Companies often struggle to justify investing in a governance, risk management and compliance (GRC) solution. It’s tough getting buy-in from senior executives to automate compliance, security, quality, safety programs, etc. They “know” they need to do it, but it never seems to reach the priority queue. Why?
In a traditional financial justification, you weigh the total investment against the return, measured either as hard cost savings or as softer cost impacts on the business. Or you may compare dollars invested against the resulting increase in revenue. This is all well and good when those figures can be calculated, and it is much easier in revenue-generating departments, where there is a direct, measurable impact on the business.
But what about the parts of the business that aren’t customer facing? What about the departments that are so far back office that no calculable return could justify the investment? We are not going to fire anyone by automating X, so the “return on investment from automating a process” argument is bunk. So what happens?
Either the fear of something terrible—a lawsuit, fines, or penalties—is tangible enough to trigger action, or the investment doesn’t get made. You almost have to be in a lot of pain, or facing some stiff financial costs, for this to rise to the top of the queue: “The hospital in the next county just got fined some serious dollars for a lapse in process. We gotta do this!”
In short, the risk of failure skews a normal ROI calculation. We can also fool ourselves when we calculate only the odds of success, or only the costs. Just because you have a 2 percent chance of dying doesn’t mean the cost of failure is not real.
For example, a low percentage chance of the chute not opening doesn’t make skydiving out of a perfectly good plane safe. You are putting your life on the line. That is why even the most experienced instructors have someone else check their chute. That is why they follow best practices. That is why they carry a second chute. Things don’t go wrong often, but when they do, they can be catastrophic.
GRC as a category of programs is similar, in that most companies can get by doing the bare minimum. But the investment model is skewed. Leaders underestimate the impact of a failed GRC program, believing it’s more efficient and cost effective to remedy problems as they arise than to invest in preventative measures up front. This can be a dangerous underestimation.
Return on failure (ROF) is often catastrophic to the business, our customers, society, or, most concretely, the people involved in the process. Insurance is a good example of ROF. I get no tangible value from insurance until something bad happens. Then it is supposed to kick in to prevent failure. Could your ROI calculation justify insurance based on cost versus return if nothing ever happened?
GRC is becoming a more critical component of business. Not just because regulations are increasing, or because auditors are becoming stricter, or because fines are becoming more severe, but because all of these things are pushing up the ROF. The probability of something bad happening isn’t increasing. The cost of failing to prevent a catastrophe is becoming more expensive.