Our GRC Services

Our roots go back to 1976, when we began providing consulting services to banks and credit unions. Since then, we have worked with more than 1,500 clients in all fifty states. Among banks and credit unions, we are best known for our compliant fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Because risk management and compliance have always been a big part of what we do, in recent years we have gradually expanded our focus to helping clients in all industries improve their risk management and compliance processes and productivity using our software.

We now offer six comprehensive, easy-to-use and affordable compliance management tools that are useful for clients in any industry:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

All our tools are securely and reliably hosted at Amazon AWS, from which they are available on a variety of devices from anywhere. We’ve gotten some great feedback from our clients. Here are a few comments:

Our policy and control structure is very complex having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process! — Laura Hendricks: Woodlands Securities / Woodlands Asset Management

We currently use Strunk’s Policy Manager to update and track changes to our policies. We like the audit trail it leaves of changes and also the PDF Redline that indicates changes used for the Board to review and approve. Strunk Customer Support has been prompt and they always assist with any issues we might have. — Karen Lomax, Vice President and CFO, Kinetic Credit Union

Strunk’s program brings efficiency to the process and allows us to focus on areas of high risk. Our team sees great value in the process and reporting generated by the Strunk program. It is an affordable way to manage regulatory required risk assessments. — Bob Sundquist, CFO/CRO, NebraskaLand National Bank

Our core customer base has always been small and medium-sized organizations, so, unlike most providers, we have tried to price Risk Manager at a level that is affordable for all. To encourage usage, we charge a flat annual fee based on organization size. That fee gets you unlimited access to the tools for an unlimited number of users, along with unlimited support from our support team.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. Hosted this year at the Hyatt Regency Huntington Beach, the event always offers bankers many opportunities to learn and gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all-new Vendor Manager.

Vendor Manager provides an easy-to-follow, standardized process to assess risk, gather due diligence materials, evaluate contracts and store all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

Report from AICPA Vegas

Recently I had the pleasure of attending the AICPA conference in Las Vegas, Nevada, where I was able to connect with some of the most interesting companies in the accounting and auditing space. I was able to learn about products from companies like Peerview Data, which specializes in “turning client data into actionable insights” and GruntWorx, which organizes and pre-fills tax documents, as well as many others. The biggest lesson I learned from the conference was the need for data protection and SOC 2 framework compliance.

Many of the companies I talked with had either completed a SOC 2 audit, were in the middle of an audit or were acutely aware of the need for a SOC 2 exam because of the many third-party vendor assessments they constantly must complete for prospective clients. As we discussed their different software applications, and how they deal with customer data, I saw what we always see: spreadsheets and Word documents rule the day, creating frustration and wasted time responding to vendor assessment requests. The more we dove into the topic, the clearer it became that the Strunk Risk Manager system of policy management was not just a nice-to-have but was a need-to-have. I heard from a managing partner at a tax software company that she spends two to three hours answering vendor assessments for nearly all of her new clients, as she was the only person in the company who could pull together all of the required information. Strunk Risk Manager allows your organization to respond with far less effort, freeing up your executive team for more important tasks.

One company told me that it took around 20% of one of their senior consultants’ time working with their CPA firm to complete their first SOC 2, and that they were planning on utilizing 10-15% of his time for future exams. When we started to discuss how Strunk Risk Manager transforms your policy and control documentation process, they were instantly interested in learning more.

At Strunk, we believe that your challenges with compliance are our opportunity to provide best practice solutions and streamlined responses to managing all your compliance processes.

The Four Compliance Commandments

We’ve spent a lot of time working on and thinking about Governance, Risk Management and Compliance. Whole books have been written on this subject and there are graduate-level university courses on it as well. But in the practical world, for most businesses we think the whole GRC universe can be boiled down to four basic principles that we call the Four Compliance Commandments:

1) Know Your Risks
2) Ensure Your Policies Mitigate Key Risks
3) Trust, But Verify
4) Prove It

Every CEO and Board worries about this stuff … or should, so let’s break the commandments down:

Compliance Commandment I: Know Your Risks

Every organization must understand the risks it faces if it wants to survive. Organizations tend to get in trouble when they misperceive the risks they are up against. Many organizations falter because they underestimate a risk, but overestimating a risk can be just as bad, causing an organization to miss a key opportunity.

Over the years, society has created rules designed to keep organizations from taking risks unnecessarily or unknowingly. Often these rules come from the government, but there are other rules, like the SOC 2 framework, that come from other sources, like accountants or professional associations. Good examples of these include:

  • Banks or credit unions must comply with regulatory requirements
  • Service providers must comply with external frameworks like SOC 2
  • Health care providers need to show compliance with HIPAA requirements

Essentially, these frameworks are checklists of risks to consider. These lists can run to a hundred or more items. Reviewing each item and assessing trends can be quite time-consuming.

At Strunk we have extensively automated these checklists, making them easier to assess, easier to delegate and easier to summarize.

Compliance Commandment II: Ensure Your Policies Mitigate Key Risks

To keep your organization healthy everyone needs to understand what risks to avoid, what risks to take and under what circumstances. This is where policies come in. Policies communicate what is appropriate risk-taking behavior to your organization.

Strunk recommends organizations evaluate their policies versus the risks. Do you have policies in place that adequately address your key risks? If not, you might want to update your policies. Conversely, do you have policies that don’t really map to any of your key risks? If the answer is yes, then consider simplifying or eliminating that policy.

Strunk provides an automated tool for mapping your policies against your risks. At a glance you can then see which risks are not covered by any policies and which policies are not covering any risk. Strunk Policy Manager organizes all your policies into a relational database, with extensive version tracking, granular ownership assignment, and PDF reports for board or external use.

Compliance Commandment III: Trust, But Verify

Policies are pointless unless the organization follows them. Human nature being what it is, there is a natural tendency for people to cut corners. Too many times organizations let months or even years go by assuming that a policy is still being followed when, due to turnover or distractions or work pressure, that is no longer the case. To maintain policy effectiveness you must test periodically. You can only expect what you inspect.

Our Controls Manager automates the verification process. You create a set of control procedures for testing compliance with your policies, establish a testing schedule for these controls and assign responsibility. The system automatically schedules the testing, creates a calendar showing the month’s tests at a glance, generates alerts on upcoming or overdue tests and provides a dashboard summarizing testing status, including highlighting tests that are overdue or have failed.

You can map your controls to your policies. One control can cover more than one policy and one policy may be covered by more than one control. You can then use the maps to identify policies which need controls or controls which are no longer covering a policy and perhaps should be discontinued.

Compliance Commandment IV: Prove It

Unfortunately it is just not enough to adhere to commandments I through III. You must also be able to prove your adherence, which means abiding by what we call “the law of physical evidence”: a thing isn’t done until you can provide physical evidence that it occurred. You can’t just say you did it; your board, regulators, auditors and customers are going to want proof that you did it.

Many organizations approach this process somewhat haphazardly. They do some kind of paper-based risk assessment, write some policies, set up some checklists, fill out some forms, put some basic tracking in place … easy. The result is a patchwork of Word documents and PDFs and spreadsheets. Then they start emailing them around, and storing different versions on different computers and pretty soon you have a mess: multiple versions, unclear responsibilities, status hard to track. Managing risks, policies and controls is not rocket science by any means, but it really helps to stay organized.

We believe the best way to stay organized is to get out of spreadsheet land and move everything into a modern relational database. A relational database helps connect all the dots so you can keep track of the status of different policies and policy versions, know who is responsible for each compliance activity, log changes, produce consistent reports and provide a single source of truth, with fine-grained control over access and edit rights.

With a system like Strunk Access, when your auditors show up for their exam, you have at your fingertips your latest risk assessment, your compliance map showing how your policies map to your risks and your controls map to your policies, your log of all the changes to your policies over the past year, and a complete record of all your control testing. The result: fewer surprises, your auditors can get their work done more quickly, and your staff spends less time responding to auditor requests.

New Website Featuring GRC & ODP Software Tools

Strunk today announced the launch of a new public website at a new domain: StrunkAccess.com. The new site provides more information about Strunk’s GRC and ODP software tools in an updated design.

In addition to fee enhancement consulting, Strunk provides comprehensive, easy-to-use and affordable Governance, Risk Management and Compliance software tools that improve compliance and productivity for financial, online and healthcare services providers. These tools are:

Risk Assessor helps prepare comprehensive risk assessments in a matter of days, not weeks.

Policy Manager organizes organization policies into a single database, mapped to the relevant audit standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Issues Manager is a centralized database for tracking all compliance issues and incidents across the entire organization.

Vendor Manager is a specialized tool for managing vendor risk that standardizes methodology and organizes all the documentation.

Skills Manager provides online testing and training to ensure employees are knowledgeable about organization policies.

According to Strunk CEO Dan Roderick, “Strunk has grown quite a bit over the past few years and we wanted our public-facing website to demonstrate more comprehensively our expanded services and growth into new markets. We also felt it was time to update our domain name to more accurately reflect who we are.”

Strunk’s old domain name, StrunkLP.com, will continue to work for the online application, which is being transitioned to app.strunkaccess.com.