Credit: Nuthawut/Adobe Stock
For nearly a decade, credit unions have confronted staffing shortages and notable turnover rates. A 2024 report by Wipfli showed that employee recruitment and retention was a top concern for nearly half (46%) of the credit unions that participated in their study.
Anecdotally, the talent gap feels especially acute within the governance, risk and compliance (GRC) function. Credit unions often share with ViClarity’s compliance team accounts of disruptive departures and prolonged job vacancies, each of which further complicates the already demanding responsibilities of GRC management.
And things may get worse before they get better. The job market for compliance analysts is projected to grow by 6% from 2018 to 2028, according to Zippia, indicating that competition for these professionals is likely to heat up.
The good news is that credit unions have a strong competitive advantage when it comes to hiring GRC pros. A mission-driven culture typically leads to greater job satisfaction. What’s more, the smaller organizational scale of the average credit union means GRC leaders can implement meaningful change faster, helping them see the direct impact of their work.
In addition to leveraging these and other key differentiators to attract and retain GRC talent, credit unions would also do well to prepare for the inevitability of staffing shakeups. While every GRC role contributes to the safety and soundness of a credit union, some are more crucial than others. What follows is a set of best practices for bracing for disruption within key GRC leadership positions.
Chief Risk Officer (CRO)
When there’s an open seat in the CRO role, credit unions run the risk of losing strategic oversight of the risk management function. They may also lose a critical point of contact for the board of directors, which often relies on reports from the CRO to stay informed about the credit union's risk profile, as well as emerging risks on the horizon.
To mitigate the impact of a CRO vacancy, credit unions may consider adding language to their policies and procedures that ensures adequate and regular cross-functional training of specific roles. A risk manager would be an obvious choice for such preparation, but credit unions may also involve other roles in CRO responsibilities, such as compliance officers, internal auditors or senior operations managers.
Risk Manager
The loss of a risk manager can have an equally significant negative impact on a credit union’s GRC operations. Whereas CRO turnover threatens strategic oversight of the enterprise risk management (ERM) function, the departure of a risk manager can lead to neglect of vital day-to-day ERM duties. Take credit risk monitoring, for example. Failing to keep tabs on credit risk can open the credit union up to the fallout of sleeper threats, like slowly increasing volumes of high-risk loans or defaults.
Risk managers know all the nooks and crannies of a credit union’s risk management strategy. In anticipation of this individual leaving the credit union, credit unions may want to consider onboarding regulatory technology (regtech). These platforms can be formidable allies to individuals charged with getting their arms around the status of various monitoring projects. Software that enables risk managers to compile documents and create reports, for example, creates a records hub that can be easily and quickly accessed by interim people in charge.
Compliance Manager
This leader is generally responsible for all things compliance across a credit union. Loss of this person presents a sizable risk to the credit union’s compliance program, and more often than not, a sizable risk to the day-to-day compliance reviews and overall compliance with regulatory requirements across all business units.
One of the most effective ways to prepare for the turnover of the compliance manager function is to include this role in the credit union’s overall succession plan. Although our team works with hundreds of credit unions nationwide, we rarely see the compliance manager included in leadership continuity strategies. Especially given the mounting competition for top compliance talent, this is a pattern that must change if credit unions are to avoid dangerous disruption after the loss of a compliance manager.
Bank Secrecy Act (BSA) Officer
Without a backup, loss of a BSA officer can be significant. This is a highly operational role that reviews large deposit and transaction activity daily. Neglecting these duties could put a credit union in a deep hole that may be hard to dig out of. It may also expose the credit union to the potential of criminal fines for non-reporting. While compliance managers can provide adequate backup for a short time, the workloads of typical BSA and compliance officers make this an unsustainable, band-aid solution.
Establishing a relationship with a potential external resource that understands BSA compliance is a sound way to prepare for the loss of a BSA officer. Collaborating with the partner ahead of such a disruption ensures the credit union has options in line should a vacancy occur.
Internal Auditor
The internal auditor is traditionally considered the third line of defense against non-compliance. Following behind the first line – managers directly involved in operations – and the second line – GRC leaders – the internal auditor is independent of the second and third line. This makes things like cross-training and information sharing much more difficult. Loss of an internal auditor, therefore, has a potentially serious impact on the success of regulatory exams.
The best way to minimize impact here is to create and nurture a culture of compliance across the credit union. In this type of environment, everyone is responsible for knowing and adhering to the regulatory requirements that apply to their area of the business. From marketing to lending, department heads and managers understand not only what is required but also how serious non-compliance can become. With everyone pulling their weight, the temporary vacancy of an internal auditor is less likely to impact the outcome of an upcoming exam.
From Painful Inevitability to Survivable Certainty
Every credit union will, at some point or another, have to deal with the departure of a GRC leader. Rather than simply accept the disruption as a foregone conclusion, leaders can take a proactive posture, developing and documenting procedures that turn an otherwise painful inevitability into a survivable certainty.
As their GRC leadership continuity plans come together, credit unions would do well to lean into their mission-driven cultures and agility. By keeping the long-term well-being of members at the center of their strategy, the task will feel less like a chore and more like an opportunity to reinforce the commitment to sustainability. In this way, even the challenge of leadership transitions becomes another chance to showcase the credit union’s promise to do what it takes to advance the financial goals of its membership.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
