By Resolver Modified September 20, 2021
Return on investment is a key metric for any company – the bigger the return on the dollars spent, the more profit a company is driving. Usually, this is measured when a good plan is deployed, with companies spending money first in an effort to recoup these costs later on down the line.
With risk assessment, however, ROI can be more difficult to manage. Rather than assessing ROI by money earned, companies evaluate it by money saved. Risk management ROI is best described by analyst Elaine M. Hall as “the ratio of savings to cost that indicates the value of performing risk management.”
This cost-benefit analysis makes up the core of risk management ROI. The cost of a successful program is the total expenditure of resources on various risk assessment and control programs. If a risk management process is spread over a variety of programs, then the ROI can be measured in time saved, with the savings stemming from the time, money and staff not spent on these programs.
Resources invested into risk management aren’t necessarily exclusive to money, either, and that’s an important distinction to make. Management meetings, the cost of reporting risk information, the necessary staff to develop and execute risk action plans – these are all finite company resources and need to be taken into account when trying to determine ROI.
While determining ROI for risk assessment is different from doing so for other business processes, the objective remains the same: to convey to project managers that an investment was well worth the time and resources it monopolized. Without ROI data for risk projects, senior managers would be forced to rely on the word of program managers. While deception would not be an issue for most companies, it's frequently difficult to assess something as complex as risk management using only perception.
In fact, ROI can actually build trust within a company. Trust will erode over time. However, if audit committees can show their work has tangible benefits, then companies will be more likely to support their decisions. This is why ROI is so pivotal to both successful companies and audit plans.
“The business case for risk management is based on cost-benefit analysis. Cumulating the cost of risk management is a simple task. However, quantifying the benefit can be difficult due to uncertainty inherent in risk,” Hall concludes.
Using risk management software makes it even easier to measure the ROI of your efforts. Beyond the dollars saved by avoiding negative events, software can automate tedious and time-consuming tasks, resulting in significant time savings. Resolver has created a Time Savings Calculator to help you compare the time spent on risk management using ERM software versus manual processes.