Step No. 4: Establish a clear business case, considering both short-term and long-term value
Assuming compliance management is the entry point for your GRC programs, it is important to quantify your existing investments to help provide proof points to garner support for the initiative. Every business case will require inputs for solution and project costs. Make sure to work with your software and hardware partners to leverage their ROI, TCO and business case tools.
This step can dramatically reduce the effort required to inventory and document your environment. Even if the partners' specific tools do not meet your needs, they can be an excellent source of information for building the basic worksheets and questionnaires you will use to organize your requirements and data.
While a robust business case and ROI analysis will cover topics such as scope, cost, TCO and operational benefits, the following four key questions must be addressed from a high level:
Question No. 1: Drivers and Benefits: What is driving the GRC initiative, and what are the desired benefits?
Question No. 2: Labor: What is the project's labor investment (hours times cost) across audit functions, business units and legal? Be sure to include both inside and outside counsel.
Question No. 3: Controls: How many controls are currently under management? Are there 1,000, 2,000 or more?
Question No. 4: Control Failure: What percentage of controls fail during the audit cycle? How many audit issues are open?
Against this backdrop of insights, it is also important to understand the forecast improvement for the initiative: What are your priorities? Is it reduction in effort, cost or fines? Perhaps it's a need for overall agility in responding to new or updated regulations. Defining these priorities will help complement the business case while anchoring your organization's short-term and long-term GRC objectives.