More than thirty (30) years ago, I made a list of what motivates people.
(I’m not sure why I was motivated to make the motivation list though.)
I have no recollection of where these pieces or parts may come from, but here they are:
1. Make money
2. Save money
3. Save time
4. Avoid effort
5. Get more comfortable
6. Achieve greater cleanliness
7. Attain fuller health
8. Escape physical pain
9. Gain praise
10. Be popular
11. Attract someone else
12. Conserve possessions
13. Increase enjoyment
14. Gratify curiosity
15. Protect family
16. Be in style
17. Have or hold beautiful possessions
18. Satisfy appetite
19. Emulate others
20. Avoid trouble
21. Avoid criticism
22. Be individual
23. Protect reputation
24. Take advantage of opportunities
25. Have safety in buying something
26. Make work easier
It’s not a perfect list, but it’s not bad either.
"Nothing happens at a dealership until something is sold."
That’s what pays the bills. It’s easy to see how this list could be parlayed into motivational leverage with the goal of selling something.
On the other hand, on the “other” side from selling, in governing the business, some of these motivators can be used to avoid problems, dodge pain, save money, protect your reputation, and avoid trouble.
Where the focus is eliminating or avoiding problems, that’s called governance, risk, and compliance (GRC).
Avoiding foreseeable problems (or “preventable risk”) will be the core motivation of this article.
At a dealership, a robust GRC program will extinguish issues which are obvious and avoidable. Here’s a summary of the eight (8) steps involved in a dealership GRC program:
1. Identify risks and compliance obligations
2. Prioritize the work by potential catastrophic problems and willful non-compliance penalties
3. Reduce exposure by building a proactive risk transference program
4. Create your internal policies and procedures for risk and compliance
5. Evolve from reactive to proactive to ameliorate your risks
6. Assign responsibilities and accountability
7. Track progress to protect the dealer (personally) and the dealership’s assets
8. Routinely review and audit people, processes, policies, and technology to document and revise compliance and risk protocols
A robust GRC program will translate into action when the dealership brings a keen focus on having a compliance program. Some dealers say they have a strong program, when, in fact, they (sadly) do not.
"For example, do you have a designated compliance person at each store?"
These duties do not have to be a full-time, exclusively focused job. Compliance duties can be a part of an employee’s other responsibilities.
If no one is designated as the compliance person at each store, then you really have no program. No one is actually performing the work. Now is a great opportunity to start your GRC program, as enforcement activity against dealerships by the Federal Trade Commission (FTC) and the state Attorneys General is on the upswing.
In November of 2021, the FTC passed new regulations with which dealers must comply as a part of the Gramm Leach Bliley Act (GLBA), originally effective on May 23, 2003.
There were two (2), new deadlines for compliance: January 10, 2022 and December 9, 2022.
The December 9 deadline was pushed to June 9, 2023.
(The update alone ran forty-two (42) pages of three (3) columns of small, eight (8) point type in the Federal Register.)
Here’s a brief summary of what you need to know to be compliant on this issue:
The GLBA was born out of the need to protect customers’ Personally Identifiable Information (PII). It is a federal data security rule which requires dealers to keep customer information secure and protected.
The original rule added the burden to the dealers of ensuring that affiliates and service provider partners of the dealership safeguard the customer data, as well.
This has translated into these actionable items:
The overabundance of data breaches necessitated an FTC update in 2021.
By January 10, 2022, the dealership was to:
- Testing and monitoring
- Any material changes to your operation
- The result of your risk assessment
- Any other circumstances which may have a material impact on your Information Security Program
Unfortunately, there’s more work to be done:
- In transit and at rest
- If someone gets fired or quits, your program can continue through following these procedures.
- Controlling the lifecycle through procedure standardization to manage the risk and minimize the disruption.
- Identified security risks
- Criteria of existing controls
- Description of how the risks will be mitigated
- Some risk is acceptable, but the reason “why” must be written down
- Must be updated as changing risks warrant
- Dealers must periodically perform these assessments
- Must have multi-factor authentication (MFA)
- Continuous monitoring of IT systems, or annual penetration testing plus vulnerability assessments conducted at least every six (6) months
- Anti-virus software
- Endpoint protection to remotely monitor and update all computers
- Documented with signed employee acknowledgements
- Everyone must complete training without exceptions
- How the dealership will respond to a data breach
- Who has what responsibility and can make decisions
- Communications inside the store and to third parties
Data encryption is the “biggie” here. All data which contains PII must be encrypted both in transit and at rest. For example, that means when someone is scheduling a service appointment through your website, that data must be encrypted between the scheduler and your service advisors. As another example, the data sitting in your CRM must be encrypted at rest.
There’s a lot here to work on.
As another example, salesmen can no longer send PII to their manager through email, as it is typically not encrypted. The GLBA impacts your relationship with most internet vendors.
Consider going to your payables department and having them develop a list of any vendors which have anything to do with email or the internet. Then contact them one by one to see whether or not they are compliant with encrypting their data. There are SaaS software solutions to help keep track of this activity.
"Fines for non-compliance are $50,120 per violation."
The FTC can take an expansive view of what a “violation” is, depending on the circumstances, particularly if there are issues involving multiple customer records.
Data breaches are real and happen every day. Currently, one dealership in northern Virginia is immersed in a class action suit over a data breach. These lawsuits are wildly expensive.
Consider that good data security is also a good business practice. Do you really want to call your third (3rd) generation customer and tell him his data is sitting out on the dark web as a result of a breach from your store?
While not part of GLBA, cyber insurance should be a consideration and a part of your GRC program in order to protect your assets. While volumes have been written about these policies, I think it is important to talk about a few niggles. To be diligent about your cyber policy, consider:
The overall philosophy with the GLBA (and the rest of your GRC program) here should be:
If you handle the preventative risk and ameliorate these issues, you can focus on the more positive side of the twenty-six (26) items above, like increasing your enjoyment and making money!
And that’s how you can stay on the black side of the ledger! Cheers!
For more information:
Phone Number: 757-434-7656
Email Address: email@example.com
YouTube Channel: https://www.youtube.com/channel/UC-yt...
LinkedIn Profile: https://www.linkedin.com/in/tompkline/
Tom Kline, a former franchise dealership owner with 30+ years of experience, specializes in risk mitigation by preventing and solving dealership problems through risk transference remedies, compliance, and dealership dispute resolution. Tom is the Lead Consultant and Founder of Better Vantage Point and has worked with both publicly held and private dealerships. Kline speaks at national conferences and workshops, writes for six (6) publications, and has endorsements from multiple trade groups. Thanks for seeing things from a Better Vantage Point, where “We Get You Out of Trouble…and Keep You Out of Trouble.”