Establish a Clear Business Case

By Matt Caston  |  Posted 2008-12-10

Step No. 4: Establish a clear business case, considering both short-term and long-term value

Assuming compliance management is the entry point for your GRC program, quantify the investments you have already made: these figures become the proof points that win support for the initiative. Every business case needs inputs for solution and project costs, so work with your software and hardware partners and use their ROI (return on investment), TCO (total cost of ownership) and business case tools. Treat vendor calculators as a starting point rather than a result: they tend to assume favorable inputs, so replace their defaults with your own labor rates, control counts and audit figures before presenting the numbers.

Drawing on partner tools can dramatically reduce the effort required to inventory and document your environment. Even if a particular tool does not meet your needs, partners are an excellent source of the basic worksheets and questionnaires you will use to organize your requirements and data.

A robust business case and ROI analysis will cover scope, cost, TCO and operational benefits in detail, but the following four questions must be answered at a high level before any of that work is useful:

Question No. 1: Drivers and Benefits: What is driving the GRC initiative and what are the desired benefits?

Question No. 2: Labor: What is the project's labor investment (hours times cost) across audit functions, business units and legal? Be sure to include both inside and outside counsel.

Question No. 3: Controls: How many controls are currently under management? Are there 1,000, 2,000 or more?

Question No. 4: Control Failure: What percentage of controls fail during the audit cycle, and how many audit issues remain open? Count a control as failed only when testing shows it did not operate as designed; a control that merely lacks evidence is a documentation gap, and the two call for different remediation.

With these baseline figures in hand, also state the improvement you forecast for the initiative. What are your priorities: a reduction in effort, in cost or in fines? Or is the need for greater agility in responding to new or updated regulations? Defining these priorities rounds out the business case and anchors your organization's short-term and long-term GRC objectives.

Matt Caston is Global Vice President of the Governance Group at CA, Inc. Matt's current areas of responsibility include Governance, Risk and Compliance (GRC), as well as Records and Information Management. Matt has more than 12 years of experience providing strategy and guidance to the Global 2000 in the areas of Security, Risk and Regulatory compliance management. He can be reached at
