news.cuna.org/articles/119947-up-your-grc-game-10-steps
Mark Beasley, professor of accounting and director of the Enterprise Risk Management Initiative at North Carolina State University, says enterprise-wide governance, risk and compliance should be seen through the lens of "what drives the long-term success of the credit union."

Up your GRC game: 10 steps

Pandemic provides impetus to improve risk management.

September 29, 2021

If there was ever an environment that provided sufficient motivation to elevate your governance, risk, and compliance (GRC) function, COVID-19 has provided it.

The pandemic is “an example of how a single event can trigger an explosion of risk affecting all aspects of our operations,” says Mark Beasley, professor of accounting and director of the Enterprise Risk Management Initiative at North Carolina State University.

“COVID demonstrates how we have to think of GRC from an enterprise view,” says Beasley, who addressed the 2021 CUNA Governance, Risk Management, and Compliance Leadership Virtual Conference. “It provides motivation to consider if we’ve set up GRC in line with strategic decision-making.”

He offers 10 ways credit unions can improve their GRC efforts:

1. Assess your current GRC ecosystem

Beasley reports 83% of executives surveyed by the North Carolina State University Enterprise Risk Management Initiative said their organizations experienced a significant operational surprise in the past five years, yet only 28% of those executives report their risk management process as mature and robust. 

“Risk management will not get easier,” Beasley says. “You need organizational buy-in to make that a reality.”

2. Retain silver linings from 2020

“Many organizations have benefited from improved communication, the elimination of silos, and outside-the-box thinking during the pandemic,” he says.

These efforts will pay dividends moving forward.

3. Evaluate your GRC ecosystem through a strategy lens

GRC should start with what drives value.

“Start with what is important for the long-term success of the organization,” Beasley says. “That provides the lens through which you view risk.”

4. Look up and out more

While GRC often has an operational focus, external factors such as geopolitical changes, cyberthreats, natural disasters, and social media issues also pose risks.


5. Elevate your business continuity plan

Cyberattacks are the greatest threat to business continuity, Beasley says. 

“Our organizations are so dependent on technology today,” he says. “Who owns management of that risk in your organization? Is it silo-focused or managed at the enterprise level?”

6. Watch for innovative newcomers

New innovators present a threat to traditional competitors within any industry. 

“They’re faster and nimbler than our legacy systems,” Beasley says. “Companies that don’t have the talent and labor to deal with it will be left behind.”

7. Broaden your GRC scope

Risk management should be an expected competency for all leaders within the organization, he says. “You need multiple layers to manage this complex world we’re in.”

8. Identify blind spots

Biases cause most blind spots, Beasley says. “Don’t make assumptions or favor data that will only confirm your biases.”

9. Take advantage of opportunities

Take risks that will advance your organization strategically. 

“Be creative in identifying new opportunities,” Beasley says. “Explore where you are too risk-averse and why.”

10. Support the board’s role in governance

Provide the board with sufficient information to engage in meaningful risk management discussions.