Rewind the calendar to 2019 and you’ll find Stephenie, the newly appointed Chief Information Security Officer at BCU, on a mission to do more than simply manage the day-to-day of a cyber security program. The BCU Board challenged leadership to adopt a level 4 NIST CSF program in parallel with resolving findings of the National Credit Union Administration (NCUA) exam earlier that year. Stephenie had a vision to empower her people through a dynamic governance, risk, and compliance program.
“We initially focused on formalizing our vendor risk, policy, and business continuity management programs by adopting Risk Cloud, as the majority of our NCUA findings were within one of those three domains. Our biggest challenge before implementing Risk Cloud was a lack of process governance and actionable insights to guide our team’s priorities. The following year, those same programs had zero exam findings.” - Stephenie Southard, Chief Security Officer
With the immediate need for NCUA compliance addressed, Stephenie was ready to explore how the Credit Union could efficiently and effectively scale its existing GRC programs to support growing operations. Part of this exploration included bringing on one of LogicGate’s Technical Account Managers (TAM).
The “Alexa or Siri” of GRC
“I like to explain having a TAM as another resource to get you where you need to go. Jerry is kind of like our own Siri or Alexa. All it takes is a simple prompt like, ‘Hey? We need this.’ and Jerry is there to make it happen.” - Stephenie Southard, Chief Security Officer
This analogy comes to life when you see how Jerry works with BCU’s Sr. Director of Business Resiliency, Kelli Bartczyszyn, and Sr. Manager of Security Operations, Tiffani Tolbert.
“I just asked him for advice last week, ‘How do your other customers do this? Or how did you do this at your financial institution before you came to LogicGate?’ Even if Jerry doesn’t have the answer to a question, he's great about reaching out to other TAMs or folks in his network to bring that additional perspective and say, ‘You might want to consider doing it this way instead.’” - Kelli Bartczyszyn, Sr. Director of Business Resiliency
In addition to Jerry’s platform and industry expertise, his regular touchpoints across teams also bring a holistic perspective to the table. This ensures that the organization-wide impact of program and process updates is accounted for — paving the way for scalability, efficiency, and alignment with strategic objectives while keeping the respective GRC teams as lean and agile as possible.
Making Continuous Improvement a Reality
A key aspect of Jerry’s role as a TAM is supporting BCU’s culture of continuous improvement. Stephenie, Kelli, and Tiffani can carry out their day-to-day activities and focus on strategic planning while Jerry translates their GRC vision into a reality. Rather than program optimization waiting for all “fires” to be resolved, Jerry’s technical support allows Stephenie and her teams to offload any bandwidth shortages, maintain momentum on evolving their programs, and keep pace with new risks, regulations, and organizational growth.
“Jerry has the technical ability to translate what we're looking for into technical requirements and then turn them into something tangible. Sometimes we aren’t even one hundred percent sure what we’re looking for, we might only have a concept of what we need. We know we can count on Jerry to get us where we need to go.” - Kelli Bartczyszyn, Sr. Director of Business Resiliency
“If you tell me about a current process or what needs to be done, I instantly build a flow chart in my head because that’s just how I think. My goal is to translate what they’re looking for into both an efficient and user-friendly experience.” - Jerry McElyea, Technical Account Manager
In collaboration with Jerry, BCU has been able to achieve the following in just over a year without any increase to their LogicGate contract:
- Reducing the critical business function review process by 50 hours annually after migrating their business risk analysis process from a spreadsheet to automated workflows in Risk Cloud.
- Ensuring that business continuity plan testing happens at the appropriate cadence, lessons learned are documented in a centralized location, and findings are assigned and tracked in real-time.
- Standardizing and automating the regulatory exam management process to significantly reduce manual activity each exam cycle by migrating spreadsheet- and email-based processes into Risk Cloud workflows.
- Strengthening third-party governance and risk insights through standardized questionnaires, surveys, and an in-progress integration with Black Kite.
- Adopting Spark AI to provide task owners with critical background information, recommended actions, and concise writing recommendations in a single click.
- Roadmapping a new, enterprise-grade approach to risk management that unifies multiple departments and aggregates risk data in a single view.
Driving Tactical and Strategic Accountability
While selecting the right tooling is a critical aspect of maturing and scaling GRC activities, at the end of the day, people are at the heart of any program’s success. This element requires more of an artful approach than a strictly technical one. BCU has found that working with Jerry introduces a level of accountability to their programming that keeps strategic objectives on track.
“Jerry not only holds himself accountable to deadlines, but our teams as well. More importantly, his understanding of ongoing projects and priorities at the Credit Union makes those deadlines meaningful. He’ll often say, ‘Let’s focus on finishing this piece first, then we can circle back to this new idea that you have.’” - Kelli Bartczyszyn, Sr. Director of Business Resiliency
Jerry goes beyond project management at the functional level and ensures that each program owner is empowered to communicate key performance metrics from the bottom up, quantifying the impact of their efforts and contextualizing priorities.
“Jerry has enabled me to provide Stephenie structured, repeatable reporting that gets shared with the Board and our senior management team. This process runs more seamlessly and is much more impactful with the reports he has helped put in place.” - Kelli Bartczyszyn, Sr. Director of Business Resiliency
Preparing for $10B in Assets
BCU is fast approaching the $10B threshold, a bittersweet milestone in the financial sector that introduces regulatory oversight from the Consumer Financial Protection Bureau.
“As we evolve, I see greater collaboration across departments, with Risk Cloud becoming an enterprise-level tool that extends beyond its current application in individual programs. This will provide us with the unified, strategic insights we need to safely scale and manage risk from the top-down.” - Stephenie Southard, Chief Security Officer
Jerry’s industry experience, holistic oversight, and Risk Cloud expertise will play a critical role in delivering Stephenie’s vision. As a next step, Jerry and the rest of BCU’s LogicGate account team will host a 2-day GRC Maturity Workshop with leaders from across the Credit Union to benchmark where they are, create a mutual success plan that outlines where they’re headed, and roadmap key milestones to get them there. This cross-functional alignment will enable Stephenie, Kelli, and Tiffani to remove any remaining business silos, unify efforts, and aggregate data — paving the way for true enterprise risk management.