Playing My Role: A CMO’s Introduction to Risk Management

Last month, LogicGate hosted a webinar titled Risk as a Team Sport featuring industry analyst Michael Rasmussen and our CEO Matt Kunkel. Listening to the insightful and wide-ranging discussion reminded me of my own introduction to risk management. 

I’m a CMO and have spent my entire career in marketing—and honestly, never gave “risk management” much thought, outside of acknowledging a policy or making sure my team completed the required trainings to stay in compliance with state and federal laws. So it was an educational—and eye-opening—experience to take on responsibility for compliance with the General Data Protection Regulation (GDPR) when that law went into effect a few years ago. 

I liked the analogy referenced in the webinar: risk management isn’t tennis, where actions and responses are lobbed back and forth. It’s more like football: a coordinated set of plays that require strategy, collaboration, and everyone playing their positions well and consistently.  Building the process, documentation, and controls to comply with GDPR required all of this, and more. I had to stretch way beyond my comfort zone, and look at the Marketing function role in a way I hadn’t before: through a risk lens. 

A poll taken during the webinar revealed that less than 50% of the attendees don’t have a team strategy in place for managing risk. Looking back on my GDPR experience, I know I couldn’t have done it without a well-coordinated, cross-functional team to get the job done. 

I learned a number of other lessons, too, which I’d like to share with you today: the value in approaching GRC as a team sport, what it looks like when it goes well, and the bad and the ugly when it doesn’t.

My Risk Story

The GDPR project started innocently enough. The Legal department informed the Marketing team that we needed to look at our marketing email policies and procedures. At first glance, it appeared we just needed to avoid spamming anyone based in Europe and a couple other minor no-nos. Nothing too significant as far as I was concerned—and besides, the larger issues were “somebody else’s problem.” Not paying attention to how they all interconnected was my first mistake.

It wasn’t long before I realized this was going to be a bigger, hairier project to tackle. On top of those “minor” email requirements, I learned we’d have to look at all of our data practices as well: how we collect, process, and protect any personally identifiable information. 

Thankfully I had partners in our corporate and sales operations teams to help shoulder some of the burden, but it turned out to be a long, arduous process in a GDPR “war room” for weeks. That trial by fire was how I learned to care about managing the company’s risk.  

Managing Corporate Risk is Everyone’s Business

What did I take away from the experience? A lot actually—and not just the by-the-letter actions that need to happen to achieve GDPR compliance. 

Risk responsibility extends well beyond the risk management department. Taking a cross functional, team approach ensures the work is done right, because the business leaders understand the requirements and the risk managers understand how to translate those into processes and controls. In our case, as a result of the GDPR work, we were better equipped to answer privacy-related questions on RFPs since all our documentation was comprehensive and in one place. We were able to identify additional risks that affected our company in this cross functional way and spin up workstreams to address them. Just like in The Matrix—once you know what to look for, you start to see risk everywhere.

Personal Growth

The experience also got me thinking about my own career. It forced me to learn and extend my leadership skills in ways I wouldn’t have otherwise. 

The GDPR process touched every part of the business: from Marketing and Sales to Finance, Operations, and HR.  So I worked on incredibly cross-functional teams and learned much about the strategic, financial, and operational workings of our business. This in turn made me a better steward of the company.

The work I did with these other teams helped me realize that, as a leader, it is my job to understand the company’s risk portfolio.  Most importantly, it helped me see risk in a new light. I realized that risk isn’t something to be avoided—it’s something to be managed and leveraged in order to create opportunity. These learnings have helped catapult my career.

From Learning to Action

When you start to see risk for what it is—ubiquitous and an opportunity—it creates avenues for growth as a business and as an individual. My experience was specific to GDPR compliance, but I’ve applied those lessons learned in lots of other scenarios since then. Going through the process built teamwork and alignment on prioritization, and brought to light aspects that the company needed to address that weren’t talked about often enough.

How to get started? It’s easy. 

If you’re reading this as a business unit leader, and you don’t know who owns risk management (or Governance, Risk, and Compliance) in your organization, find out. Have a (virtual) coffee together. Learn how your team’s work maps to the various risks and compliance initiatives the team is tracking. And ask how you can be a better partner in the process (then follow through by actually BEING a better partner in the process).

If you’re reading this as a risk management or GRC professional, print out this blog and show it to your business unit leaders. Take it from me—it’s good for them AND good for the company for business unit leads to take this seriously.