The Significance of GRC: Navigating Risk and Compliance in Banking
Governance, Risk, and Compliance (GRC) is a comprehensive approach that unifies various organizational functions, such as governance, compliance, risk management, audit, performance management, and ethics. This framework, rooted in rules, facilitates the efficient management of avoidable risks by integrating activities across governance, compliance and risk management domains. GRC prioritizes the effectiveness of controls and takes a holistic view, akin to the Enterprise Risk Management (ERM) approach. By integrating these different components, GRC strives to establish a strong basis for effectively managing and reducing risks across the entire organization.
The Relevance of GRC in the Current Moment
In the fast-paced world of banking, stakeholders are demanding more transparency, accountability, and outstanding performance from companies. Meeting these expectations is no walk in the park, as organizations must navigate an ever-changing regulatory landscape that adds complexity to compliance efforts.
The growing number of third-party relationships and the associated risks have become a significant challenge for management. Ignoring these risks can have dire consequences, even putting the very existence of a business in jeopardy. In this complex environment, adopting efficient Governance, Risk, and Compliance (GRC) practices has become crucial for sustainable business growth. As the stakes continue to rise, organizations must approach these challenges with extreme care to ensure long-term success and stakeholder satisfaction. Robust GRC frameworks help companies streamline operations, strengthen their risk management capabilities, and optimize performance. These practices involve a comprehensive approach that integrates governance, risk assessment, and compliance activities, empowering businesses to navigate the intricate landscape with confidence and resilience.
Balancing Responsible Innovation and Risk: The Role of Banking-as-a-Service in Community Banks
Banking-as-a-Service (BaaS) presents lucrative opportunities for community banks, driving revenue, deposits, and customer growth. However, it also brings compliance burdens and risks. To navigate this landscape, community banks should establish vendor risk management policies that address BaaS concerns, ensuring internal oversight. By investing in personnel and compliance systems early on, banks can enhance their ability to manage oversight and regulatory functions. Pathward Financial, a major BaaS player, emphasizes the importance of robust legal and regulatory compliance management for responsible innovation. Banks must understand their ultimate responsibility in regulatory and compliance matters, actively managing and overseeing BaaS partnerships to mitigate risks. According to the Bank Director ‘Insights Report: The Secret to Success in Banking-as-a-Service’, dated April 12, 2023, “Banking-as-a-Service isn’t new, although technology has made it easier for institutions to build out this business line. Sioux Falls, South Dakota-based Pathward N.A., a subsidiary of $6.7 billion Pathward Financial, has been in this space for about two decades. The bank sees its legal and regulatory compliance management system as a “core strength” fueling its innovation with partners, says Lauren Brecht, senior vice president and managing counsel of credit and tax solutions at the bank.”
Considerations in Assessing Evolving GRC Talent Strength: Perspective through the Lens of a Risk SME
As both traditional and progressive community banks (and their prospective Fintech partners) come to terms with the realities facing them through the inevitable impact of Governance, Risk, and Compliance evolutions, bank leadership must take immediate pause to assess current talent bench strength and organizational structure around GRC. This process requires a full commitment from executive leadership, the Board of Directors, and key stakeholders leading initiatives within the different buckets within GRC. By taking a step back to examine the current state and building in regular re-assessment periods, banks can ensure they are dedicating the needed time, research, and investments to a sound operating structure surrounding GRC initiatives.
Janine Jakubauskas, Chief Risk Officer of BankProv in Amesbury, Massachusetts, and an emerging Risk leader within the BaaS banking landscape, provides initial steps and advice to consider in conducting this internal reflection.
Who within a bank should help create and draft an ideal GRC org structure?
A Bank’s CRO should be the driver of creating this ideal GRC org structure. They should be able to evaluate an institution and its risk profile, and then build a commensurate structure. The Risk managers underneath them should also play a vital role and be empowered to provide input. Of course, there also needs to be buy-in and awareness by the Bank’s CEO and Board of Directors/Board Risk Committee. It’s a joint effort to develop a strong risk culture and related org structure to support that. Partnering with your executive team and directors will help ensure strategic alignment between Risk and the Bank’s businesses.
What are the key trends in GRC and what are some notable shifts you have seen in light of the current banking climate?
Risk used to be seen as a regulatory exercise, but as several negative events have unfolded over the years, the financial industry is starting to truly understand and see the value in having strong risk management practices. Risk departments are playing an increasingly critical role within Banks and with expanded responsibility to serve as a review and challenge function, advisor, and fierce protector of the bank’s strategic objectives. Being a protector of the Bank’s strategic objectives doesn’t mean you just approve and say yes to everything. It means your department is effectively able to carry out its risk responsibilities to keep the Bank sound from potential threats (internal or external). In order to do this, you need GRC talent that is able to make risk-based decisions because ultimately the Bank needs to be able to make money and take on some level of measured risk to operate.
In recent memory, when there is a major news event at a bank or bank failure, the first department people think of is Risk. If Risk departments aren’t important, why are they blamed for bank failures so broadly in the media? These points demonstrate how much has shifted culturally in the way GRC is viewed. Now, I wouldn’t just solely blame a risk department for a bank’s failure, but the point is just to show how important the public now views risk management if they think an entire entity will fail without a strong or effective program.
In conclusion, community banks seeking to benefit from embracing BaaS, as well as more traditional banking institutions, must proceed cautiously in this new age of hyper-regulated oversight. By implementing robust third-party risk management policies, investing in qualified personnel, and establishing compliance systems in advance, these banks can embrace responsible innovation while safeguarding their operations. Only by maintaining diligent oversight and managing potential risks can community banks thrive in the evolving landscape of banking.