
one cmo’s journey with risk management and compliance

Gina Hortatsos
December 30, 2020

Marketing professionals typically focus on creative strategies and customer engagement, not on the intricacies of risk management and adherence to regulations. I, for example, rarely considered governance, risk, or compliance (GRC) beyond ensuring my team finished necessary compliance or security awareness training.

Therefore, when I was assigned to spearhead the General Data Protection Regulation (GDPR) compliance effort at a former company, I found myself operating outside of my usual expertise.

I initially anticipated a limited set of adjustments concerning the methods and timing of email communications with individuals located in Europe. However, this quickly evolved into a comprehensive re-evaluation of the organization’s practices for gathering, handling, and safeguarding personally identifiable information (PII).

In retrospect, I significantly underestimated the project’s breadth and significance. My initial error stemmed from believing that compliance was the responsibility of another department.

Risk management is a team sport

A single risk management professional cannot, on their own, adequately evaluate, handle, and address an organization’s overall risk exposure. A robust, risk-conscious environment requires the dedicated participation of leaders from all business areas – including marketing, human resources, and sales – throughout the entire company.

Those leaders who excel at building this type of environment foster a collaborative, company-wide approach, establishing precise goals, a well-understood framework, and a mutually accepted distribution of duties. Achieving success demands commitment from everyone, much like a football coach requires players to embrace the team’s values and strategies to achieve optimal results. While corporate risk managers may serve as the central coordinators for GRC (Governance, Risk, and Compliance), the organization will not succeed without significant contributions from all departments – sales acting as the offensive line, marketing as the running backs, and procurement as the receivers.

The responsibility of a risk leader is to encourage discussions concerning risk and to assist business unit leaders in determining their individual risk tolerances. They should not dictate acceptable risk levels; therefore, Chief Marketing Officers, Human Resources directors, and sales executives must actively participate in establishing risk parameters specific to their respective areas.

A Change in Perspective on Risk Management

To be frank, I initially perceived risk management solely as a method for safeguarding assets and minimizing expenses. However, a focused learning experience in risk accountability showed me the many ways Governance, Risk, and Compliance (GRC) can actually shorten deal cycles and, beyond that, increase revenue.

As an illustration, once the GDPR remediation measures were in place, we were far better equipped to answer the data protection questions in Requests for Proposals and to supply the supporting documentation (data processing agreements, records of processing, breach notification procedures), which undoubtedly helped us win contracts we would previously have lost. The benefits don't end there, however. Well-structured risk management programs can broaden an organization’s capacity to close agreements, open new revenue streams, and build customer loyalty and confidence.

Convincing the entire executive leadership team to recognize this is a significant challenge, but the potential market share lost due to non-compliance with regulations like GDPR quickly demonstrates the financial implications. Moreover, this isn’t limited to Europe anymore.

Most people are aware of the California Consumer Privacy Act (CCPA), which was signed into law in 2018 and took effect in 2020, but were you aware that California voters have since approved a further privacy law, the California Privacy Rights Act (CPRA), and that additional privacy legislation is currently under consideration in more than a dozen other states?

It appears that organizational leaders will need to become considerably more adept at handling risk and ensuring compliance if they intend to reach their objectives in 2021 and in the years following. A clear path toward increasing revenue? That is precisely the outcome that executives and boards of directors will be looking for.

Understanding Risk and Compliance in 2021

If you are a business executive, you may be wondering how to become proficient in all aspects of risk, compliance, and data privacy as the new year begins. If you are unfamiliar with risk management and your associated duties, I suggest you begin with these initial actions:

  1. Identify the individuals responsible for risk within your company and arrange a meeting with them. This is a straightforward first step. Engage in a discussion with your organization’s risk management leaders to determine how your work relates to the risk and compliance efforts being tracked throughout the company. Once you have a clearer understanding of this connection, you can begin to contribute to the discussion.
  2. Consider your target market segments from a risk perspective. Given that you likely recently completed your 2021 strategic plan, revisit the markets you are prioritizing for the coming year and evaluate how your company’s risk programs could help you reach new prospects or deepen existing engagements. Planning to expand into the United Kingdom? Compliance with the GDPR (and, once the Brexit transition period ends, the UK GDPR that carries it into UK law) is essential. Considering the US federal government as a target market for a cloud service? You will need a FedRAMP authorization before agencies can buy it. If you identify a market you wish to pursue, discuss with your risk leader how achieving the necessary compliance could shorten sales cycles and make marketing campaigns more effective.
  3. Analyze recent unsuccessful Requests for Proposal (RFPs). Did you recently lose a significant deal to a competitor because you lacked a required certification or attestation? Whether it is an industry-specific authorization such as FedRAMP, as mentioned above, or an independent attestation report such as a SOC 2 Type 2 (which covers security and, optionally, privacy controls over a period of time), it is likely already on your risk team’s agenda. By showing how obtaining it would increase prospect confidence and shorten sales timelines, you may be able to raise its priority and see the sales benefit sooner.
  4. Collaborate with other department heads. After aligning with the risk team’s initiatives, share your successes with the rest of your leadership team, encouraging their involvement in your company’s risk programs. Demonstrating that your company is robust, handles customer data responsibly, and possesses the appropriate certifications to safeguard operations provides a competitive advantage during sales and contract negotiations. The entire organization will benefit from this approach.

When you begin to view risk management as an opportunity rather than a threat, it unlocks significant potential for your organization. My personal experience, initially focused on GDPR compliance, allowed me to apply the lessons learned about risk and cross-departmental collaboration to numerous other areas throughout my career.

This insightful experience ultimately led to my current position as CMO at LogicGate. Above all, I discovered that initiating conversations about topics often overlooked (such as GRC) can generate new opportunities and foster organizational development.