IT Governance, Risk, and Compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases - moving beyond traditional IT security management into IT risk management, IT compliance, policy management, threat and vulnerability management, third-party management, and more. In OCEG’s 2017 GRC Maturity Survey, over 72% of organizations stated that they are executing an integrated GRC vision, and 89% claim that the benefits realized have met or exceeded their expectations.
The core promise of an IT GRC program that integrates needs across all stakeholders is better business performance in the midst of an evolving threat landscape, technological and business developments, and regulatory changes. Since strong performance is a pre-requisite for survival in today’s highly competitive world, leaders across the enterprise are asking for help in setting an IT GRC vision, plotting a course, and implementing integrated programs that deliver real value to all organizational units. While many organizations have seen benefits from their IT GRC investments, it is critical to build a case for the business value of IT GRC in order to gain enterprise-wide commitment supporting the implementation of a high-value, sustainable IT GRC program.
All IT GRC management comes down to one point – business outcomes. Everything we do is meant to ensure that negative or unplanned outcomes are kept within acceptable levels, and that business objectives are achieved. Experience shows us that those organizations that manage IT GRC as an integrated program involving people, processes, and technologies are more successful in delivering value to their organizations, compared to those that simply focus on deploying technology or processes alone. Not only does an effective, integrated IT GRC program strengthen IT risk, governance, and compliance management, but it also aligns these processes with the larger enterprise governance framework.
This paper discusses the business value that can be realized through an integrated IT GRC program at two levels:
1. Integrated IT GRC across the organization – Benefits include lower risk, higher efficiencies, and improved governance and decision-making
2. IT GRC within a domain – Benefits include process and technology improvements in domains such as IT risk management, IT compliance management, policy management, threat and vulnerability management, and third-party management
We will discuss several topics, and provide practical value equations that you can leverage, whether you are building a business case for integrated IT GRC, or expanding your existing program into a new domain area. We will cover the main drivers and benefits of an integrated IT GRC program, stages of maturity leading to risk intelligence, critical success factors, assessment of stakeholder needs and readiness, business case value equations to consider, roadmap development, and finally, the process of putting it all together in a living statement of benefits.
Let’s start by defining various IT GRC use cases that run from IT risk management, to IT policy management, IT compliance management, threat and vulnerability management, issue and incident management, and IT vendor risk management (See Figure 1).
“Time to Value” is a key concept in the business case for IT GRC. How long will it take for an organization to realize the benefits of an integrated IT GRC program, given the maturity of current processes and the effort required to make changes to people, processes, and technology?
In many use cases, the need for cross-functional collaboration is high; the benefits of IT GRC may be hard to realize if the effort to gain consensus on various aspects affects the ability of the team to deliver. It is critical to sequence initiatives thoughtfully, so that the IT GRC program begins on a strong foundation, and delivers early successes that build momentum for continuing support and commitment to the program.
It’s also important to remember that business value is ongoing – it accrues over the years, with substantial returns stacking up as adoption of the IT GRC program grows and as processes are continuously improved. Therefore, organizations would do well to document not only the anticipated benefits, but also those that have already been realized, in a living benefits statement that acts as a testimony to the value of the IT GRC program.
Here are the key terms that we will be using in this paper:
Benefits: The positive quantitative or qualitative results of changed processes.
Return on Investment (ROI): A calculation, expressed as a percentage (net benefit divided by cost of investment), that nets a series of benefits against the initial investment to establish a break-even point where the sum of benefits accrued exceeds the investment cost. Calculating ROI typically requires a sequencing of initiatives in the roadmap.
Business Value: The measure of a program’s qualitative and quantitative benefits, as well as other intangible expected benefits (example: improved decision-making through better analytics). Together, these values provide a complete picture of how business performance can improve over the long run through a portfolio of initiatives.
Business Case: A business proposal that develops a compelling case to support a go or no-go decision on a particular initiative. It is typically supported by priorities and benefit statements, and can include an ROI.
Realized Benefits: The projected benefits that are actually achieved; in many cases, the actual benefits may be unexpected, from new sources, under-realized, or over-estimated.
The process of developing a business case for IT GRC is iterative, as seen in Figure 2. It begins with scoping and ranking IT GRC initiatives (e.g. IT risk management, IT compliance), measuring the value of integrating specific initiatives, and using that information iteratively to sequence the initiatives on a roadmap.
Roadmap sequencing enables cost/benefit projections over a number of years. It ultimately drives the process of breaking even and the overall investment.
Only when benefits are realized can the initial value proposition of the IT GRC program be achieved. As these benefits become “business as usual,” new initiatives and continuous improvements will drive constant revisions to the overall value equation.
IT GRC program execution is a journey. It often begins by consolidating efforts around priority initiatives such as IT risk management, privacy, security, or regulatory compliance, and then grows to embrace new stakeholders and use cases.
Every IT GRC program has a maturity curve, as shown in Figure 3. Most organizations are found between the risk identification stage -- where information is siloed and fragmented, risk management is mostly qualitative, and compliance management is often cumbersome -- and the risk analytics stage, where an aggregated, prioritized view of risk is achieved. The goal, however, should be to get to a more proactive stage where risk intelligence supports active decision-making through integrated, well-orchestrated processes.
For most CIOs and CISOs, the commitment to an integrated IT GRC program is based on three main benefit categories:
• Lower Risk: An integrated IT GRC program allows organizations to reduce risk exposure by gaining visibility into and context around the most urgent IT risks, security risks, and cyber risks across all business units – as well as external risks around third parties, suppliers, and customers.
• Higher Efficiency, Lower Costs: Organizations gain efficiencies and reduce costs by managing IT GRC as a program that leverages a consistent IT risk and control framework, collaborative approach, and overall methodology.
• Effective Governance and Reporting: Organizations that focus on orchestrating IT GRC as a program can report the right information to the right people at the right time. A common classification and reporting framework supports a clear understanding of the information and analytics required for the board, regulators, leadership, and external or internal stakeholders, helping them make decisions that improve business performance.
IT GRC programs typically evolve in stages. To accelerate time to value, it’s important to engage the right team -- from executive sponsors, to business leaders and users, to enterprise architects and seasoned project managers. By understanding and taking the time to define the mission, scope, and priorities of the IT GRC program, it becomes much easier to design phased initiatives that deliver immediate value, while also building a solid foundation that will support continuous improvement and expansion.
Here are some key considerations to keep in mind while preparing to launch an IT GRC program:
• Have stakeholders identify the highest priority initiatives that are aligned with strategic objectives, as well as IT and security operational activities
• Understand the maturity and readiness of the organization as a whole and the business units that will be deploying high priority initiatives
• Gain consensus from the right set of stakeholders on what will be required to close the gap between current and desired future states
• Establish the right governance model for the program with the required executive commitment and funding to make it a success
• Ensure that you have a well-defined roadmap with high level estimates of effort and funding required for initiatives and technology implementations
• Prepare for organizational change – Integrated IT GRC requires teamwork, and results in a valuable transformation
• Finally, remember to communicate successes to stakeholders and enable continuous improvements as the IT GRC program evolves
Business value is ultimately tied to business performance. Successful IT GRC programs are those that are tightly aligned with the strategic objectives of the organization, and have the engagement of the right stakeholders across Risk, Ethics and Compliance, Audit, Legal, Operations, IT, and Security.
One of the first steps in establishing a program is to gain consensus on its vision, mission, and core goals (See call-out box below). These concepts will evolve through collaboration with stakeholders that witness the value of being part of an integrated program.
Once your program vision and purpose are defined, understand the Critical Success Factors (CSFs) for people, processes, and technology, as well as the disruptors that can impede the success of the program.
You will need to engage in and lead conversations with various stakeholders to build out detailed priorities and goals for the IT GRC program, and to develop and drive a sustainable, cross-functional set of initiatives. The CIO is likely to be focused on the enterprise-wide technology vision and information architecture for risk processes and systems, as well as the impact of the digital enterprise, big data, and cloud in delivering real-time risk intelligence. Aligning these objectives to board and executive requirements is key to a successful IT GRC program.
The CISO is likely to be focused on aligning information security, physical security, and cyber threats to business objectives, and ensuring that security monitoring systems can help share and link IT risk information with other risk programs. Dialogue will be required to define the risk appetite, and to institutionalize a risk culture across the organization where individuals act within boundaries to reduce the risk of non-compliance and adverse outcomes. In particular, the information security and IT risk management team will need to not only identify downside risks, but also continuously identify opportunities for the organization to execute on its strategic and operational objectives.
Table 1 below outlines each stakeholder group and their top needs. This information can help guide your conversations with them around the priorities and requirements for the IT GRC program.
Once you have a high-level set of priorities and needs defined, you can begin to build the business case for IT GRC based on value. In Table 2 below, you will see a list of benefits with corresponding factors and equations for quantitative benefits, and descriptions of qualitative benefits. With the emergence of big data analytics (e.g. BI tools, R, Python) and machine learning algorithms (e.g. Google predictive API), the benefits realized can be measured more effectively in some areas, particularly those that are heavily automated and data intensive, such as vulnerability management, business continuity, and security operations.
You can leverage this kind of information where possible, especially when establishing the current baseline and target goals for a business function. For example, a strategic goal may be to increase sales through ecommerce; the loss of customers due to security breaches or outages would then be framed as IT and cyber-related risks to that goal.
The benefit gained by reducing the response window to an incident may be calculated by looking at the current threat of cyber breaches measured through empirical data analytics, and predicting a reduction in response time by streamlining cyber monitoring, IT risk management, business continuity, and crisis management processes and data.
The key objectives for developing a business case for IT risk management are stated below:
• Lower the cost of risk assessments, right from planning, to procedure management and reporting
• Reduce the cost of losses
• Gain visibility with analytics
• Reduce issue response time
• Improve the ability to scale
In the example below (Table 3a), the IT risk management team is made up of 12 people who aren’t able to complete risk assessments at the required depth. Management reporting is difficult with only a few metrics and, occasionally, with errors that take time to be hunted down and resolved. In fact, errors and remediation efforts consume 2 days annually per assessment.
While the number of assessments is expected to grow, the team cannot be scaled up to meet the demand. The team size would have to increase by over 100% if they wish to continue performing assessments using the current combination of manual methods, spreadsheets, and emails. The key driver is to lower the average cost per assessment.
Let’s assume that there are 400 risk assessments that need to be performed in the organization; only 200 are currently being completed with a team of 12. There is no budget to increase the team size from 12 to 24 to cover the increased workload; we need to be more efficient with the current team by automating the process.
What does the ROI for automation look like?
• Tier 1 represents 400 risk assessments; the top 70% of these (280 assessments) are very critical
• The company’s external auditor has recommended that all 400 areas be covered with IT risk assessments
• 200 IT assessments are currently being conducted
• The average travel cost per assessment is $1,500
• The average time to complete an assessment is 10 days
• The fully loaded cost is $400 per day, per team member
• The current team size is 12
• The total number of team annual days is 2,400, assuming 200 working days per year
To support a more streamlined process for IT risk management, the team can implement the MetricStream IT Risk Management App in the MetricStream cloud that enables automated assessments and issue management (See Table 3b). The cost of implementation would be $40,000 for implementation fees in the first year, $30,000 for the app subscription, and $40,000 for cloud services, annually. Savings can be realized through improved efficiencies like % improvement in the process cycle time, reduced risk of regulatory fines, or retirement of systems.
The team can also consider anticipated costs including consulting fees, people costs, and technology implementation costs, as well as ongoing direct costs for cloud services. If the deployment is internal, the team can consider additional hardware and infrastructure costs, as well as support and maintenance costs. With a software solution, the team can improve the efficiency of reporting, while maintaining the team size at 12 people, including management and business contributors. Even better, the number of assessments can scale up to 400 with the same group. Assessment reporting can be automated, resulting in a significant reduction in errors, as well as metrics that are easy to share with stakeholders, regulators, and customers.
• The cycle time to assess risks drops from 10 days to 5.6 days (41%), resulting in over $1,480,000 in annual savings
• Regulatory fines are expected to drop by 10% - a $50,000 saving
• The cost of an assessment drops from $4,000 to $2,240 (see Table 3a)
• Free capacity of 160 team days (about 3/4 FTEs) will allow a key resource to be re-deployed to a growing vendor risk management program (See Table 3a)
• Breakeven is estimated at under 1 year with accrued benefits of over $4m over a 3-year period.
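As an added example (not from the paper or from MetricStream), the following Python worksheet reproduces the figures in the Table 3a/3b example that follow from the stated inputs: cost per assessment, team capacity, free days and FTEs, the team size manual methods would require, and the break-even and three-year position. The $1,480,000 process savings and $50,000 fine reduction are taken from the paper as inputs rather than derived, and the treatment of the 2 rework days per assessment is an assumption noted in the code.

```python
"""Business-case worksheet for the IT risk assessment example (Tables 3a/3b)."""
import math

# Inputs stated in the paper
DAILY_RATE = 400             # fully loaded cost per team member per day
WORKING_DAYS = 200           # working days per year per team member
TEAM_SIZE = 12
ASSESSMENTS_REQUIRED = 400   # all areas recommended by the external auditor
MANUAL_DAYS = 10             # days per assessment with spreadsheets and email
REWORK_DAYS = 2              # error hunting and remediation per assessment
AUTOMATED_DAYS = 5.6         # days per assessment after automation (41% faster)
PROCESS_SAVINGS = 1_480_000  # annual savings stated for the cycle-time reduction
FINE_REDUCTION = 50_000      # 10% drop in expected regulatory fines
YEAR1_COST = 40_000 + 30_000 + 40_000  # implementation + subscription + cloud
RECURRING_COST = 30_000 + 40_000       # subscription + cloud in later years


def cost_per_assessment(days_each):
    """Labour cost of one assessment: 10 days -> $4,000, 5.6 days -> $2,240."""
    return days_each * DAILY_RATE


def team_capacity_days():
    """Annual team days available: 12 people x 200 days = 2,400."""
    return TEAM_SIZE * WORKING_DAYS


def free_capacity(assessments, days_each):
    """Team days left after covering the workload; negative means a shortfall."""
    return team_capacity_days() - assessments * days_each


def fte_equivalent(days):
    return days / WORKING_DAYS


def team_needed_manual(assessments):
    # Assumption: the paper's "12 to 24" figure is reproduced when the
    # 2 rework days are added to the 10 assessment days (400 x 12 / 200 = 24).
    return math.ceil(assessments * (MANUAL_DAYS + REWORK_DAYS) / WORKING_DAYS)


def cumulative_net(years):
    """Net position at the end of each year: accrued benefits minus costs."""
    annual_benefit = PROCESS_SAVINGS + FINE_REDUCTION
    out, net = [], 0
    for year in range(1, years + 1):
        net += annual_benefit - (YEAR1_COST if year == 1 else RECURRING_COST)
        out.append(net)
    return out


def breakeven_months():
    """Months until accrued benefits cover the first-year cost."""
    return YEAR1_COST / ((PROCESS_SAVINGS + FINE_REDUCTION) / 12)


def roi_percent(years):
    """ROI as defined in the paper: net benefit / cost of investment, in %."""
    costs = YEAR1_COST + RECURRING_COST * (years - 1)
    benefits = (PROCESS_SAVINGS + FINE_REDUCTION) * years
    return (benefits - costs) / costs * 100
```

Running `cumulative_net(3)` gives the year-end net positions, and `free_capacity(400, AUTOMATED_DAYS)` returns the 160 team days (0.8 FTE) the paper describes as about 3/4 of an FTE.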
Once you have a high-level set of priorities, requirements, and business factors defined, you will need to rank your initiatives to get more clarity on priorities – which may change depending on the factor used. Table 4 shows an example of criteria rankings that can be used to sequence IT GRC initiatives, on which the ultimate business case will rest.
There are many aspects that need to be considered when developing an IT GRC program roadmap. It may have multiple tracks that span several years, and each of those tracks may yield a different stream of benefits. Every initiative will have its own project dependencies, charters, and critical milestones.
When planning, consider the IT GRC initiatives and apps that will provide the fastest time to value. Understand dependencies and pre-requisites, and think about how shared IT and security information will expand with each project initiative. Leverage new information available across dashboards and metrics to realize more value and wider adoption.
Consider new IT GRC apps, and leave room for innovation. Understand the organization’s IT and security operations roadmap, and leverage best practice content that can be used as a reference.
Remember to build in enough time to integrate new platform and app features. Create both a 12-month action plan and a multi-year view to match the planning horizon (2-3 years). Ensure that the plan includes project dependencies, charters, and critical milestones. Plan also for onboarding new stakeholders into governance and working groups with each new initiative. Table 5 on the next page shows an example of a high-level roadmap covering multiple work streams in an IT GRC program.
Once you have a roadmap that sequences key initiatives, you will be able to begin building a multi-year business value summary (See Table 6). It’s important to make this roadmap a living document that demonstrates the benefits that have been realized as each initiative is launched and fully adopted.
You can leverage MetricStream Business Value Worksheets – both integrated GRC and IT GRC domain-level tools that will help you develop a strong business case for your IT GRC program. MetricStream customers may find these documents on the MetricStream Community – a great place where you can share best practices and discussions with peers. Participate in MetricStream Special Interest Groups (mSIGs) and share the aspects of your IT GRC program that you are looking to define and realize benefits from with those who have already done so.
Collaborating with a community of peers to leverage best practices and experiences is the foundation for success along an IT GRC journey. It takes hard work, focus, and teamwork. But the payoff can be significant. By building an integrated IT GRC program with supporting frameworks, processes, governance, information architecture, and working groups, organizations can achieve better business performance.
• Yo Delmar, Vice President, Customer Engagement
• Vibhav Agarwal, Director, IT GRC Industry Marketing
Key Companion Tools from GRC Journey Program®
• IT GRC Maturity and Capability Model
• Business Value Worksheets – Investment and Benefits
• Business Value PowerPoint Deck