Skip to content

January 31, 2024

When IT Governance Fails – Investments Unlimited Series: Chapter 1

By IT Revolution ,Helen Beal ,Bill Bensing ,Jason Cox ,Michael Edenzon ,Dr. Tapabrata "Topo" Pal ,Caleb Queern ,John Rzeszotarski ,Andres Vega ,John Willis

Welcome to the first installment in our serialization of the book Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age, written by Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Tapabrata Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis.

In this opening chapter, Investments Unlimited CEO Susan Jones receives surprising news about an MRIA, or Matter Requiring Immediate Attention notice, putting the future of her company IUI into jeopardy. Read below or listen to the first episode of the limited series podcast here.


Prelude

“Dad? Bad news .”

The rain against the government office window on the gray New England afternoon had gotten so strong that Greg Dorshaw had to ask his teenage daughter to repeat herself. His old flip phone was getting harder to hear.

“Dad, they called off the game because of the weather. You don’t need to come. Drive safely on your way home.”

Dorshaw never missed his daughter’s softball games. This week, the wet Boston weather had given the Supervisory Officer an excuse to stay late in the office and dig into a curious email he had received from his team earlier that day.

Eager for some quiet time to focus, he turned off the fluorescent lights in his Federal Reserve Board office, poked at what remained of his takeout Pad Thai, and focused on the email. With his face lit only by the light of the monitor, he read:

Subject Line: IUI preliminary examination results

Greg, looks like history is repeating itself. Seems like another fintech firm is going to require a formal action. 

The team is quite concerned  .  .  .

Chapter 1

Monday, March 28th

Susan Jones had been the CEO of Investments Unlimited, Inc. (IUI), for five years. She was quick on her feet and always appeared to ask the right questions and make the right decisions. The board trusted her. But right now—although you couldn’t tell from her demeanor—she was panicking.

“How did you find out?” Susan said into the phone, nearly gasping. It was family pizza night, but she had stepped away from the kitchen to take the urgent call. Behind her the noise of her family, Rich and Lucas making Rich’s famous pizza, seemed to disappear. All she could hear was the beat of her own heart and Jason, her SVP of Digital Transformation, on the phone.

“I met with Bernard this evening at our regular two-finger Scotch session. He let me know that the MRIA will be issued to IUI.” Jason paused. “You know, it may feel like regulators are out to get us, but they’re really there to help us and help protect our customers.”

“You could have fooled me,” Susan replied, half under her breath. She didn’t think Jason heard her as he kept talking.

“It’s not uncommon for an MRIA to be informally notified through back channels so there’s no surprise when it’s issued. Bernard has a good relationship with the director of the regulatory agency approving the MRIA. That director reached out to Bernard as a show of good faith,” Jason said.

Susan took a deep breath. She was familiar with an MRIA, a Matter Requiring Immediate Attention, but only in concept. Actually being issued one was alarming. Federal regulators only issue an MRIA when something is seriously wrong at a bank. They aren’t handed out like candy. Susan had heard horror stories from other institutions, but she’d never had one issued at a bank she worked at—let alone the bank she ran.

“Do you know what the MRIA is about?” Susan asked.

“Yes, and it’s frankly embarrassing. There are over fifteen MRAs that have been issued to IUI over the past year. We’ve asked for several extensions on those, but there doesn’t seem to be a clear plan to close them. That’s why this MRIA is being issued. Our team hasn’t provided any evidence of progress, and the agency now thinks we have a huge problem.”

“I see,” Susan said. But really, she didn’t understand at all. How did my team let this happen? she wondered. How did I let this happen? Her CAO (Chief Audit Officer) had repeatedly assured her that everything was in order with these MRAs. Clearly that wasn’t true.

“As you know, it’s a big issue,” Jason said. “Just remember, you’re CEO because Bernard thinks the world of you and knows you’re extremely capable. I reminded him that he couldn’t have retired without you. He agreed.”

“Thanks for the kind words, Jason. We’ll have to get the whole team together first thing in the morning to tackle how we found ourselves in such a mess. There’s nothing more we can do tonight.”

“Sounds good,” responded Jason. “I’m sorry to interrupt your evening, but I knew you would want to know. I’ll talk to you tomorrow. Have a good night.”

“Yes, thanks, Jason. I’m glad you called. Good night.” Susan ended the call and sat down at the dining room table. It was a long table that fit over fifteen people, and it was always made up as if there was a dinner party starting at any moment. The orderly array of dishes in front of her seemed to mock her as she processed the implications of the call with Jason. Her mind was racing for answers and solutions.

She sat there, waiting for the numbness to wear off, waiting for her thoughts to slow down to a crawl.

“Love, are you okay?” Rich asked softly as he walked out of the kitchen.

“Yes, I’m fine. Give me a minute, and I’ll come in to help with the pizza,” Susan replied. She could smell the old Sicilian tomato sauce recipe that Rich was cooking up. It was a favorite of his, handed down from his great-grandmother to his mother to him. She took a deep breath. The delicious aroma was like therapy. Maybe she was starting to feel better—or maybe she was just hungry. Either way, she walked into the kitchen.

As Susan looked around, all she could see was a mess. White flour covered the countertops and floors. It looked like a fresh coat of Aspen snow had covered their kitchen.

“Well, this is certainly a ‘matter requiring immediate attention’ if I’ve ever seen one,” Susan said, walking over to her six-year-old son, Lucas, happily drawing smiley faces in the flour on the countertop.

“No need to meet Jason this evening?” Rich asked, bringing Susan an apron.

“Nope, the phone call did enough damage for one night,” Susan responded, tying the apron on.

“Ohhhhh, did Mommy get in trouuuble?” Lucas asked as he wiped his flour-
covered hands all over Susan’s once-clean apron.

“Oh, Lucas,” Rich reprimanded gently. “Mommy didn’t get in trouble. There’s just a problem at her work. But she’ll fix it. That’s why she’s the boss,” Rich said with a smile toward his wife. He placed a big round of pizza dough on the counter in front of them. Flour flew up into the air, and Lucas laughed.

“What kind of problem?” Lucas asked as Susan spread sauce over the dough. “Did you talk while your boss was talking? Or break a rule? ’Cause Xian broke a rule at recess today, and he had to sit for the rest of recess and not play at all.”

“No, I didn’t break a rule,” Susan said. “There’s just some housecleaning at work that hasn’t been getting done like it should. And now we have a whole lot of cleaning to do in a short amount of time.”

“Is it like when Grandma comes for a visit and you get all crazy?” Lucas asked, dramatically flinging his arms around.

Rich stifled a laugh and turned to grab the toppings.

“No, no. It’s more like when I ask you to clean your room. That’s like an MRA—what we call a Matter Requiring Attention,” Susan said, adopting her most serious movie-trailer voice.

“I hate when you tell me to clean my room.”

“Yes, well, what’s happened is we’ve been asked to clean our room lots of times, but apparently no one has done it, or at least not very well, so now we have to deal with a MR-I-A, a Matter Requiring Immediate Attention.”

Lucas’s eyes widened.

“Think of it like you’re on your last warning and you’re about to get a time out,” Rich added. “Or get sent to the principal’s office.”

“Wow. Mommy really did get in trouble,” Lucas said. Then he reached for a huge handful of mozzarella and dropped it in the center of the pizza.

Susan suddenly realized she needed to inform her leadership team and set aside time tomorrow for assessing the situation.

“Rich, give me about five minutes before we top the pizzas. I need to do one last thing.”

Susan hurried back into the dining room and fired off a quick message to her senior staff using the inter-office chat system.

“Sorry to break into your evening, everyone, but this news can’t wait. Jason and I were informed of an MRIA coming our way. Please do what you can to clear your schedules between 10 and 2 tomorrow. We have a lot of work to do.”

She pressed send and walked back into the kitchen.

Susan settled into her side of the bed as Rich pulled up the latest episode of the comfort TV show they were watching these days.

“So, you’ve got quite a firestorm to settle at the office, huh?” Rich asked.

“Yes. An MRIA is no joke,” Susan explained.

“If I recall correctly, isn’t the next step some type of formal action by the regulators?” asked Rich.

“Yes, it is. Something like that would have a devastating impact on IUI and everyone who works there. No doubt it could end Bernard’s time as chairman, finish my career, and tarnish me for the rest of my working life. If it gets to that point, there are many companies looking to purchase our assets in a fire sale.” Susan frowned as she said all of this.

“You’ll figure it out. They didn’t make you CEO for nothing.” Rich clicked the button on the remote and started the show.

Susan’s mind wandered. She reflected back on how IUI had started fifteen years ago as a small company in a crowded industry clamoring for business. Like those nearby research centers, they sought to discover new ways to deliver investment and banking value to the world. She remembered the lean years where they struggled to get by.

In just the past twelve years, this small but big-hearted company had managed to not only survive but also thrive with its winning strategy of focusing on socially responsible investing. This differentiator resonated in the market and soon began to pay off. Three years later, the one hundred–person firm had expanded to a thousand employees and just topped $400 million in revenue and total assets of $20 billion. Things were looking pretty good.

They had also recently begun a digital transformation utilizing the business-accelerating principles of Agile and DevOps. Jason had been hired to help with this. He was given the charter to take intuitive digital products to the next level. He had a bold vision. He wanted to completely redesign the user experience, making complex financial transactions and products approachable, easy, safe, and reliable. He was doing all of this while helping their teams adopt more modern and Agile ways of working. The first releases of these intuitive tools or digital products proved to be way better than expected. Feedback from customers was astounding and conversion rates for new accounts were growing faster than ever. It felt like the next voyage of IUI was just about to set sail!

But now things were looking a little more like a sinking ship.

Susan wasn’t sure how she had found herself in such an uncomfortable position. She had assembled a great team to lead IUI into the future. Her CIO, Jennifer Limus, was brilliant. As a developer turned leader, Jennifer always seemed to have her finger on the pulse of technological innovation.

How did this get so out of hand? Susan thought to herself.

Susan wondered if she would be able to sleep. Her mind was spinning, searching for answers. Eventually she was able to drift off, dreaming of ships sinking under her kitchen faucets, dinner plates bobbing in the water, and regulators shouting from the countertops.

Tuesday, March 29th

Susan arrived in the company board room ahead of everyone else. Her admin accompanied her to set up the virtual teleconference, place the printed MRIA documents on the table, and adjust the lighting. Susan took her seat and looked out the window. Clouds were gathering. An apt metaphor, she thought to herself.

Jennifer, the CIO; Tim, the CISO; Bill, VP of Product; and Jada, the Chief Risk and Compliance Officer (CRCO), arrived a few minutes later and took their seats around the table. It was clear that everyone was anxious and tensions were high.

“Well, you all know why we’re here today,” Susan began. “I need answers, and fast. But first, I’d like to announce to everyone that effective today, Jada will act as Chief Risk and Compliance Officer, heading both Audit as well as Risk.” 

Murmurings began to fly around the room. Susan quickly held her hand up, a clear sign for everyone to quiet down. “I want to make this clear. No one has been fired. Fredrick has been looking to retire, and he has taken this as an opportunity to finally spend more time at that cabin of his and teach his grandkids to fish. I wish him the very best. I’ll be looking to fill the void he left, but it will take a while. I have every confidence in Jada’s abilities until then.”

Even with Susan’s attempts to quell the fear in the room, it was clear that everyone was tense. She understood. It had been a hard discussion with Fredrick early this morning. Despite her best attempts to assure Fredrick that she didn’t pass blame to him, he had made it clear that he didn’t feel he was up to the task anymore and that he had full confidence in Jada taking over.

“Okay, everyone. Now that that is out of the way, let’s get down to business. I’ve heard what Fredrick had to say, but now I want to hear from all of you. How did we get to the point where the OCC has hit us with an MRIA?”

Immediately, Jada spoke up. Jada had been with IUI as long as Susan, and she was always quick to offer her opinions. Her passion had made her a great CRO, and hopefully a great CRCO. But that same strength also made her come across as rigid and abrasive at times.

“I’ve been warning everyone about this for the past year,” Jada answered, looking around the room. She added, “Yet consistently I was told that product release deadlines were a higher priority.”

“Come on, Jada. You know we had no choice,” Bill said. As VP of Product, Bill was obsessed with shipping features and products that would delight clients and drive revenue. He was always pushing to get things done and could always be counted on to defend his team. He had been with IUI longer than anyone else in the room and knew their customer well. He was sometimes slower to accept new mindsets and ways of working, but his intentions were right. “Without these new features and updates, the apps would be deemed unusable, and our customers would vote us off the island. It’s like the Risk team doesn’t even know we’re running a competitive business here.”

“Of course we know that, Bill. We’re trying to help protect IUI and its competitiveness,” Jada responded. “We can’t be competitive if our applications and customer data aren’t secure. I’ve been cautioning you guys that we’ve let our delivery teams do whatever they want in the name of DevOps and digital transformation. We have no control. For heaven’s sake, we are a bank!”

Susan leaned back in her chair. She wasn’t pleased by the blame that was being tossed around the room.

“Jada’s right,” Tim began in his typical firm yet calm voice, obviously trying to rein in a discussion that was quickly taking a bad turn. “We’re all looking out for IUI.”

Tim had a commanding and official presence about him that fit his role as CISO. When he entered the room, people paid attention. His résumé included a long list of leading financial cyber groups, as well as some large IT audit firms. “To be fair,” he continued, “we have all of these MRAs listed in the product backlog. Why hasn’t the Dev team been delivering on them?”

Bill rolled his eyes. “Honestly, it seems to take forever to just get features out. I don’t know what our Dev teams do all day. They clearly can’t keep up.”

“Keep up?!” Jennifer looked perplexed. She was probably one of the youngest executive leaders at a company the size of IUI, but her knowledge and skill far outweighed many of her peers at other institutions. “I think everyone understands that we attack whatever is in our multiple backlogs with the engineers we have available. But each product’s backlog is growing on a daily basis with new features and demands.” Jennifer looked over at Bill and continued, “The problem is we never get enough time to address technical debt, much less the frequent ‘urgent new feature’ fire drills that the Product team keeps hitting us with.”

“So hire more people!” Bill shot back.

“You think it’s that easy? It’s not. The demand for quality engineers is extremely competitive, and then we still have to onboard those we do hire. We have many open spots right now, and the new engineers we just hired are still coming up to speed. I don’t think any of us saw the tsunami of new feature work that would be hitting us.” Jennifer took a deep breath, obviously trying, then looked over at Susan for support.

Susan sat at the head of the table, quietly watching and listening as her team bickered like teenagers. She had expected some finger-pointing, but this was worse than she imagined. Most of all, she was just confused. She had been receiving enthusiastic reports from all of her VPs about the great progress they had made with DevOps over the past few years. And after IUI had brought Jason in a year ago as SVP of Digital Transformation, the progress had only increased. However, now it seemed like the left hand didn’t know what the right had been doing.

“Look, this isn’t productive,” Susan said, standing up. “I need some real answers. What is the current situation with the MRAs and what are we going to do about it? I need to show the board that we have a clear plan of action. The regulators have informed us that we have just three months to address all of their concerns and show we have a plan to move forward. Three months before IUI gets hit with a formal enforcement action from the regulators. Three months before every one of you and every person who works for you is suddenly out of job or IUI is taken over by the government. Three months before everything we have built comes crashing down around us.

“Now, I don’t think anyone in this room wants to have to tell their entire team that their leaders failed them.” Susan paused and looked at each person around the table. She was relieved to see some of them squirm slightly under her gaze. It meant the message was hitting home.

“We get it,” Jada said, breaking the silence. She took a breath. “The MRAs that led to this MRIA deal with a lot of issues related to our IT governance—the way we develop, run, and manage our software. We’ll get a summary list for you.”

“Thank you,” Susan said, sitting back down in her chair and looking at Tim, who was sitting next to Jada.

Tim looked at Jennifer, then back to Susan. “I’ll work with Jennifer to put together our action plan to get these addressed. But it isn’t going to be easy. We have a lot of work going on right now  .  .  .  ”

“There’s always a lot of work going on,” Susan interrupted. “And I don’t need to be told that this will be hard. What I need are solutions. IUI’s survival could be in jeopardy, with serious consequences to our thousands of employees and their families. This must be our top priority.”

Susan looked around the room and worked up a grim smile. “I know we can get through this. There’s plenty of talent in this room and on your teams. We have just three months to fix this mess or it’s game over. It’s as simple as that.”

Susan stood again. “Now, I have to go and meet with the board, who will likely want us to bring in an external auditor to review and sign off on our closure package with regulators. But I want regular updates on your progress. My assistant will be putting a weekly huddle on all of your calendars. I expect great things from you all. Let’s figure this out. Let’s make this happen.”

Heads nodded. Susan grabbed her tablet and exited the room.


That was a dramatic start! Tune in next week as Susan urgently calls an emergency leadership meeting to address the serious MRIA concerns over inadequate IT governance at IUI. Can Susan and her team develop a credible action plan in time? Join us next time for the continuation of the story. Or, go to your favorite book retailer and pick up Investments Unlimited today.

- About The Authors
Avatar photo

IT Revolution

Trusted by technology leaders worldwide. Since publishing The Phoenix Project in 2013, and launching DevOps Enterprise Summit in 2014, we’ve been assembling guidance from industry experts and top practitioners.

Follow IT Revolution on Social Media
Avatar photo

Helen Beal

Coauthor of Investments Unlimited.

Follow Helen on Social Media
Avatar photo

Bill Bensing

Bill Bensing tranforms Shadow IT into legitimate software development organizations. Bill's recent thought-leadership is proving software devliery velocity and highly secure and compliant software are not mutally exclusive. He lives in Tampa Bay, FL, area.

Follow Bill on Social Media
Avatar photo

Jason Cox

Director, Global SRE @ Disney | Speaker | Co-Author of Investments Unlimited

Follow Jason on Social Media
Avatar photo

Michael Edenzon

Michael Edenzon is a senior IT leader and engineer that modernizes and disrupts the technical landscape for highly-regulated organizations. Michael provides technical design, decisioning, and solutioning across complex verticals and leverages continuous learning practices to drive organizational change. He is a fervent advocate for the developer experience and believes that enablement-focused automation is the key to building compliant software at scale.

Follow Michael on Social Media

More Like This

Audit to the Rescue? – Investments Unlimited Series: Chapter 12
By IT Revolution , Helen Beal , Bill Bensing , Jason Cox , Michael Edenzon , Dr. Tapabrata "Topo" Pal , Caleb Queern , John Rzeszotarski , Andres Vega , John Willis

Welcome to the twelfth installment of IT Revolution’s series based on the book Investments…

Mastering the Art of (Re)Recruiting Talent in Times of Transformation
By IT Revolution

In today's fast-paced and ever-evolving business landscape, organizations are constantly undergoing transformations to stay…

What to Expect at Enterprise Technology Leadership Summit Europe Virtual
By Gene Kim

Holy cow, Enterprise Technology Leadership Summit Europe Virtual is happening next week, and I’m…

Boardroom Showdown – Investments Unlimited Series: Chapter 11
By IT Revolution , Helen Beal , Jason Cox , Michael Edenzon , Dr. Tapabrata "Topo" Pal , Caleb Queern , John Rzeszotarski , Andres Vega , John Willis

Welcome to the eleventh installment of IT Revolution’s series based on the book Investments…