Farm Credit Canada’s Journey to an Award-Winning Enterprise GRC Program with Resolver

Farm Credit Canada achieved the honor of Best-in-Class Enterprise GRC Management — Medium Enterprise in GRC 20/20 Research’s 2023 Best-in-Class Awards. The comprehensive study, conducted by the firm’s experienced analysts, provides valuable clarity and practical insights into FCC’s journey towards best-in-class GRC management. Read on for a summary of the journey they took to create their award-winning GRC program or download the full study now.

customers (approx.)

employees

weeks saved on reporting

The Situation

  • Relying on a 75-worksheet Excel spreadsheet, updated quarterly, creating friction and inefficiency.
  • Overlap between Operational Risk and Enterprise Risk assessments led to redundant information requests, causing staff frustration.
  • Reporting took weeks and generated few meaningful insights, resulting in delayed action plans and changes.

In the summer of 2018, Farm Credit Canada’s (FCC) Manager of Risk Information, Paulette Beauchesne, came back from vacation to find a huge project on her plate. As a major federal lending body for farmers and agricultural enterprises in Canada, FCC had 75 Risk and Control Self-Assessments (RCSAs) tracked in a 75-worksheet Excel spreadsheet, which they updated quarterly for the Board. This sheet created an inefficient and manual process that poorly served their needs — and was not positioned to add value locally and downstream.

“Every quarter, we would ask people to attest to the effectiveness of the controls in their shop. We would post that spreadsheet via SharePoint  so everybody can access it simultaneously.” Beauchesne’s team chased people down via email, asked them to log into SharePoint, and then figured out which of the 75 worksheets was theirs to review. “Scroll down, then there’d be the list of all the controls, and then click a ‘yes’ or ‘no’ to the right, and if it was a ‘no,’ then put in an explanation and close the spreadsheet.”

While Beauchesne’s team focused on Operational Risk, the Enterprise Risk team approached many of the same staff a short while later. “For lots of people, there’s overlap,” explains Beauchesne. Risks identified as strategic to the organization are almost always included in RCSAs from an operational standpoint.

“So Operational Risk would send out this  spreadsheet to get an update on the detailed, tactical activities associated with the risk,” Beauchesne describes. “And then, lo and behold, two weeks later, somebody from the Enterprise Risk team would send out an email with a different link asking for an update on the same risk category asking for a higher-level enterprise-wide update on a particular risk. And then, shortly after the end of a quarter, someone from the Strategy team sends out a third email saying, ‘Provide a very high-level update on the risk that we can include to the risk committee of the board of directors.'”

Despite the fact that those three questions looked at risk from different angles, Beauchesne says, “To the individuals responsible for reporting on controls, it felt like the same question coming from three people in a one-month span. That was a big pain point.” Between chasing down information, duplicating work, and needing more definitive oversight over problem ownership and accountability, the process wanted to be thorough but felt cumbersome and inefficient.

Reporting took teams a few days to several weeks every quarter and generated few meaningful insights for leadership beyond control failure. When a risk owner identified a control inadequacy, there were often significant lags before an action plan was put into place and change occurred.

GRC Strategy and Approach

To address their policy and risk assessment challenges, Farm Credit Canada focused on enterprise GRC management strategy, process, and technology to create a more unified, functional, and agile risk assessment system.

Beauchesne says the strategic shift came when a new measure was implemented across the organization to close unacceptable risks within a specified period. “That’s what created the risk culture,” explains Beauchesne. Having a tangible risk goal presented the need to better track and execute risk control plans from beginning to end and unify these goals across the organization.

FCC’s process problem was figuring out how to meet risk control targets while using a shared spreadsheet and having to “do the math ourselves,” says Beauchesne. She determined that a process improvement would make the most significant business impact on the maturity and effectiveness of their risk assessment capabilities. A technology solution would help the teams deliver those improvements with agility and achieve their objectives more reliably while strengthening their ability to develop new solutions in the future.

The FCC team was also open to reviewing their existing processes and vendors to see if adaptation was necessary. “We have to be willing to change,” says Beauchesne. She encouraged others to keep an open mind while exploring their technology options. “If our procedures are so convoluted that they aren’t going to work in this system, let’s listen. And maybe it’s a time when we could change the order of a process or a procedure.”

Solution: Enterprise GRC Management Technology

When Beauchesne began looking for an online GRC solution, she put together two guiding principles. The first was to ensure different departments could report once into a central solution and that any stakeholder team could use the information to create multiple types of reporting. “Ask once, report multiple times.”

The second guiding principle came from frustrations with the SharePoint process. “The user experience had to be really dead simple,” says Beauchesne. Citing the difficulties of getting IT support and time to make changes, Beauchesne knew she wanted the system to be as self-serve as possible and not need many resources to build it out.

They sent out an RFP and picked the top three respondents based on the guiding principles, then asked for a demo looking for three things:

  • How accessible and robust are the tools to do RCSAs on a quarterly basis?
  • How clear, relevant, and accessible were the emerging and strategic risk-reporting features?
  • How would the product integrate with other processes and teams to help centralize and unify risk management efforts?

The FCC team created a rating system for their decision-making committee and scored their options based on the two priorities they had outlined for the decision. They decided to go with the highest-scoring solution to their needs: Resolver.

Results: GRC Benefits Delivered

For FCC, Resolver’s flexible, no-code solution was a key differentiator. Knowing the difficulties that can come with needing IT resources, “We wanted no customization, which would typically mean that I’d have to go to my IT department and say, ‘Hey, there’s a system upgrade tonight. I need resources to make this happen or do an upgrade at our end,'” explains Beauchesne. “Resolver’s system is highly configurable. Every company does things slightly differently. So when we talked through what our process was, Resolver’s Services team could fit the solution to what we need.”

This flexibility empowered Beauchesne’s team to be experimental. So, when the Resolver team presents a new solution to improve a program, FCC is willing to see if it works. Given Resolver’s preference for a pilot program, Beauchesne mandates that teams provide a process before building anything in the platform. “You have to go through a cycle to make sure it works effectively. If it doesn’t, you need to review the process because you shouldn’t be trying to solve process problems with software.”

Efficiency: The big, 75-worksheet spreadsheet took teams weeks to determine the risk score for each control. Implementing Resolver immediately saved FCC six weeks of work every quarter. The attestation process now takes only 20 minutes on the first day of a quarter, and risk owners have eight days to reply before the report is live and updated. The simplified and more streamlined reporting allows the team to spend the time gained, providing more business value.

Effectiveness: By integrating different risk reporting functions into Resolver, FCC eliminated redundant efforts and improved information flow. The platform enabled unified reporting for operational and enterprise risks, reducing stakeholder friction. Beauchesne adds, “We are getting to a point where people don’t have to report multiple times… Conversations about unfinished risk treatment plans are easier.” FCC achieved a clearer definition of risk ownership and accountability, maintaining momentum throughout risk management initiatives.

Agility: Resolver’s centralized data warehouse facilitated faster and more accurate problem-solving. When incidents or crises occur, FCC can quickly identify the relevant stakeholders and address the issues effectively. Beauchesne highlights the benefits: “We’re quicker to respond to issues and incidents that come up.” The team embraced experimentation and collaboration, continuously improving their GRC programs and adapting to new challenges.

Summary

Farm Credit Canada’s successful implementation of Resolver as their enterprise GRC management solution has significantly transformed their risk management capabilities. Through improved efficiency, effectiveness, and agility, FCC achieved remarkable results. The implementation addressed their immediate challenges and laid the foundation for further sustainable development of risk management capabilities. By embracing a unified and flexible approach, FCC positioned itself as a best-in-class example in the medium enterprise GRC management category.

Download the winning GRC 20/20 case study now!

FCC is a federal commercial Crown corporation reporting to Canadians and Parliament through the Minister of Agriculture and Agri-Food. We provide financing, knowledge and software to almost 102,000 customers. We’re a team of more than 2,200 employees operating from 102 offices located primarily in rural Canada and our corporate office in Regina, Saskatchewan.

See Resolver in Action: Request a Demo