Return on investment. Total cost of ownership. Productivity gains. Payback period? What am I – a financial wizard or a risk professional? If you are in the risk management profession today, you have to be both. Being a top notch security guru that can navigate SQL injection code or rattle off the NIST 800-53 control categories is great when you are fighting in the trenches, but as soon as you head to the board room, your language and your thinking has to shift. The conversation turns to dollars and cents – not bits and bytes.
Earlier this year, we published a study conducted by IDC on the business value in making GRC operations more efficient and effective at some of our RSA Archer customers. The report features some tremendous results – 496% average five-year ROI, increased efficiencies in risk management, regulatory teams, risk assessments, third party management and resolution of security breaches, and an 11-month payback period. A highlight: $17,931 per 100 users of annual benefits through productivity gains and cost reductions. Take that figure against your user base and I guarantee you that is an attractive figure to build a business case in improving your risk management program.
I used the IDC report in support of a webinar I presented last week for SC Magazine on “Bridging the Gap of Grief: Translating Security Risks into Business Terms”. I discussed the growing need of organizations to put risk in terms the business understands to drive better decisions. For the risk and security teams out there, more often these efforts also help keep the momentum going towards maturing risk processes. Crossing the gap of grief – that disconnect between technology risk and business risk – is a key step in achieving this goal.
When the business understands the security and risk management activities are HELPING the business – not just PROTECTING the business, the conversation can turn. The IDC report gave me tangible numbers to report. Risk Management maturity fueled by technology enablement with RSA Archer results in efficiencies that affect the bottom line. During the webinar, I also highlighted four key steps in getting your risk program on the road to maturity. These steps, featured in the RSA Archer Ignition program, lay the foundation to expand the risk management strategy and ultimately reach the substantial benefits outlined in the IDC study.
Risk Management can be a tremendous boost to your business strategy. Understanding the risks, putting in plans to mitigate or transfer risk, and being prepared to recover from a negative event are absolute necessities for today’s modern enterprise. Building your risk program with an eye on the return for your efforts requires planning: setting baselines, understanding current costs and efforts, identifying key metrics that will substantiate financial benefits, and other steps will enable you to report on that reward. As you construct your vision for risk management in your organization, keep this in mind. When you accomplish key successes, having evidence of not only the risk reduction, but the financial advantages of your efforts will go a long way when you enter that board room to discuss risk.