Posted by: David Schneier
We were having an internal conversation this past week about governance, risk, and compliance (GRC) and I was asked about its role in the small and mid-sized community banking space. The question, to be more specific, was whether I thought GRC would work for smaller institutions whose business infrastructure isn't nearly as complex as that of the larger ones that are typically at the forefront of such initiatives.
I couldn't spit out my "yes" answer fast enough. Not only did I think it would work for scaled-down institutions, in some ways I thought its impact would be more dramatic.
GRC at its core is really just about coordinating the three related disciplines so that economies of scale are realized where applicable and so that all three work with, and not against, one another. While some of my fellow practitioners are all too happy to bury that simplified interpretation under a deluge of formulas and related methodologies, I prefer to keep things simple. I do so because the only way GRC works at an institution is if it receives the full support of the C-level community (tone at the top is a must), and if you make the message difficult to understand, well, no one understands it.
So the question has to be asked: why wouldn't a CEO, CFO or COO be interested in applying a methodology that would allow their institution to address compliance in a way that encourages efficiencies and reduces effort? The answer of course is that they would be interested, likely very interested. The problem is that in the small and mid-sized banking space no one is offering or marketing GRC in any measurable way, and so business continues as usual.
As it stands right now, most institutions conduct the related GRC work in a one-off fashion. They schedule audits based on when they were last conducted, independent of any recent risk assessment. They schedule Board review and approval of the various policies at the same time each fiscal year regardless of whether the related audit and compliance activities have occurred to validate their effectiveness. As for risk assessments, those typically only occur if they're required and almost never happen as part of an overall strategy. Then there's almost always a mad scramble before each exam trying to pull everything together.
But think about how applying the principles of GRC would benefit a smaller institution. Imagine if all of the work required over the balance of a year were organized so that the activities work together and are timed so that one feeds into the next. Imagine if the compliance cycle kicked off with the various risk assessments that are either required or recommended, and their output were used to adjust the audit plan so that the institution is testing what actually needs to be tested. Consider how effective these efforts would be if, at various points along the way, the activities were assessed against what's required to ensure that, where applicable, they're tied together. How much stronger would a financial institution's risk posture be if, when senior management and the board of directors signed off on the various elements, it conveyed more than tacit approval of the work; what if their acceptance were more than a required step to appease the examiners and actually allowed them to make informed decisions?
GRC solves a different set of problems for scaled-down institutions than those encountered in the larger ones. It requires that a true plan be developed to coordinate the related activities, something that's often missing in smaller banks and credit unions. It allows for a review of these activities both to understand their interdependencies and to identify reusable artifacts and test steps, which just about never happens because no one has time to spare for such things. It also gives management a holistic view of these activities, affording them a chance to make corrections when or where necessary, before they become a bigger issue waiting to be discovered by an examiner. Perhaps the best byproduct of applying GRC is that it allows your institution to avoid the all-too-common mad scramble leading up to an exam. If you can demonstrate to an examiner that a required activity isn't scheduled to occur until later in the year, show them the plan, and provide evidence that it's being adhered to, they typically consider that a valid response. So instead of pulling late nights and long weekends trying to update documentation or conduct assessments, you can do the work when it's scheduled to happen.
GRC doesn't necessarily mean less work (though that's likely), but it always results in an institution working smarter, not harder. In the GRC projects in which I've participated, there was clearly an improvement in the value the company derived from its audit and compliance work. Regardless of the size and complexity of an organization, that has to hold appeal to its management.
GRC is not a one-size-fits-all solution; it's a one-size-fits-all concept. Regardless of whether you're a single-branch CU or a global bank, it's a concept that will work if only you give it a chance.