GRC needs executive buy-in to succeed
Does your leadership appreciate you?
To put a finer point on it, does your leadership appreciate the value of GRC and what you and your team do each day? Do they understand why GRC is a crucial undertaking? Do they understand the impact a mature GRC program can have on the overall success of the business?
Getting leadership to understand and then appreciate the importance of GRC activities can be an uphill battle. At the lowest level of GRC maturity, 71% of surveyed GRC practitioners told us their leaders see GRC as a burden. Their top obstacle to achieving full GRC maturity is a tie between “lack of executive support” and “insufficient budget and resources,” each also at 71%. Coincidence? We think not. The implication is clear: Without sufficient executive buy-in, you’ll find your journey marked by roadblocks in every direction, your efforts thwarted, your requests shot down.
On the other hand, GRC programs thrive when leadership sees GRC as a competitive advantage or a business enabler.
In short, if you want to be successful as a GRC leader, you need executive buy-in.
In this guide, we’ll explore best practices you can start implementing today to demonstrate the value of governance, risk and compliance to leadership and secure the backing you need to drive growth.
Everything you need to know to win over leaders
As a GRC leader, your job is brimming with challenges. You are tasked with chasing people for evidence, hounding stakeholders to stay accountable for their controls, and convincing leaders to support initiatives they may not understand or care about. This last point is especially problematic, as the ripple effect from unsupportive leadership creates a disconnect between GRC’s goals and those of the rest of the organization.
Leadership tends to focus on and care about activities that are mission-critical and issues that impact the bottom line. While we know that GRC meets both of those criteria, it’s not obvious to them. Unless they understand why they should care about GRC, you will just come across as a stickler. While leadership in many mature organizations is abstractly aware of the importance of risk management, that doesn't mean they’ll appreciate you, your team, or your collective endeavors unless you make it crystal clear that you’re contributing to the business.
Let’s explore the key elements you need to nail if you want to get your leadership to appreciate your work — not for your own sake (okay, maybe a little bit for your own sake) — but to show them that GRC is a tool for expanded and accelerated growth and to get the backing you need to leverage GRC to its fullest.
Align with their goals
Before you do anything else, make sure you are aligned with leadership’s goals. What makes them tick and what keeps them up at night? Don’t try to bring them into your world before you’ve firmly planted yourself in theirs. Some leaders might resonate most with reputational risk, others with financial risk. Others might light up about opportunities to improve efficiency.
The more deeply you understand your leaders’ goals and concerns, the more you’ll be able to empathize with them and build meaningful lines of communication.
Speak their language
As a GRC leader, you need to learn a lot of departmental lingo to communicate effectively with various teams across the organization. The same goes for leadership: speak to them using their own language. Don't focus on the importance of governance or compliance in and of itself, but rather on how it relates to their domain.
Give leaders a reason to see GRC as a business enabler. Focus on the ROI that comes with a mature program, and show them how being compliant can serve as a competitive advantage and a vehicle to impress prospects.
Our research found that the highest-maturity GRC programs are proving ROI with business-driving metrics, including:
- Incident costs
- Sales cycle length
- Customer trust scores
Give short, business-driven updates
Typical executives are, understandably, very busy people. They don’t want extra information or long stories with no direct impact on the business. It’s not enough to pull information from external sources and expect them to sift through it; you need to extract exactly the information they must be aware of.
If you want to draw executives’ attention to an issue, you will need to present the information in a way that’s to the point and business-driven, with the dollars-and-cents impact clearly explained. Visual tools, like charts and infographics, can be super helpful for delivering memorable messages at a glance.
Deliver information on a consistent basis
Building on the point above, once executives begin to see that GRC does indeed affect the bottom line, leadership will expect to be informed of any issues impacting the organization’s GRC posture. Use this to your advantage by creating a continual feed of compliance and risk-related information to share with them at regular intervals.
Create short reports covering:
- Any changes to the compliance ecosystem, such as what regulations or frameworks are set to change in the near future
- Any major news items touching on issues that may affect your organization, such as emerging cyber threats
- Any significant wins you've had since the last update
Use numbers and percentages – and give context
You definitely want to convey to leadership that under your guidance, the organization’s risk and compliance posture is improving. But it’s not enough to tell leaders that you’ve improved and now your controls are more effective; you want to quantify that information.
Provide numbers and context by saying things like, “Last quarter we had 15 control failures, and this quarter we only had 10.” Or, “It took us 3 weeks to close control gaps, instead of 6 weeks like last time.” Or, better still, “We used to catch the majority of control gaps and failures during audits. Now that we’ve implemented continuous monitoring, we’re finding and fixing 90% of control issues immediately and seeing fewer surprises in audits.” Statements like these provide much-needed context and tangible numbers that can help leadership quantify and measure the improvements you've made and the return on their investment in GRC.
Demonstrate an ability to learn and change
In the fast-evolving GRC ecosystem of changing regulations, growing contractual obligations, and shifting security threats, constant change is one of the only certainties. Showing leadership your ability to adapt and learn new tricks will go a long way to proving your worth as a flexible, dynamic problem solver. The cumulative impact of showing leadership that, time and time again, you rise to new challenges will cement your reputation as a leader in your own realm and someone they can count on.
Once you have this baseline of trust, you have a great opportunity to onboard new tools to help you do your job even better. Leaders who are confident in your ability to problem-solve and think outside the box will know that when you tell them you need something, they can trust your word.
Be a likable person
Okay, this may sound obvious — but honestly, in high-tension, high-stress environments, it bears repeating. In addition to the tips above, likability is your golden ticket to becoming a truly valued person within your organization. Listen before you speak, smile, admit to your mistakes, drop the combative stance, and be open and sincere.
Not only will this serve you well as an individual, but it will also help solidify the function of GRC as a key focal point across the organization.
When Leadership ❤️ Compliance = Growth
Getting leadership to value compliance is no small feat.
It requires investing time and resources into changing ingrained practices and habits. But if you manage to achieve it, you’ll be able to secure the backing you need to leverage compliance as a true business driver and tool for growth.
And this is a goal that even leadership can get on board with.