New Ways of Thinking about GRC Strategy, Part 1
August 27, 2021
Emerging best practices in governance, risk and compliance are inspiring GRC pros everywhere to rethink “the way we’ve always done things.” While leaders can’t possibly retool everything at once, there are small process and mindset tweaks they can roll out individually over time. Over the coming weeks, we’ll share a collection of small changes that can have a big impact within the various disciplines of GRC.
Enrolling in the Collaborative School of Thought
There are essentially two schools of thought around enterprise risk management (ERM). One holds that ERM works best under a single owner; the other treats risk as a joint effort and prefers collaboration to isolation.
Many of our partners say they like working with other risk owners internally. Collaborating with the leaders who are responsible for interest rate or liquidity risks, for example, helps GRC pros build a much stronger strategy.
If you or a colleague within your organization has been carrying the full load of ERM alone, consider shaking things up a bit. Start small, meeting quarterly with the heads of different units, like lending, operations, marketing, IT and accounting. Connect with them on a rotating basis to gather first-person perspectives on the state of new, emerging – and even long-time, well-known – risks.
Bursting into Tiers
As organizations grow, and the needs of the people they serve change, the number of vendors and other third parties tends to increase. Depending on the volume and speed of that growth, it can add considerable weight to the shoulders of GRC pros, especially those in charge of vendor due diligence and management.
Here's the deal: not all vendors require the same level of scrutiny, nor the same level of ongoing attention. Consider the difference between a landscaping company and an IT managed services provider, for example. Untrimmed bushes are not likely to cripple a business; unavailable systems, on the other hand, very well may.
Work toward placing your vendors into risk-based tiers, using criteria such as how critical the vendor is to business continuity and what access it has to your data and systems. This will enable you to put the greatest share of your resources toward the vendors most critical to business continuity. Examiners are likely to appreciate the prioritization. Just be sure to document your process, describing how you determined the number and type of vendor tiers and the actions that apply to each.
Stopping the Email Deluge
The biggest thing examiners want to see when it comes to policy management is that an organization is actively monitoring the process of reviewing and updating its policies. Many policies are required to be reviewed annually, so a rotating schedule works best.
That said, it’s not unusual for an organization to have hundreds of policies. So, even with a rotating schedule, policy management can get tricky, particularly when each review requires multiple sets of eyes (and multiple email reminders).
Automating the policy management process with a technology and tracking tool not only removes much of the worry that something will be missed; it also provides a good history and strong documentation for examiners. (Not to mention, a good policy management platform has been known to reduce the size of the average GRC leader's email inbox by 1,000,000 percent.)
New Solution for Credit Unions
To help GRC leaders in the credit union industry more readily discover and implement best practices like the ones above, ViClarity launched a suite of integrated consulting services called AdVisor. Our clients now have access to a collection of services, including advanced onboarding and on-demand access to compliance experts. If we can talk with your team about how AdVisor works in conjunction with our proprietary GRC technology solution, please don’t hesitate to get in touch.
And, stay tuned for our next post in the series, in which we’ll share ideas for tweaks related to compliance management, COVID-19 learnings and board strategy.
The second and third posts in the series are published separately.
Services performed by ViClarity are compliance and not legal in nature, and do not form an attorney-client relationship or any of the protections attendant to the attorney-client relationship.