Here’s my dream world: A world of infinite resources — infinite time, money, opportunity. Any step you take forecloses no other possibility. Any consequence can be unraveled.
Some dream. In the world we live in, resources are finite. If you’re a Compliance leader with a great idea for investment, the only thing standing between you and putting your suggestion in motion is explaining to leadership why they should expend resources as you suggest. In other words: What’s the projected Compliance ROI?
Return on investment, or ROI, is what makes sense to leadership. You might think a Compliance-related investment is a good idea because it shows your organization’s dedication to checking the right boxes. Isn’t that enough? Not to justify an investment. Compliance is too often seen as purely a cost center, and requesting money for checking more boxes just illustrates the problem. If you can change the way you present investments in Compliance by showing that it’s a business-enabling function, you can ensure top management support for Compliance and make it easier for leadership to see why the investment is worth their support. How do you show how an expenditure will benefit the organization? By showing its ROI. In a world of finite resources, ROI proves value.
anecdotes, the Compliance OS experts, have laid out for you exactly how to present the value of Compliance to management to garner their support. In this article we’ll talk about:
To approach leadership with expected Compliance program ROI, it helps to consider the kind of project you’re proposing. Are you aiming to capitalize on tools you already have? Implement new Compliance frameworks? Reduce resources like time/money your company already spends, or expand business? What kind of benefits do you expect, and how best to frame them?
In that dream world I mentioned, my dream kitchen has every gadget imaginable and a place to put each of them. That fancy pie server that only sees the light of day once a year on Thanksgiving? Got it. Yes, there’s a connection between pie and ROI. If you’re a Compliance leader reading this, chances are good that you’ve already invested in a data-driven Compliance platform. So you know the difference it makes in streamlining audits with easy preparation and evidence collection. If you’ve invested in tools, why not get more out of them? No one would ever think “Let’s buy this security tool and then we’ll only use it once a year.” Your Compliance platform isn’t just for special occasions, like that lonely pie server. You should be using that platform all the time, as much as the costs of human capital will bear, to get the signals it can give you and do something about them as quickly as possible.
So for example, let’s say you realize that pulling data from such a platform quarterly would give you more timely information about risk. And instead of doing annual risk assessments, you could do them quarterly. But before you tell leadership you want to move to quarterly risk assessments, consider the potential additional costs and how much the company could benefit. How would continuous risk assessments impact risks you recognize, such as insider threats or unauthorized user access? What could that data tell you about what’s going on that you might not be aware of?
And what if you didn’t stop at quarterly assessments? What if you pulled data every month? Or even more often? What would be the dollar value of Compliance to your organization of:
If you didn’t already have data-driven Compliance, the idea of starting to manually pull information more often, to have a better idea of where to invest in controls, would be disruptive. But if you’ve implemented an always-on Compliance platform that’s constantly gathering data, it’s an easier ask to approach management and say, “We pull information once a year from this platform to make our audits easier and let our people do their work. Let’s pull that information every day and get more value out of it.” (And that pie server. Why’s it still stuck in the back of the drawer? You can use it for quiche and brownies and flipping burgers.)
Consider whether you are making the best use of resources you already have—tools, people, etc. Don’t just use your Compliance automation platform for the audits. It’s there to enable Compliance leaders like you to have a conversation with leadership about whether controls are effective, and where the company should be investing. That platform can give you information all the time; it’s up to you to decide what you need and how it can benefit you. Your message to leadership: We already have this resource. Here’s how we maximize what we get out of it.
Sometimes you want leadership to invest in forms of Compliance that are not strictly necessary for business — not legally required — but are recognized business drivers. SOC 2, for example, enables business-to-business transactions by showing that you take the security of customer data seriously and have taken steps to reduce the risk of a data breach; SOC 2 thus affords a competitive advantage over businesses that haven’t adopted it. The question, then, is how to measure the ROI of adopting SOC 2. To do that, consider what’s behind your wanting to implement or expand SOC 2 coverage.
For example, let’s say your organization already has a SOC 2 report that covers one line of business. You want leadership to approve expanding the scope of your SOC 2 report to cover two lines of business. Leadership may be concerned that expanding the scope of SOC 2 could make it more likely that the organization will fail the audit. They will want to know why expansion is necessary. So before approaching leadership, be prepared by determining and proving the ROI in Compliance. Have evidence of how much additional transactional volume will be under the umbrella of the SOC 2 trust services criteria (TSC) if you expand the scope. Look at the additional cost of increasing the scope of SOC 2, and how much it would be worth to your customers to have the assurance afforded by the TSC covering that much more of your business. So you won’t just be presenting a nebulous “good idea” to leadership; you will have already determined the value to the organization of your idea.
What if you’re considering taking on a Compliance regulation, like HIPAA Compliance? The traditional way of looking at that kind of regulation is: It’s a law we’ll have to follow or we’ll get a huge fine or be shut down by the government. But focusing on the costs that a business could incur if it violates a law like HIPAA ignores the reasons you’d want to expand business into an area that requires following that law. So consider the opportunity: For example, should you let your B2B customers store protected health information (PHI) on your organization’s systems? That would require HIPAA Compliance — so weigh the additional costs, including Compliance, against the expected additional revenue.
Show the value of Compliance. If you want to expand Compliance where it’s not legally required, use data to determine ROI — and then prove how expanding Compliance will drive business. And where Compliance is a cost of doing business, demonstrate the opportunity that the investment will enable.
Quick, what do you think of when I say “user access reviews”? If the words “rote,” “tedious,” “time-consuming” and their synonyms come to mind, you’re not alone. We talk more about user access reviews in another blog, but we just want to mention the advantage of using data-driven Compliance to simplify and speed up the process while making it a more reliable control. If you think of how many hours managers are spending on UAR (well, managers, and their managers, and their managers, etc.), and the hourly cost of all that time multiplied by all the people spending it, you see a situation crying out for automation. Some parts of UAR need the human touch, but so much of it can be automated.
So think about which steps of UAR could be automated. Don’t forget the crucial question: How do we make sure we do it on time? Now’s the chance to go to leadership and quantify the value of the hours wasted on manual UAR, plus the value of never missing a UAR deadline. That’s an ROI in Compliance that can support investing in automation.
If your proposed investment would save time across the organization, or avoid missing deadlines, determine the monetary value of those savings.
We’ve talked a lot about showing the value of an investment in Compliance to leadership. But why isn’t it just as good to show the value of risk avoided? Isn’t “money saved” just the flip side of “money earned”? Not exactly. The kind of people who head up companies are often risk-embracing, rather than risk-averse, individuals. That kind of approach is necessary to take the plunge as an entrepreneur, but it’s not conducive to making decisions based on avoiding risk. Showing how Compliance will save money that would otherwise be spent on fines and penalties is uninspiring. Leadership wants to hear about the benefits of an investment: the value, in money, that it will bring. You can talk about risk, but it’s more effective to talk about value.
To ensure top management support for Compliance, put the reasons behind your investment in dollars (or whatever relevant currency). The value to the organization expressed that way will mean more than if you just couch the investment in terms of risk avoided. Use data to quantify the risks, the costs, and the benefits. And while getting new stuff is always fun, don’t underestimate what you already have, like that pie server, to be taken out for a daily spin. Leadership will appreciate the appeal of extracting more value from a tool they already paid for. Resources are finite, but your creativity isn’t.
So are you hankering to talk to leadership about Compliance ROI ASAP? Here’s a simple-but-smart Compliance calculator you can use to start estimating ROI. (Because we’re all about actionable advice.)