Credit Union GRC Done Right

Robyn Marsi
Risk Services & Technology Practice Leader
Lynx Technology Partners LLC

Governance, risk and compliance done right has to be a holistic and integrated approach.

Sponsored by Lynx Technology Partners

Today’s challenging business climate and the shortage of cybersecurity risk management expertise make the choices you make about people, process and technology critical. The ability to address uncertainty and act with integrity is the hallmark of GRC done right.

Why is GRC so critical for credit unions? Credit unions are among the most regulated industries in the world, and that regulation will only increase, because banking and personal information are the most valuable and most targeted data sold on the dark web. The pressure will also keep growing, since financial gain will always be the top motivation among cybercriminals. As the frequency and severity of these risk events rise, reliance on risk management expertise increases. This creates challenges for all industries, and especially for credit unions, which have been slow to evolve from old practices, frameworks and inflexible processes. Forward-thinking organizations must view GRC as an integrated collection of all the capabilities necessary to support performance.

According to a study conducted by the Boston-based cybersecurity firm Black Kite, which evaluated critical security controls of 250 credit unions from all asset categories identified by the NCUA and 150 associated vendors, 86% of credit unions and 76% of vendors that serve them have breached employee credentials available on the dark web, and 66% of credit unions and 88% of vendors have not deployed the necessary cybersecurity configurations that can protect against attacks. The NCUA has also proposed a 72-hour deadline for regulated companies to report cyberattacks. This doesn't just apply to incidents solely affecting your company. The proposed rule also includes a requirement to report any incidents affecting third-party suppliers.

Even more concerning for credit unions is a recent FICO study that noted, “US consumers are beginning to address … unmet needs by turning to non-bank financial services providers as opposed to traditional banks or credit unions. 34 percent of consumers have at least one account with or engage in financial services activity with a fintech company, large technology company, merchant, or other non-bank provider. That percentage jumps to 47 for Millennials.” How do we stem this tide? How can credit unions adapt to protect their members and their bottom lines? After all, security and compliance can come at a high cost. 

Despite popular opinion, and contrary to what you might have been told by large consulting firms and technology vendors, credit unions can take action to protect themselves, their data and their reputations in a cost-effective way. Governance, risk and compliance done right has to be a holistic and integrated approach across your credit union. It needs to be aligned with both business decisions and current regulations from a strategic perspective. And most importantly, it needs to be prioritized at the very top. Remember that GRC is not technology alone. That doesn’t mean credit unions should ignore emerging technologies and continue to use outdated, disconnected tools like spreadsheets; there are systems and tools to help manage and monitor ongoing risk. But your people and processes are just as important, and ignoring them means spending money on technology that won’t make a difference when applied on its own.

GRC Best Practices

What are the best practices and controls you should be applying to ensure GRC done right? You must define and execute a cohesive strategy that’s aligned to business objectives and priorities.

Governance: Ensure organizational goals, culture and processes incorporate accountability to clients and stakeholders.

Risk: Identify, mitigate and monitor potential threats to the integrity of the organization.

Compliance: Establish and ensure appropriate guidelines are followed to achieve proper and consistent business practices.

One of the keys to successful GRC is to simplify your risk management processes and address the obstacles of a constantly changing regulatory landscape. When done correctly, GRC should result in:

  • Reduced costs
  • Reduced duplication of activities
  • Reduced impact on operations
  • Achieved greater information quality
  • Achieved greater ability to gather information quickly and efficiently
  • Achieved greater ability to repeat processes in a consistent manner

With the help of a panel of 100+ experts, OCEG studied 250+ organizations to document best practices in the GRC Capability Model (commonly called the OCEG Red Book). The model provides:

  • A unified vocabulary across disciplines
  • Defined common components and elements
  • Defined common information requirements
  • Standardized practices for things like policies and training
  • Identified communication paths for everyone involved, including strategic decision-makers

Start by assessing your current GRC program maturity. Be honest about where you stand and what blind spots or gaps exist. Evaluate and understand what data you are trying to protect and the business value it represents. It’s amazing how many credit unions are surprised by the number of digital assets that enable their business. Define, implement and maintain your security systems, and make sure that security is treated as a business imperative. As part of the cultural shift, make sure all involved parts of the organization work to make the process easier for everyone. And train your people thoroughly and consistently: people are the first line of defense and must be armed with the training and resources to report suspicious activity. Below is a comprehensive GRC implementation model that can help guide the process.

[Figure: Enterprise GRC Considerations Components]

As credit unions, you are facing unprecedented times with tremendous strain on employees and members. But addressing some fundamentals around GRC, or even considering GRC as a service (GRCaaS), can ensure that you are protecting both while making better decisions that are aligned with business goals. The result: GRC done right, and the ability to manage, monitor and take action on risk and compliance in real time.

Robyn Marsi is risk services & technology practice leader at CUES Supplier member Lynx Technology Partners LLC. She is a solution-driven executive with over 33 years of experience providing strategic direction and program oversight in developing and delivering large-scale enterprise and international solutions. Robyn has worked primarily in the financial services industry, where she has established a strong, proven track record of successfully implementing GRC programs and technology platforms on an enterprise-wide basis. She was part of a team recognized by RSA as an Industry Leader in GRC 3 years in a row. Robyn has led teams in successfully building and implementing global risk management programs that provide governance, oversight, awareness and continuous monitoring related to third parties.