
I recently had the pleasure of moderating a panel of practitioners at the Atlanta User Group discussing challenges and approaches to estimating the return on investment of GRC initiatives. As a supplement to these conversations, I created an ROI EXCEL Workbook that may be used to estimate the quantitative and qualitative return on your GRC program.


Most organizations perform at least cursory estimates of ROI at the time software is acquired or a new project is approved.  In organizations with significant long-established GRC programs, senior management sometimes challenges GRC teams to periodically rejustify the value of the organization's overall commitment to GRC.


Performing ROI analysis on any initiative generally makes good business sense. When the initiative is buying a physical asset or making a financial investment, the calculation is straightforward and almost always quantitative. When you look at GRC processes, however, ROI calculations include not only a quantitative component but also many qualitative measures, including:

  • Process risk - how much the risk profile or risk management process has improved
  • Ability to understand business context
  • Level of engagement of each of the three lines of defense
  • Change in the severity of audit and regulatory findings around the process
  • Speed / agility in responding to process change


Please download and use the ROI EXCEL Workbook.  If you think changes or additional measures should be added, please post a response to this blog so everyone can learn from your insight.  It isn't necessarily easy to calculate ROI on GRC processes but almost all of us will inevitably have to do it.



(The Workbook is posted on the private Archer Customer/Partner Community. If you do not have access to the private Community, you may complete and submit the Request Form, and access will be granted promptly. A registered RSA Link account is also required as a first step to access the private Community.)


Findings. Defects. Whatever you call them, your organization’s security posture is full of them. At RSA, we use the umbrella term “Issues Management”. So many organizations handle their vulnerabilities, misconfigurations, failed controls, and policy and process gaps the same way: the hard way. The hard way is the reactive way, the just-in-time way, and the kick-the-can-down-the-road way.


The “now” version of you, who is always at risk of falling behind at work, is dealing with these findings and defects in what you think is a reasonable way. “Sometimes you have to kick the can down the road,” you tell yourself, just to keep your sanity and keep things moving now. Periodically, however, these kicked cans pile up and cause a lot of stress for the “future” you and probably some lost free time on nights and weekends as well. At those times, the “future” you is thinking that you’re a real jerk.


I know. I’m preaching to the choir. You’ve already heard this or thought this, and right now I’m just giving advice that’s easy to say, but hard to do. Early in my career, when I was broke, I asked my insurance agent how I could cut some coverage to reduce my rates. He gave me the “you can’t afford not to have good coverage” speech. Financial gurus give the same advice about saving for emergencies and saving for retirement. “You can’t afford not to.” It sounds contrary at the time. You already don’t have enough money, so how is taking more of each paycheck out of circulation supposed to help you? It’s annoying to hear, and hard to work through, but the plain, ugly truth is that they’re right. It takes personal maturity to learn lessons like this, and just like we as individuals can mature and learn hard lessons, so can our organizations.


So, how does this same “you can’t afford not to” lesson apply to our organizations?
Well, in the case of issues management, it means several things. You have to streamline the issues management process so all the stakeholders can do their part with less effort. You also need to bring these stakeholders’ data and tools together so they can share information more easily and learn more from each other. This provides new insights. New insights and metrics mean that you can prioritize your issues and work on the things that bring the largest security improvement. Visibility creates accountability. Visibility into trends and metrics across all domains of issues will also facilitate root cause analysis and, ultimately, reduce repeats of the same findings in the future.


This is breaking the cycle, and making things better for your future self. It is similar to Eastern philosophy: when it speaks of Samsara, the Wheel of Suffering, and karma, it is saying to quit doing things that you know will just cause you more pain later. This also reminded me of what Andrew Jaquith once called “Escaping the Hamster Wheel of Pain” or what my colleague Patrick Potter recently compared to Groundhog Day.


Feel a little pain right now. Do the little bit of extra work, use the right tools like RSA Archer’s Issues Management and make your future self a happy person.


Thanks for reading!

Feel free to email me with questions or comments



The European Union General Data Protection Regulation (GDPR) will bring big changes for organizations that handle information of European citizens.  The scope of the GDPR not only encompasses European businesses but includes all businesses that control or process personal data related to the delivery of goods and services to individuals in the EU or are designed to monitor their behavior, whether those businesses are based in the European Union or elsewhere.  Although the regulation is not expected to be codified until this spring with implementation in 2018, the breadth and complexity of the GDPR warrants that organizations start planning their compliance strategy now.  Non-compliance with elements of the GDPR can bring fines up to 4% of annual world-wide revenue or 20,000,000 Euros, whichever is greater!


I have condensed and summarized here what I believe are the most onerous requirements of the GDPR but I encourage you to read the full regulation to make certain I haven’t omitted or misstated anything relevant to your organization.  Please take note of the highlighted words and phrases as they represent significant obligations your organization may have to fulfill:


Data Classification


Data covered by the regulation is classified in two ways:


Personal Data – "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link. Examples of such data include address, bank statements, credit card numbers, and so forth. Processing is also broadly defined and involves any manual or automatic operation on personal data, including its collection, recording, organization, storage, modification, retrieval, use, transmission, dissemination or publication, and even blocking, erasure or destruction.


Processing operations that present specific risks – “(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analyzing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behavior, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual; (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale; (c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale; and (d) personal data in large scale filing systems on children, genetic data or biometric data."


Implement Policies and Measures


1. Organizations must adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the Regulation.


2. Appropriate measures are defined as:


     (a)  Maintaining documentation of all processing operations, including:

          - Name and contact details of the business
          - Name and contact of the data protection officer, if applicable
          - Purposes of processing the data
          - Description of categories of data subjects and categories of personal data
          - Recipients or categories of recipients of the personal data
          - Transfers of data to other countries or international organizations
          - Time limits for erasure of the data
          - Description of mechanisms used to ensure verification of compliance


     (b)  Implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

          - Appropriate technical and organizational measures are to be determined by an evaluation of the risks. They must protect personal data against accidental or unlawful destruction or accidental loss, and prevent any unlawful form of processing, in particular any unauthorized disclosure, dissemination, access or alteration of personal data.


     (c)  Performing data protection impact assessments on planned processing that introduces specific risks (see the definition above) and obtaining prior approval of the Data Protection Authority before processing begins.


     (d)  Appointing a data protection officer. This is required in organizations that are public authorities or bodies, that process personal data and employ 250 or more persons, or that process data that introduces specific risks (see the definition above).

          The Data Protection Officer’s obligations include:

          - Informing their organization and its data processors of their obligations under the regulation
          - Monitoring the implementation and application of policies, including training staff
          - Monitoring the implementation and application of the regulation; and
          - Ensuring that the required documentation is maintained to demonstrate compliance with the GDPR


3. Organizations must implement mechanisms to verify the effectiveness of the technical and organizational measures they have implemented to ensure a level of security appropriate to the risk. Where appropriate, this verification must be performed by independent internal or external auditors.


There are three key points of contact with individuals covered by the GDPR that must be addressed by organizations.


(1) When personal data are collected from a covered individual:

     (a)  To be lawful, organizations must obtain explicit consent from individuals to process their data. Parental consent is required for the processing of data for children under 16 years of age, except that EU member states may set a lower cutoff for parental consent so long as it is not lower than 13 years.

     (b)  At the time of data collection, the organization must provide the individual with at least the following information:

          - The identity and the contact details of the organization and, if any, the organization’s representative and their data protection officer, if applicable;
          - The purpose(s) of the processing of their personal data, including the contract terms and general conditions of a contract for processing, if applicable, and the legitimate interests pursued by the organization;
          - Existence of the right of access, rectification of data, or erasure, and the right to lodge a complaint;
          - The recipients or categories of recipients of the personal data;
          - Where applicable, that the organization intends to transfer the data to a third country or international organization, and the level of protection afforded by that third country or international organization by reference to an adequacy decision by the Commission;
          - How long the data will be stored; and
          - Whether the individual from whom information is being collected is obliged to provide the information, and the consequences, if any, should the individual not provide the information being collected.


(2) Covered individuals may contact an organization at any time on an ad-hoc basis requesting information about the processing of their personal data. On request, organizations must supply:

          - Confirmation as to whether or not personal data relating to the individual are being processed, and if so:
          - the purposes of the processing;
          - the categories of personal data concerned;
          - the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular recipients in third countries;
          - the period for which the personal data will be stored;
          - a copy, free of charge, of the individual’s data undergoing processing and any available information as to the source(s) of the information;
          - the individual’s right to transmit personal data to another party;
          - the individual’s right to request from the organization rectification or erasure of personal data; and
          - the individual’s right to lodge a complaint with the supervisory authority, and the contact details of the supervisory authority.


     Organizations that receive requests for rectification or erasure of personal data must act on them in a timely manner.


(3) When a data breach occurs (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed), organizations must:

     • Notify individuals without undue delay when a breach occurs which is likely to affect the protection of personal data or privacy. The breach notification must contain:

          - The identity and contact details of the organization’s Data Protection Officer or other contact point
          - Recommended measures to mitigate possible adverse effects of the breach

     • Notify the supervisory authority within 24 hours of becoming aware of a breach.


A few other obligations of interest contained in the GDPR

  • Organizations and their data processors must have contracts stating that the processor will:

          - Act only on instructions from the organization
          - Employ staff committed to confidentiality
          - Fulfill all security measures required by the regulation

  • Processors are prohibited from sub-contracting processing of personal data without the written consent of the organization.
  • Information cannot be transferred to a country that has not been approved by the European Union as having adequate levels of data protection.


Summary – The Practical Considerations


This regulation ups the ante around privacy and information security compliance.  It expands the definition of personal information to include not just what is being collected but what can be derived about an individual when you put pieces of information together.


This regulation isn’t just about electronic information security. It applies to the processing of personal information of individuals in the EU whether the information is physical or electronic. It requires protection of information from unauthorized access and from destruction by disasters, and it applies to third party relationships that organizations may have in place to collect, process, or store the information. Lastly, it requires organizations to know exactly when and where they are collecting information from covered persons, processing the information, storing the information (and for how long), and sending information to others, including across borders. Moreover, all of this has to be sufficiently documented, risks assessed, and appropriate controls implemented to bring residual risk within tolerable levels. Because of the required level of detailed documentation, it is highly unlikely that an organization can fulfill its obligations under the GDPR and demonstrate its compliance using spreadsheets and word processing documents. Compliance has to be independently verified, so adequate and complete documentation will be critical to keeping audit costs down and audit and regulatory engagements and findings as short as possible.


Finally, consider the complexities associated with collecting information from covered individuals and responding to ad-hoc requests from covered individuals.  When collecting information from covered individuals, among other things, you must obtain their explicit consent to collect and process the information.  How are you going to go about doing that and create the necessary audit trail to demonstrate explicit consent was received?  When you receive an ad-hoc request from a covered individual, are you prepared with the infrastructure and appropriate tools to determine if and where you are processing and storing all the elements of the individual’s information, so you can provide a copy of the information to the individual, and to collect, validate, and apply requested corrections to the data?  And, the big question, are you in a position administratively and technically to effectively erase an individual’s data upon request?


Listen to the recording of a recent RSA sponsored ISACA webinar on What the GDPR Will Mean to Global Businesses.  Most organizations are not ready for this regulation.  It’s a freight train barreling down the tracks.  If you would like to learn more about how we can help you get ready, click here.

In the 1993 movie Groundhog Day, Phil (Bill Murray), an arrogant weatherman, is out to cover the annual emergence of the groundhog from its hole. He gets caught in a blizzard that he didn't predict and finds himself trapped in a time warp.

He is doomed to relive the same day over and over again until he gets it right.


This reminds me of my days as an internal auditor and how during every audit we would identify issues, or gaps in internal controls or risk management, that we would ask management to address.  We would complete the audit and move on to the next one.  A year or two later we came back to review that same area and invariably would find many of the same issues as the previous audit and, lo and behold, the issues had not been addressed.  It felt like Groundhog Day. It probably also felt like Groundhog Day for management because once the auditors left, their day-to-day responsibilities to run the business took precedence over addressing the issues we raised.


Let’s look at how this probably happens for a lot of companies with a simple example. Finance department management performs control self-assessments during the year and identifies issues in their processes and controls they want to address. They document the issues in a spreadsheet and begin to address them. A few months later, the Compliance department is testing the company’s adherence to Sarbanes-Oxley and finds issues that happen to fall into the Finance department’s responsibilities. They document their issues and forward them in an MS Word report to Finance to be addressed. Later, Internal Audit performs a Finance department review and happens to identify other control issues. They document their findings in an audit report and send it to Finance department management to be addressed. This broken record plays on and on.


By now Finance department management is pulling their hair out because they have a seemingly endless stream of issues they are responsible to address, coming from different sources and in different formats. They don’t know if the issues are duplicative or conflict with each other. There are different priorities placed on the issues and deadlines, and they have to report status to multiple organizations. It’s just confusing and uncoordinated, and this approach does nothing to help the Three Lines of Defense (Check out this 3LOD Blog) organize their efforts.


All Three Lines of Defense need one method to track issues and their resolution, or lack thereof. From the perspective of the department responsible to address the issue, they need to see all of the issues assigned to them from whatever their source, be able to see if there’s duplication, how and if their teams are addressing the issues, if they are on schedule and the risk and impact of not addressing the issues.  This is a real advantage to management who not only own that issue but are responsible to run the business, because they can make risk-based, analytical and informed choices regarding how to address the issue and this provides them leverage and control over the outcome.  The other two Lines of Defense benefit because they can recommend issues and track their resolution even after they have finished their reviews; they can follow up as needed, run reports and even monitor issues across business units, owners, controls and risks.


Just as in the movie, where Groundhog Day stops only when Phil finally gets it right, there is now an answer to help all three Lines of Defense manage their issues, and it’s called RSA Archer Issue Management. RSA Archer eliminates much of the lack of communication and confusion that results from the myriad of issues companies are trying to address. Watch this short video for more information: RSA Archer Issues Management: Know your Gaps, Take Action.


One of my favorite lines from the movie is when Phil is sitting in a restaurant for the umpteenth time and asks: “Do you ever have déjà vu, Mrs. Lancaster?”  Mrs. Lancaster replies: “I don't think so, but I could check with the kitchen”.  Well, when it comes to déjà vu, let’s keep it to our favorite dish – when it comes to coordinating and driving real resolution to our risk and control issues, try RSA Archer Issue Management.  Email me at with your comments.  Also, follow me @pnpotter1017.
