How’s your GRC ROI?

The Risk industry really, really loves TLA’s even more than tech (a ‘TLA’ is a Three Letter Acronym, one more to add to your arsenal).

We bounce GRC around. A lot. But what does it actually mean?

I see it like this:


The G in GRC can be anything from government regulations through contractual obligations and societal demands and on to organisational policies. Understanding the obligations imposed and the potential impact on the organization is critical to its survival. There are many examples of governance failures such as poorly implemented anti-bribery legislative requirements or plain old inept business practices. Perhaps the worst offender is non-specific contract language (“I didn’t know about that” is not a useful response).


Here it is critical to consider risk and reward — in its simplest state it’s “don’t risk a lot for a little”. It’s really a balance between what is enough risk compared with not enough risk. When the potential risk outweighs the potential reward you had better have some really effective control over the risks or be prepared to lose everything. Simplest examples can be found in the many media events where people do the stupidest things in the hope of getting some reward like a little money or fleeting fame. From a corporate perspective things are a little more painful: ranging from media reports of contract-gaining bribes to senseless cost cutting that ends in massive injury awards.


Simply, making sure the right things are being done in the right way at the right time. The trick is not to expend so much effort that the organisation grinds to a halt.

Extracting return on investment (ROI) from GRC is a bit like finding the lost city of Atlantis, the Holy Grail, or even an easy way to complete a tax return. It is important to at least establish some defendable parameters around the value to the organisation before even bothering about all this governance, risk and compliance.

This may seem a bit negative but we are at a tipping point in how all this can be brought together in a rational, cost effective way. Technology has changed the whole industry, even in the past 5-10 years. Creating a single view into the organisation-wide governance, risk and compliance makes overlaps and shortfalls jump right out. With today’s connectivity available at vastly lower costs and reduced time, managers can now see all the moving parts and take actions to manage the governance over their organisation, understand and appropriately respond to the risks this governance brings, and carry out the optimum level of compliance.

However, while ROI is hard to define accurately, the core cost of the technology that powers integrated risk management systems can be spread out as it scales across the enterprise. The ability to work with other parts of the organisation to get this integrated view increases the value of the Risk function to the organisation. Far from being a cost centre, Risk can become an integral part of making the strategy of the organisation work as expected.

None of this replaces the reliance on management to manage — but it will make that role more manageable.

About the Author: Russell McGuire

Russell McGuire joined Riskonnect in January 2012 as director, enterprise risk services. Russell is a proven leader in the insurance and risk management field, with more than 25 years of experience.