For GRC Decisions, Avoid The ROI Discussion If Possible . . . But If You Can't, Here Are Some Tips

This week we published the first in a series of reports I'll be writing to help clients calculate the return on investment of GRC technologies. This report, How To Measure The ROI Of A GRC Platform, outlines the key factors and suggested metrics to show what GRC can do for your organization. 

Of course, my first recommendation is to exhaust your arsenal of arguments before falling back into ROI terrain. GRC is about improving oversight, strengthening controls, and finding ways for the business to succeed within the boundaries of risk tolerance. But these board-level issues can quickly give way to questions of costs and savings... so it's good to be prepared.

The considerations for costs (software, hardware, maintenance, implementation, etc.) are not much different from those of other large IT projects, nor are the associated risks (requirements, scope, adoption, integration, etc.). What's tough is articulating the benefits. The report offers much more detail, but generally the success factors of a GRC implementation fall into three categories. These are:

  • Efficiency, which includes product and process consolidation as well as facilitation of processes such as policy development and distribution, risk and control assessments, incident/issue management, and data/report aggregation.
  • Risk reduction, which includes decreases in audit and examination findings, reduction in regulatory fines, faster remediation of issues, and the secondary benefits of these improvements, such as decreased cost of capital and lower insurance costs.
  • Strategic performance, which includes longer-term benefits from more risk-aware decisions related to technology, strategic partners, products, sales/marketing efforts, mergers/acquisitions, and any other part of the business in which GRC information is considered.

The one other aspect of GRC benefit to consider is the flexibility and agility it offers your business. This comes in the form of business agility, helping you for example to move into new markets or bring on new partners more quickly because risk and compliance processes are streamlined. It also includes risk and compliance agility, allowing you to react more quickly to emerging risks or changes in regulatory requirements.

If you've read the report or would like to comment on these thoughts, your input is welcome. Also, contact me at cmcclean@forrester.com if you have a compelling end-user GRC ROI story you'd like to share.