C-suite series: Why you need buy-in from the top for your compliance strategy to succeed

When most people think of the biggest threat to their business data, their minds are usually drawn to cyber hackers – an external group of online villains who are becoming more dangerous and skilled by the day. 

While it’s true that in 2021 cyber-attacks are more sophisticated, tailored, and frequent than ever, more often than not, inadequate internal processes, systems, and protocols are the main culprit for compliance issues and breaches.

To protect company data to the best of their ability and safeguard the business from attacks, compliance teams need the support and investment of one key group – the C-suite.

With the backing of executives, those in charge of compliance can achieve much better results for their organization and overcome common roadblocks they may face when creating a robust and strategic compliance plan.

In the first of our two-part C-suite series, we examine why buy-in from the top is crucial and explore the benefits of getting the board to realise the value of company-wide compliance.

1. C-suite is the key to securing sufficient resources and budget

It’s an inescapable fact that achieving company-wide compliance costs money. If the C-suite doesn’t recognize the importance of compliance, you run the risk of receiving a budget that is unable to provide you with the right tools and talent needed to safeguard company data.

When a compliance budget doesn’t reflect the needs and demands of an organization, this not only opens your business up to security risks, but can also lead to further difficulties, such as:

  • Hours of lost productivity: Rather than spending time on high-value work such as updating policies or risk analysis, compliance teams have to spend much more time on repetitive, administrative tasks just to meet basic compliance protocols.
  • Poor client relations: Today’s customers care about how you use their information. If your team doesn’t have the time or tools to carry out effective data mapping, they may be unable to tell a customer exactly how their information has been used, which is one of the requirements of GDPR. Or, they may take weeks to respond to a single SRR (an issue faced by two-thirds of those interviewed in Gartner’s 2019 Security and Risk Survey), putting hard-earned client relations in jeopardy. 
  • Knowledge loss due to employee turnover: If a compliance budget only stretches to a limited number of individuals and information isn’t made centrally available, vital knowledge about data storage, processes, archiving, and usage can be lost once an employee leaves the company.

Another major issue we often witness is that when a compliance team lacks the right investment and backing from the C-suite, it resorts to sourcing budget on its own instead.

This means the person responsible for compliance often has to go from department to department to secure additional budget for compliance needs. While it’s undoubtedly beneficial to highlight the benefits that compliance software and expertise can bring to each division (plus, you’ll recruit some compliance allies as you go), this process is extremely time-consuming. It’s also risky, resulting in a sort of patchwork protection of a company’s information, with some departments left much more exposed than others. 

To achieve company-wide compliance, increase employee productivity and protect company knowledge, executives need to buy in to safeguarding their entire organization and allocate budget for data projects accordingly. 

Alongside budget allocation, the C-suite must block out enough time for themselves and their colleagues to fully understand and implement new systems and protocols, carving out time for company-wide training sessions and regular meetings for updates and reporting.

Compliance is an ongoing process, so commitment from the C-suite is vital for keeping data protection and privacy at the forefront of the minds of all employees and achieving long-term success. 

2. C-suite buy-in helps avoid higher regulatory fines

Another direct result of securing increased funding and interest from the C-suite is that your company is in a better position to mitigate high penalty fines. 

Whenever a breach or violation takes place, regulatory bodies in the US, the EU, and the UK will investigate which procedures and protocols a company had in place at the time to protect the data in question.

For example, the US federal sentencing guidelines state that the following two measures could reduce (or even prevent) a fine: “the existence of an effective compliance and ethics program” and “self-reporting, cooperation, or acceptance of responsibility.”

Similarly, Article 83 of the GDPR outlines various factors that determine the value of an imposed fine, including “the intentional or negligent character of the infringement” (paragraph 2b) and “any action taken by the controller or processor to mitigate the damage suffered by data subjects” (paragraph 2c). 

Although other factors, such as the types of data and sectors involved, will also influence fine calculations, if a business can show that it matched effort and good intent with processes, resources, and planning, it is likely to face a much more lenient punishment.

3. Brand value is protected through C-suite investment in compliance

Most C-suite members are aware of the fines associated with poor data and privacy management. However, many aren’t prepared for the financial impact caused by the reputational damage of a breach.

Highlighted by research such as IBM’s 20th Global C-suite study, today’s leading businesses are not only data-led; they’re privacy-led. They take this approach as they know that “customer trust once endowed in brands is now contingent on data.”

No matter which sector you operate in, customer trust related to data management will impact your brand’s value and revenue. IBM’s report further backs this notion by stating: “how organizations transparently share data about their offerings, are accountable for the personal data they collect, and use that data to their customers’ benefit determines their market position.”

As a warning to those who aren’t taking their compliance and privacy program seriously, the report also suggests: “Organizations that lack customer trust—cut off from prized personal data—could find themselves slipping further behind.”

Another study that looks into the cost of customer fallout after a breach is the Ponemon Institute’s Impact of a Data Breach report. The investigation found that following a data breach, 65% of data breach victims lose trust in an organization, translating directly into loss of business.

Organizations that lost less than 2% of customers after a breach suffered an average revenue loss of $2.67 million, and companies that lost more than 5% of customers experienced an average loss of $3.94 million. To add a further blow, stock prices reportedly dropped an average of 5% after a breach.

Then come the cleanup costs that follow a data breach. Crisis management outgoings include PR and marketing costs needed to earn back customer trust, new systems to prevent another attack, and consultant fees to help fast-track your business to recovery.

Rather than following a well-thought-through strategy with an appropriate budget allocation and considered tools, you have to make expensive decisions under incredible pressure to demonstrate to regulatory boards, shareholders, and customers that another breach won’t happen. 

4. Establishing an organisation-wide compliant culture often needs C-suite commitment

For a company to be fully compliant and optimally protected against data threats, you need every single employee to follow the correct data procedures, policies, and practices. It only takes one employee’s misconduct to expose a company to a breach or penalty. 

However, how can you expect colleagues to follow appropriate data handling measures if senior members of staff don’t see compliance as a priority? Change needs to be driven from the top down; otherwise, your organization will continue to carry that element of risk.

Busy employees don’t appreciate new procedures, technologies, or rules being added to their workflow and are unlikely to engage with new protocols unless they know it’s a non-negotiable for their job. 

If your C-suite tells employees that they must take certain steps in their day-to-day activities, that instruction will carry a lot more weight than if it’s delivered by a compliance team. Personal accountability is then instilled across the company, improving organization-wide security.

Executives also have the power to make data protection processes mandatory and achieve compliance through incentives or disciplinary action. In some companies where compliance is highly valued, C-suite members even link bonuses to compliance objectives, helping to drive a truly compliant culture.

5. Preventing data silos requires C-suite support

A core part of compliance is effective data mapping – a process that gives a clear overview of exactly where a customer’s data is being stored, how it is being used, and who has come into contact with that data. 

If the C-suite doesn’t understand the importance of arming a compliance team with the time, tools, and knowledge needed for data mapping processes, a company will experience the undesirable effect of a rising number of data silos.

Data silos are extremely damaging for two main reasons. Firstly, they put your business at an increased risk of data leaks or security breaches. If different offices, departments, or individuals follow their own data steps and practices, there’s a much greater risk of business data being mishandled or compromised. Without a centralized overview and control of data flow, valuable information could be stored on unsecured devices, sent to unapproved parties, or be kept in circulation well past its deletion date. 

Secondly, data silos are a massive blocker for any company that wants to realize the full potential of its data. Rather than enabling the free flow of valuable assets, data silos limit company knowledge and potential. It’s only when data is shared between colleagues and departments that its actual value can be unlocked.

As discussed by Complyon CEO and Co-founder Julie Suhr in our recent interview, treating data in this way also has a detrimental effect on company culture. Divisions become isolated rather than collaborative, which again limits the potential and productivity of an organization.

By educating your C-suite that data value and company productivity are enhanced by compliance, you should have a more successful conversation about securing the buy-in and budget you need to run a smart compliance plan.

If you’ve enjoyed this article, keep an eye on Complyon’s LinkedIn for our next C-suite blog article, which will cover top strategies and tips for securing executive buy-in for your compliance plan.