GRC Is the New ROI

Maybe GRC is the new ROI, maybe not, but you can’t deny that ROI is getting old. ROI is simply a metric that measures the excess profit (or return) made by implementing (or investing in) a solution, minus the cost of the solution, when compared to not having implemented the same solution. GRC is governance, risk and compliance, three things people outside of the executive suite are not likely to care a lot about.

ROI was the holy grail of automation for decades, and it will never go away, but as an engine for the tech economy, it may be fading. If a technology vendor could show how implementing technology would reduce costs somewhere in the organization, the sale was at least pending. Unfortunately, for many people the savings were more often than not derived from reduced headcount.

Running Out of Steam

For years companies have been getting more productive by automating away jobs, but what happens when you reach the point where automation will not enable further headcount reductions (which in the real world are known by the less clinical term “job cuts”)?

Traditional business school logic says that there are two ways out of that dead end, product and financial innovation. With product innovation companies can build new things that people want to buy; with financial innovation they can tinker with the ways they count money and the way they position themselves in the market. Product innovation is hard and often unsuccessful, especially for large companies that become set in their ways.

That leaves us with financial or business model innovation, but as we have seen all too often, changing the business model is a Herculean task that very few companies of any size can pull off. You can’t say business model innovation does not happen, but it’s rare, like Halley’s comet or, in the 20th Century, the Red Sox winning a World Series.

What starts out as multiple options quickly dwindles to financial innovation, which can take multiple forms too, and in the recent past its metric has been ROI. Nevertheless, as the foregoing argues, the ROI gravy train is running out of steam, which is why I think that GRC may be ROI’s successor.

Avoiding a ‘Loss Event’

GRC is an evolving suite of solutions with a common theme — helping enterprises avoid what is euphemistically called a “loss event.” As we have found better, cheaper and smarter ways to do business, loss events have bubbled up to become one of the big bogies on the radar screen.

Loss events come in far too many forms. Consider these from the recent news that we’re all familiar with. Isaiah Thomas, coach of the New York Knicks, was found guilty of a sexual harassment charge by a coworker. The settlement against the Knicks went into the millions of dollars.

Dennis Kozlowsky, CEO of Tyco, was found with his hand in the company till, costing the company millions of dollars and tarnished its reputation with the financial community. (I was going to use Ken Lay and Enron as the example here, but did you know that because Lay died before he could appeal his verdict that the courts automatically vacated the verdict? Quite a justice system we have, but I digress.)

Then there is what seems like a never ending saga of retail organizations who find that their IT security is second to one — the bad guys who steal millions of credit card numbers and customers’ identities in the process.

All of these loss events can and should be prevented if corporations start to use technologies that help them analyze weaknesses and implement business rules that enable them to enforce best practices in virtually every area of their operations. Reducing loss events reduces losses and that hits — or doesn’t hit depending on your perspective — the bottom line, which is why I think that GRC is the new ROI.

Ah! If it was only that easy!

Being Proactive

We really have only scratched the surface where risk is concerned (think about your company’s carbon foot print, for example). Therefore, we have only an imperfect understanding of the solutions, the compliance rules that enable good governance. Out of this will come, of necessity, new job titles like chief compliance officer and whole new systems, some of which are now coming to market.

ROI is forward looking and it provides answers to the “what if” questions good managers always ask — if we did business differently, using different and better technology, would it be worth it? What would the pay off be?

GRC takes that idea forward and asks how a company can proactively eliminate a loss. It’s nowhere near as sexy as inventing the next iPod/iPhone/iDon’tKnowWhat, but it addresses the need for better management and the incessant demand that companies maximize shareholder value.

More than that though, GRC implicitly says there are more stakeholders than only the shareholders. For example, a company might use GRC in human resources to help avoid a sexual harassment lawsuit and the loss event that can accompany it, but the benefit to the workers is a better work environment. Inevitably, that has the makings of better productivity and maybe even ROI.