When launching a new governance, risk and compliance (GRC) program or deciding to select a software solution to support it, one is usually asked to provide the ROI of the project. In short, the return on investment (ROI) is defined as the outcome of an investment – be it positive (gain) or negative (loss). For many non-GRC stakeholders, a GRC project is just like any other project—you invest capital, so you expect to gain something out of it. This is what justifies the budget request.
Unfortunately, GRC doesn’t really work like this. It’s more like insurance—you’re relieved you have coverage when a 12-ton truck reverses into your brand-new Mini…
Nevertheless, there are ways of showing and even calculating the value that a GRC program will add to your organization. And in this short post I’d like to share a few ideas with you, hoping that it could help you make the case to management that you need more than just reactive measures; you need a real comprehensive GRC program that not only helps your organization be compliant, but also helps it foresee any potential potholes in the road and thrive in your market.
Qualitative benefits: Not easy to quantify, but very valuable
- Meeting compliance requirements: The very first step of any GRC program is ensuring that your business is compliant with its regulatory environment. A direct benefit from this is a reduction in fines and penalties.
- Decrease in audit findings: Since you’ve documented your GRC process and will run it accordingly, internal audit should find this appropriate and not require more from you.
- Reduction in operational surprises: Here, it’s much like insurance. You know you need it when you (or one of your peers) experience an incident. A good GRC program will help you avoid risks and hence reduce the number of incidents.
- More relevant mitigation strategy: A sound GRC program identifies not only risks, but also their specific impacts and drivers. So when you design your response strategy with controls, actions, and so on, you can target the real root causes and therefore effectively mitigate your risks.
Quantitative benefits: Where the rubber meets the road for a business case
- Drop in time for reporting: The final outcome of any GRC program is a report. If it can easily be created because all the information is structured, shared, and accessible, not only does this reduce manual time to produce it but it also means more up-to-date information => hours saved!
- Decline in inefficiencies and manual rework: A lot of “GRC time” is spent on administrative tasks such as reminders, harmonization of terminology, consolidation of assessment, reviews, and so on. This can all be reduced with an integrated GRC approach => hours saved!
- Reduction in number of controls: When controls are performed in silos, not only does this mean that you can’t benefit from “test one and satisfy many requirements” but you may also find that you have similar controls done multiple times by different teams => hours saved!
- Decrease in audit fees: As all the information is readily accessible and structured, you should find that your auditors are planning a shorter audit cycle because they’ll spend less time in preparation and execution => financial savings!
- More appropriate insurance coverage: Since you know your risks and have qualified potential exposure, you’re able to select the coverage that suits you, and not the worst case scenario on the market => financial savings!
As you can see, there are many more benefits to GRC than simply compliance.
If well adopted, a GRC program can help you free resources to work on more value added activities and take a more proactive approach to risk identification. It can also help reduce manual errors, and as a global result, increase your operational effectiveness.
Last but not least, let’s not forget that it can also result in more reliable data that will be invaluable for top management when making strategic decisions.
What about you—have you been asked to provide an ROI for your GRC program? What indicators did you use?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.
For more insight on risk management, see Too Small To Think About Risk Management? Think Again.