Forrester Build The Business Case 2015
For Security & Risk Professionals
by Nick Hayes
with Christopher McClean, Claire O’Malley, and Peggy Dostie
November 6, 2015
forrester.com
The ROI For GRC Is There, But Can You Get The Support You Need?
Is return on investment (ROI) for GRC the wrong message? If our ultimate collective goal is to develop
organizations that are high-performing, well-governed, and well-controlled, then the answer in most
cases is yes. Seen through a different lens, though, building an effective business case is a necessary
business practice that can actually lead to clearer strategies and more-advanced GRC programs.
If you’re lucky enough to have board and executive support for GRC initiatives, it’s because they
believe that such efforts are critical to business success. For the rest of you, GRC is more likely to
start with a grass-roots campaign built on a business pitch: that allocating resources to GRC (and
away from revenue-generating functions) is not merely a necessary evil but an endeavor that
improves strategic decisions and bolsters corporate resilience. This is a land war not easily won, and
every attempt to gain ground is a heavily contested battle.
Build The Business Case With ROI Figures And Effective Persuasion
The following approach for building a strong GRC business case incorporates the key elements of
Forrester’s TEI methodology and applies effective advocacy tactics to help you position the value of
GRC beyond the numbers. This two-pronged strategy aims to help you gain the resources and support
from leadership your GRC program needs and deserves.
Provide Accurate Cost Estimates Upfront To Build Trust And Demonstrate Competence
It may seem counterintuitive to start by laying out the costs, but it’s a proven negotiation tactic, known
in psychology as the “door-in-the-face” technique.1 As the term implies, this is a shock-and-awe
method: you lay out all of the large (but necessary) costs required for your GRC program first.
Getting the costs out of the way leaves you the remainder of the time to demonstrate why the
program is worth the investment and what business outcomes will result. To estimate an
appropriate GRC budget, you will need to factor in the costs for:
›› Subscription-based GRC platforms. The de facto licensing model for GRC platforms today is an
annual subscription delivery model, most frequently as SaaS or hosted platforms.2 The average
customer deal size for GRC platforms is between $200,000 and $300,000, including software, data
storage, and ongoing support fees, in addition to one-time implementation fees for services like
data migration, configuration, and integration to other systems.3 For the largest instances, annual
costs can rise well above that range. Subscription-based pricing models are primarily based on
the scope of functionality along with number of users, commonly split into two main groups: 1)
infrequent users and 2) power users and administrators.4
© 2015 Forrester Research, Inc. Unauthorized copying or distributing is a violation of copyright law.
Citations@forrester.com or +1 866-367-7378
For Security & Risk Professionals November 6, 2015
Build The Business Case For GRC
Business Case: The Governance, Risk, And Compliance Playbook
about three times what you might pay for a SaaS or hosted version of the same product, in addition
to implementation fees, plus annual maintenance and support.6
›› Other risk management technology and services. In addition to GRC platforms, Forrester
identified 12 other relevant risk technology and service categories that support GRC functions.
GRC platforms can offer some of the capabilities found in these other categories, such as audit
management, regulatory intelligence, and risk and compliance training, but you will likely have to
source other valuable risk capabilities, such as workforce risk analytics, digital risk monitoring,
and brand protection solutions, from other vendors.8
›› Staffing. The scope and size of GRC teams vary widely today, but all GRC programs require
experienced risk, compliance, and audit personnel who can implement and manage risk
frameworks, maintain legal and regulatory obligations, and assure process consistency and validity.
The professional staffing firm Robert Half estimates that the average annual starting salary in
2015 for operational risk, compliance, and internal audit manager roles at large financial services
firms ranges between $86,250 and $144,250.9 This doesn’t include benefits and the other cost
considerations associated with any new hire. You also need to account for internal technology
support staff, especially for on-premises instances.10
›› Strategic consulting. Another cost associated with GRC initiatives is for strategic consulting
services, which are often necessary to define organizational roles and responsibilities, guide
process improvements, and identify the elements of the business that GRC will support. GRC software
vendors often have consulting capabilities of their own, though they may refer more complex client
challenges to consulting partners. There’s a host of strategic consulting partners to choose
from, including the big four (Deloitte, EY, PwC, and KPMG), large system integrators, and smaller
specialty consulting firms.
›› Time requirements of other business stakeholders. Whether it’s risk assessments, policy
attestations, vendor reviews, or ethics and compliance training, your entire company will participate
in GRC-related activities in one form or another. Although this won’t be a direct cost you have to
pay, it can be a key metric to track to demonstrate process and other efficiency improvements
related to the time required from the rest of your organization.
Building the business case for GRC ideally starts at the highest levels of the organization, where
objectives like improved oversight, greater control, and long-term value creation and protection
are critical. However, many of you will have to start with more basic ROI arguments upfront and
demonstrate higher-level value over time. Beginning with the least complicated, demonstrate how
effective GRC leads to (see Figure 1):
›› Efficiency improvements. Most GRC customers will point to improved efficiency as their first —
and most easily recognized — benefit. Because GRC implementations are so different from one
organization to the next, this category may include many different elements. Some elements to
consider are related to faster and cheaper policy and control management, risk management, audit
management, compliance management, and action management.
›› Risk reduction. Demonstrating a reduction of risk helps to elevate the value proposition, but
like efficiency, it’s going to be very different for each organization. It’s important to note that this
benefit must focus on the risk reduction enabled by the management of risk and control efforts,
not enabled by the controls themselves. Benefits to consider for your GRC platform business case
include improved compliance (fewer audit findings, regulatory enforcement actions, and lawsuits),
more effective risk treatment (prioritized remediation and faster remediation), and more tolerable
risk posture (lower cost of capital and insurance premiums).
›› Better strategic decision-making and performance. The benefits in this category are the
most difficult to achieve and most difficult to demonstrate. Programs that can show strategic
benefits usually enjoy self-sustaining support from executives and a culture that encourages
active participation in compliance and risk management from employees across the organization.
Strategic benefits of GRC include greater oversight (fewer unexpected loss events, accurate view
of risk and compliance posture), more-informed decisions (related to development, procurement,
and investments), and better performance (more successful product launches, market expansions,
branch openings, technology implementations, or partner engagements).
Figure 1 (excerpt): GRC Benefits And Example Metrics

Risk reduction
  Benefits:
  • Improved compliance (fewer audit findings, regulatory enforcement actions, and lawsuits)
  • Improved risk treatment (prioritized and faster remediation)
  • Improved risk posture (lower cost of capital and insurance premiums)
  Example metrics:
  • Reduction in incident response costs
  • Reduction in the number and size of fines and penalties
  • Increase in risk exposure mitigated per dollar/hour spent
  • Reduction in cost of capital
  • Reduction in insurance premiums

Strategic performance
  Benefits:
  • Greater oversight (fewer unexpected loss events, accurate view of risk and compliance posture)
  • More-informed decisions (related to development, procurement, and investments)
  • Better performance (more successful product launches, market expansions, branch openings,
    technology implementations, or partner engagements)
  Example metrics:
  • Reduction in costs required for unexpected, short-term injections of capital, staff, or other resources
  • Greater amount of relevant data to support decision-making
  • Increase in financial or on-time performance (business units, partners, projects, etc.)
The level and type of value GRC demonstrates to the business is dependent on the degree of
technology integration and the maturity level of the GRC program (see Figure 2). For instance, if you
conduct manual assessments and manage numerous, disparate spreadsheets, it’s nearly impossible to
measure and track risk consistently across the organization, not to mention reaching the point where
risk data could be leveraged for strategic insights. As your GRC program and technology improve,
you enable more-advanced GRC capabilities and, ultimately, better performance and business value.
To determine where your program adds business value today and how you’d like to advance it in the
future, evaluate your organization’s GRC maturity using our self-assessment framework, the Forrester
GRC Maturity Model.11
Figure 2 (excerpt): GRC Maturity And Business Value
• Automated (GRC coordination, risk measurement, interactive dashboards): risk reduction
• Spreadsheet tracking, manual assessments, ad hoc reporting: basic compliance
Account For The Risks Of The GRC Program Itself To Set Appropriate Expectations
Many of the risks related to GRC programs are similar to those in other business and technology
management programs; however, GRC initiatives often involve top executives, a large number of
employees, and significant costs, all of which can multiply the impact of any risks that manifest. Just
as you do in every other facet of your job as a risk pro, make sure you account for the uncertain events
or circumstances that could interrupt your GRC success:
›› Inaccurate risk measurements can create a false sense of security or danger. Miscalculating
the likelihood or impact associated with any risk can lead to poor, and even detrimental, decisions
and resource allocations. For example, Jason Spaltro, the former CISO for Sony, had the right
idea by making “risk-based decisions” with respect to Sony’s data protection strategy; he just
measured risk entirely wrong.12 While Sony’s massive data breach is an extreme example of the
consequences, you should incorporate a margin of error in your own risk calculations and set
expectations that risk measurement is primarily for prioritizing remediation efforts; the numbers will
rarely be perfectly accurate.
›› Operational miscues can derail your forward momentum. Rolling out a new GRC program, or
advancing your current one, can mean significant operational changes; and as with anything else that
changes, it’s possible things will go wrong. Whether the setback leads to missed project milestones,
slow user adoption, or process or system glitches, take into account the possibility that something
will go wrong and plan contingencies accordingly. Especially when it comes to major GRC technology
implementations, assume there’s a good chance the project will take longer than expected, as was
the case for close to a third of GRC customers in our recent Forrester Wave evaluation.13
›› Ineffective controls and oversight can create blemishes on your program. Even when you
have mature, comprehensive governance and controls in place, they can only take you so far;
employees can circumvent policies, and new technologies can leave outdated controls ineffective.
As you continue to improve your GRC program, set expectations that you won’t catch everything,
and that, at least for the foreseeable future, you will likely always have audit findings, risk events,
control gaps, and vulnerabilities to address.
›› Vendor viability and other third-party risks can collapse your ecosystem. All companies you
do business with are susceptible to a range of unexpected events, such as an economic downturn
forcing the company into bankruptcy or a sudden acquisition by a company that decides to
sunset a product you use. Current market growth suggests that the chances of this happening
imminently in the GRC market segment are remote. Nonetheless, it’s worthwhile to include in any
business case consideration of the vendor’s viability and of what controls or assurances are in
place to mitigate these risks.
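The Sony example above turns on a single point estimate: a possible $1 million loss weighed against a $10 million control. The following is an added example written for this page, not code from the Forrester report or from Sony, showing how to build the margin of error the report calls for into that calculation. It treats likelihood as a range of annual event frequencies and impact as a 90% confidence interval on loss per event, simulates many years, and then asks whether a control is justified against the expected loss and the 95th-percentile loss rather than against one number. The scenario values (a breach 0.5 to 1.5 times a year, $200,000 to $5 million per event, a $1.1 million control removing 80% of the loss) are hypothetical, and the lognormal and Poisson choices are common risk-quantification conventions, not anything the report prescribes. It uses only the Python standard library (statistics.NormalDist needs Python 3.8 or later).

```python
"""Risk measurement with an explicit margin of error.

Added example; not from the Forrester report. It contrasts a single-point
annualized loss expectancy with a simulation over likelihood and impact ranges,
so that a control decision can be checked against expected and tail losses
rather than one number. All scenario figures are hypothetical.
"""
import math
import random
from statistics import NormalDist, mean


def point_estimate_ale(events_per_year: float, loss_per_event: float) -> float:
    """The single-number view: likelihood x impact."""
    return events_per_year * loss_per_event


def lognormal_params(lo: float, hi: float, confidence: float = 0.90) -> tuple:
    """Map a confidence interval [lo, hi] for loss-per-event to lognormal (mu, sigma).

    The median of the resulting distribution is the geometric mean of lo and hi.
    """
    z = NormalDist().inv_cdf(0.5 + confidence / 2)
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * z)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(freq_range: tuple, impact_ci: tuple,
                         trials: int = 20_000, seed: int = 7) -> dict:
    """Simulate `trials` years; return mean, median and 95th-percentile annual loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(*impact_ci)
    losses = []
    for _ in range(trials):
        lam = rng.uniform(*freq_range)   # uncertainty about how often it happens
        n = poisson(rng, lam)            # how many times it happened this year
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()

    def percentile(q: float) -> float:
        return losses[int(q * (len(losses) - 1))]

    return {"mean": mean(losses), "p50": percentile(0.50), "p95": percentile(0.95)}


def control_decision(control_cost: float, reduction: float,
                     point_ale: float, stats: dict) -> dict:
    """Is a control that removes `reduction` of the loss justified? Ask under each view."""
    return {
        "on_point_estimate": reduction * point_ale > control_cost,
        "on_expected_loss": reduction * stats["mean"] > control_cost,
        "on_tail_loss": reduction * stats["p95"] > control_cost,
    }


if __name__ == "__main__":
    # Hypothetical scenario: a breach 0.5-1.5 times a year; $200k-$5M per event (90% CI).
    point = point_estimate_ale(1.0, 1_000_000)  # "about once a year, about $1M"
    stats = simulate_annual_loss((0.5, 1.5), (200_000, 5_000_000))
    print(f"point estimate ALE: ${point:,.0f}")
    print(f"simulated mean ${stats['mean']:,.0f}, median ${stats['p50']:,.0f}, "
          f"95th percentile ${stats['p95']:,.0f}")
    # Hypothetical control: $1.1M per year, removes 80% of the loss.
    print(control_decision(1_100_000, 0.8, point, stats))
```

With these inputs the point estimate is $1 million a year, the simulated expected loss is roughly $1.6 million, the median year is well below the point estimate (many years have no event at all), and the 95th-percentile year runs to several million dollars. The $1.1 million control fails the point-estimate test and passes against both expected and tail loss, which is exactly the kind of reversal the report warns about. None of the three numbers is "the" answer; as the report says, their job is to prioritize remediation and to set expectations about how wrong the estimate can be.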
Recommendations
›› Drive greater awareness and participation. A key indicator of an effective GRC program is
an active, engaged, and risk-aware workforce. Moreover, GRC programs can’t function without
participation from employees across the organization to conduct risk assessments, control tests,
policy attestations, and other critical functions. While awareness doesn’t equate to culture change
directly, it’s an important first step that often leads to more-efficient GRC processes, fewer issues
and accidents, and better performance (e.g., greater employee satisfaction and retention).14
›› Emphasize GRC and business flexibility. A key consideration when making any investment is the
degree of flexibility it provides to help take advantage of future opportunities. In the context of your
GRC program, determine how you could expand its scope to incorporate related risk functions
with similar requirements for documentation, workflow, assessments, and reporting (e.g., business
continuity, supplier and third-party risk management, etc.).15 With respect to your broader business,
consider how GRC methodologies and technology can improve the outcomes of other business
initiatives (e.g., how effective GRC support could enable smoother integration of new business
partners and recently acquired entities).
›› Equate efficiency gains to cost reduction and scope expansion. Some benefits that come with
a GRC technology implementation or process improvements lend themselves to cost reduction,
such as shorter compliance reporting time. However, you can show more strategic value by also
including elements of scope expansion, such as enabling auditors to cover a larger number of
processes and systems, or extending risk assessments to include a larger percentage of projects,
operations, or business partners.
›› Make projections at least three years out. Even simple GRC programs can take six months
before they start to show results, and it’s common for more-complicated programs in global
enterprises to take a year or more to get going. GRC platform implementations alone can take
a few months just to get all the data and processes into the live application. Although some of
the benefits discussed in this report will be seen almost immediately, many are based on audits,
assessments, and other functions that occur on a quarterly or annual cycle. Three years is likely the
shortest time frame you can use to accurately evaluate cost and benefit figures side by side.
›› Whether it’s GRC process or technology — apply a similar approach. The same principles you
use to build the business case for your GRC program are also directly applicable when you need
to advocate the business benefits of other relevant risk and compliance technologies and services.
Effective tools will help to advance the core objectives of your program across the same categories
mentioned above: efficiency, risk reduction, and strategic performance.
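The cost categories listed earlier and the three-year horizon recommended above can be put into a small model. The following is an added example written for this page, not code from the Forrester report. The default figures marked "report" in the comments come from the text (a $200,000 to $300,000 annual subscription, implementation fees of 20% to 30% of the initial deal, one support FTE per 50 to 75 active users for on-premises instances, the Robert Half salary ranges); the headcount, benefit amounts, realization ramp, and discount rate are hypothetical placeholders to be replaced with your own estimates. Running it shows why a shorter window misleads: with these inputs the program is still under water after two years and only pays back in year three, and the discounted result is still slightly negative even then.

```python
"""Three-year GRC business case model.

Added example; not code from the Forrester report. The cost categories and the
default dollar figures flagged "report" follow the text above; everything marked
"hypothetical" is an assumption chosen for illustration.
"""
import math
from dataclasses import dataclass


@dataclass
class Assumptions:
    annual_subscription: float = 250_000.0  # report: typical deal $200k-$300k per year
    implementation_fee_pct: float = 0.25    # report: 20%-30% of initial deal, one-time
    grc_hires: int = 2                      # hypothetical headcount
    loaded_salary: float = 130_000.0        # hypothetical: report's $86k-$144k base plus benefits
    active_users: int = 150                 # hypothetical
    on_premises: bool = False
    users_per_support_fte: int = 60         # report: 1 FTE per 50-75 users, on-prem only
    support_fte_cost: float = 120_000.0     # hypothetical
    consulting_year1: float = 75_000.0      # hypothetical strategic consulting, year 1 only
    efficiency_benefit: float = 300_000.0   # hypothetical steady-state annual benefits
    risk_reduction_benefit: float = 350_000.0
    strategic_benefit: float = 200_000.0
    # Hypothetical realization ramp: benefits lag costs because many depend on
    # quarterly or annual audit cycles (report: 6-12 months before results show).
    ramp: tuple = (0.25, 0.75, 1.0)
    discount_rate: float = 0.08             # hypothetical


def support_ftes(a: Assumptions) -> int:
    """Internal technology support staff; the report attaches this cost to on-prem instances."""
    if not a.on_premises:
        return 0
    return math.ceil(a.active_users / a.users_per_support_fte)


def annual_cost(a: Assumptions, year: int) -> float:
    cost = a.annual_subscription + a.grc_hires * a.loaded_salary
    cost += support_ftes(a) * a.support_fte_cost
    if year == 1:  # one-time items: implementation fees and strategic consulting
        cost += a.annual_subscription * a.implementation_fee_pct + a.consulting_year1
    return cost


def annual_benefit(a: Assumptions, year: int) -> float:
    steady = a.efficiency_benefit + a.risk_reduction_benefit + a.strategic_benefit
    factor = a.ramp[year - 1] if year <= len(a.ramp) else a.ramp[-1]
    return steady * factor


def project(a: Assumptions, years: int = 3) -> list:
    """Per-year cost, benefit, net and cumulative net, in dollars."""
    rows, cumulative = [], 0.0
    for year in range(1, years + 1):
        cost, benefit = annual_cost(a, year), annual_benefit(a, year)
        cumulative += benefit - cost
        rows.append({"year": year, "cost": cost, "benefit": benefit,
                     "net": benefit - cost, "cumulative": cumulative})
    return rows


def summary(a: Assumptions, years: int = 3) -> dict:
    """Totals, simple ROI, NPV at the discount rate, and the first year cumulative net is >= 0."""
    rows = project(a, years)
    total_cost = sum(r["cost"] for r in rows)
    total_benefit = sum(r["benefit"] for r in rows)
    npv = sum(r["net"] / (1 + a.discount_rate) ** r["year"] for r in rows)
    payback = next((r["year"] for r in rows if r["cumulative"] >= 0), None)
    return {
        "total_cost": total_cost,
        "total_benefit": total_benefit,
        "roi": (total_benefit - total_cost) / total_cost,
        "npv": npv,
        "payback_year": payback,  # None if the program has not paid back within `years`
    }


if __name__ == "__main__":
    base = Assumptions()
    for r in project(base):
        print("year {year}: cost {cost:>10,.0f}  benefit {benefit:>10,.0f}  "
              "cumulative {cumulative:>11,.0f}".format(**r))
    print("three years:", summary(base))
    print("two years:  ", summary(base, years=2))   # the shorter window shows a loss
    print("on-prem support FTEs:", support_ftes(Assumptions(on_premises=True)))
```

Swap in your own cost quotes and benefit estimates; the structure (one-time items in year one, a ramp on benefits, payback and NPV computed over the full window) is what matters. The on-premises flag shows how quickly internal support headcount changes the picture once a deployment grows past a few dozen active users.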
Supplemental Material
Survey Methodology
As part of our Forrester GRC Wave evaluation for “The Forrester Wave™: Governance, Risk, And
Compliance Platforms,” Forrester conducted an online survey of 50 governance, risk, and compliance
professionals in the spring and early summer of 2015. Approximately 74% of respondents were
governance, risk, and compliance professionals located in the United States. The remaining
participants were ethics and compliance professionals based in Africa, Asia Pacific, Europe, South
America, and the Middle East.
Endnotes
1 The door-in-the-face technique is a well-established persuasion tactic studied in psychology and various other academic realms for four decades. Source: Cialdini, R.B., et al., “Reciprocal concessions procedure for inducing compliance: The door-in-the-face technique,” Journal of Personality and Social Psychology, February 1975 (http://psycnet.apa.org/psycinfo/1975-11600-001).
2 According to participating GRC platform vendors in Forrester’s Risk Management TechRadar, two-thirds (66%) of deals over the past 12 months were sold in SaaS, hosted, or managed service subscription delivery models. The remaining one-third (34%) were delivered as on-premises implementations. For more information, read the upcoming “TechRadar™: GRC, Q3 2015” Forrester report.
3 Implementation fees are typically 20% to 30% of the initial deal size, which includes initial product training, basic system configuration, user and process definitions, and data migration to upload existing risk and compliance information.
4 Many vendors will incorporate different or additional variables like organization size, data hosted, desired functionality, GRC program scope (i.e., number of use cases or “modules” addressed), or regulatory content when calculating the purchase price.
5 Compared with other on-premises deployments, GRC hardware costs are relatively low, usually requiring an
6 In on-premises implementations, standard support packages for GRC platforms are generally about 20% of the software license costs, with less variability between vendors than there is for other costs.
7 Hosted and SaaS options will reduce many of these costs, but they’re not completely free of service needs — hefty configuration and data migration are essential elements of any GRC technology initiative.
8 To determine other risk offerings to leverage and their approximated cost, read the upcoming “TechRadar™: GRC, Q3 2015” Forrester report.
9 According to the professional staffing firm Robert Half, at large financial services firms the average annual starting salary range for a compliance manager position is between $86,250 and $113,250; for an operational risk manager position it’s between $91,500 and $116,500; and for an internal audit manager position it’s between $100,000 and $144,250. The firm estimates the salary range for these positions has increased between 3.6% and 4.2% year-over-year since at least 2013. Source: “The Salary Guide for Accounting and Finance,” Robert Half (http://www.roberthalf.com/accountemps/the-salary-guide-for-accounting-and-finance).
10 Depending on the complexity of the program, plan for at least one full-time equivalent for roughly every 50 to 75 active users for on-premises GRC platforms.
11 You can use Forrester’s self-assessment tool to evaluate the current and desired future state of your GRC program across four main domains: oversight, technology, process, and people. To download our GRC self-assessment tool today, see the “The Forrester GRC Maturity Model” Forrester report.
12 Spaltro’s evaluation of Sony’s risk posture was entirely inaccurate and led to the deprioritization of security as a key initiative for the organization. Spaltro said that he “will not invest $10 million to avoid a possible $1 million loss.” If Spaltro had properly measured and tracked risk, he would have understood and been able to communicate to the executive team and board that security risks lead to much bigger corporate losses — including losses for Sony that now may well exceed $100 million, not to mention reputational damage and other intangible factors. See the “Quick Take: Sony Breach — A Sad Tale Of Epic Failure That Could Have Been Avoided” Forrester report.
13 Close to one-third (29%) of customer references surveyed as part of our Forrester GRC Wave evaluation indicated that their adoption took longer than expected. For more information, read the upcoming “The Forrester Wave™: Governance, Risk, And Compliance Platforms” Forrester report.
14 Policies are only as good as the behavior and intentions of the people required to follow them. Without a well-tuned culture based on the right ethics and compliance values, employees will find loopholes and control gaps that expose you to substantial risk, leading to scenarios where enormous financial losses, regulatory fines, and legal settlements hit bottom lines; employees lose motivation and loyalty; and customers lose confidence in the brand. For more information, see the “Cultivate Culture For Sustained GRC Performance” Forrester report.
15 For example, if your executives are having difficulty seeing why a GRC platform is worth the $300,000, show them how the company could leverage the same system to address the needs of another related program (e.g., business continuity or internal audit) for their risk and compliance requirements for just an additional $50,000. Similar support may come from operational risk, technology management, corporate compliance, supplier and vendor management, HR, and other functions.