Gamechangers in Resilience: More Art Than Science

Gamechangers in Resilience is a series where we spotlight leaders who are redefining how organizations think about risk, compliance, and preparedness. In this edition, we feature Eric Flick, whose career spans community banking, technology, and governance at Jack Henry.

Eric shares his journey, from early lessons in risk-aware technology adoption to the philosophies that now shape how he approaches resilience.

Q: How did you get your start in GRC?

Eric: My career started in a community bank. As technology involving PCs and networking was just starting to permeate the workplace, I got a chance to do a lot of different things. The senior management was both technological and risk averse, so whatever we were considering doing with tech, they always talked through it from a risk perspective.

Q: What’s a misconception people still have about GRC in financial services, and how has that shaped how you lead?

Eric: People tend to think that regulations are hard and fast rules for how things are to be done. While that is mostly true, you can do things in such a way to check the box to satisfy the regulation while maybe not fully embracing the spirit of the regulation and thus in turn fully doing the right thing.

“Those that lean more towards merely checking the box likely have a higher risk profile than what they realize.”

Q: What’s one “invisible system” at Jack Henry that has helped sustain innovation across your tenure?

Eric: There are still a lot of people here who knew Jack Henry, and his co-founder Jerry Hall. They were both brilliant business people, but they were even better people people. The culture that the two of them started in the mid 1970s still exists today. Jack Henry the company will celebrate our 50th year in 2026!

Q: Was there a moment when you had to completely rethink your philosophy on resilience and compliance? What triggered that shift?

Eric: While I wouldn’t say completely, the terrorist attacks on 9/11 definitely created a shift. Prior to that, people didn’t really accept some of the planning scenarios that wiped out big locations, or disrupted communications for extended periods of time. Today, cyber threats are that next shift everyone needs to be navigating.

Q: What’s a hard lesson you’ve learned from a “successful” test that hid a real vulnerability?

Eric: Details matter and must be overcommunicated. Are we backing up everything? If yes, are we backing everything up in a way across all platforms that creates a unified recovery point for all systems in the event of a catastrophic failure? If the answer to that question isn’t a clear and resounding yes and you find yourself where you have to restore everything as the result of an incident, you’re possibly looking at a resume-generating event. Details matter and must be overcommunicated.

Q: How do you personally stress-test your own decisions before they become policy or product?

Eric: I am very fortunate to work with an incredible group of people who are super passionate about what we do. I tend to say that a lot of this is more art than science, so there’s often more than one way to do something. The challenge is finding the best way for the particular circumstance. Sometimes it just comes down to deciding and moving forward. And, putting your ego in check and being willing to course correct when necessary, after the initial decision.

Q: What’s a metaphor you often return to when explaining GRC to non-experts?

Eric: I’ve used this for years, well before there was AI. That said, this is one of AI’s top explanations, which wasn’t that surprising to me when I checked.

Think about an orchestra:

  • Governance is the conductor, guiding the sections and ensuring everyone plays from the same score.

  • Risk Management is also the conductor, but through the lens of monitoring how the score is played, ensuring the overall performance is delivered as expected.

  • Compliance is each musician playing their specific part according to the score, following the rules while making sure the performance meets the expected standards.

Q: How do you cultivate readiness without burning people out on risk fatigue?

Eric: We do a monthly Lessons Learned session about the various customer incidents we’ve responded to. Once or twice a year, we craft a complex customer scenario that really requires the team to think about how we’re going to be successful. I’m very fortunate that the team we have lives for this type of stuff, so they actually look forward to these.

Q: If we dropped you into a fintech startup with zero compliance infrastructure tomorrow, what’s the first question you’d ask?

Eric: It would be a two-parter, but I’d start with how and where you back up all of this, and who has access to it?

Q: If your resilience philosophy had a soundtrack, what would it be – and why?

Eric: I love music and there’s at least one song for any situation, so this is a tough one. I think the track changes depending on what’s going on. So, maybe I have more of a playlist for my resilience philosophy.

There are definitely days that it would be “Crazy Train” – with some of what we deal with, it begs the question, how did that happen in the first place? Other times it is “Life in the Fast Lane.” Incidents, coupled with the accelerating pace of technological change, can bring a lot, seemingly all at once. Our team handles it really well, in spite of hoping for a day or two here and there where we could just drift along on “The River of Dreams.”
