An effective governance, risk and compliance (GRC) program is an organization-wide enterprise; a part of a credit union’s culture.
GRC should improve overall performance, both operationally and strategically, says Tony Ferris, CEO of Rochdale Paragon Group, a CUNA partner.
He addressed the CUNA Governance, Risk Management, Compliance Leadership Institute in Denver.
Some outcomes that GRC programs help credit unions achieve:
Capital allocation. “When you get down to it, capital and resource utilization that optimizes the risk-reward scenario is the end all, be all of an effective GRC program,” Ferris says. “It’s very strategic in nature.”
Operational execution. Ferris says credit union GRC programs should engage the whole organization, proactively sharing information and breaking down silos where tasks are the focus rather than organizational objectives.
“The idea is to be proactive rather than reactive,” he says.
Defining workplace culture. “Every credit union has its own culture,” Ferris says. “The question is whether that culture is driving you towards your goals and objectives.
“Are people bringing you the information you need to move the organization forward—or are they simply keeping their heads down and just doing the job in front of them?”
Identifying opportunities. “If I miss an opportunity, is it going to cost me my job or result in losses?” Ferris asks. “Probably not. But it's guaranteed that your organization is worse off. A risk-averse or siloed approach hinders innovative and advanced decisioning.
"The decisions you make today determine how relevant your credit union will be in the future. How many opportunities is your credit union missing?"
Strategic focus. Ferris says it’s part of GRC’s responsibility to keep the management team and the board focused on what’s important strategically.
Risk programs, while they have an operational component, are ultimately focused on what has to go right to achieve the objectives of the organization at the strategic and mission levels.
Cost savings. “We can walk through our organizations and we see inefficiencies," he says. "But without an integrated and holistic approach, you will be hard pressed to fix them. Coordinated risk, compliance, and audit programs capture information once, fill knowledge gaps, and target those items that are truly important."
Examination strength. “A nice, clean exam” is among every CEO’s and board’s biggest expectations.
GRC helps to ensure “there are no gaps in the process,” Ferris says. “Most importantly, it demonstrates the capabilities to effectively and holistically govern, identify, analyze, and take effective action in a manner that is appropriate given the level of risk.
“In the end, our programs and cultures need to flip the equation to minimize tasks and maximize the intelligence we garner from the organization as a whole," Ferris says. "Holistic programs create organizational capabilities that keep meeting the business objectives front and central rather than chasing work. We need to get back to running the business and not working to simply check the box."