GRC & Me – Episode Summary
Episode Title: Evolving ERM in Credit Unions and Smaller Organizations
Podcast: GRC & Me by LogicGate
Host: Megan Manaval
Guest: Eric Herzberger (Security Services Federal Credit Union)
Release Date: July 30, 2025
Overview
This episode of "GRC & Me" explores the evolution of Enterprise Risk Management (ERM) within credit unions and smaller organizations. Host Megan Manaval interviews Eric Herzberger, a risk management leader from Security Services Federal Credit Union. Together, they delve into common misconceptions, the unique needs of smaller institutions, practical frameworks for getting started, and how to shift from a reactive to a proactive and strategic risk management mindset.
Key Discussion Points & Insights
Breaking Myths Around ERM
- ERM as a Checkbox
- Myth debunked: Eric asserts that ERM is not just a compliance checkbox but a strategic enabler.
- "ERM…can be a strategic enabler for us instead of just trying to prevent risks from happening. It can help us understand what are the right risks we can take." (Eric, 01:53)
- ERM helps organizations leverage strengths and seize opportunities, not just avoid pitfalls.
- ERM is for Big Organizations Only
- Myth debunked: Small organizations, especially credit unions, may benefit even more from ERM due to limited resources and exposure to similar risks as larger institutions.
- "It's critically important for small organizations, especially credit unions, to help them understand the risks that they have both internally and externally. They could use it probably even more than a large organization could." (Eric, 02:44)
The Evolution of ERM in Credit Unions
- Historical Context
- Early ERM in credit unions was focused mainly on "safety and soundness" as prescribed by the NCUA (National Credit Union Association), meaning "don't break anything."
- The landscape is far more complex today, involving competition with fintechs, dealing with cybersecurity, and operating globally.
- Modern Challenges
- Credit unions now face risks from technological change, cyber threats, and the need to remain competitive even without large in-house resources.
Getting Started: A Practical Roadmap
- First Steps for Organizations
- Begin with an inventory of business processes across the organization.
- Engage with compliance, audit, and business leaders to prioritize processes based on regulatory and operational impact.
- Use frameworks like RCSA (Risk and Control Self-Assessment) as a collaborative tool.
- "A risk and control self-assessment is a great way to start bringing the business leaders into this risk management mindset and helping them understand enterprise risk management…in a non threatening way because we're doing it together." (Eric, 05:30-07:43)
Overcoming Silos: Cultural vs. Technical Barriers
- The Biggest Challenge: Culture
- Cultural barriers outweigh technical ones when implementing robust ERM.
- The key: ongoing education, not just single training sessions.
- It is important to clarify that risk ownership does not shift solely to the ERM team once such a department is created:
- "One of the other myths is that once you establish an ERM department, they own all the risk, right?...We just keep running our business." (Eric, 08:26-09:10)
- Three Lines of Defense
- Not independent silos—they must cooperate.
- Internal audit, compliance, and first-line units have distinct but collaborative roles.
Shift from Reactive Firefighting to Strategic Partnership
- Mindset Shift
- ERM is like having a mechanic ride with you: it’s about uncovering hidden, preventable risks before they cause harm.
- "Here I am, I'm as like the business owner, right. I'm driving my business forward and I feel like I know a lot about this vehicle...But that didn't happen this time. Well, why is that? There were hidden risks underneath. Now imagine if I had a mechanic sitting in that passenger seat." (Eric, car analogy, 10:38-12:57)
- Proactive risk management enables organizations to anticipate and control risks rather than solely reacting to disasters.
Emerging Trends & The Current Risk Landscape
- Increasing Uncertainty
- The only certainty is uncertainty, especially in U.S. regulations.
- "There's a saying like the only thing certain is uncertainty. That's kind of the role that we're ruling, especially in the regulatory environment here in the US." (Eric, 13:50)
- ERM maturity models (e.g., Forrester, Michael Rasmussen) are useful for organizations to benchmark and progress.
- Risk management must align with business goals—risk is not a postscript.
- Avoiding Over-Engineering Controls
- Controls should be right-sized; don't overdo controls in well-protected areas.
- "You don't need 10 controls here. Let's find your Kris, your key control...maybe get some automated controls, and then we're actually giving you capacity back." (Eric, 16:22)
Gaining Influence: Elevating Risk Insights
- Effective Communication
- Use tools (like LogicGate) to visualize and present enterprise-wide risks.
- Tailor conversations for senior leaders by aligning risk management with their business goals.
- "If I'm coming in saying, help me, help me work with your team so we can help you achieve your objectives, that's a whole different conversation now." (Eric, 19:04)
Strategies for Success
- Building Relationships
- True ERM value comes from partnerships—not from policing.
- Continuous learning for risk professionals ensures value-added conversations.
- "Be a lifelong learner. Be someone who is continually learning and growing in your field so that when you do have those conversations, you can bring that expertise." (Eric, 21:09)
Notable Quotes & Memorable Moments
- On ERM's value: "ERM…can help us understand what are the right risks we can take." (Eric, 01:53)
- On small organizations needing ERM: "They could use it probably even more than a large organization could." (Eric, 02:44)
- On culture vs. technical challenges: "It's always been the cultural piece...that is a challenge and it can be very helpful to have a strong tone from the top." (Eric, 08:26)
- On risk as a partnership: "If I'm coming in saying, help me, help me work with your team so we can help you achieve your objectives, that's a whole different conversation now." (Eric, 19:04)
Timestamps for Key Segments
- Introduction & Guest Background: 00:09 – 01:32
- ERM as Checkbox vs. Strategic Tool: 01:32 – 02:29
- Myths about ERM for Small Orgs: 02:29 – 03:11
- History of ERM in Credit Unions: 03:30 – 05:30
- Getting Started with ERM: 05:30 – 07:43
- Cultural Barriers & Training Needs: 08:26 – 09:57
- Mindset Shift – “Mechanic” Analogy: 10:38 – 12:57
- Emerging Risk Trends & Maturity: 13:50 – 16:05
- Right-Sizing Controls & Breaking Silos: 16:05 – 17:22
- Communicating Risk Insights to Leadership: 17:49 – 19:04
- Strategies for ERM as a Strategic Advantage: 21:09 – End
Takeaways & Final Strategies
- Start simple: Map out processes, engage stakeholders, use RCSA.
- Prioritize culture: Build understanding and collaboration, not compliance through fear.
- Use analogies and storytelling: Simplify complex ideas (“the mechanic in the passenger seat”).
- Align with objectives: Reframe ERM as helping business leaders achieve their goals.
- Continually learn: Regularly update your skills and knowledge to remain valuable.
Episode in a Sentence:
This episode reframes ERM from a burdensome requirement into a vital, strategic asset for credit unions and small organizations—emphasizing culture, collaboration, and continual learning as the keys to lasting success.