IT Governance, Risk, and Compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases, including IT risk management, IT compliance, policy management, threat and vulnerability management, IT third-party vendor risk management, and more. The core promise of an IT GRC program that integrates needs across all stakeholders is the efficient management of risk against business objectives and better business performance amid an evolving threat landscape, technological and business developments, and regulatory changes; all of which can lead organizations to thrive on risk.
While many organizations have seen benefits from their IT GRC investments, it is critical to build a case for the business value of IT GRC, in order to a) understand the true impact of the GRC program against investments made into it and b) gain enterprise-wide commitment supporting the implementation of a high-value, sustainable IT GRC program. It all comes down to one point – leveraging risk information efficiently to achieve business outcomes.
Experience shows us that those organizations that manage IT GRC as an integrated program involving people, processes, and technologies are more successful in delivering value to their organizations, compared to those that simply focus on deploying technology or processes without accounting for the larger picture. Not only does an effective, integrated IT GRC program strengthen IT risk, governance, and compliance management, but it also aligns these processes with the larger enterprise governance framework.
Business value is the measure of a program’s qualitative and quantitative benefits, as well as other intangible expected benefits, such as improved decision-making through better analytics. Together, these values provide a complete picture of how business performance can improve over the long run through a portfolio of initiatives.
The business value can be realized at two levels through an integrated IT GRC program:
It’s important to remember that any business value derived from an IT GRC program, is ongoing and continuously improving – it accrues over the years with substantial returns stacking up as the adoption of the IT GRC program grows, and as processes are continuously improved. Only when benefits are realized can the initial value proposition of the IT GRC program be achieved, but also perhaps exceeded. As these benefits become “business as usual,” new initiatives and continuous improvements will drive constant upward revisions to the overall value equation.
Let’s understand this with the help of an example.
Consider an organization’s IT risk management team of 12 people that is not able to complete risk assessments at the required depth due to the lack of time and resources. Management reporting is difficult and incomplete with only a few metrics and, occasionally, with errors that take time to be hunted down and resolved.
Let’s assume that 400 risk assessments need to be performed in the organization; of which only 200 are currently being completed with a team of 12. It can be implied that the organization can achieve the goal of performing 400 risk assessments if it increases its team size by 100%, from 12 to 24.
Further, assuming the average time to complete an assessment is 10 days, 400 assessments will be completed in 4,000 days. But, assuming 200 working days per year, the total number of team annual days is 2,400 (for a 12-member team) for 200 assessments and 4,800 (for a 24-member team) for 400 assessments.
Also, from the budget standpoint, assuming the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the total cost of 200 assessments with a 12-member team will be $400*10*200*12 = $96,00,000.
Considering the organization can increase the team size to 24, the total cost of 400 assessments would be $400*10*400*24 = $3,84,00,000.
This, however, is not realistic. An organization will not have infinite human and financial resources to continue scaling up the team and assessments to meet the growing demand, especially if it is using manual methods, spreadsheets, and emails to perform the risk assessments. What is needed is to lower the average cost per assessment and improve the efficiency of the current team by automating the process.
Implementing an integrated IT GRC solution, such as MetricStream CyberGRC, can help achieve this goal. Based on MetricStream’s customer feedback and business value calculator, an organization can achieve a 66% reduction in the time taken to complete risk assessment. This is mainly attributable to:
In the above example, where the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the organization can
In this example, factors such as travel expenses, errors and remediation efforts, financial losses due to fines/failures, etc. have not been taken into account. So, realistically, the cost would be much more than calculated here.
Of course, there will be costs associated with an IT GRC solution as well, such as consulting fees, people costs, technology implementation costs, and ongoing direct costs for cloud services. If the deployment is internal, the team can consider additional hardware and infrastructure costs, as well as support and maintenance costs.
But the payoff is significant. By building an integrated IT GRC program with supporting frameworks, processes, governance, information architecture, and working groups, organizations can achieve better business performance as we can see above.
IT GRC implementation is a journey that can span several months with multiple tracks/initiatives and stakeholders. It’s important to regularly review the implementation plan/roadmap and maintain a living document that demonstrates the benefits that have been realized as each initiative is launched and fully adopted.
MetricStream CyberGRC helps organizations implement and elevate their IT GRC program with automated and autonomous capabilities, integrated approach, and advanced risk quantification and analytics. It offers several benefits:
Interested in learning more? Request a personalised demo now!