Deciding what to do

Ned and Jake now realize that the spike in delinquencies is due to operational risk, not credit quality issues. The change in terms disclosure evidently went unnoticed by most consumers, since there were no incremental complaints the month after they were mailed. However, when customers all of a sudden had checks bounce, and were assessed a $50 fee per check, that definitely caught their attention! The remaining challenge is to determine the full extent of the problem and then decide what to do about it.
 

Ned leverages the incident management capabilities of the solution

For that, Ned turns to his GRC system (SAS Enterprise GRC), which tracks all policy changes, operational incidents or process failures, and shows status on issues and their associated action plans.  By virtue of the number of customers affected and the estimated cost per account, Ned can get estimates of the loss per incident.  Clearly there are controls that failed and some new ones that need to be added.  When it comes time to fix the process, Ned will review risk and control assessments and decide what to do.  But for now, he needs to make sure he has everything covered.  

Helicopter view with a single button click!

For that exercise, Ned is in luck because he can use the 360 degree viewer with a single button click to find instantly all linkages to relevant risks, controls, objectives, incidents, policies, insurance policies, service level agreements, vendor contracts, assessments, and so on.  From that screen, Ned clicks over to the issues and actions tab to survey the issues in question.
 

Ned surveys issues that combine to a new "perfect storm" issue he will create

  
Ned will not only use the system to figure out the extent of the problem and root causes -- he will actually define a new issue that is the combined effect of known issues and he will put in place an action plan and monitoring to ensure it is handled in an effective and timely manner. The pressure is on, and minutes can make the difference between minimal damage and poster-child meltdown!

Ned creates the perfect storm issue for which he and Jake will develop an action plan

Ned decides to huddle again with Jake, so he scurries down the hallway and appears unannounced.   Jake looks up and sees Ned in the doorway and invites him to take a seat.  

Jake and Ned huddle and strategize on what to do!

Ned advises, "Jake, we need to formulate a good response and get the ball rolling quickly.  By next week’s Board Meeting, we’d better have this buttoned down completely, including making the customers “whole,” and putting together a solid communication around what transpired." 

Jake nods in agreement with a concurrent blank stare out the window.

The operational failure by the third party has potentially thrown the change in overdraft pricing into the public spotlight, and it is likely that Ned and Jake will see something soon on the popular Channel 5 Evening News Action Hotline featuring one or more of SteadyBank’s unhappy customers with some complaints.  It sure would have played in SteadyBank’s favor to get the word out early to customers and in advance of any negative publicity.  

Ned suggests, "We need to get with Corporate PR right away to decide on an appropriate message." 

"Ok Ned, but do we have our arms around all of the issues yet?" Jake inquires.

"Yeah, let me show you what I have pulled and analyzed from our GRC system," Ned replies and he shares an export of the 360 degree view that he has annotated.

Sorting it all out with the help of SAS Enterprise GRC!

"This is really great Ned," is Jake's response, continuing, "The pieces are all beginning to fall into place now."  Jake further examines the 360 degree view, and notes,  “We also need to make the third party reimburse us for the damage done, even though we have financial/professional insurance coverage.” 

 “Good catch Jake!  Quantifying that, however, is going to be a difficult exercise,” replied Ned, “and to your point, we will need to give a heads-up to our insurance carrier, per corporate policy BOP-LGL-100.1.” 

"You leave the insurance notification to me," Jake replies, "And as for the quantification of the damages, I am putting that squarely on Paul's shoulders!" 

Jake recalls the earlier phone call, and tells Ned, "Paul threw Andrew under the bus on the checkless payment problem to take heat off of himself, and I think he needs something more to do this weekend than his usual routine!"   

Jake wraps up the meeting, telling Ned, “We need to check with Legal to see what would be reasonable damages to include, such as value of the customer relationship over expected account lifetime.  With several hundred customers impacted, the word of mouth effect could snowball to thousands of customers, and the financial impact could be in the millions for us on an annual basis.  In addition, the impact on our share price and reputation could prove to be our biggest headache.” 

[At this point, Ned and Jake have a plan and have decided what needs to be addressed.  In next Thursday's post, they will take appropriate actions to deal with the looming crisis.]

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!) For an introduction to SteadyBank and the main characters in this blog series please click on the following title: Understand GRC through SteadyBank.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


What does high performance analytics (HPA) mean to modelers?!

Interpretation: Subscripts on decision variables are getting cheaper!

Gains in performance boost computer-based modeling capabilities

We have witnessed a 1,000 times improvement in peak flops (floating point operations per second) every ten years for the past three decades.  For those unfamiliar with Moore's Law: Gordon Moore, fellow UC Berkeley grad and former CEO of Intel, predicted in his 1965 paper a doubling in the number of transistors on a computer chip every two years.  When combined with faster clock speed, we have witnessed improvements in chip performance that have taken us to the brink of exascale computing (that's ten to the eighteenth power or a quintillion flops) and billion-way concurrency!  

My trusty Pickett slide rule circa "The 60's"

As a college freshman in 1969, armed with a slide rule, I never imagined that this level of computing capacity would exist in my lifetime -- not in my wildest dreams.  Allow me to share a personal story that can illustrate the impact of high performance analytics (HPA) on decision-makers and problem-solvers.  I hope that it will foster a deeper appreciation of the impact that this technological advancement will have on the way business leaders gain knowledge in order to develop and execute strategies and make key decisions.  HPA will surely help them to meet or exceed their corporate goals. 

 

Balance sheet analytics in the 80's

In 1985, as a balance sheet management analyst, I developed strategies to engineer a target balance sheet on an 18 month planning horizon.  A primary tool was a large-scale financial optimization system that pulled a half gigabyte of data from all of the bank's transaction systems (commercial loans, SWAPs-collars and caps booked by the investment bank, Eurodollar placements and takings, treasuries, agencies, term repos, reverses, other capital markets securities, consumer certificates of deposit, jumbo and liability management CDs, financial futures, and so on).  It also accepted interest rate forecasts for all key market indices supplied by the bank's economics unit and risk preferences based upon executive management's risk appetite.

The objective function was to maximize net interest income (NII) plus realized capital gains/losses plus capital appreciation/depreciation.  I will not go into the constraint descriptions, but they were considerable.  Since the model was a temporal one, the cash flows needed to be preserved, while purchases and sales of securities were permitted for the first six months of an eighteen month horizon.  There were also non-linear risk constraints that were varied to generate an efficient frontier of risk-return tradeoffs.  Strategy choice was a function of the resulting pay-off matrix under different economic scenarios and the corporate risk appetite (tangent of A/L Management Committee indifference curve with the efficient frontier). 

The problem size, expressed in terms of the matrix that was generated from the modeling language and data inputs for input to the optimizer, was 30 thousand rows by 15 thousand columns, with a density of non-zero coefficients of 0.55 percent.  It took 50 minutes to generate the matrix, and 10 minutes to solve it on an IBM 3033 mainframe running in OS/MVS operating system batch mode.   In those days, great care was taken to manage problem sizes that could otherwise chew up a lot of CPU cycles on expensive computing platforms and pose unacceptably long run-times. 

Due to the long processing times, we were compelled to make the models as simple as possible.  For example, an instrument was defined based on the type of security and its maturity instead of just the category of security with maturity being a second dimension.  This cut down on the number of decision variables, but it also limited the ability to interrogate the model and consider maturity structure independent of the category of security.  We made many other compromises in a problem formulation that made the application more challenging to work with in many respects.  Those spillover effects included difficulties in data management, constraint specification, infeasibility tracing, model documentation, problem modification, and verification (both of the problem specification and the optimal solution).  Despite those and many other barriers, we managed to develop some great balance sheet strategies and the few basis points of improvement we achieved annually for a super-regional bank with $32 billion in assets more than covered our technology investment, staffing costs and overhead by a factor of two (that's an ROI exceeding 100%).  We verified the value added, contrasted against both a benchmark "do nothing" strategy and a naive approach based on past performance.  We always asked the "whether the juice was worth the squeeze" question, and before continuing with my balance sheet formulation story, let me digress for a short tale relative to the bank's trading operation.

Relative to the bank's trading book, I recall the chairman coming down to my office one afternoon.  He shut the door to my office and told me he was wondering if our bond trading activities were really delivering for the bank.  So he asked me to run a simulation wherein we turned over the bond portfolio every two years (i.e. replace 4 1/6 percent of the portfolio every month) over a five year period, based on purchases at the historical Fed auction prices.  He wanted the results on his desk the next morning.  I reported to the CEO the next morning, accompanied by my manager, the bank's chief economist.  The answer ratified that our traders were consistently beating the market by a statistically significant, and financially material, margin that was well worth the costs of technology and performance-based compensation.

High performance analytics (HPA) in our current decade

Fast forward thirty years, and we are now getting very close to achieving exascale computing.  For the problem just described, the implications are very dramatic.  We can now refine the model to have sufficient subscripts on the decision variable to enable modeling closer to the business reality by defining a new problem framework with some realistic ranges on individual dimension limits.
 
Additional subscripts better capture problem & facilitate solution analysis

You may wonder why a modeler might include legal location of the entity holding a security as a dimension in the framework.  Well, it turns out there are different tax treatments for various securities, in different, yes even neighboring, states in the US.  If you consider cross border holdings, then geo-political risk and foreign exchange risk come into play.  Euro-denominated securities could be put on a USD equivalent basis, but if they are still denominated in euros when a market disruption or failure occurs, the USD cash equivalent value may change.  Sure, on the tax treatment issue, you could handle the issue through the ETL, or data input stage, to put all securities on a pre-tax or after-tax equivalent basis.  However, you would not be able to perform "what-if"  simulations or post-optimality / parametric analysis with an optimization problem that is memory resident with billion-way concurrency.  Instead, you would need to reload "big data."

 You may also wonder why the problem framework should include the utility dimension.  Well, that has to do with risk appetite.  With the proper formulation, this mathematical programming problem can allow course correction on what securities to buy, sell, and hold, based on the extent to which profit plan targets have been met.  The appetite for risk would likely increase after goals have been met by sufficient margin, say 110%, 150%, 200%, and 250%.  In this case there would be four breakpoints introduced for the objective function, which would in effect quadruple the problem size.  But remember, decision variable subscripts are getting cheaper!
 
In the first scenario in the high performance balance sheet management problem formulation, I allowed the dimension sizes to exhaust all practical problem sizes.  The result was nearly three quadrillion decision variables.  Scenario two is a more conservative formulation, still very realistic for most mid-to-larger sized firms, which is in the neighborhood of nine billion decision variables.
 

HPA Takeaways

 
In summary, high performance analytics is not just about speed. It enables modeling that:
  • can consume massive volumes of data
  • is closer to the business reality
  • can encompass a vast array of possibilities
  • can surface whole families of solutions + associated trade-offs
  • can identify and portray the connectedness of solutions
  • fosters a far deeper understanding of the solution and its sensitivity to model assumptions and uncontrollable forces
I will have more to say from a higher level perspective in a blog post on Friday that addresses what HPA means to CEOs.  Please stay tuned!

Quest for the truth

Ned Thomas, CRO

Ned is determined to get to the bottom of the spike in key risk indicators (KRIs).  It would not be long before Peter Principal, the CEO, would be on his doorstep wanting his update on the corporate risk profile for next week’s board meeting.  The focus of the board meeting will be a review and approval of the capital plan prior to the Form 10-K SEC filing.  Before departing for the conference in San Francisco and vacation with family, Ned had completed his narratives to support his corporate risk profile ratings and trends for the major risk categories for the past 6 months.  Now this could change everything!

What was looking to be stable, or decreasing risk, now appears to be increasing for credit risk, transaction risk, price risk, reputation risk, and strategic risk!  What makes matters worse, the Board has invited their primary bank regulator to attend the next meeting and Ned knows that Tom Scrutiny, Examiner in Charge, will most certainly be attending the meeting as an honored guest!  

“Boy, this is just not what I needed—what horrible timing,” he tells himself!  Ned ponders “I do not have much time to sort all of this out – I’ve got to quickly diagnose the root cause(s), formulate a risk mitigation response, and begin executing it before next week.”

Ned mulls over his next move, which is looking more and more like some pointed dialogue with SteadyBank Operations.  He knows Jake Jabber, SteadyBank COO, will get straight answers more quickly than he can extract the truth from the operations staff. 

So, Ned heads down to Jake’s office.  Together they decide it is time to call Paul, the manager of the eastern region’s processing center in Lexington, Kentucky.

Jake Jabber, COO

Jake dials and, as Paul picks up, he announces himself and begins to interrogate Paul.

“Hey Paul," Jake boomed, "Anything out of the ordinary been going on this past week or two?” 

Paul nervously replies, a slight quiver in his voice, “I been meaning to call you Jake, but wanted to make sure we had it handled on this end first so it would be old news and no big deal!” 

Jake’s eyes widen, and he replies, “I’m putting you on speaker phone so you can calm Ned’s concerns at the same time – he’s here in my office and he has beaten you to the punch on bringing me bad news!”  Jake continues, in a sarcastic tone, “So I trust the answer is that you have this under control now!”  There is dead silence on the other end. 

Spinning the truth

Paul Winkler, SVP, Tech & Ops Manager

“Hello, Paul!  Are you still on the line?” Jake asks.

  “Yeah, I’m here.” Paul replies, “Here’s the deal."  Paul clears his throat and matter-of-factly reports, "About two weeks ago, as you know, we relocated our lock box facility.  In the meantime we had begun to implement the majority of the staff reduction initiatives."  There was a pause.  

"Well?  Please continue Paul," says Jake, "I'm all ears!" 

Paul resumes his report, saying, "We contracted with a third party to process the mail over that weekend until we got the new facility operational on Monday."  Paul hesitates again, before explaining, "Well, it turns out that accidentally several large bags of mail got misplaced in the corner of the old facility.  It wasn’t until a week later that we realized there was a problem."

Paul continues, "We might have noticed quicker, but fewer staff was tasked with more to do and we did not press real hard, since morale is running low."  Paul could visualize Jake getting red in the face on the other end and he pauses again to see if Jake has a comeback, but there is only silence on the line.

Paul concludes his explanation with a sigh, saying, "As a result, somewhere between eight hundred and fourteen hundred customers' payments were posted 6 days late."

Paul continues, "This did not affect merchant accounts – only our retail customers residing in the eastern region.  I suppose that for some customers our collectors were a bit too aggressive, which no doubt ruffled some feathers.  On top of that, recall we raised our late fees recently and shortened the grace period from five to three days.  

“That’s all I know right now, but say, if you want to pick on folks today you should give Andrew a call over in the Internet Banking Technology Group. I hear that the checkless payment program ran into an unexpected bug and there were potentially a couple of thousand customers affected!” 

Jake Jabber, COO

“That’s enough,” Jake said, “I will circle back with you later today Paul.” 

Jake immediately calls Andrew on the speaker phone, who confirms that there is a problem, the extent of which is yet to be determined.  Probably not critical in and of itself, but in combination with the other issues, it could loom disproportionately large and further erode customer confidence. 

Jake hopes that customers will seek SteadyBank’s help to resolve any bad transactions and not ventilate frustrations to the local press.  For Ned, reputation risk is now top of mind.


Jake adds pieces to the puzzle

 

Jake Jabber, COO

Jake invites Ned down to his office.  Ned grabs his laptop and heads down the hallway to share what he has found and his concerns.  Ned was able to quickly bring Jake up to speed via the SteadyBank Enterprise GRC solution, which he masterfully navigated to substantiate the facts he had been able to assemble so far. Ned is struggling with a difficult puzzle.  He believes that with information provided by Jake, he can use the GRC solution to both confirm what Jake tells him and enable him to quickly fit the pieces together to solve it. 

Jake listens intently.  After hearing all that Ned has to say, he zeroes in on the “change in terms” event, telling Ned “The customer notification on that one did not go smoothly at all.  Our new third-party provider (TPP) had been tasked to access confidential customer information and perform the notification, but it turns out that they had a processing failure on their end that went totally undetected.” 

“Undetected!” Ned blurted out, “How so?!” 

“Well,” began Jake, “The operations person charged with responsibility at SteadyBank to oversee TPP knew he was going to be laid-off.  He did not effectively manage the transition, probably because he was more engaged in networking activities and finding a new job.  He also overlooked adding the vendor to the approved TPP Information Privacy Approval List.  As you know, because your people developed it, SteadyBank has a very thorough Gramm-Leach-Bliley (GLB) Procedure, as directed by GLB Corporate Policy 10101.   Problem is, it simply was not executed properly.”

 Ned recalls that the change became effective 30 days from the notification.   “Wait just a minute Jake,” Ned remarks, “this is too coincidental!” 

Ned Thomas, CRO

 

Ned is now thinking that the attrition has to be due to a mounting customer backlash on the posting order decision.  “Listen Jake, I think I’m on to something,” Ned shares, “We’re hitting some of our customers with higher fees and they don’t like it!”  

Not wanting to consume more of Jake’s time until he has a more complete picture, Ned excuses himself and heads back to his office.

  Ned realizes that he needs to probe deeper.  Two months ago, when the new posting order went into effect, there indeed had been an increase in complaints, and a minor uptick in checking account attrition, but nothing close to the current magnitude.  “Let’s see what has happened lately, and where, and for which products!” he says to himself, and Ned pulls up his cheat sheet on key risk indicators (KRIs) and key performance indicators (KPIs).  

Eastern region 4 day attrition KRI and component risk measures

He first zeros in on the KRIs, where he has risk identifiers that break out regular from premier checking accounts for the east versus west regions on a rolling four day window. 

Ned verifies that the related  summary KRI looks at attrition over the past 4 days for checking accounts in total for each region separately.    

Ned glances down at his watch and notes the time.  It's nine o'clock.   By now the call center and branch offices are open for business.  Ned goes to the monitoring tab in his EGRC solution and examines key risk and key performance indicators to see if the problem is widespread, or specific to particular business units.  To his surprise, he finds that the eastern region is hit three times harder than the west!  Perhaps the change in terms is not the culprit after all!  Moreover, Ned sees that there was a dramatic increase in complaints and attrition just in the past four business days.

Ned decides to have another cup of coffee while he ponders his next move.  Nothing like a few challenges on his first day back from vacation!


Ned spots trouble

Ned Thomas, CRO

Ned arrives at his office at seven o’clock on a Monday morning with his morning beverage of choice -- a large coffee that contains two shots of espresso.  Ned usually likes to get the jump on things to start the week, and this week is especially true because he was off-site much of the prior week with business travel.  Ned presented at a major industry meeting on the advantages of lower channel cost afforded via the Web, versus the traditional brick-and-mortar physical market footprint.   This is a popular topic among Ned’s peers at other banks, who are looking to lower operating costs significantly, and no stones are being left unturned!   At SteadyBank, the current year’s goal is an 8 percent reduction in operating expenses, achieved through:

  • a 10 percent workforce reduction
  • customer conversion to the Internet spurred via some promotions with an electronic payment vendor
  • some very targeted outsourcing initiatives

Ned’s presentation was well-received, but it monopolized his focus for a few days of final prep, during which the checkless payment initiative was launched with a media blitz.  Since the conference was in San Francisco, he took his wife and son with him and they spent an additional week sight-seeing and relaxing in the surrounding Bay Area.  Ned left his computer behind and did not check e-mails at the urging of the other C-level officers, who felt Ned should enjoy a much-deserved break from the action.

“Boy,” Ned says to himself, “There is a whole lot going on and it is so easy to get behind and lose focus.”  He decides to review his To Do List and In Process Tasks which are maintained on his Enterprise GRC Solution home page, so he docks and powers up his laptop and gets up to speed on where he stood on key initiatives before he left for the conference.  On his home page, Ned decides to review SteadyBank’s strategic business objectives. He arrows over to the lower right where his favorite shortcuts to his most critical and useful reports are prominently displayed. 

Ned's favorite shortcuts

 Clicking on the third shortcut, Ned views the annual corporate goals with specific targets.

  • Protect existing customer base through exceptional service and convenience
  • Address shrinking margins by reducing operating expenses and increasing fee income
  • Grow asset base and ROE by expanding the retail bank lending franchise

He remembers the profit planning meeting when the CEO, Peter Principal, pressed line executives to set very ambitious 2012 targets supporting those objectives, and he reads off the computer screen:

  • Reduce Operating Expense 8%
  • Reduce Headcount 10%
  • Maintain Customer Churn below 4%
  • Grow Consumer Loan Market Share 7%
  • Increase Fee Income 15%

Sipping his coffee, Ned muses to himself that there should have been a sixth and highly correlated bullet entitled:

  • Raise operational risk exposures by 40%!

Well, Ned thought, Pete, the CEO, is no doubt well-pleased with the business strategy execution in support of the goals.  After all, Ned received an “I told you so” text message at the airport Friday afternoon from the CFO, Bill Cutter, reporting that revenue was up 12 percent over the prior quarter, primarily due to fees charged to customers.  This made perfect sense to Ned because of the change to overdraft check posting rules implemented 2 months ago.  Ned had voiced strong opposition to that process change due to concerns about the reaction from customers that Ned felt might trigger significant attrition and reputation risk. 

Trouble arrives

Ned clicks over to look at his EGRC Dashboard in the middle of his solution home page.

 

Key risks dashboard

 

“Here it comes,” Ned exclaims as he notices a dial in the red signaling that there are two risks having exposures above appetite.

 

Ned drills into the dial. He discovers that one of the risks exceeding its tolerance relates to credit quality.  

 

Ned clicks his second shortcut favorite to bring up the latest asset quality control reports, which he immediately reviews.

Diminishing asset quality exceeds risk tolerances

He notices a disturbing negative spike in delinquencies, signaling what could be serious trouble in the consumer loan portfolios.

The other exposure dealt with customer relationships, so Ned clicks through to SteadyBank’s customer experience reports, and he notices that there has been a spike in customer complaints during the most recent reporting period, up fourfold from the 12 month moving average of 53 to 222 and he wonders what caused the spike.  Ned opens MS Outlook, and he finds a series of unopened alerts sent automatically by the EGRC solution indicating that customer complaints and account closures are above threshold.   Ned brings up the GRC Key Risk Indicator Trend Charts. 

SteadyBank KRI trends signal trouble

He sees that customer attrition on the deposit side of the house, namely regular and premier checking accounts, has also spiked well beyond the customary quarter of one percent monthly account churn.  “Whatever is going on could spell trouble in capital letters,” Ned reasons, “It is certain to have an adverse impact on the bottom line.” 

Ned wonders whether the recent change in terms for checking accounts had anything to do with it.  Four months ago he listened to the presentation in the risk management committee about the proposed change to check posting order (largest to smallest versus the current practice of clearing all of the small checks first when there are multiple debits for the nightly processing) and simultaneous increase in overdraft fees, doubling from $25 to $50 per item. 

The proposed change met with some resistance among two of the committee members, including Ned himself, but it passed just the same for several reasons, not the least of which was the fact that operating costs had been rising and fee income was down eight percent from the same time last year.  The rationale was that costs need to be passed along to the customer, and that customers who pay late or have insufficient funds to cover their obligations are probably the ones who most deserve to pay more, because they were thought to represent the greatest risk.  Or so it seemed to the majority of the risk committee members.  Customers were supposed to be notified a month after the committee approved both the change and the customer disclosure that would be mailed out in advance of the change taking effect.

Ned calls Jake, the COO.  “We need to talk, Jake,” Ned advises. 

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information. (To access it, simply click on the embedded link in the previous sentence!)  If you missed the initial post, please click on the following title: Understand GRC through SteadyBank.  Finally, if you are interested in learning more about what might be found on a CRO dashboard, please see my blog post Making GRC Personal, where you will find some discussion and examples of the anatomy of a bank CRO GRC dashboard.  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


Understand GRC through SteadyBank

I am devoting Thursday posts in coming weeks to a banking story designed to illustrate the value that an enterprise GRC solution can bring to a fictitious bank named SteadyBank. The inescapable truth is that in any bank, serious problems will crop up from time-to-time. The impact felt on those occasions has much to do with the extent to which there is a good process in place to help surface problems and to deal with them effectively and efficiently. Technology can play a vital role in putting a well-validated and efficient process in place, so that even when management, the Board and regulators are looking in the opposite direction, they can have confidence that any significant issues will be brought to their attention and handled in a timely manner so as to minimize any negative consequences.

A sufficiently powerful and properly utilized enterprise governance, risk and compliance (eGRC) solution can provide just the sort of process that I am speaking about. I will illustrate how this is the case by pointing out how technology can help in general terms, and I will also share an occasional screenshot from the SAS Enterprise GRC Solution to help me illustrate more specifically the functional capability that addresses the need.

This is an experiment to see whether or not telling a GRC tale in nine weekly episodes is well-received.  I am going to share the titles (broadcast dates) of the upcoming episodes much as if you were previewing a season series on Netflix!

They are:

  1. Understand GRC through SteadyBank   (September 6)
  2. Ned spots trouble   (September 13)
  3. Jake adds pieces to the puzzle   (September 20)
  4. Quest for the truth   (September 27)
  5. Deciding what to do   (October 4)
  6. Dealing with the crisis   (October 11)
  7. Fixing the process   (October 18)
  8. Keeping a watchful eye   (October 25)
  9. Enterprise GRC payback for SteadyBank   (November 1)

I look forward to your feedback as the episodes pass and the story unfolds -- please do comment as frequently as you like!  Finally, this soap opera applies to all industry segments and the public sector as well.  Financial services happens to be most familiar to me, but certainly is not alone in having personality conflicts and natural tensions among an organization's executive team that struggles for alignment as it deals with change, prioritizes objectives, constrains resources, repairs strained employee morale, tempers customer expectations, bends to financial pressures, reassures concerned regulators, satisfies demanding stakeholders, and so on.

Now we begin with a few introductions!  First up is SteadyBank itself!

An aggressive US regional bank that has grown largely through acquisition over decades,  SteadyBank is now looking to solidify its customer base and market territory and to grow organically.  SteadyBank will experience some wrenching struggles as it battles to grow revenue and market share.  Like its competitors, SteadyBank wants to keep shareholders happy, enhance its customer experience, improve employee morale, and strengthen regulatory relations.  No doubt, a tall order in today’s challenging business climate!

In the heat of the battle, SteadyBank learns some difficult and painful lessons, e.g. conflicting goals represent very real risk, change does not always come easy for their employees or their customers, and  bad situations can be made much worse – especially when management is operating under some seemingly reasonable but nonetheless false assumptions!  The situations that SteadyBank encounters are broad in scope.  In fact, they touch all areas of an enterprise GRC program!

Character Sketch of Ned Thomas, CRO, SteadyBank

Ned Thomas, CRO

Ned Thomas, CRO at SteadyBank, is a natural-born skeptic who doubts and discounts most of what he is told, or reads for that matter.  Hence, Ned likes to question and he is very persistent.  He is a “big city” guy and he works for an aggressive regional bank.  Ned has run into some “royal messes” in his time and he knows that things often are not what they initially appear to be.  As a result, Ned recognizes the value of collaboration and of creating a culture where issues are surfaced quickly and all relevant information is volunteered without the need of conducting pointed interrogations.

Ned gets provoked when he thinks someone is either concealing information that he seeks, or is putting their own spin on things in order to put themselves and their interests in the most favorable light.  Ned’s mantra in the Risk Management Division is “Say it like it is!”  For Ned, how the game is played is just as important as winning the game.  Ned is on a constant lookout for reckless behavior and corporate policy violations.  Ned believes that SteadyBank and all of its officers and employees can, and should, be principled achievers.

 Character Sketch of Jake Jabber, COO, SteadyBank

Jake Jabber, COO

Jake Jabber is a feisty fellow who possesses decades of line management experience in all facets of financial services.  Jake has found the perfect opportunity to exercise his business skills and to leverage his experience.  SteadyBank has no shortage of challenges in today’s banking environment, and we will soon see whether Jake is up for the challenge, or if he is “over the hill!”  Jake has his eye on the CEO job, but for the time being, he is consumed with meeting some ambitious profit plan goals that will cause some cracks to form soon at SteadyBank Operations Company!

Jake is very impatient and his pet peeve is “idle hands.”  His staff recalls the time that Jake asked a new face in a meeting to stand up, introduce himself and point out what he had accomplished recently.  The unsuspecting staffer, Pete, announced his name, his manager, Paul Winkler, and then stated that he had not accomplished much because he had just gotten on board two months ago.  Pete did not realize that to Jake, two months is an eternity!  Jake sarcastically thanked Pete, explaining how the phrases “just got here” and “two months on the job” were contradictory!  Jake later had a few more words to say to Paul Winkler about the speed at which Paul was getting new hires producing value.  For Jake, results are what count.  Jake’s motto is “Winning is not everything, just the only thing that really matters!”

 Character Sketch of Paul Winkler, SVP & Tech & Ops Manager, SteadyBank

Paul Winkler, SVP, Tech & Ops Manager

Paul Winkler heads up the IT Operations Center and he reports to Jake.  Paul is the consummate “go along guy” and he takes great pains to see that no one “rocks the boat.”  Paul makes sure that his direct reports are aligned with his views and he does not mind using a little public humiliation as a tool when a simple “wink and nod” to go with the flow does not suffice!  That usually works.  Paul is particularly annoyed when his dictates or authority are questioned.

On any important initiative or change in operations, Paul gives his “train is leaving the station” analogy.  He tells staff they have two options: get on the train or get left behind!  Everyone in Paul’s operations center fears his wrath and they observe that messengers of bad news are always shot.  This weighs heavily on their minds and permeates the work atmosphere, how secure workers feel, and their approach towards performing their tasks and meeting their goals.  Seemingly paradoxically, Paul broadcasts that his culture is a proactive one.  The mantra in SteadyBank Operations Company is “If you see something wrong and do nothing about it, then you become part of the problem!”

On the next post, we will check in with Ned bright and early on a typical Monday morning that turns out to be far less typical than Ned would have liked!

Note: If you are interested in this series, you will also find value in another GRC tale that illustrates the value of a GRC solution relative to preventing and dealing with a breach in security leading to the theft of customer information.  (To access it, simply click on the embedded link in the previous sentence!)  Be sure you read the whole SteadyBank saga, so you can learn the GRC lessons of SteadyBank.

Drawings © 2012 Brad Abrahams


What's needed -- innovation or more regulation?

The pace of regulation

I was recently reading the 2011 edition of an annual report on federal regulations in the US entitled: "Ten Thousand Commandments 2012," by Clyde Wayne Crews, Jr. The report combines estimates from credible government sources and academia to arrive at a $1.8 trillion cost of the US regulatory enterprise, and the expense to administer it. That amounts to over 1.5 times the total individual and corporate tax revenues collected by the IRS in 2011! The report goes on to compare yearly page totals for the Federal Register, which, as of 2011, was composed of over 80 thousand pages, nearly a third of which were devoted to final rules. Proposed rules are apparently growing faster than final rules and over the past 15 years over sixty thousand rules have been issued. Currently over 60 federal departments, agencies and commissions have over four thousand rules pending according to the report. In summary, the report was pretty sobering!

The purpose of regulation

Someone once quipped: "The purpose of regulations is to make companies do what they should be doing on their own." Specifically, companies should look out for their investors, customers, the environment, and social good in the communities in which they do business and for society at large. Yet we have felt the need to enact laws to compel them to live up to these responsibilities. Certainly it is unfortunate that we have been compelled to legislate in this fashion, and one must question from time to time whether or not newly enacted laws are really necessary, in whole or in part.  If not, then what is needed to ensure that companies will "make the right choices" and "do the right things?" That responsibility rests with corporate executives and with their Boards as a primary line of defense. However, due to some glaring examples of corporate failures during the past dozen years that cost investors billions of dollars, Congress has passed legislation designed to provide investors, and the taxpayers, with assurance that:

1) necessary controls are in place,
2) their compliance will be monitored, and
3) all violators will be punished.

Some examples of regulations

The Sarbanes-Oxley Act of 2002 was intended to restore confidence in the securities markets in the wake of multi-billion dollar corporate scandals by spelling out responsibilities and enhancing requirements on Corporate Boards, executives, and public accounting firms in their reporting of corporate financial performance to the investment community and to their regulators. It created the Public Company Accounting Oversight Board, or PCAOB, to regulate and monitor firms that audit publicly held businesses. The act also addresses financial disclosure, obtaining a truly independent opinion, control strength evaluation, and governance.

The Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 was intended to address imperfections and restore trust in the financial services industry in the wake of the great recession that began in 2008. It created the Office of Financial Research, the Financial Stability Oversight Board, and the Consumer Financial Protection Bureau, whose collective authority transcends identification, investigation and evaluation of any financial/economic systemic risks; investor protections relating to the regulation of securities, including credit default swaps, asset-backed instruments (ABS), and other derivatives; and aspects of bank supervision including consumer financial products and services regulatory compliance. Specifically, Title IX, Subtitle D requires due diligence relative to analyzing the assets underlying the security and it seeks to promote quality underwriting standards, but falls short of specifying what must actually be performed or defining what constitutes quality for a standard, in terms of its effectiveness or other criteria. A new and innovative approach for risk rating, pooling, monitoring and reporting loans that back securities sold to investors is described in chapter six of The Risk of Investment Products - From Product Innovation to Risk Compliance. Title XIV deals with mortgage reform, but does not specify the means by which mortgages are to be underwritten. These topics, and more, are addressed in the book Credit Risk Assessment -- The New Lending System for Borrowers, Lenders, and Investors.

There are varying opinions as to the effectiveness of these and other regulations, their cost burden on the taxpayers, and their impact on financial, and non-financial, institutions who struggle to compete in a time of shrinking margins and severe pressure to cut or contain costs despite rising operating expenses, of which regulatory compliance is an increasing component.

The case for innovation

In my opinion, what is needed is some real innovation, not merely process improvement on the same processes that have failed us in the past. Don't get me wrong, I favor evolution in preference to revolution 99.9% of the time, commonly referred to as the champion/challenger approach. But extraordinary occasions sometimes call for a fresh approach altogether, as opposed to the "same-old, same-old" with added bells, whistles and layered safeguards. Yes, what I am advocating is replacing a broken process, not heaping more regulations around it. But "Which processes do we replace?" and "With what do we replace them?" The answer must come from innovators, perhaps working as part of a team, who understand the business sufficiently to frame the problem, the latest technology in order to assess feasibility, and practical experience/subject matter knowledge in order to engineer, validate, and implement a solution.

Let me illustrate with a concrete example. Consider an innovation for consumer loan underwriting that exhibits eight important properties that render it:

1) transparent so that the borrower, lender and investor all have an identical view and full disclosure on how every loan is rated

2) grounded in accepted principles that have stood the test of time in practice, such as the Five C’s of Credit (character, capacity, capital, collateral, and conditions) for qualifying a request for credit

3) adaptive so that repayment odds for a loan are based on up-to-the-minute results, rather than a historical development sample that is several years old

4) accurate, because the system becomes more predictive over time as experience accumulates, not less so, especially over economic cycles when static credit scorecards diminish in effectiveness as witnessed in the last recession

5) systematic, based upon a statistical model that objectively applies ratings that are based upon the best judgment and science

6) comprehensive because it considers a 360 degree view of the transaction relative to the borrower, any collateral, and the conditions of the transaction and of the current and future market states which could adversely impact the financial position of the borrower, the value of the collateral, and/or the affordability of the loan

7) simple due to the straightforward classification of a loan transaction through transparent qualification definitions, rather than attempting to assign oftentimes counterintuitive amounts of points to individual characteristics that exhibit very complex correlation patterns

8) validated using both statistics and common sense, and is not subject to violations of critical theoretical and distributional assumptions incumbent on today's prevailing models (e.g. equal variance, normality, etc.)

9) inclusive of broader segments of consumers whose access to credit may be hampered by their lack of a credit bureau record, insufficient history of being in debt for purchase of costly durable goods, or infrequent usage of credit in preference to routine cash transactions for small purchases. In some cultures people are taught to borrow only when needed, and to repay what is owed as quickly as possible. This type of behavior is either not captured (cash obligations and related payments are not typically captured and reported to credit bureaus or lenders) or is unrewarded in our current consumer credit culture and system.

I can't speak for you, but my gut tells me that such a means of granting loans would be far more effective and efficient and would require far less regulation than the current fragmented and complicated lending systems which have evolved over the past five decades or so. Why? Well, for the reasons I just cited, plus the fact that far fewer loans would be granted to borrowers who cannot afford them, and also loans would be made more available and priced more reasonably to creditworthy applicants who may, or may not, fall within the mainstream of consumer finance.

Barriers to innovation

Sound simple? Why should there be any resistance to changing the lending process as described in the previous example? The answer to that question is threefold.

1) First is resistance to change. People tend to confuse new and unfamiliar with complicated, because they have to exert the mental energy to take on and fully understand an entirely different perspective or solution approach. People would rather live with a problem that is partially solved than adopt a complete solution they do not understand.

2) Second is fear of the unknown, especially relative to performance. There may be concern that a new idea may sound good, but it may not work as advertised. How can that fear be addressed? Typically, ideas are first proven in the lab, thoroughly vetted amongst experienced practitioners and academics, and then they are pilot or market tested to see how well they perform and how acceptable they are to consumers.

3) Third, and perhaps most significant, is the cost of change. Companies only undertake voluntary change in cases where the value to be derived represents a significant enough return to warrant making the change. The expression “Is the juice worth the squeeze?” comes to mind. This may be impossible to intuit, and that is where a pilot, or market test, would come into play. But to perform a pilot, you would need to have built the system, and so it becomes a “chicken-and-egg” situation. For risk-averse companies, the profit motive will prove insufficient to overcome the uncertainty associated with a new approach that can have far-reaching consequences.

Fallout of failure to innovate

There are less obvious consequences than lack of effectiveness and efficiency associated with out-of-date business processes and practices. Certainly they put a drag on a company's profitability. Still, many companies opt to take a calculated risk that delaying the cost of modernization will not cause any near term harm. In banking, where risk management and information technology play such a vital role, that sort of thinking can prove fatal to the enterprise and very costly to taxpayers, as we witnessed in 2008.

Failure of companies to innovate when it is required to improve and maintain their business processes and practices may result in a shift of an even higher cost burden to the taxpayers through the enactment of regulations that attempt to more rigorously monitor and control flawed or outdated business practices.

What is the answer, if you believe that innovation is preferable to adding to the regulatory burden? Perhaps what is needed is an innovation council, composed of representatives from the government, industry, and academia, to develop and assess innovative ideas and technological advances in order to ensure that industry practices and business processes stay current. This type of model has been explored extensively over the past dozen years (refer to: The Triple Helix of University-Industry-Government Relations (February 2012), by Loet Leydesdorff).

Apologies for harping on lending, but that is an area of particular familiarity for me. My points are intended to be broad in scope, and not industry-specific. It is clearly in the best interest of every business to serve and protect its customers and to inspire the trust of shareholders, its Board, its primary regulator(s), legislators, elected officials, and the public at large. Laws and regulations provide an essential safeguard to society.

However, there is a need to strike a balance, and also a need and a responsibility to get to root cause(s) of problems in order to avoid:

1) missing the mark,
2) promoting overkill, or
3) generating unintended consequences.

Not an easy task, but I believe that especially when confronted with a problem of epic proportions, we may be well served to ignore for the moment our sizable investment in the status quo, and spend some quality time pondering alternatives, defining how a successful outcome would perform, and crafting a vision of the means to achieve success.

I’d like to hear what you think. Please post a comment with your preference for more innovation or more regulation!!

 


Making GRC Personal

Users of software vary in job responsibilities and also in focus.  In the parlance of software developers, users are commonly categorized as representing a particular persona, based on their business role in an organization.  In the case of enterprise GRC solutions, some examples of common personas include risk managers, compliance officers, auditors, lawyers, IT managers, operations managers, strategy officers, C-Level officers and the Board.

With the latest release of SAS Enterprise GRC, users can design their own customized Home Page.   This can help users to be more organized and focused, and saves both time and effort.   To make this a bit more concrete, let’s consider what a home page might look like for a bank Chief Risk Officer (CRO).   First, I will characterize the CRO’s role, reporting relationship, and main responsibilities.

 What is the role of a CRO in a bank? 

The CRO is responsible for developing, implementing, and maintaining the risk management function of the organization, including a strategy for managing all aspects of risk (market, credit, and operational).  The CRO is the principal control officer of the organization and he/she must maintain the independence and integrity of the risk management system and all of the controls that both support it and emanate from it. 

What is the CRO’s organizational reporting relationship? 

 The CRO may report directly to the BOD, with a dotted line to the CEO.  With respect to the BOD, the CRO may have a dual reporting relationship to the Chairman of the Board Audit Committee and the Chairman of the full Board.  In some instances, the CRO reports to the CEO or CFO.  In smaller institutions, the CEO and the CFO may share the duties of the CRO. Reporting to the CRO area are a variety of functions, including Audit, Compliance, Credit Administration, Legal, OREO, and Security.  This list may vary, depending upon the size of the institution.  If there is a balance sheet management division, then it may also report to the CRO or CFO.

What are some of the main responsibilities of a CRO? 

  • Provide risk management thought leadership, underscored internal controls philosophy and vision for the organization.
  • Develop and maintain a risk management system encompassing all types of risk confronting the organization
  • Establish a Risk Management Committee consisting of key management executives throughout the firm who are tasked with reviewing and making recommendations on all risk-related matters.  The key executives include the CEO, CFO, and Top Line Executives.
  • Ensure that the committee system of the bank is working properly.  In addition to the Risk Management Committee, the CRO may chair corporate committees, e.g. the Compliance Committee, Capital Planning Committee, Privacy Committee, and so on.  The CRO may also serve on other committees, such as the Asset/Liability, Pricing, Disclosure, and so on.  Finally, the CRO may serve on Board Committees, e.g. Audit, Compliance, and/or Risk Management.
  • Develop a risk limitation system, which seeks to identify, measure, monitor, and control risk in accordance with the organization’s risk preferences. 
  • Implement a reporting capability which provides management and the BOD with the ability to understand current and anticipated risk exposures, their associated impact on the organization, and provides helpful contexts that facilitate transparency and enable a deeper understanding of those exposures. 
  • Foster a risk-based portfolio optimization approach to managing the firm, which includes capital budgeting and allocation for the lines of business and for key organizational initiatives, and the use of insurance and alternative risk transfer vehicles.
  • Document the firm’s risk profile and explain it to the Board of Directors, regulators, stock analysts, rating agencies, and business partners.
  • Develop and enhance the information technology infrastructure and processes which encompass data acquisition, data pre-processing, data warehousing, analysis, and reporting in support of the risk management function.

Now, back to the CRO home page I have designed (pictured below): 

Anatomy of a bank CRO GRC dashboard

TOP

At the top I put a section for tasks, which might relate to oversight of some key risk mitigation action plans in play, or review of recent alerts where there is potential for significant customer impact, or more routine items, such as preparation for committee meetings, activity prioritization, and so on. 

MIDDLE

Below, and in the middle, there is a dashboard of key risk and performance indicators which relate to attainment of corporate and department objectives and a 360 degree view of the enterprise spanning governance, operations, finance, risk management, compliance, social and environment responsibility, market and competitive forces, and business strategy execution. For instance, we see on the dashboard in question that we have risk exposure that exceeds appetite (as signified by the red dial) and we might also have a number of underperforming KPIs (which would be reflected by a yellow dial).  

LEFT

To the left of the dashboard is a section for shortcuts to functions of the software solution, e.g. creating various business objects (such as a policy, an action plan, an issue, a risk, a control, an audit plan, a compliance review); or checking status on action items or workflows; retrieving the latest version of a policy or procedure and noting when it was last modified, by whom and whether the changes have been approved; or reviewing open issues and findings, and so on. 

RIGHT

To the right of the dashboard are referential links to reports (such as special mention and classified assets, OREO, foreclosures, policy exceptions, concentrations, market rates and yields, daily statement of condition, flash report on financials, division control books, balanced scorecard, capital plan, latest 10-K filing), more sensitive information (SAR filings, unresolved regulatory exam findings, outstanding issue log of Board Audit Committee, summary of pending lawsuits, summary of committee actions), and external URLs (e.g. sites relating to economic analysis and outlook, OCC Canary Report, FFIEC home page, OCEG home page, Institute of Internal Auditors home page, Complianceweek, NACD home page, RMA home page, GARP home page, PRMIA home page, SNL Financial, LexisNexis, a rating agency website).

Your Take

What would you like to see on a bank CRO home page?  (Note: I have intentionally left a gap or two for you to fill in, so please "Have at it!")


GRC solution can speed the achievement of objectives through collaboration

Today marks the announcement of the latest release of the SAS® Enterprise GRC solution at the SAS-sponsored Premier Business Leadership Series.  The main focus of GRC, short for governance, risk and compliance, is best articulated by the Open Compliance and Ethics Group as: 

The reliable achievement of objectives while addressing uncertainty and acting with integrity. 

Open Compliance and Ethics Group (OCEG)

That's really a mouthful!  Winning teams achieve their success through effective coordination.  Further, I have found in my own experience that there is sort of a team operational progression, or maturity model, which begins with communication, followed by cooperation, and finally resulting in collaboration to achieve the end goal.

  1.  communication
  2. cooperation
  3. collaboration

Technology can foster, indeed enable, collaboration so as to speed the achievement of objectives; better expose underlying risks; afford greater compliance with policies, agreements and regulations; achieve greater transparency in operations and offer more assurance to the Board and other key stakeholders.

Collaborating through GRC to make good things happen

 SAS® Enterprise GRC 5.1 provides firms with the means to foster greater collaboration among workgroups across the entire organization.  This is important, because there are critical linkages between an organization's goals, market and competitive forces, regulatory and policy compliance, risks of doing business, and stakeholder interests.  Those linkages span organizational units and third party providers that must effectively communicate and coordinate on all related activities.  The question becomes, “How does a company deal with, and successfully manage through, all of the demands, resource challenges, and perceived barriers to achieving their key objectives?”  The short answer is excellence in the following areas:

  • Organization
  • Planning
  • Strategy development
  • Timely and reliable execution

 Excellence in the above areas can best be achieved through competent leadership, a well-motivated workforce, operational knowhow, and some great technology.  For superior technology in GRC, companies are turning to SAS, which has a very powerful solution that greatly eases the data management burden associated with GRC. 

Common GRC technology components

 The latest release of the software offers a highly flexible and integrated architecture that leverages common components. 

 For example, it boasts a custom screen builder that can be used to quickly produce customizable menus with an unlimited number of sub-menus, including a re-designed home page and saved views.  This latest release provides a more personalized user experience with faster and easier navigation and the ability to turn any screen or saved view into an instant report through an export to MS Excel feature.   Users can streamline projects to desired sequence and layout and then recall any saved operational view.  They can create menus that quickly point to URLs, stored processes, dashboards, XML files, task lists and documents.

 The solution also taps a workflow administrator that enables users to customize business processes to suit, which affords improved efficiency, quality and speed. Incident management can be specifically arranged to add decision nodes, alter validation stages, configure prompts, and establish separate processing for financial effects, recoveries and allocations. An added benefit of the latest release is the ability to manage approval workflow for risk, controls and impacts. 

Linkages between GRC business components 

 SAS Enterprise GRC enables users to edit the comprehensive view of an organization’s GRC program, including linkages between GRC dimensions and custom fields. Users gain a clearer visual of how risks, controls, key risk indicators, incidents and other core elements relate to and strengthen one another, as depicted above, and can perform root cause analysis when things don’t exactly go according to plan.  Case in point: consider a fictitious bank, named SteadyBank, which has the following strategic objectives in mind:

 SteadyBank Strategic Business Objectives

  • Protect existing customer base through exceptional service and convenience
  • Address shrinking margins by reducing operating expenses and increasing fee income
  • Grow asset base and ROE by expanding the retail bank lending franchise

Suppose further that SteadyBank has quantified some specific 2012 goals and targets as follows: reduce operating expense by 8%; reduce headcount 10%; maintain customer churn below 4%; grow consumer loan market share 7%; and also increase fee income 15%.  The strategic goals of managing customer churn while simultaneously raising fees will undoubtedly present significant challenges for SteadyBank.  So, you may be wondering, "How could a user visualize what it will take to achieve these objectives, and explore where efforts might become derailed?" 

Well, a single button click on View Links from SAS Enterprise GRC release 5.1 allows the user to see that at least four of the strategic objectives (the four yellow boxes) are related through associated risks (the three beige-colored ovals), some of which relate to multiple objectives.  Root causes of potential execution failures are also made apparent (the three red stop signs).  

 Is SteadyBank destined to fall victim to trying to do too much all at once? Perhaps not. With the SAS solution, SteadyBank executives could actually visualize where their business objectives might lead, assess the risks that they would run, test the adequacy of controls, and put proper safeguards in place via a well-designed and executed action plan – all of which are core solution capabilities. In any enterprise, excellence in execution is king. SAS Enterprise GRC 5.1 enables users to maintain tighter control over their day-to-day operations.

 SAS empowers users to quickly command business operations through continuous monitoring of risks and controls. Meanwhile, they can respond to events that are planned (e.g. a regulatory change) or unplanned (e.g. an actual loss event) by changing policy, enhancing internal controls, and adjusting key risk indicator thresholds.

I will have much more to say about GRC and ways in which technology can help over the next couple of weeks' posts, which will be coming with greater frequency going forward!  I encourage you to share any comments and your thoughts about this post or other GRC topics you would like me to address.

 


High-performance analytics is opening new frontiers

Last week I traveled to Orlando to attend the 20th High-Performance Computing Symposia (HPC), part of the SCS Spring Simulation Multi-conference (SpringSim'12) in cooperation with ACM/SIGSIM.  This HPC track was organized by General Chair Dr. Gary Howell, NC State University and Program Chair Dr. Steven Seidel, Michigan Technological University.  It included a couple of great tutorial sessions on various aspects of multi-core processing, in addition to research presentations on a broad array of topics and applications. 

Digression on computing trends

No doubt, one of the great global scientific quests over the next decade will be achievement of the exascale summit.  An article by Herb Sutter that appeared in Dr. Dobb's Journal back in 2005 entitled "The Free Lunch is Over: A Fundamental Turn Towards Concurrency Software," referred to Moore's law, the well-known rule of thumb asserting a doubling every two years in the number of transistors that can be placed on an integrated circuit.  My thanks go to Professor Gerhard Wellein, Department for Computer Science at the University of Erlangen-Nuremberg, for his excellent 2012 HPC tutorial that shed further light on the proposition that "the free lunch is over."  Specifically, the following statement draws upon content from slide 5 of his workshop presentation.

 The idea of running increasingly smaller transistors on a chip (this is now approaching 3 billion) faster with increasing throughput "for free" via higher clock speeds will reach some physical limitations relative to hardware in the next decade.  

We cannot make light go faster, we are operating at atomic levels where by 2015 the size of a semiconductor processing unit is projected to approach 11 nanometers (the width of 110 helium atoms), and we are bumping up against other limits related to thermodynamics. The upshot is that: 1) advancements in multi-core/threading, 2) complex on-chip memory caches with increasing functionalities, and 3) software algorithms to better exploit parallel processing, represent three broad areas promising some degree of performance gains. For the interested reader, Dr. David E. Keyes wrote an excellent article in 2011 entitled "Exaflop/s: The why and the how" in Comptes Rendus Mecanique, that explores the subject further.  By the way, the best serial algorithm for solving a particular problem in business or science may prove inferior to a far simpler algorithm that can better exploit multicore. I couldn't have imagined that back in the 1970s when I entered the computer profession!

High-performance analytics

You may be wondering why, as a marketing person, I would attend a technical conference and listen to computer scientists discuss the latest research on the boundaries of high performance computing, especially for someone who, up until this year, was not directly involved in business solutions leveraging this powerful technology.  After all, below the surface of high level description and business context, this stuff can get pretty complicated, pretty fast. 

My rationale was fairly straightforward.  The conference afforded a very efficient way to learn directly from researchers who traveled from all over the world to share their findings on what works best and discuss future areas that hold the greatest promise and challenges for HPC.  Great minds also have the ability to make the complex seem simple.  As a result of three days of intensive immersion, I feel like I can pick up a technical journal article now and actually follow along, and even pose some intelligent questions about multicore processing (improving single thread performance through parallelism).  Moreover, in describing what high performance analytics is all about, I am much better equipped to understand related practical business issues, uses, and benefits. 

I message to a wide audience, and in more general circles outside the scientific community and actual practitioners (e.g. Boards of Directors, C-Level Management, mid-management buying decision influencers), there is a need for some education on:

  1. what high-performance analytics is all about
  2. the uses of high-performance analytics
  3. the future of high-performance analytics

A very knowledgeable and helpful researcher (Dr. Aron Ahmadia, Computational Scientist at the Shaheen Supercomputer Laboratory in Saudi Arabia) introduced me to an entertaining and informative short video on the uses of this powerful technology (developed by DreamWorks and the Council on Competitiveness).

Computer modeling advancements/applications

In the general multi-conference session on day one, Dr. Roger Smith, Chief Technology Officer for Florida Hospital's Nicholson Center, delivered the first keynote address on Monday. He made some great observations and had some good advice, which reinforced my reasoning for attending.  He said it was important to keep hands on the technology -- reading program code can demystify a lot, and you need to probe deeper than the minimum requirement, or Cliff Notes version, when surveying the literature.  He also stressed the value of a multi-disciplinary aspect, or “branching out.”  Dr. Smith has modeled in different domains, as the title of his address indicated: Surgeon, Soldier, Spy — Simulation Training in Different Domains. Looking across a variety of domains, e.g. psychology, system dynamics, medicine, economics, etc., helps you to generalize to common themes and then apply general principles in new areas.  He conjectured:

Multi-disciplinary perspectives will spur more innovation than operating within a silo of knowledge.

I agree.  The next keynote address was delivered by Dr. Dylan Schmorrow, Captain Medical Services Corps, US Navy. Dr. Schmorrow discussed sociocultural behavioral modeling as a means to understand the mindset of opposing forces and anticipate results stemming from developments off the battlefield, but within societies.  The amount of information involved in these efforts is massive and streaming on a continuous basis: big data, including open source material (e.g. Twitter, Facebook, etc.), and collecting valid data in denied environments!  Within the human system integration domain, the US Department of Defense Research and Engineering Division has an annual budget of $4 billion with an associated strategy based on a capability framework with 4 key elements:

  • Understanding
  • Detecting
  • Forecasting
  • Mitigating 

Dr. Schmorrow spoke of engineering new generations of hybrid modeling systems, the elements that would characterize successful programs, and the challenges that lie ahead relative to the task at hand of building social radar supported by results from multiple models over multiple timeframes with multiple processing layers in real time.  Success will require the ability to see change before it happens and to anticipate the impact that culture, group identity, and ideology have in irregular warfare, violent extremism, nation‐state instability, weapons of mass destruction, and cyber threats.  Sound like an application for high-performance analytics?!

New frontiers 

As I attended some of the more technical sessions on high-performance computing, it became increasingly apparent how:

 High-performance analytics will change not only how fast we can solve problems, but also the way we conceptualize them, and push out the boundaries of the solution domains.

 I am excited to report that I will be working in the Simulation Interoperability Standards Organization’s (SISO) Simulation Conceptual Modeling Study Group, the chief objective of which is to improve formalization of conceptual models.  There is a wealth of material in the literature on how to solve problems, but far less on how to conceptualize and describe them. 

 Problem conceptualization is, without a doubt, a bottleneck in the problem solving value chain.

More to come on high-performance analytics over the coming weeks.  Let me know if you have some ideas about interesting and useful applications of high-performance analytics!

 
