Building Business Value for and with Your IT GRC Program

IT Governance, Risk, and Compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases, including IT risk management, IT compliance, policy management, threat and vulnerability management, IT third-party vendor risk management, and more. The core promise of an IT GRC program that integrates needs across all stakeholders is the efficient management of risk against business objectives and better business performance amid an evolving threat landscape, technological and business developments, and regulatory changes; all of which can lead organizations to thrive on risk. 

While many organizations have seen benefits from their IT GRC investments, it is critical to build a case for the business value of IT GRC, in order to a) understand the true impact of the GRC program against investments made into it and b) gain enterprise-wide commitment supporting the implementation of a high-value, sustainable IT GRC program. It all comes down to one point – leveraging risk information efficiently to achieve business outcomes. 

Experience shows us that those organizations that manage IT GRC as an integrated program involving people, processes, and technologies are more successful in delivering value to their organizations, compared to those that simply focus on deploying technology or processes without accounting for the larger picture. Not only does an effective, integrated IT GRC program strengthen IT risk, governance, and compliance management, but it also aligns these processes with the larger enterprise governance framework.

Understanding IT GRC Business Value

Business value is the measure of a program’s qualitative and quantitative benefits, as well as other intangible expected benefits, such as improved decision-making through better analytics. Together, these values provide a complete picture of how business performance can improve over the long run through a portfolio of initiatives. 

The business value can be realized at two levels through an integrated IT GRC program: 

  1. Integrated IT GRC across the organization – Benefits include risk-based decision-making translating to efficient risk management, higher efficiencies in operations, and improved governance and decision-making 
  2. IT GRC within a domain – Benefits include the implementation of upgraded process and technology improvements in domains such as IT risk management, IT compliance management, policy management, threat and vulnerability management, and third-party management, which enable the domain to move away from inefficient and error-prone manual, offline methods. 

It’s important to remember that any business value derived from an IT GRC program is ongoing and continuously improving – it accrues over the years, with substantial returns stacking up as adoption of the IT GRC program grows and as processes are continuously improved. Only when benefits are realized can the initial value proposition of the IT GRC program be achieved, and perhaps even exceeded. As these benefits become “business as usual,” new initiatives and continuous improvements will drive constant upward revisions to the overall value equation.

Benefits of an Automated and Integrated IT GRC

Let’s understand this with the help of an example. 

Consider an organization’s IT risk management team of 12 people that is not able to complete risk assessments at the required depth due to a lack of time and resources. Management reporting is difficult and incomplete, with only a few metrics and, occasionally, errors that take time to be hunted down and resolved. 

Let’s assume that 400 risk assessments need to be performed in the organization, of which only 200 are currently being completed with a team of 12. It follows that the organization could achieve the goal of performing 400 risk assessments if it increased its team size by 100%, from 12 to 24. 

Further, assuming the average time to complete an assessment is 10 days, 400 assessments will take 4,000 days. Assuming 200 working days per year, the total number of annual team days is 2,400 (for a 12-member team) for 200 assessments and 4,800 (for a 24-member team) for 400 assessments. 

Also, from the budget standpoint, assuming the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the total cost of 200 assessments with a 12-member team will be $400*10*200*12 = $96,00,000. 

Considering the organization can increase the team size to 24, the total cost of 400 assessments would be $400*10*400*24 = $3,84,00,000. 

This, however, is not realistic. An organization will not have infinite human and financial resources to continue scaling up the team and assessments to meet the growing demand, especially if it is using manual methods, spreadsheets, and emails to perform the risk assessments. What is needed is to lower the average cost per assessment and improve the efficiency of the current team by automating the process.

Improved Efficiency with IT GRC

Implementing an integrated IT GRC solution, such as MetricStream CyberGRC, can help achieve this goal. Based on MetricStream’s customer feedback and business value calculator, an organization can achieve a 66% reduction in the time taken to complete risk assessments. This is mainly attributable to: 

  • Use of automation to consolidate and continuously update regulations/frameworks, ensuring compliance requirements are always accurate and up to date 
  • Use of automation in use cases such as continuous compliance, incident management, and threat/vulnerability identification and escalation, to reduce the time taken per task/event 
  • Consolidation of threats, vulnerabilities, and controls across all risk vectors, giving a complete picture of outstanding risks 
  • Effectively connecting the dots between risk, compliance, policy, and third-party risk management, so that incidents/issues arising in any one stream can be viewed as a whole, their impact assessed collaboratively, and the resulting analytics used for better decision-making 

In the above example, where the average time to complete an assessment is 10 days and the fully loaded cost is $400 per day, the organization can: 

  • Reduce the time to complete an assessment to 3.4 days (a 70% reduction) 
  • Complete 400 assessments in 1,360 days and with $400*3.4*400*12 = $65,28,000, i.e., at 90% reduced cost without the need to increase the number of team members

In this example, factors such as travel expenses, errors and remediation efforts, financial losses due to fines/failures, etc. have not been taken into account. So, realistically, the cost of the manual approach would be much more than calculated here. 

Of course, there will be costs associated with an IT GRC solution as well, such as consulting fees, people costs, technology implementation costs, and ongoing direct costs for cloud services. If the deployment is internal, the team can consider additional hardware and infrastructure costs, as well as support and maintenance costs. 

But the payoff is significant. By building an integrated IT GRC program with supporting frameworks, processes, governance, information architecture, and working groups, organizations can achieve better business performance as we can see above.

IT GRC implementation is a journey that can span several months with multiple tracks/initiatives and stakeholders. It’s important to regularly review the implementation plan/roadmap and maintain a living document that demonstrates the benefits that have been realized as each initiative is launched and fully adopted.

How MetricStream CyberGRC Can Help

MetricStream CyberGRC helps organizations implement and elevate their IT GRC program with automated and autonomous capabilities, an integrated approach, and advanced risk quantification and analytics. It offers several benefits: 

  • Significant time and cost savings and reduction in errors 
  • More bandwidth for the team, enabling them to focus on other high-priority areas 
  • 360-degree view of risk and compliance posture, risk relationships, and impact 
  • Effective reporting and communication of key metrics with stakeholders, regulators, and customers 
  • Ability to scale as per evolving business requirements

Interested in learning more? Request a personalised demo now!

Agnishwar Banerjee, Product Marketing, MetricStream

People call me AB and I am part of the CyberGRC Product Marketing team at MetricStream, where I handle the messaging and product go-to-market plans, and analyse market trends. Having witnessed the transition from offline to online firsthand (’80s child), for most of my life I have been an avid enthusiast in the domain of technology and cyber security, including personal cybersecurity. Over the last 10 years, I have been involved in developing and marketing risk-focused SaaS products. I have a good mix of right brain and left brain, love reading and learning new things, and am generally a big believer in the power of looking inward, effective processes, and people.