Building the Business Case for Getting the Right GRC Technology
Megan Phee: (singing) Hi, I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk, and compliance, on hot topics, industry-specific challenges, trends, and more, to learn about their methods, solutions, and outlook in the space.
Matt Kunkel: Hey, everyone. Welcome to another episode of GRC & Me. My name is Matt Kunkel. I'm the CEO and one of the co-founders here at LogicGate. And I am your guest host today, and I am welcomed by Michael Rasmussen. Michael, welcome back to GRC & Me.
Michael Rasmussen: Oh, it's a pleasure to be here.
Matt Kunkel: Awesome. Well, we've got an amazing topic today that I think is super timely and relevant for what a lot of practitioners are going through, with the macroenvironment that we find ourselves in. And I want to talk to you a little bit today about kind of how we justify the spend for GRC technology and risk and compliance programs more broadly. How do we create business cases around that? And then kind of, what are some things that folks should be looking for in software, from a feature functionality perspective, to help them? But let's start with this one. Right? So, practitioners out there that want to create kind of that risk-aware culture in their organization, what are some of the key elements to the business cases that they need to create, to purchase GRC software?
Michael Rasmussen: Well, there's a couple different ways to answer that question. The first area I would like to point out is, in building a business case for GRC-related software, is the engagement and accountability. For years, the first decade of GRC software, from 2002 to about 2012, all the way up to maybe even 2017, a lot of the focus was on the back office, those second and third line functions. And that's important, but really, risk is owned by the business, from executive management, down to operational management. And risk is taken by frontline employees. And, so one of the key things for GRC software, building a business case, is how do we engage the first line, or what we call the front office, not just the back office? So, the back office of risk management's there to facilitate risk, but risk is taken and managed at all levels of the organization. And we need ways to engage an intuitive software that just doesn't overwhelm, but people can find the information that's meaningful to them in their context when they need it, when they're not risk experts. And, so, part of that business case is, how do we justify software that moves from just the back office, that's still important, of risk management, to also engaging the front office? And with that, the other key thing is accountability. And, so, in that context of accountability, risk is owned by the business, and how do we communicate and engage to risk owners? And, so, we need clear structures of accountability. And accountability is different from responsibility. Responsibility is, "I can hand to somebody else and outsource. I can give other people tasks or responsibilities." Accountability means, "I own this. If there's a risk issue, it hits my budget. It's my issue. It's an event I've got to own up to." And, so, two of the things that I really think to help enhance risk culture is, in building a business case for GRC software, is that accountability and engagement.
The other things that we can talk about further is the idea of agility, being able to see what's coming at the organization, the resilience and being able to identify and recover from risk events quickly. And, of course, the era of integrity with ESG upon us as well. And, so, those are the five key trends that I'm identifying in 2023, the overall agility, risk agility, risk resilience, the era of ESG with integrity, the engagement, and accountability. Those are the five trends. But when it comes to actually building the business case, I define three areas with subareas that I build the business case in. The first one is efficiency, and which is typical ROI, return on investment. Time saved, money saved. And that's defining your current state. "What's it costing me to do GRC today?" Everybody's doing something, whether it's only doing something when somebody's screaming at us, to documents, spreadsheets, and emails, to structured platforms and software like LogicGate. Everybody's doing something. So, what's your current state? What's working? What's not working? What's it costing you? What's your future state you're going to get to, like if you implement LogicGate or whatever your plan is? And what's the difference in time saved, money saved? One firm I was talking to, they were spending 200 hours to build a report for the board of directors, on an annual basis, of risk events. Now, it's there to push of a button. That's a 200-hour-a-year time saving, just for that one report. A mid-sized bank that I was working with on their RRP, they're spending 80% of their staff time in risk compliance, audit security. 80% of their staff time was document reconcilers. They weren't managing risk. They were managing documents. And they may have been able to spin that around. So, the first angle in a business case is the efficiency, the time saved, money saved.
The second angle of the business case is effectiveness, greater accuracy, less things slipping through cracks, greater visibility into risk, greater accountability into risk. And to me, the whole effectiveness is a risk assessment itself. Our current approach to risk, what are the gaps and issues, and what can cause us harm? So, here's our inherent risk, with our current approach to risk management. Now, if we implement this future state with LogicGate or whatever it might be, here's our residual risk. We expect this reduction in exposure to regulatory fines. We expect this reduction and potential loss to risk events and continuity and resilience and security and everything. The effectiveness really comes down to a risk assessment itself on our current state of GRC to our future state, and what's the delta there? And what does accuracy, gaining more assessments done, and less things slipping through cracks, how does that actually reduce our risk exposure and quantify that? The third angle is the area of agility and resiliency. So, the first one was efficiency, which is typical ROI. The second one was effectiveness, which really gets down to risk reduction. The third one can be a risk reduction too, but that is the agility and resilience. The business is changing. Regulations are changing. Financial services firms globally are dealing with 257 regulatory change events every business day, coming from 1,217 regulators around the world. That's a lot of regulatory change. One-third of those are for North America. So, you might say, "Oh, well, that's global. I'm just a North American bank," or whatever it might be. Well, guess what? There's 80 changes in North America, on the average, every business day, coming from the regulators across the states. But then there's also risk change, geopolitical risks, economic risks, inflation risks, shifts in technology. And, so, we have a changing regulatory environment. We have a changing risk environment.
We also have a changing business environment. Employees are changing. Processes are changing. Technologies are changing. When it comes from a compliance standpoint, you can be completely knowledgeable about the law or regulation or, from a risk standpoint, about the risk, but if that employee wasn't aware of the policy or wasn't trained properly, or that process changed, and that control wasn't in place anymore, guess what? You're not compliant, or you have risk exposure. So, the third angle of measuring value for a business case is the area of agility. How does the organization leverage software, like LogicGate, to keep up with business change? Because again, I mean, you take that report for example, that I was mentioning, that one firm was building for the board of directors. 200 hours to build one report once a year, but they find that they had risk events that started 11 months ago and are out of control now. That's not agile. Another firm, I was working their business case for policy management. They had a policy that was updated because of regulatory change, it took six months to get updated. It went through 75 different reviewers in a linear fashion of document, checking, and checkout, and being able to email a document to the next person, or the next person, the next person. Six months. That's not agile. You're behind the game at that point for a regulatory change that needs to be reflected on policy. And, so, what's the value of agility to implementing software, but also resilience, being able to identify risk issues and contain them before they become bigger issues?
Matt Kunkel: Yeah.
Michael Rasmussen: I threw a lot out there. So, I mean, one was the five elements I look for in software, and then three, and building a business case.
Matt Kunkel: Yeah, I couldn't agree with you more. I want to just parrot that back, so for our listeners can hear it. And I agree with you. A great mentor of mine once said, "Matt, there's three ways to sell anything in the world. You make someone money. You reduce the risk of someone's company. Or you save that money." Right? And I think you just nailed two of those with efficiencies. Right? When you're thinking about, "How do we justify the spend for our program and technology that we use to help operationalize that program?" is one, efficiencies, right? I'm going to make this quicker, better, faster, less resources potentially needed. And that's just pure ROI. Two, is effectiveness, right? That you were saying about how we can really take actions on the insights that we have and reduce the risk within the organization. And then three, agility and resiliency within the business, as the business changed. And I think that's a big one that you hit on, is that the only inevitability in any business is change out there. And if the corporate level is changing, then how do we need to change, as risk and compliance and security practitioners, to meet the new-changing business dynamics that we see ourselves in? And then how does the technology that we implement have to be agile to change to meet that? So, I think those are three great points around the justification. Around the business case, I caught the first three, around agility, integrity with ESG, and resiliency. For our listeners, what were the other two that you had in that five-thing business case?
Michael Rasmussen: So, agility, resilience, integrity, and integrity, particularly in the ESG era. And then it's accountability and engagement.
Matt Kunkel: Yes.
Michael Rasmussen: And accountability's critical. I mean, we have a lot of going on there. I mean, you have global accountability regimes like, SMCR in the United Kingdom. I mean, you got to define 28 senior management functions that are ultimately responsible for risk and compliance. And if there's willful misconduct, they can go to jail. If there's negligence or lack of due diligence, they could be fined out of their bank account, personally. But you have Ireland's SEAR, Australia's BEAR, now FEAR, Financial Executive Accountability Regime, Hong Kong's Managers-in-Charge, Singapore's Individual Accountability and Conduct. And now South Africa has one. But in the U.S., gosh, what are we seeing here? Well, you look at the New York DFS and what's going on in New York State and everything, there's increased focus on putting compliance officers liable for compliance failures. On top of that, you have the Department of Justice trying to hold compliance officers and other executives more personally liable. And you look at some of the Department of Justice enforcement announcements that went out just in the past few weeks, increased focus on accountability. And then you look at Uber's Chief Information Security Officer and how he was found liable too, for the breach there.
Matt Kunkel: Yep. Yep. The other thing that I think you hit on that we're seeing a lot, and I'm seeing a lot too, is just the concept of, when you're building a business case, it's not just about the second and third line, it's really about the first line of defense now. And they have to own the risk. They have to own the action. It has to be on their P&L. So, when you're building a business case, especially for software, one of the things that we are seeing that is super high on the scorecard is, is this easy to use for the first line of defense? Can the first line of defense get in there with little-to-no training and understand how to use the platform, understand what they need to do to identify, mitigate, and ultimately reduce the risk within their specific organization? So, I couldn't agree with you more on those points. I want to pivot the conversation a little bit to something that you've talked about before, this concept of agility and resiliency and kind of what you're seeing there. But first of all, can you just define those two? Will you just define those two kind of core pillars of GRC programs?
Michael Rasmussen: I'd like to use analogies and metaphors. So, put it this way, if I'm running down the street, and I trip over a pothole or a curb, resilience is how quickly can I get back up and start running again? So, if I have a risk event, how quickly can I recover from it? Agility is the ability to see what's coming at me and to be able to leverage the environment. And, so, agility is being able to see that pothole or that curb and be able to leap over it or go around it or use it to my advantage if I'm doing parkour or something, do a flip over it or something. And, so, organizations need to be resilient. And the last three years, with COVID-19, and this year with a war in Ukraine and sanctions and disruptions in supply chains and inflation and everything else, I mean, we need to be resilient, to be able to recover from risk events quickly. But we also need to be agile. And I'm seeing a lot of focus on agility. It's like, "How do we prepare the organization? How do we see what's coming at us, so we can either avoid a risk event, or we can mitigate our exposure to a risk event, or we can actually leverage the risk event for even greater gain and opportunity potentially, by outdoing our competition, in preparation?"
Matt Kunkel: Why do you think agility has taken over resiliency, as kind of the big thing in our space right now?
Michael Rasmussen: Because everybody's been sort of caught off-guard. People talk about COVID-19 being a Black Swan event. It certainly was not a Black Swan event. And for those that aren't familiar with these risk terminologies, Black Swan event is the completely unexpected. And, so, European explorers used to think... Well, Europeans used to think all swans were white until, all of a sudden, some explorer finds a black swan in some corner of the world and changes their paradigm, well, what defines a swan? And, so, black swans events are the completely unexpected. But COVID-19 was not a Black Swan event. I mean, every year, a few decades now, the World Economic Forum has put pandemics in some of the top risks that the world faces. And not being prepared for risk event or not listening doesn't make it a Black Swan event. So, we had COVID-19, and then we had the geopolitical risks and everything we've seen this year in 2022. And organizations are saying, "Enough. We need to be better visionaries and be able to see what's coming at the organization and go through risk scenarios and scenario modeling to prepare the organization, instead of constantly chasing things, caught off-guard."
Matt Kunkel: Yeah. That's a nice pivot question to kind of, what do you think organizations can do to be more agile right now and to kind of have that future vision and protect the company in that way?
Michael Rasmussen: And part of it is integrating geopolitical risk management into our GRC year-end platform. So, taking geopolitical risk feeds into LogicGate and being able to analyze those. But a lot of it's going through risk scenarios and saying, "This is how things can develop, six months to 12 months out. Here's the different scenarios and what the outcomes might be under these scenarios," and do scenario analysis, like with a LogicGate. And some of it is risk workshops and facilitation, where we can all sit in a conference room, physically or virtually, through Zoom and things, and maybe go through scenarios on a LogicGate platform, and get multiple perspectives on risk. Because part of what we need to be agile is to have accurate risk models that engage the left brain, but also have creative risk thinking that engages the right brain and be able to think outside the box, and what are our models and scenarios not telling us, and where are they weak? Where can they break down? And, so, that requires collaboration and multiple inputs. And, so, how do you leverage a technology like LogicGate to engage different types of risk thinkers on scenarios and how they might play out, particularly when it comes to the interconnectivity of risk? Because if you're managing risk in silos, like all I'm using like LogicGate for is IT risk, well, guess what? You've got blinders on at that point. I mean, you look at COVID-19, what starts off with the health and safety risks, impacts IT security risks. It impacts privacy risks, impacts bribery and corruption risks, impacts modern slavery risks, and so much more. It's an interconnected risk environment today, particularly in the era of digital business and everything being connected, we desperately need to be able to see the interconnections of risk, and just managing risk in a silo with blinders on, we failed to see these risk relationships. And we need to be able to leverage a full perspective of risk, situational awareness.
Matt Kunkel: Yeah, I couldn't agree with you more on the point of, we live in such a digital age now, that all of these risks are so interconnected and interdependent on the business. What do you think is kind of the hallmark, and you might have touched on a couple of those right there, but what do you think is the hallmark of those companies that are really, truly doing kind of agile risk management well, as opposed to just being resilient to things that come?
Michael Rasmussen: Oh, I would say that they have good collaboration and facilitation on risk. There's multiple departments working together. Enterprise risk management's not just IT security, but it's multiple departments having to view into risk. And the other big hallmark is being able to go through scenarios and do scenario analysis, with multiple types of risk thinkers that engage both the left brain and the right brain, to think inside the box, but also outside the box.
Matt Kunkel: Yeah, great. Couldn't agree with you more on that one. The last question that I got for you here, Michael, it's going back to kind of the budgeting question and really what do you think companies should look for when they're thinking about standing up GRC programs, and then when you're thinking about using some sort of technology to help operationalize that, from a feature functionality perspective, when they're putting that into their overall business case?
Michael Rasmussen: Well, one of the things is clearly defining that current state of, what's it costing me now? And that future state, if we move to this expansion of LogicGate or implementing LogicGate for the first time or whatever it might be, what's that delta on the efficiency piece that I went through? Also, the effectiveness and agility. But some other less obvious things that need to go into it is, what does it cost to implement a solution, and then what does it cost to maintain a solution? And that's where you find a big difference when you're evaluating solutions out there. Some of the big players in this space, for every dollar you spend in software license, you're spending between three and $5 in implementation costs, to configure it and build it out. They're very expensive to implement, and they're expensive to maintain, and you might not see all that up front. And you really have to unpack that a little bit. While other solutions, I mean, you have probably more accurate data on this than myself, but my experience and my research with LogicGate is, typically, for every dollar you spend on software, you're typically probably spending more like 50 cents to $1.50 on implementation, significantly different implementation costs and ownership maintenance costs, for software out there. And, so, just because somebody's pulling in $100, $200 million a year in revenue and software, guess what? They can also be very costly software too out there. So, you need to understand what is it cost to implement and maintain, not just the cost of software license? The other thing is how well do upgrades go? And I also talk to client references and find out how satisfied they are. And you have to be careful with client references because, a lot of times, it's the decision-maker that was the budget holder, and they only have great things to say about the product. And you have to ask them hard questions. And it's like, "What didn't you like about the solution?
Where's it not delivering? Where's it fail?" They typically avoid those answers, but then I ask them the same question a different way. I say, "What would you like to see added to the product in the next release?" What they're really telling me, at that point, is what it's not delivering today. But the other thing is when I do client reference calls, I talk to the decision-makers, but at the end of the call, I say, "Can I talk to somebody on your team that's using the product every day?" And there's a lot of times I get a completely different story from somebody down in the trenches using the solution, compared to the decision-maker that bought the solution.
Matt Kunkel: Yeah. Those are great points. I mean, just anecdotally, that's the reason why we created LogicGate. I know you've heard the backstory, but we were in consulting for a long time, building custom GRC solutions for big organizations. And there were just so many change orders, so much cost to implement, from the company's perspective. We wanted to give kind of the keys to the kingdom back to the practitioners and the risk and compliance group and dramatically reduce the implementation and the ongoing support cost. And you're right. It's more like 25 cents to 50 cents, as opposed to those big numbers on some of the legacy folks. The other thing that I would kind of say on this one too is, understanding where you are, from a maturity perspective. We work with companies that are just getting started, and we work with companies that have been doing this for 20 years, and doesn't mean one's better than the other. It just means that's where they are on the journey. And putting in a piece of software that can morph with you over time, that you can maintain and own. Right? That you don't need a consultant or you don't need these developers to help develop on there, I think is a big, big, big, critical component for what you want to be looking for in a piece of technology. Well, Michael, thank you so much for being on the podcast. I think that this was some great information for our listeners, especially in the era of the macroeconomy that we live in and just the uncertainty out there and the world that we're all in today, which is the world of "Do More with Less." Right? So, I really appreciate you joining me on the podcast today.
Michael Rasmussen: Well, it's my pleasure.
Matt Kunkel: Awesome. All right. For GRC & Me, my name is Matt Kunkel, and remember to risk with confidence.
This episode takes a deep dive into creating a business case for investing in GRC technology by proving its cost-saving impact. LogicGate CEO Matt Kunkel spoke with Michael Rasmussen, a renowned GRC expert, to discuss the past, present, and future of GRC spending. Listen to discover how to build a business case for upgrading to the latest and greatest in GRC.