ROI vs. ROF – Return on Investment versus Failure
Joe Wilson
We have seen a trend of companies struggling to justify their investment in a GRC solution. It is hard for them to get senior executive buy-in for investing in automating their compliance, security, quality, safety, etc. They “know” they need to do it, but it never seems to reach the priority queue. The directly impacted managers who own the programs are frustrated, the stakeholders who have to assist in manually updating information for the program are not particularly happy with the extra workload, but the investment never seems to meet the threshold. Why?
I suspect it is that they are calculating the economics wrong. Yes, I am talking to you, Mr. or Mrs. Degree in Finance who can run circles around me in reading a balance sheet or calculating the amortization schedule of a fixed asset.
In traditional financial justification, you look to balance the total investment versus the return in terms of hard cost savings or soft cost impact on the business. Or you may look at dollars invested versus the increase in revenues, etc. All well and good when those can be calculated. That is much easier in revenue-generating departments, where there is a direct impact on the business.
But what about parts of the business that aren’t customer facing, that are so back office that there is no calculable return that could justify the investment? We are not going to fire anyone by automating X, so the return-on-investment argument for automating a process is bunk. So what happens?
Either the fear of something terrible in terms of a lawsuit, fines, or penalties is sufficiently tangible or it doesn’t get done. You really have to be in a lot of pain or be facing some stiff financial costs to get this to rise to the top. The hospital in the next county just got fined some serious dollars for a lapse in process. “We gotta do this!”
The board is worried that if we attest that we are securing customer data and we get hacked, they are going to be held personally liable. “I won’t look good in an orange jumpsuit.”
But, that is rare even today. Most executives know that they are doing pretty well even though they have major holes and probably can get by enough on an audit to get minor penalties. So it doesn’t become a priority. In short, the risk of failure in a normal ROI calculation skews the equation.
But we know from studies that we can fool ourselves when calculating odds of success or costs. Just because you have a 2% chance of dying doesn’t mean the cost of failure is not real. I mean, skydiving out of a perfectly good plane with a low percentage chance of the chute not opening doesn’t make it safe. You are putting your life on the line. That is why even the most experienced instructors have someone else check their chute. That is why they follow best practices. That is why they carry a second chute. Things don’t go bad very often, but when they do they can be catastrophic.
GRC as a category of programs is similar in that most companies can get by doing the minimum. But the investment model is skewed. It shouldn’t be “we have people doing it today, why should we invest in automating the process?” It should be “the return on preventing a catastrophic failure at the point of an audit, a process breakdown, or damage from the failure means that we need to invest in preventing that failure.” Return on failure is often catastrophic to the business, our customers, society, or, more real, to the people who are involved in the process. Insurance is a good example of ROF. I get no tangible value from insurance until something bad happens. Then it is supposed to kick in to prevent failure. Could you justify insurance on an ROI basis, based upon the cost versus the return, if nothing happened?
GRC is becoming a more critical component of business. Not just because regulations are increasing, auditors are becoming stricter, or fines more stringent, but because all of these things are pushing up the ROF. The percentage chance of something bad happening isn’t increasing. The cost of failure in the process of preventing catastrophes is becoming more expensive.