Marketers don’t grow up daydreaming about risk management and compliance. Personally, I never gave governance, risk or compliance (GRC) a second thought outside of making sure my team completed required compliance or phishing training from time to time.
So, when I was tasked with leading the General Data Protection Regulation (GDPR) compliance initiative at a previous employer, I was far from my comfort zone.
What I thought were going to be a few, small requirements regarding how and when we sent emails to contacts based in Europe quickly turned into a complete overhaul of how the organization collected, processed and protected personally identifiable information (PII).
It is a risk leader’s job to facilitate conversations around risk and help guide business unit leaders to finding their own risk appetites.
As it turned out, I had completely underestimated the scope and importance of the project. My first mistake? Assuming compliance was “someone else’s issue.”
Risk management is a team sport
No single risk leader can alone assess, manage and resolve an organization’s risk cap. Without active involvement from business unit leaders across the company in marketing, human resources, sales and more, a company can never have a healthy risk-aware culture.
Leaders successful at developing that culture instill a company-wide team mentality with well-defined objectives, a clear scope and an agreed-upon allocation of responsibility. Ultimately, you need buy-in similar to the way a football coach needs players to buy into the team’s culture and plays for peak performance. While the company’s risk managers may be the quarterbacks when it comes to GRC, the team won’t win without key plays by linemen (sales), running backs (marketing) and receivers (procurement).
It is a risk leader’s job to facilitate conversations around risk and help guide business unit leaders to finding their own risk appetites. It’s not their job to define acceptable levels of risk for us, which is why CMOs, HR and sales leaders have no choice but to take an active role in defining risk for their departments.
Shifting my view on risk management
If I am being honest, I only used to think about risk management in terms of asset protection and cost reduction. My crash course in risk responsibility opened my eyes to the many ways GRC can actually speed deals and furthermore, drive revenue.
For example, post-GDPR cleanup we were better prepared to answer questions on RFPs regarding privacy and documentation, which most definitely helped us win deals we previously wouldn’t have. It doesn’t stop there, either. Proper risk management programs can extend an organization’s ability to execute contracts, generate new revenue, and build loyalty and trust with customers.
Making sure the entire C-suite understands this fact is no easy feat, but when you consider the entire market you’re ruling out if your organization isn’t GDPR compliant, the numbers start to speak for themselves. And it’s not just Europe anymore either.
We’re all familiar with the California Consumer Privacy Act (CCPA) signed into law in 2018, but did you know the state has already passed a second piece of privacy legislation, the California Privacy Rights Act (CRPA), and other privacy bills are moving through the legislative process in over a dozen other states?
From the looks of it, business leaders will need to get way more comfortable with risk and compliance if they want to achieve their goals in 2021 and beyond. That sightline to driving top line revenue? That’s exactly what execs/the board will want to see.
Getting a handle on risk and compliance in 2021
If you’re a business leader, you might be asking yourself how you can get up to speed on all things risk, compliance and privacy heading into the new year. If you’re not familiar with risk management and your responsibilities, I recommend taking these first steps:
- Figure out who owns risk inside your organization and schedule a time to meet with them. Simple enough, right? Have a conversation with your company’s risk leaders to figure out how your work connects to tracked risk and compliance initiatives across the organization. Once you have a better idea of how your output connects to risk, you can start contributing to the conversation.
- Understand your target market segments in the context of risk. At this point in 2020, you likely just finished up a 2021 strategic plan. Take another look at the markets you’re prioritizing in the new year, and consider how your company’s risk programs might help you break through to new prospects or create more conversations. Moving into the U.K.? GDPR compliance is a must. Considering the government sector as a target? You’ll need to be FedRAMP-certified. If you do find one you would like to move on, discuss with your risk leader how achieving compliance could help shorten sales cycles and make marketing initiatives more impactful.
- Reflect on recent RFP losses. Is there a big deal you recently lost to a competitor due to the lack of a certification? Whether it is an industry-specific certification as mentioned above, or a specific data privacy certification like SOC 2 Type 2, odds are it is on your risk team’s radar. If you point out the ways it can help build confidence with prospects and shorten deal cycles, it might get moved up the line in terms of importance, paying dividends in sales down the road.
- Connect with other business unit leaders. After you’ve aligned with the efforts of the risk team, share your wins with the rest of your leadership team, encouraging them to involve themselves in your company’s risk programs as well. Showing that your company is resilient, treats customer data properly and has the proper certifications in place to protect their operations provides you with strategic advantage in the sales and contracting process. The organization will be better for it.
When you start to see risk management for what it is (an opportunity) instead of the threat you previously perceived it to be, it creates an endless amount of potential for your organization. While my experience was specific to GDPR compliance, I was able to take the things I learned about risk and cross-functional collaboration and apply them to many other areas in my career.
That eye-opening experience actually led me to my current role as CMO at LogicGate. Most of all, I learned that bringing to light conversations often left in the shadows (like GRC) can result in new opportunities and organizational growth.