In early 2016, a new piece of legislation known as the General Data Protection Regulation (GDPR) passed in the EU. At first, this news was a blip: As a marketer, I spend my days working to reach and influence potential buyers, not on governance, risk or compliance (GRC). I hadn’t yet considered my role in managing risk under my line of business outside of CAN-SPAM or phishing training for the Marketing department. So, it’s not too hard to fathom that when I was tasked with leading the GDPR compliance initiative at a previous employer, I was way out of my comfort zone.
I’ll admit, at first, I wasn’t intimidated by GDPR. I thought we’d just have to document and potentially tweak our processes governing how we marketed to clients in Europe. Easy, right? Wrong. GDPR compliance actually meant a thorough review of — and significant changes to — the processes and procedures used for collecting, processing and protecting personally identifiable information (PII). The project's scope and importance were much larger than I originally estimated, and required a large cross-functional team of IT, Legal, Sales and Risk Management professionals. Looking back on it, my first mistake was assuming compliance was someone else’s problem.
Risk Management Isn’t A One-Person Job
Just like a football coach needs players to buy into a team culture or plan of action for peak performance, leaders at a company need their employees to buy into a culture of risk. Those who succeed in doing this instill a team mentality with well-defined objectives, a clear scope and an agreed-upon allocation of responsibility. My analogy doesn’t end there. Even though an organization’s risk leader might be its quarterback for GRC, the team won’t win any games without full participation by linemen (IT), running backs (marketing) and receivers (procurement).
It’s a risk leader’s job to keep conversations about risk moving, helping other business unit leaders to find their own risk appetites. It’s not their job to define acceptable levels of risk for other lines of business. This is why it’s vital for sales, HR leaders, CMOs and the other business unit leaders to participate in defining risk for their departments.
Changing My Outlook On Risk
Truth be told, my previous notions about risk management centered around asset protection (make sure we don’t have a data breach) and cost reduction (make sure we aren’t fined for non-compliance). But through my experience with the GDPR initiative, I saw a whole new side to risk: the ways in which it can speed deals and even drive revenue. With our new GDPR-compliant practices, we were so much better prepared to answer regulatory compliance-related questions on RFPs, which helped us win deals we previously wouldn’t have. Moreover, a proper GRC program builds loyalty and trust with customers, thereby generating new revenue, shortening sales cycles and extending an organization's ability to execute contracts.
Getting this message out to the whole C-suite isn’t easy, but it is a vital step, especially if you consider the market you’re missing out on if you’re not GDPR compliant. And today, it’s not just Europe. The California Consumer Privacy Act (CCPA) passed in 2018, and the state is already considering a second piece of privacy legislation. With this in mind, marketers (and all other departments) will have to familiarize themselves with risk and compliance if they want to keep winning deals in 2020 and beyond. Company execs and the board will want to see the strategic sightline driving top-line revenue.
When you have a deeper understanding of risk, you’ll likely see it as an opportunity rather than a threat. After all, a risk, like a new line of business, is actually an opportunity. Though my first foray into GRC was with GDPR compliance, I learned so much about risk and what it means to work cross-functionally that I can apply to other areas of my career. This led me to my current role as CMO at LogicGate, where I can help other organizations bring conversations like GRC to light for new opportunities and organizational growth.
Gina Hortatsos is Chief Marketing Officer at LogicGate, a leading provider of cloud software solutions for automating governance, risk and compliance (GRC) processes through its Risk Cloud platform. Prior to LogicGate, Gina served as VP of Marketing at FourKites, Inc., where she built and scaled the marketing function. As AVP, Global Marketing at Hyland, Gina oversaw global programs, field marketing, operations, events and demand.