Return on Investment (ROI) discussions about GRC solution implementations are
challenging for two reasons. First, GRC focuses on improving an organization's
risk and compliance status, increasing security controls and finding the balance
between accepting and rejecting risks, none of which translates directly into
revenue. Second, implementing a GRC solution and maturing an organization's risk
and security posture takes place over a course of years. Therefore, ROI
calculations may not show immediate (within the first year) financial
performance results. However, because corporate budgets and decision-making
depend on them, ROI metrics must still be calculated and presented to
executives. Categories for ROI metrics are as follows:

  • Decreasing time = Increasing Efficiency:
    Managers record the current time it takes employees to complete GRC tasks,
    for example the time to manage the policy approval workflow, conduct business
    impact assessments or map policies to compliance regulations. Managers then
    project the estimated time to perform these same tasks after a GRC solution is
    implemented. With both figures, managers produce a time comparison that
    provides evidence of increased efficiency and, in turn, discuss how employees
    will devote their "extra time" to supporting other company initiatives. SDS has
    seen such increased efficiency in organizations that have adopted some GRC
  • Effective Vendor Management = Reduced
    Duplication of Vendors: Centralizing vendor relationships into a single managed
    GRC solution will enable the business to identify duplication of vendor
    relationships including contracts and manage vendor risk with a consistent
  • Decreasing Risks = Cost Reductions: A GRC
    tool provides a database of risk information from all areas of the business and
    produces a comprehensive view of risk areas and their impact. Organization
    strategies target the highest risks for remediation or address incidents
    effectively. This strategy results in fewer audit findings, reduced costs from
    security breaches and quicker remediation because fewer risks remain open.
  • Decreasing Silos = Strategic Performance:
    As an organization shifts from operating in the GRC "silo" perspective to the
    GRC "integrated" perspective, it is equipped to use comprehensive GRC
    information to make informed choices across typically siloed areas of the
    business. Examples of such informed choices include faster availability of
    information to hire or assess vendors, administer information security
    awareness training and support marketing campaigns that advertise your
    organization's security program.