged in networking activities and finding a new job.  He also overlooked adding the vendor to the approved TPP Information Privacy Approval List.  As you know, because your people developed it, SteadyBank has a very thorough Gramm-Leach-Bliley (GLB) Procedure, as directed by GLB Corporate Policy 10101.  Problem is, it simply was not executed properly.”

Ned recalls that the change became effective 30 days from the notification.  “Wait just a minute, Jake,” Ned remarks, “this is too coincidental!”

Ned Thomas, CRO


Ned is now thinking that the attrition has to be due to a mounting customer backlash on the posting order decision.  “Listen Jake, I think I’m on to something,” Ned shares, “We’re hitting some of our customers with higher fees and they don’t like it!”  

Not wanting to consume more of Jake’s time until he has a more complete picture, Ned excuses himself and heads back to his office.

Ned realizes that he needs to probe deeper.  Two months ago, when the new posting order went into effect, there indeed had been an increase in complaints, and a minor uptick in checking account attrition, but nothing close to the current magnitude.  “Let's see what has happened lately, and where, and for which products!” he says to himself, and Ned pulls up his cheat sheet on key risk indicators (KRIs) and key performance indicators (KPIs).

Eastern region 4-day attrition KRI and component risk measures

He first zeroes in on the KRIs, where he has risk indicators that break out regular from premier checking accounts for the east versus west regions on a rolling four-day window.

Ned verifies that the related summary KRI looks at attrition over the past four days for checking accounts in total, for each region separately.

Ned glances down at his watch and notes the time.  It's nine o'clock.   By now the call center and branch offices are open for business.  Ned goes to the monitoring tab in his EGRC solution and examines key risk and key performance indicators to see if the problem is widespread, or specific to particular business units.  To his surprise, he finds that the eastern region is hit three times harder than the west!  Perhaps the change in terms is not the culprit after all!  Moreover, Ned sees that there was a dramatic increase in complaints and attrition just in the past four business days.

Ned decides to have another cup of coffee while he ponders his next move.  Nothing like a few challenges on his first day back from vacation!
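The rolling four-day attrition KRI Ned reads above, broken out by region and product and then compared with recent history, is simple to reproduce in code.  The following is an added example written for this page; it is not code from the blog series or from any GRC vendor.  It assumes region labels "east" and "west", product labels "regular" and "premier", a constructed closure log in place of real SteadyBank data, and assumed breach thresholds (a window count at twice the baseline expectation, and an east/west skew of 3x or more).

```python
from collections import Counter
from datetime import date, timedelta

REGIONS = ("east", "west")          # assumed region labels
AS_OF = date(2012, 11, 1)           # assumed "today" (a Thursday) for the KRI run


def business_days_back(as_of, n):
    """Return the n most recent business days (Mon-Fri) ending at as_of, as a set."""
    days = set()
    d = as_of
    while len(days) < n:
        if d.weekday() < 5:
            days.add(d)
        d -= timedelta(days=1)
    return days


def attrition_kri(closures, as_of, window=4):
    """Rolling-window KRI: closures per (region, product) plus the per-region summary."""
    in_window = business_days_back(as_of, window)
    by_component = Counter()
    by_region = Counter()
    for row in closures:
        if row["date"] in in_window:
            by_component[(row["region"], row["product"])] += 1
            by_region[row["region"]] += 1
    return by_component, by_region


def baseline_daily_rate(closures, as_of, window=4, lookback=20):
    """Average closures per business day per region over the `lookback` business days
    that precede the current window, so the KRI is judged against recent history."""
    current = business_days_back(as_of, window)
    prior = business_days_back(min(current) - timedelta(days=1), lookback)
    counts = Counter(row["region"] for row in closures if row["date"] in prior)
    return {r: counts[r] / lookback for r in REGIONS}


def kri_breaches(by_region, baseline, window=4, multiple=2.0, skew_limit=3.0):
    """Flag a region whose window count is at least `multiple` x its baseline expectation,
    and flag an east/west skew at or above `skew_limit`.  Both thresholds are assumed."""
    flags = []
    for region in REGIONS:
        expected = baseline.get(region, 0.0) * window
        count = by_region.get(region, 0)
        if expected > 0 and count >= multiple * expected:
            flags.append(f"{region}: {count} closures vs about {expected:.1f} expected")
    east, west = by_region.get("east", 0), by_region.get("west", 0)
    if west > 0 and east / west >= skew_limit:
        flags.append(f"east/west skew: {east / west:.1f}x")
    return flags


def constructed_closures():
    """Constructed closure log (not SteadyBank data): one regular-account closure per
    region per business day in October 2012, then a four-day spike concentrated in the east."""
    rows = []
    for day in range(1, 27):
        d = date(2012, 10, day)
        if d.weekday() < 5:
            for region in REGIONS:
                rows.append({"date": d, "region": region, "product": "regular"})
    for d in (date(2012, 10, 29), date(2012, 10, 30), date(2012, 10, 31), date(2012, 11, 1)):
        rows += [
            {"date": d, "region": "east", "product": "regular"},
            {"date": d, "region": "east", "product": "regular"},
            {"date": d, "region": "east", "product": "premier"},
            {"date": d, "region": "west", "product": "regular"},
        ]
    return rows


CLOSURES = constructed_closures()

if __name__ == "__main__":
    components, regions = attrition_kri(CLOSURES, AS_OF)
    for (region, product), n in sorted(components.items()):
        print(f"{region:5} {product:8} {n}")
    print(kri_breaches(regions, baseline_daily_rate(CLOSURES, AS_OF)))
```

The point of the baseline step is the one Ned makes: a raw four-day count tells you little on its own, so the KRI is compared with the same measure over the preceding weeks, and the east/west comparison is made on the region summaries rather than on the product-level components, which are kept for drilling down once a breach is flagged.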
