PREVIEW: Chapter 5: Measuring value

Chapter 5: Measuring value (excerpt)

Do you remember the GRC value promise from the first chapter of this series? Let’s re-state it: A GRC program should help management achieve a timely understanding of the organization’s risk posture; they need to make informed risk-based business decisions supported by trusted and transparent data; and they need the ability to efficiently respond to regulators and standards bodies with a credible demonstration of due diligence and compliance.

So how exactly are you going to measure your program to see if you’re delivering on those promises?

The chameleon

Value is such an over-used term because it’s one of those words you can use without having any specific definition, or you can have it mean whatever you need it to. This can also work in your favour when describing the difference between “what was” and “what is”, and between “what is” and “what could be”. Unless you are dealing with tangible objects or described absolute values, this becomes a largely subjective exercise.

If we describe risk as “uncertainty of an outcome”, then anything that could reduce that level of uncertainty should be equitable to positive value.

I’ve had great results in describing value in terms of success. I have developed success criteria to allow business stakeholders to define a risk management challenge in terms of either not being able to perform a particular risk management activity; or being able to perform it with less-than-desirable results. Now all we have to do to show value is… do it better!

The other thing I’d like to discuss about value is the granularity of the value statement. In most cases, it should be specific enough that a difference can be described, but not with so much detail that the difference becomes onerous to describe. By keeping the value statement at a coarse level, it is still possible to describe the benefit realized by the before and after.

Chapter 5: Measuring Value