It never ceases to surprise me how many organizations still use manual processes and unstructured documents to handle their GRC activities. Relying on spreadsheets, presentations and other documents to manage all that information takes a huge amount of time and effort, but delivers very little in the way of consistency or scalability.
On top of that, there’s no ability to aggregate risks organization-wide. This makes it practically impossible to present risk in meaningful ways, and to respond effectively to audit findings and compliance requirements.
Automation changes everything
Organizations that use a software solution, such as RSA Archer, to automate GRC processes tend to see a very rapid payback. Typically, IT is the first user group, the initial aims often being to improve the rate at which secure IT projects are delivered, and to support policy management processes for information risk management.
Because IT provides the underlying infrastructure for other domains, the initial investment in the software will often provide a strong foundation for adoption by other functions, such as finance, operations, legal and HR.
Everyone starts using a common GRC vocabulary. And you get visibility of collective issues, so groups can collaborate on understanding the aggregate issue, rather than fragmenting their efforts across two or more overlapping issues.
What’s the ROI?
Information risk management staff can be more productive and do more analysis work. IT security expenditure will be better directed. The organization will be able to lower its risk exposure and reduce incidents. And ensuring regulator-ready, accurate and timely output becomes a piece of cake.
A recent Forrester Consulting report, The Total Economic Impact of RSA Archer IT-GRC, indicates a 572% return on investment within a three-year period. One company interviewed said that 97% of the ROI they calculated was based on the reporting tool alone.
RSA is hosting a webcast with Forrester on May 22nd, 2012. The webcast will feature Jeff North, Principal Consultant from Forrester, who will discuss the report findings. Also featured during this discussion will be the VP of Security and Privacy from an F500 Media and Entertainment company, who will provide insight into real-world benefits they have been able to achieve using a GRC Platform. Sign up for the webcast.
If you’ve already automated your GRC processes, what have been the payback and benefits of doing so? If you’re ready to automate, where do you expect to see the greatest efficiency gains, and what ROI are you counting on?