Integrated Risk Management Arrives in the Age of GDPR

GRC is Dead, Long Live IRM!

Gartner’s research and magic quadrants are often seen as a barometer of an industry’s collective (and evolving) thinking on any particular subject. So, in August 2017, when Gartner proclaimed it was the End of the Governance, Risk and Compliance (GRC) Era and that “Integrated Risk Management” (IRM) was the next level of business strategy in the prevention and management of adverse events, we knew a seismic shift was on the horizon even if we couldn’t quite describe what that might look like.

Now that the deadline for General Data Protection Regulation (GDPR) readiness (May 25th, 2018) is staring us right in the face instead of being in some distant future, it seems the likeliest candidate as a catalyst for Integrated Risk Management to arrive.

Is GDPR the catalyst?

There are a lot of folks who are probably wondering why GDPR is any different than the multitude of regulations that came before. That’s a valid question. For years now, big regulations have been the controls in place to encourage “good” behavior from businesses. However, until GDPR came along, businesses have been able to get by with fragmented risk management and siloed compliance efforts that occur almost entirely within one area of the business.

GDPR is really the first time when it will be vital for several key departments to be in sync to achieve effective management, especially if you view the law in light of Gartner’s Integrated Risk Management spectrum, which defines three risk types that fall under the IRM umbrella: Strategic, Operational, and IT. There is a component of each in an effective strategy for GDPR readiness and a Chief Officer responsible for each.

While data security and network protection have traditionally been the domain of Information Systems (IS) and Information Technology (IT), GDPR’s requirements make this a C-Suite family affair. The CEO, CLO/GC, CCO, and CIO/CISO all need to be involved in the strategic risk assessment and gap analysis at the beginning of a GDPR management program. With the full, visible support of the CEO and General Counsel, the CCO and CIO/CISO continue to work in concert to address both the Operational and IT Risks through the design, implementation and rollout of the program’s risk treatments and mitigation strategies – which will include a mix of technology solutions, awareness campaigns, trainings, and attestations.

We’re All in IRM

Initially, compliance with mandates like GDPR seems daunting, and the time commitment is an imposition, especially for those not “in” compliance or IT. Benefits of a strong program are also hard to define… it’s a bit like proving a negative; you can’t show cost reduction from the results. This makes sponsorship a tough sell to some top executives when you’re vying for support and resources with other, more concrete, methods of revenue protection.

The best way to quantify the benefits is probably to consider the aftermath of an incident occurring. In addition to the profit-killing 4% fine for a negative ruling on a court case under GDPR, which is the scariest and most concrete of the calculable consequences, CLOs should be concerned with the costs of time, legal fees, and expenses defending against a GDPR court case – win or lose. CIOs may well be concerned with the additional strain and scrutiny their team will endure should the controls in place for compliance be found inadequate. CCOs might consider what extra audits mean for their own teams and CEOs ought to be interested in how the public perception might founder when the brand’s name is reported on the news in a negative light.

All of this is to say an ounce of prevention is worth a pound (or significantly more) of cure. GDPR compliance can be thought of as Business Continuity Management. So as your company travels its GDPR readiness journey, bring all the players together simultaneously so the monumental task can be broken down into small and manageable bits. Keep working to maintain open lines of communication between top executives, especially those responsible for Strategic, Operational, and IT risks. Finally, see if you can’t find a way to tie financial value into getting it right – like estimating the full cost of an incident, fine and fallout from a lawsuit. Once you’ve got that number, you can calculate the amount of money you will save daily with your strong compliance program. At that point, it might be useful to dust off those old Site Safety signs and give them a fresh coat of paint.
