Imagine this as a GRC professional. It’s April 2016. The European Parliament passes the General Data Protection Regulation (GDPR) with an enforcement date of May 2018. Your organization is impacted. You are going to own this.
At first, you ask yourself – should I get going on this now? The answer is yes; the reality is you won’t. A year passes and the media pipes up about the clock ticking. You start to hear in your peer groups that people are starting to think about what they are going to do, but there’s little action. The clock strikes Q4 2017, your anxiety elevates, the consulting firms and professional organizations inundate your inbox with updates, trainings, services, etc., so you start your journey (late). You get organized, start reaching out to HR, IT, anyone who could be impacted. Crickets. A month passes. Two months pass, and it’s Q1 2018. You follow up. Finally, a response, maybe two come in. Finally, some momentum!
You re-engage your stakeholders, you email, call, try and set up meetings. Crickets. Q1 earnings come around. Analysts are asking. Your CEO says you are all over it and ready for the go live. Senior leadership is looking for an update. You’re working on it as best you can. The emails get responded to, finally. It’s a fire drill. You work tirelessly. GDPR goes live. You’re not quite there, but close enough that you finish by your Q2 earnings release. It’s been a disaster, but it’s over (until the next time).
GRC professionals, a lot of them, live this awful cycle every time there’s a new regulation, accounting standard, etc. Why is this? Our jobs should be simple. We carry the big stick! Most of what we support is tied to law, standards and regulations. Our organizations have to comply or face potentially stiff penalties and reputational damage. Why don’t they? They claim no resources, or budget, or time. We’ve heard it all.
Why aren’t they listening? I argue that we don’t leverage persuasion and build the skills to persuade.
The reality we live in as GRC professionals is that we simply can’t be successful in our job if we don’t persuade, and if we can’t persuade, we risk insufficiently addressing or failing to address risks to the organization. The repercussions could be severe. We could hinder our own and our teams’ careers and damage our reputations. In the narrative above, we all know who’s going to be on the hook if there’s a problem. And it won’t be those who ignored us for the better part of a year.
Persuasion is a skill. Some of it can be taught; most of it we already know (or could be defined as common sense). We simply need to be aware of this and implement some simple (in most cases) techniques to tilt the scales:
- Rapport is critical. If they don’t like you, send in someone else they do. We can’t persuade someone who doesn’t like us.
- Acknowledge the stigma that may be attached to your title and role. Let’s be honest – colleagues not may really enjoy getting a visit from a GRC colleague. Acknowledging this might help remove the first barrier.
- Recognize the impact of mood. Having a bad day? Your counterpart having a bad day? Move the meeting; it simply won’t be productive.
- Get out of a negative environment. The workplace can be a source of stress, so go grab a coffee or lunch or a drink. This is the real reason so many folks utilize “let’s grab a coffee” or similar approach to get things done.
- In person is always better. Smile a lot and use your colleagues’ name when you see them – people like hearing their name. Keep your tone of voice positive and upbeat. And while you’re at it, avoid using the word “I” – it will turn them off.
- Use how, not why, when requesting support. To most people, “why?” feels like an accusation. Don’t believe me? Think about how you feel when your boss or your spouse ask “why” you didn’t do something. It puts most people right on the defensive. “How” invites both parties to strive toward a common goal. The simple statement “GDPR goes live in 6 months – how do we ensure our organization is prepared?” invites both potential solutions and a sense of ownership in both parties.
- Listen. I mean it. Really listen. Can you do it? I can’t. Why? Because when I’m not talking, I’m thinking about what I am going to say next. Is that really listening? Bring someone with you to important meetings, and make it their job, and only job, to listen (take note of tone), watch body language, take notes, etc. Review that feedback after the meeting.
This seems easy enough, but the reality is if you don’t thoughtfully leverage some of these steps routinely, you’ll never reap the rewards. These won’t work all the time, but they’ll help increase the chance of success in your GRC role.
Have they helped me? You tell me – ever convinced a subsidiary to upgrade their ERP as part of an audit report? I have. And it was by using these tactics.
I’ll be discussing this topic further at the GRC conference next week in Nashville, Tennessee, USA. Track me down at GRC; I’d love to speak about these topics and lend a hand if I can.
Brian Tremblay, Chief Audit Executive, Acacia Communications
[ISACA Now Blog]