Making the ROI case for GRC platforms

The ultimate goal of GRC is to support business agility, but be ready to supply your CFO with these additional details

As the governance, risk, and compliance market matures, product vendors and potential buyers alike are struggling to make the case for GRC implementations—whether it's being able to point to credible return on investment figures, or building a business case to justify the expense of a software platform. This is certainly not due to a lack of value, but rather a lack of parameters to work with when defining essential elements relating to cost, benefit, flexibility, and risk. When possible, the GRC proposition should be driven by a vision of better governance and performance, but when pressed for more specific justification, the following factors will help provide specific supporting evidence to make the case:

The Cost

The cost of GRC can be significant—most leading GRC platform vendors report their average initial customer deal size is between $200,000 and $600,000 including software, hardware, and implementation services. In addition to these cost factors, you will have to factor in maintenance and support costs as well as services such as strategic consulting that might be used to guide the organizational roles and responsibilities, process improvements, and other elements of the business that the GRC platform will support.

The Benefits

There are three major categories that encompass the more basic ROI argument for GRC value. These include efficiency benefits (e.g. faster report aggregation, decreased audit costs, faster time to remediate control deficiencies), risk reduction benefits (e.g. fewer incidents, fewer regulatory fines, lower insurance premiums), and strategic performance benefits (e.g. better strategic decisions using risk and compliance information, stronger reputation driving more lucrative relationships). Efficiency benefits are usually the easiest and earliest to demonstrate, while strategic performance benefits may take years to fully appreciate.

The Flexibility

Another key factor in building the business case for GRC implementations is the degree of flexibility it provides to help the business respond to opportunities and threats. For GRC programs, you should consider two distinct elements of flexibility: flexibility relating to extending the GRC program and flexibility supporting business agility.

Extending the GRC program is critical in an environment of new and changing regulations, risk factors, and business requirements—so for example: a company using a GRC product for operational risk management may be able to leverage that product's business continuity module for an additional $40,000, instead of implementing a separate business continuity software application that would normally cost $400,000. GRC programs can't truly succeed without this flexibility—it's one of the most frequent compliments from GRC customers when it goes well, and one of the most common complaints when it doesn't.


With flexibility related to business agility, organizations should consider how quickly they can react to new opportunities because of the speed with which they can consider risk and compliance information. Examples include the speed with which a corporation can train a new employee or partner so they are productive sooner or how quickly a business unit can understand and address the risks of an emerging market so they can open new business operations before competitors.

The Risk

Many of the risks associated with GRC implementations are similar to those in other IT implementations, but often involve top executives, a large number of employees, and significant costs—all of which can multiply the impact of any risks that manifest. When making the business case for GRC, risks that are most important to consider are associated with implementation, adoption, integration, and vendor viability. Many organizations will treat some of these risks by starting with a small proof of concept—such as policy management in one line of business or risk assessment and reporting in one region—before extending to a full-blown GRC roll-out.

Tips for Success

While it's preferable to focus on the vision of what GRC can offer to your organization, in order to get started with a large investment in GRC technology, it might be necessary to build a business case that appeals more to an accountant than to the CEO. But no matter who the business case is for, it will be important to follow a few best practices along the way: make cost and benefit projections at least three years out so that the projected benefits are comparable to the costs, and collaborate with other functions such as audit, business continuity, operational risk, and vendor compliance to build the best long-term business case, even if these functions won't immediately benefit.

Chris McClean is Senior Analyst at Forrester Research, serving security and risk professionals. He will be speaking at Forrester's IT Forum, May 25-27 in Las Vegas.

Copyright © 2011 IDG Communications, Inc.
