
Wondering where to start with Enterprise Risk Management (ERM)? In this episode, Security Service FCU risk management expert, Erich Herzberger, deep-dives into ERM for credit unions and smaller organizations. He covers how to kickstart your program...
A
Hi, everyone, and welcome to this episode of GRC and Me, LogicGate's podcast, designed to break down the complexities of GRC and turn them into practical strategies you can use every day. I'm Megan Manaval, and today we're tackling a topic that's critical for organizations of all sizes, the evolving landscape of enterprise risk. But before we do, I have a question for everyone. What does a sudden mechanical failure have in common with your organizational risk strategy? As you'll soon find out, quite a lot. To guide us through this, I am thrilled to have Eric Herzberger, a risk management expert from Security Services Federal Credit Union. Eric is here to demystify enterprise risk management, debunk common myths, and provide a clear roadmap for shifting your mindset from reactive firefighting to strategic risk management. Well, welcome, Eric. To kick us off, let's start with a pretty easy question. What's one thing that's not on your LinkedIn profile that we should know about you?
B
Well, thanks, Megan. And as you can see from my home office, I love music. That's one of my big hobbies. So if I'm not here, you know, working on the ERM stuff, I'm pulling off one of these guitars off the wall and playing a little bit. You know, these days I'm just kind of a bedroom musician, but I do like to play with my kids. You know, we get together and kind of jam out. So that's a really cool dad moment to do and to share with, with family. So it's probably something people don't know.
A
I love that. That's really cool and I'm glad you explained it, because sometimes people collect guitars and sometimes people can actually play those so well. Very cool. Well, let's jump in and talk a little bit about some myths and misconceptions when it comes to ERM. So. So first one here, ERM is just a compliance checkbox, right? Is that a myth or a fact?
B
Yeah, Megan, that's definitely a myth. And so, you know, ERM has come a long way and really the way to think about it is it can be a strategic enabler for us instead of just trying to prevent risks from happening. It can help us understand what are the right risks we can take. It can help us understand where we have strengths in our organization and where we have some gaps and we maybe need to fill that in a variety of different ways. So it's definitely not a checkbox, and it's something that is critical to helping organizations leverage their strengths and really take the right opportunities. Okay, okay.
A
I had a feeling you were going to say that one, but it sounds like ERM is really sort of like a big company thing. So our next question then, our next myth is that credit unions might be too small to need that enterprise level risk management. Is that true or is that a misconception?
B
Yeah, and I've heard this one too. Right. And it can be difficult for a small organization, whether it's a credit union or a community bank, to really find the value and invest in like an ERM department. You know, they probably don't have a huge budget for that. But I think it's critically important for small organizations, especially credit unions, to help them understand the risks that they have both internally and externally. They could use it probably even more than a large organization could.
A
Interesting, interesting. Well, we'll circle back to that in a little bit. So I want to, I want to start then with, you know, we're here to talk about the evolution and the future really of ERM. So why don't we start off with a little bit of that history of ERM when it comes to credit unions. Where did it begin and what does it look like today?
B
Yeah, so I think when people think about credit unions and they think about risk management in general or ERM programs, they're really thinking about the NCUA talking about safety and soundness. That's a big term. If you've been in the credit union world, you'll be familiar with that. And that that's kind of like this philosophy of like, let's just not break anything. Let's make sure that, you know, we don't make any strategic risk that's going to financially ruin this company and kind of stay on track. And so traditionally that's what NCUA examiners have come in. In my, my experience, both in my current role and with previous previous credit unions and smaller credit unions, you know, they want to just kind of know that safety and soundness thing. They want to make sure you're following certain regs. But that's the key point in today's world. It's so much more complex, Megan. As you know, like we are facing, we're competing in a global marketplace. Whether you're a small credit union or a large one. You're competing for those same customers, those same members, and you also have the same vulnerabilities from a cyber risk perspective, for example. And you're trying to compete with fintech companies who are coming to market with new products and technology that you don't have the ability to build in-house. So all that is really pointing to why ERM can be help, a helpful tool to help you understand your business and manage in today's marketplace.
A
That's, that's really interesting. And you touched on something there with the NCUA, the National Credit Union association obviously and you know, little known fact about me. So I actually once led an internal audit department at a credit union back in the early 2000s when ERM was really coming up there and so shout out to Tucson Federal Credit Union there. But we were, we were building that from scratch right at the time. And today what I think is really great is there's so much more guidance out there. You know, some of the things you just mentioned there. So for some of those folks maybe who are just starting out, what, what are, what should organizations, you know, really be looking at to, to start down this path and begin to shift towards that proactive risk management?
B
I think that's a great question, Megan, and one that I hope that many organizations are asking themselves. Like where can we start? You know, you might not have an ERM expert who can bring in all these tools, but you don't need a lot of expertise to get started. You can really start by, you know, the first step I would look at is look at your processes, make an inventory across your organization of what processes you do. Talk to your business leaders and this is a great piece that ERM can bring to your organization because that breaks down some of these silos. We start to understand where these processes have handoffs, where they have reliance on our IT or in the credit union world, the ET departments. So I'd make that list of processes I'd look to, try to prioritize those. Talk to your compliance folks, talk to your audit folks and figure out which ones do our regulators really care about, which ones carry some regulatory risk, which ones carry high levels of impact to the organization if there were problems. And then when you, you can prioritize that and maybe look to establish some operational policies and then you, once you have some of that framework and you say, okay, here's what we do, here's where we, we see risk associated with what we do, you can start building in programs. And I love RCSA. So a risk and control self assessment is a great way to start bringing the business leaders into this risk management mindset and helping them understand enterprise risk management, that we want to understand it, your particular process. We're going to do an evaluation, we're going to look at what controls you have and where ERM folks can be a guide and a helper to say, let me suggest some controls that would be effective. Let me show you a better way to maybe do this.
And also, you know, we are going to find some things, especially when we're talking about transactional risk, we're going to find some opportunities where there's errors happening and we were not aware we have that unknown internal risk, especially on the transaction. And I think that's like, that's something that a lot of organizations have and they just don't realize. And that's scary when you have unknown risks happening. And RCSA is a great way to sort of uncover some of those in a non threatening way because we're doing it together.
A
I love that, I love that. And RCSAs are such a powerful collaboration tool. Right. Like you just mentioned there. And I think going into it with that mindset of, you know, we may find some things, but that's okay, that's the point. We're finding them together so that we can fix them ahead of time. And I think that's really key. Right. That's a really common struggle that that organizations see is, is really getting everybody on board. Because sometimes, you know, that risk management, that compliance piece can come off a little, you know, adversarial at times. So in your experience, you know. Yeah, exactly. And so in your experience, I gotta ask, what's harder to overcome? Those technical silos between departments or really these cultural ones that you're starting to see. Like where's that struggle?
B
I think, and I'm speaking for several organizations I work for, it's always been the cultural piece. Right. That's one thing that is a challenge and it can be very helpful to have a strong tone from the top that helps you understand that. But another piece that I would do if I was starting ERM from scratch is I would really look into training and not just giving a training course, but how can I provide understanding and education of the value that risk management can provide and whose responsibility is it to do risk management? I think one of the other myths that we see oftentimes is that once you establish an ERM department, they own all the risk, right. They're going to just take care of it for us. We just keep running our business.
A
Yeah, why not?
B
Expert, they're going to have it. So that's where, you know, training is a big component of this. And I think it's a multifaceted training because you're really trying to affect cultural change. Right. And you're going to have, in many organizations that are evolving, going to have a three line of defense type of model. You'll have your internal audit that you've worked with. So helping folks understand that even on the internal audit side, we're not the bad guys. We're here to help make the organization better. And we all play a different role and we all have a different job to do, especially in that first line of defense role that the business owners have. You know, they may know their business really well, but they may not be able to look under the hood and kind of see the problems that are about to happen.
A
Yeah, but you know, you really, you really hit it on that too there about that culture. And the three lines of defense are not three independent lines of defense. Right. It's working together to cover some of those gaps. And that actually leads really perfectly into my next question, actually. So let's talk about that shift. Right. Because that mindset shift is so, so important in being successful in this evolution. And you know, like we talked about, I think many organizations, smaller ones, local credit unions, they might feel like they don't have a lot of the resources there and may often fall into sort of that firefighting. So can you help our listeners try to understand really why this shift is so important and frankly, now more than ever?
B
Yeah, I think that's a, that's a great question and I like to kind of share an analogy and share a little story if I could. You know, back when I was a teenager, like many teenagers back in the 90s, I love to drive any time I got the chance. So I would grab the keys from my parents. And there's one time we were driving our big van down a road I was really familiar with and I went to make a left hand turn and all of a sudden I felt the wheel just ripped out of my hands and I'm careening into the ditch, off the side, barely missing oncoming traffic, missed a pole. Everybody was okay. You know, the van got dented up a little bit. But what, what happened was there was a power steering belt that had snapped.
A
Now that was my guess.
B
Yeah, right. I don't even know if cars have power anymore. I'm not a car guy. But I think this is helpful analogy for us if you stick with me for a minute on risk management because here I am, you know, I'm, I'm as like the business owner, right. I'm driving, you know, my, my business forward and I feel like I know a lot about this vehicle. I know how to, how to maneuver it, I know how to drive it. You know, I've done this I've been on this road many times before, so I'm, I'm doing what I've always done and I'm expecting the same results. But that didn't happen this time. Well, why is that? There were hidden risks underneath. Now imagine if I had a mechanic sitting in that passenger seat and he was occasionally, he or she was occasionally helping me to lift up that hood and look under. We could have caught this error and probably many more. You can even stretch that analogy out further and say some organizations are doing some of the basic maintenance. Right. We might have good controls that, you know, occasionally we evaluate this, we look at a report. But just changing the oil wouldn't have fixed this problem. We needed someone with some expertise to come alongside the business owner. In this case, you know, myself driving the car. But I think that's a good way to think about, erm, right. Somebody who's seen lots of cars, you know, who have. In that area. He's not, he's not an expert in driving, know the, the car down the road, but he's an expert in knowing what could go wrong and what kind of maintenance and things we need to start putting in to prevent that.
A
Wow. Wow, what a, what an awesome analogy. And I, I might use that as well because I think that's something we can really relate to. Ironically, as I have a child who's gearing up to get their license as well, is, is thinking about that type of stuff and, and really knowing you might not be the expert in this situation, but there probably is an expert who can, can help you with that. So that's, that's fantastic there. And I think another thing that maybe folks can really relate to too, is that the changes in risk. Right. If you even think about when we learned to drive, all then I won't say how many years ago, but compared to now, there's a lot of emerging risks. Right. So organizations, same thing. Right. New emerging risks and stuff. So that's my segue into looking at sort of that current landscape here. What do you see as some of those top trends then, when it comes to risk that credit unions really should be looking to get ahead of and have on their radar.
B
Yeah, I think that there's a. We're in a world of uncertainty. So, you know, there's a saying like the only thing certain is uncertainty. That's kind of the role that we're ruling, especially in the regulatory environment here in the US and so I think one thing that I think about when I think about an uncertain environment is what are, what are we doing internally to ensure we continue our maturation? Right. And I think this kind of goes to. You've seen a lot of models, and you can look out there online. You know, Forrester has some good ones, Michael Rasmussen has some good ones where it talks about a risk maturity model. You know, we're evaluating where are we and where do we want to be. Right. So if you go back to that analogy, you could have an everyday mechanic help you with your van. But if your goal as an organization is you want to be the best and the fastest and, you know, leading the way, then maybe you need a pit crew like you're about to go, you know, on the F1 circuit or NASCAR. So I think thinking about the business objectives of where we want to go, that's what kind of keeps me up at night a little bit, is, are we lining our risk management maturity with the goals and the business objectives that we have? And I think even in more mature organizations, that's not always a conversation. Oftentimes you see risk management, and I'm not speaking for one organization here, I mean, you see this all across the way is a little bit of an afterthought. Oh, shoot. We should get circling compliance and risk on this project. And I think we can do a better job in our organizations of bringing those folks to the table early on, having those conversations. And that means we as risk management folks, and especially in ERM, need to be prepared with insights that can help drive.
So, you know, I would say to other ERM leaders, are you looking only at those internal things or are you looking at, you know, the external changes, what's happening in your marketplace, what competitors are doing? I think that's important, too, so we can speak intelligently when we do get that seat at the table.
A
Yeah, yeah. And I think it's a balance, right? It's, it's. You don't want to necessarily put the same controls or the same investment in an area that, you know, like you mentioned, if it's just your everyday drive to the grocery store car, you don't need the same level of maintenance as, you know, a NASCAR, you know, performance vehicle.
B
And I do see that all the time, Megan. You know, I've seen that, seen that many times. You'll have one particular area. You know, we have these silos and these different business units, and there'll always be one area that really wants to do it. Great. And they want to excel and they maybe go overboard with the controls. Right. And so that can be a way for us to say, you don't need 10 controls here. Let's find, you know, let's find your KRIs, let's find your, your key control that you really need to have in this, in this space, maybe get some automated controls, and then we're actually giving you capacity back.
A
Yeah. Oh, absolutely. And I think that's really where a lot of those silos come from. You may even have duplicate controls. You could have competing controls even in that. And so bringing everybody together, like you mentioned, and having this collaborative approach allows you to look at the goals. Right. And then it's not necessarily about a certain regulation that you have to meet or a certain initiative like that. It's definitely more focused on the maturity and the growth there of protecting your business.
B
So.
A
All right, so now that you've scared us all with these emerging risks, let's shift a little bit. And as we wrap up here, really focusing in on, you know, you showed us the importance of being more proactive with, you know, that guidance and shifting your mindsets. But how do you get those risk insights to the right conversations at the right time with the right people so that you can really start to, to, to shape those decisions rather than it being an afterthought?
B
Yeah, I think that's a great question. That's the million dollar question, right, Megan? How can we have the right conversations with the right people? And I think it's many different conversations. So I think using a tool like LogicGate, creating those inventories and being able to show an inventory of risks or show it from an enterprise view, sometimes a picture can, you know, a picture is worth a thousand words. Right. And so that can really help to be able to make the case to those business leaders. And what I found, though, is oftentimes, you know, the people doing the work are very receptive and they really want to do a better job and they want to learn. So I think you've got to approach it in two different ways. With your senior leadership, you need to approach it in a way of how can we partner with you and come alongside you? Sometimes you have to sell that value and show that value and say, this is how we're going to help you reach those business objectives. I think that's a great phrase to talk about. If I were sitting down with, you know, a business executive, I've done this in the past, or, you know, a business leader, I would ask them first, what are your objectives? What are you trying to do this year? You know.
A
Yeah.
B
And then we can start building from there and we can say, oh, well, we want to, we want to grow deposits, for example. Well, okay, where are we going to grow deposits? Are we going to pay for deposits? Like, what are, what are our plans to do that? And do we know so we can help them and say, what if I came back to you with a plan to work with your teams to look at where we might have risks in meeting that goal? I think that's a little bit different conversation and something that might change them from that mindset of I have to give up time from my team in order to check this box like we talked about earlier, that risk or compliance or whomever says they have to do. If, if I'm coming in saying, help me, help me work with your team so we can help you achieve your objectives, that's a whole different conversation now. And they might be open to really opening up the doors, letting you come in and work with their team, finding some efficiencies, getting the right controls in place. Right. Or enabling them to take a risk that they haven't thought that they could do before by understanding our capabilities better.
A
Yeah, yeah, absolutely. And I think if you phrase it like that right, you know, you've got this objective, you've got this goal. Let me help you identify these risks, these things that could prevent you from getting there. And I almost think about it like, you know, I kind of joke with my teenagers of it's my job to point out the landmines and it's your job not to step on them. Right. And that's really where I think it comes in, is we can identify some of those risks, we can point it out to the business, and then let's figure out how to not fall into those gaps, how to not have those risks materialize. And really coming at it from that, it's all about working towards that goal there. So, yeah. Fabulous. Well, thank you so much, Eric. These have been some really great insights. And as we wrap up our podcast, we always like to leave our listeners with some strategies for success. So final question for you. What is the best way to ensure that ERM does become that true strategic advantage, advantage for the organization and not just a compliance checkbox.
B
Yeah. I think it's building relationships with your business partners. And I think another piece of that, and we touched on a little bit earlier, training for them, but training for yourself. Be a lifelong learner. Be someone who is continually learning and growing in your field so that when you do have those conversations, you can bring that expertise. You can be that mechanic with the knowledge that the business leader doesn't have, and they're going to see the value in your expertise and the partnership there. So that would be my best tips. But keep at it. I want to encourage everybody build out the enterprise risk management program in your area because it really is going to make a difference in your organization.
A
Oh, absolutely, absolutely. And to those who are listening as you're building out those programs, let us know how it's going. You've heard what we've had to say here today, and we'd love to hear from you in the comments. So if you've got a tip on ways to ensure that ERM becomes that strategic advantage, we'd love to hear it. Well, Eric, thank you so much for being here today. This has been an incredibly insightful conversation. You've given our listeners a fantastic roadmap for getting started no matter what their size. And I think we'll all be thinking twice before ignoring our next maintenance on our car. For everyone listening, thank you for tuning in to this episode of GRC and Me. If you found this conversation valuable, please be sure to subscribe wherever you get your podcasts so you never miss an episode. Until next time, thanks for listening.
Episode Title: Evolving ERM in Credit Unions and Smaller Organizations
Podcast: GRC & Me by LogicGate
Host: Megan Manaval
Guest: Eric Herzberger (Security Services Federal Credit Union)
Release Date: July 30, 2025
This episode of "GRC & Me" explores the evolution of Enterprise Risk Management (ERM) within credit unions and smaller organizations. Host Megan Manaval interviews Eric Herzberger, a risk management leader from Security Services Federal Credit Union. Together, they delve into common misconceptions, the unique needs of smaller institutions, practical frameworks for getting started, and how to shift from a reactive to a proactive and strategic risk management mindset.
ERM as a Checkbox
ERM is for Big Organizations Only
Historical Context
Modern Challenges
The Biggest Challenge: Culture
Three Lines of Defense
Increasing Uncertainty
Avoiding Over-Engineering Controls
On ERM’s Value:
On Small Organizations Needing ERM:
On Culture vs. Technical Challenges:
On Risk as a Partnership:
Episode in a Sentence:
This episode reframes ERM from a burdensome requirement into a vital, strategic asset for credit unions and small organizations—emphasizing culture, collaboration, and continual learning as the keys to lasting success.