We’ve spoken about the risk of compliance, and how much you should spend on it based on the incalculable. But let’s go deeper, particularly as the holidays arrive.
What if your business has signed a contract to receive certain technology products or components, but they wind up getting held up in U.S. customs because they're manufactured overseas (which most are)? Result: You lose hundreds of thousands in potential sales or productivity due to lost time on a sub-$10,000 investment.
While IT managers should fear this outcome, the trick is to not let this possibility result in your company over investing in govenance, risk management and compliance (GRC) technologies. At most, compliance issues such as this should require five to six hours of work to resolve and maybe $800 of software. David Dadian of powersolution.com has seen this firsthand. The calculation of ROI in implementing the proper degree of GRC is based on what you do, not what you don’t. It may be as simple as being able to prove encryption in communication. In the simplest case, only 90 days of video that records car license plates entering your facility is all that is required -- meaning there is no need to invest in a massive amount of additional IT infrastructure.
Access control and internal auditing might require having someone eat lunch at their desk while they scroll through access reports, but the ROI equation is not losing business, and remember any cost of doing business is a tax deduction. How do you balance compliance against ROI? Internal measures first. One deal at a time. You’ll get your GRC budget from the CFO if you talk in these terms, rather than asking for funds for a major new IT project that has a murky return in investment.
This thinking empowers a CTO, because it shows that person is protecting the company’s rear without accepting a more expensive blanket GRC protection program that may add more reporting than necessary, not to mention taking more time and increasing costs. It's what you bring to the potential audit that will matter, and relying too heavily on GRC solutions may only serve to demonstrate to a judge you turned your back on managing the actual business process. You could lose more money in the end than if you simply made a reasonable, realtime investment in managing the each process one deal at a time.