One of the biggest challenges in GRC is demonstrating the effectiveness of a good program. An effective program identifies the key risks and implements controls where they will have the greatest impact. If everything works properly, then nothing happens. Success is commonly measured by the absence of an event such as:
- Fraud
- A regulatory change invalidating a product line
- A successful network breach
- A critical system failure and work stoppage
After a couple of years, a strong GRC program often faces pressure to reduce expenditure. Regardless of the risk, an excellent track record in controlling it means that it is no longer seen as a top threat to the organization, and as a result, funding gets reallocated. The following questions then remain:
- How should a team distinguish between essential program activities and areas of over-control? Which controls can we stop doing? Which areas offer legitimate savings, and which are essential concerns that the business depends on?
- If the team reallocated $X from a well-controlled risk to a new emerging risk, is that a good change? Is the net impact better for the organization?
- How does the team know whether the program is highly effective at mitigating all incoming threats, or not needed as a result of a change in the risk environment?
Setting controls that detect, transfer or mitigate an event is difficult, but possible. The team needs to identify the number and severity of “almost” risk events—the events that were detected and mitigated—and contrast gross impact (the loss had no control acted) with net impact (the loss actually incurred).
Setting controls that prevent an event, on the other hand, is extraordinarily difficult. How does a team count the events that never occurred because a control pre-empted them? How can the organization evaluate the effectiveness of a policy or entity-level control that changed the environment so that an attempt was never made? Is that policy still important? Is the training still required? Can or should these programs ever be reduced, or do they just grow indefinitely?
The solution to this problem is excellent record keeping.
“If you can’t measure it, you can’t improve it.”
— Peter Drucker
An event management system needs to document and track all events. When a new risk treatment is implemented, the pre- and post-treatment data needs to be contrasted, and the pre-treatment data needs to be preserved as a reference point for years to come. This reference can then be used as a quantitative ROI for evaluating program effectiveness.
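The two measurements the post relies on, counting near misses and contrasting gross with net impact, and comparing the periods before and after a treatment, are simple to compute if each event record carries the right fields. The following is an added illustration, not code from the original post or from any GRC tool; the `RiskEvent` record, the `summarize` and `compare_treatment` helpers, and every event and dollar figure in it are constructed assumptions chosen only to show the bookkeeping. It also normalizes each period to an annual rate so that pre- and post-treatment windows of unequal length remain comparable, which the post does not spell out.

```python
from dataclasses import dataclass
from datetime import date

# Assumed record shape: the minimum an event log needs so that gross
# (uncontrolled) and net (actual) impact can be contrasted years later.
@dataclass(frozen=True)
class RiskEvent:
    when: date
    category: str        # e.g. "fraud", "breach", "outage"
    outcome: str         # "prevented", "detected", "mitigated" or "realized"
    gross_impact: float  # estimated loss had no control acted
    net_impact: float    # loss actually incurred after controls

NEAR_MISS_OUTCOMES = ("prevented", "detected", "mitigated")

# Constructed sample log. A new fraud control is assumed to go live on 2023-01-01.
EVENTS = [
    RiskEvent(date(2022, 3, 4), "fraud", "realized", 120_000, 120_000),
    RiskEvent(date(2022, 7, 19), "fraud", "detected", 80_000, 30_000),
    RiskEvent(date(2022, 11, 2), "breach", "mitigated", 250_000, 60_000),
    RiskEvent(date(2023, 2, 10), "fraud", "prevented", 90_000, 0),
    RiskEvent(date(2023, 5, 21), "fraud", "detected", 70_000, 5_000),
    RiskEvent(date(2023, 9, 30), "breach", "mitigated", 200_000, 40_000),
]

def summarize(events):
    """Count events by outcome and total gross, net and avoided impact."""
    by_outcome = {}
    gross = net = 0.0
    for e in events:
        by_outcome[e.outcome] = by_outcome.get(e.outcome, 0) + 1
        gross += e.gross_impact
        net += e.net_impact
    near_misses = sum(by_outcome.get(k, 0) for k in NEAR_MISS_OUTCOMES)
    return {
        "events": len(events),
        "near_misses": near_misses,
        "by_outcome": by_outcome,
        "gross": gross,
        "net": net,
        "avoided": gross - net,   # loss the controls kept off the books
    }

def annualize(amount, start, end):
    """Scale an amount observed over [start, end) to a 365-day rate."""
    days = (end - start).days
    return amount * 365 / days if days > 0 else 0.0

def compare_treatment(events, category, start, go_live, end, treatment_cost):
    """Contrast the pre-treatment window [start, go_live) with the
    post-treatment window [go_live, end) for one risk category and
    express the change in annualized net loss as an ROI on the treatment."""
    scoped = [e for e in events if e.category == category and start <= e.when < end]
    pre = summarize([e for e in scoped if e.when < go_live])
    post = summarize([e for e in scoped if e.when >= go_live])
    pre_rate = annualize(pre["net"], start, go_live)
    post_rate = annualize(post["net"], go_live, end)
    reduction = pre_rate - post_rate
    roi = (reduction - treatment_cost) / treatment_cost if treatment_cost else None
    return {
        "pre": pre,
        "post": post,
        "annual_net_reduction": reduction,
        "roi": roi,
    }

if __name__ == "__main__":
    print(summarize(EVENTS))
    print(compare_treatment(EVENTS, "fraud",
                            date(2022, 1, 1), date(2023, 1, 1), date(2024, 1, 1),
                            treatment_cost=50_000))
```

The pre-treatment summary is the reference point the post asks you to preserve: once those records are kept, the same comparison can be re-run when the treatment is later questioned during a budget review. The near-miss count is the direct answer to "what did the control catch"; a long run of prevented and detected entries with a falling net total is evidence that the control is working, not that the risk has gone away.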