Marshall Toburen

Estimating Return on Investment of GRC

Blog Post created by Marshall Toburen Employee on Feb 25, 2016

I recently had the pleasure of moderating a panel of practitioners at the Atlanta User Group discussing challenges and approaches to estimating the return on investment of GRC Initiatives.  Supplemental to these conversations I created an ROI EXCEL Workbook that may be used to estimate the quantitative and qualitative return on your GRC program.


Most organizations perform at least cursory estimates of ROI at the time software is acquired or a new project is approved.  In organizations with significant long-established GRC programs, senior management sometimes challenges GRC teams to periodically rejustify the value of the organization's overall commitment to GRC.


Performing ROI analysis on any initiative generally makes good business sense.  When the initiative is buying a physical asset or making a financial investment, the calculation is straight-forward and almost always quantitative.  When you look at GRC processes, however, ROI calculations not only include a quantitative component but a lot of qualitative measures, including:

  • Process Risk - How much the risk profile  or risk management process has improved.
  • Ability to Understand business context
  • Level of engagement of each of the three lines of defense
  • Change in the severity of audit and regulatory findings around the process
  • Speed / agility in responding to process change


Please download and use the ROI EXCEL Workbook.  If you think changes or additional measures should be added, please post a response to this blog so everyone can learn from your insight.  It isn't necessarily easy to calculate ROI on GRC processes but almost all of us will inevitably have to do it.



(The Workbook is posted on the private Archer Customer/Partner Community. If you do not have access to the private Community, you may complete the Request Form and submit and access will be granted promptly. A registered RSA Link account is also required as a first step to access the private Community.)