How to Quantify the ROI of your GRC & Security Programs

Tejas Ranade

28 Jul 2023


GRC programs are often viewed as cost centers. But they can in fact be profit drivers, contributing to sales acceleration, cost and time savings, and risk reduction. The real question is: how can you prove that to the board?

TrustCloud teamed up with ISSA to discuss:

  • How CISOs and GRC professionals can calculate the ROI of GRC
  • Practical examples of how to gauge program success
  • The paradigm shift from GRC to RGC, or revenue-generating compliance

Speakers include:

Read on to see what they had to say, or check out their conversation on YouTube.

Transforming GRC into a Profit Center

In the world of GRC (Governance, Risk, and Compliance), many actions seem to be mere check-the-box exercises despite significant investments and efforts. When we ask GRC teams and CISOs about the effectiveness of their controls or the reliability of vendor responses, their answers often reveal uncertainty and skepticism.

One of the driving forces behind creating TrustCloud was the observation that GRC is commonly perceived as a cost center rather than a potential profit center. We firmly believe that GRC can have a substantial impact on revenue and should be recognized as such.

In 2020, amidst the challenges of the COVID pandemic, we embarked on our journey to establish TrustCloud. Seizing the opportunity to make a difference, we began our venture with the aim of addressing these critical issues in the GRC landscape.

Over the past four years, our efforts have paid off, and we have successfully gained customers who rely on our services for multiple purposes. These include preparing for audits, automating security questionnaires, and mitigating risk and liability in their operations.

A source of pride for us is the fact that our product is embraced by security and privacy-conscious businesses. Their trust in our solution has allowed us to gain valuable insights and observations over the course of the last four to five years.

In the following discussion, I will delve into some key topics that have emerged from our interactions with these customers and the knowledge we’ve acquired throughout this journey.


In my extensive conversations with security and GRC professionals, a clear picture emerges: today’s GRC teams face the challenge of managing diverse tasks simultaneously. From audits and security questionnaires to risk management and reporting, they juggle multiple responsibilities on a daily basis.

Adapting to ever-changing organizational needs and industry landscapes adds complexity. The constant influx of new security requirements and regulations, coupled with the growth of GRC teams, underscores the significance of their work. However, there remain certain challenges to overcome:

  • Leadership often struggles to grasp the true impact of GRC within their organizations.
  • Employees may not fully understand the purpose behind GRC activities, viewing them as burdensome tasks.
  • The value of security and GRC teams tends to be undervalued, resulting in resource and budget constraints.

How GRC Helps Sell Jeans

A thought-provoking perspective from former Levi Strauss & Co. CISO, Steve Zalewski, highlights the importance of aligning GRC efforts with business outcomes. The question “How does this help me sell more jeans?” exemplifies the notion that all roles should ultimately contribute to business success.

In response to these challenges, a positive trend has emerged in the industry. Many GRC teams are shifting their focus from mere checkbox exercises to building trust with their customers. This evolution is termed “trust assurance,” indicating a move towards more meaningful and impactful GRC practices.

As the landscape continues to evolve, GRC professionals are recognizing the need to demonstrate tangible value to their organizations and customers, transcending traditional approaches for a more impactful and purposeful role in the business ecosystem.

The prevailing compliance approach revolves around checking boxes and fulfilling regulatory requirements without a deeper connection to business outcomes. This traditional method is characterized by its static, manual, and document-based nature, lacking transparency and relevance to building customer trust.

However, a paradigm shift is underway, redefining GRC as a means to drive assurance. Now, GRC is evaluated based on its impact in gaining customer trust, facilitating business growth, and enhancing transparency across teams, boards, and customers. It seeks to answer essential questions: Is it programmatic, accurate, and intelligent? Does it enable business outcomes?

While automation is essential in streamlining processes, merely automating existing check-the-box exercises does not lead to substantial change. On the other hand, Trust Assurance elevates GRC to a level where it fosters trust and transparency between companies.

The significance of Trust Assurance lies in its transformative impact on GRC programs. By adopting this approach, GRC teams are no longer viewed solely as cost centers but as profit centers. The shift from tolerated expenses to revenue drivers aligns GRC with strategic conversations and secures a place at the decision-making table.

On a personal note, compliance personnel in GRC are increasingly recognized as trust champions for their businesses. This recognition reflects their crucial role in establishing trust and credibility with customers and partners, contributing significantly to the overall success and reputation of the organization.

The Promised Land

Lesson 1: Become a Revenue Ally

Transform your GRC programs into RGC (Revenue Generating Compliance) programs, and make them a driving force behind your business’s revenue growth. Leverage compliance efforts to propel net new sales and align your actions with revenue acceleration in the sales process.

When we engage in compliance-related tasks such as responding to security questionnaires or providing collateral to prospects and customers, it’s important to recognize that compliance plays a vital role in driving revenue. Companies undertake compliance measures to bolster their revenue streams, making it an integral part of business strategy.

By tying compliance efforts to revenue acceleration and sales enablement, you can become a valuable ally to your revenue team. Demonstrating how compliance activities directly contribute to revenue generation helps your team gain recognition and support from other business units.

Let’s explore some specific examples of tracking your revenue contribution within the context of GRC efforts:

Tie Compliance Efforts to Revenue Acceleration

When handling tasks like answering security questionnaires, consider linking them to revenue outcomes. Identify the deals that were successfully closed during the last quarter and determine the revenue impact of your contributions. Similarly, assess how answering security questionnaires for renewals has secured revenue for the company. This approach allows you to showcase how your efforts directly contribute to driving revenue growth.

Respond to Customer Demands

Analyze the most requested security and privacy collateral and documentation from your customers. It might be your SOC 2 report or pen test results, among others. Understanding what customers demand helps justify investments in various GRC activities, as they align with meeting customer expectations and building trust.

Enhance Sales Process Efficiency

Focus on accelerating sales through efficient GRC practices. By providing Service Level Agreements (SLAs) on security questionnaires or other compliance-related tasks, your team aids sales acceleration and helps the sales team close deals. Meeting tight turnaround times on questionnaires or other compliance requirements plays a crucial role in achieving the organization’s sales goals. Highlighting such accomplishments showcases your team’s value and impact.

By leveraging these revenue-centric tracking methods, GRC teams can demonstrate their strategic importance to the organization. Aligning GRC efforts with revenue generation, customer needs, and sales acceleration showcases the significant contribution of GRC in driving business success and achieving overall organizational goals.

In the pursuit of building trust, transparency is becoming a key differentiator. During security reviews, prospects seek insight into how your organization handles security and privacy matters. Companies that can confidently lead with transparency not only perform better in sales cycles but also establish stronger trust with potential customers. This trust leads to improved sales conversion rates, faster SLAs, and a greater willingness for people to do business with you.

By embracing RGC programs and leading with transparency, your GRC efforts become instrumental in driving revenue growth, forging strong relationships with customers, and positioning your organization for long-term success.

Lesson 2: Tie Risks to Business Impact

Let’s talk about risks and how successful CISOs are effectively communicating and tracking them.

Linking Risk to Business Impact

Having a risk register is common in many companies, but the challenge lies in conveying the significance of risks and liabilities to the business. Successful CISOs are now tracking risks based on their potential business impact. By demonstrating how certain risks could lead to breaches of customer or contractual obligations, they make risks more tangible and relatable to business leaders.

Financial Impact as a Language of Communication

When presenting to leadership and seeking budget justifications, gut feelings are inadequate. Instead, CISOs are using financial impact as a more tangible way to communicate with decision-makers. Comparing last quarter’s top risks to the current ones, showcasing investments made to mitigate risks, and quantifying the progress in reducing risks and liabilities are becoming standard practices.

Quantifying Residual Risks and Liability

A key strategy employed by successful CISOs is tying residual risks to their dollar value. This involves calculating the financial impact of a risk and understanding how investments reduce residual risks. By correlating risk mitigation efforts to potential liability reductions, CISOs can make a compelling case for budget allocations.

Emphasizing Ownership and Accountability

Highlighting the individuals responsible for risk management and cybersecurity is crucial. Ownership entails accountability, and clarifying roles and responsibilities within the organization ensures that everyone understands their role in protecting the organization from risks.

By employing these strategies, CISOs can effectively communicate the importance of risk management to business leaders and demonstrate how their efforts lead to tangible improvements in reducing risks and liabilities. Quantifying risks in terms of financial impact and liability helps bridge the gap between technical security concepts and business priorities, enabling CISOs to gain support for their initiatives and secure the necessary resources to protect the organization effectively.

Lesson 3: Create a Culture of Trust

The third lesson I’d like to emphasize is how successful companies are fostering a culture of trust within their organizations through their GRC teams:

Decentralizing Understanding and Action

To ensure that employees keep up with their GRC obligations, it is essential to decentralize understanding. Every individual involved in GRC tasks should comprehend the impact of their actions on liability and business outcomes. This can be achieved by making GRC-related tasks more accessible and seamlessly integrated into their daily work channels. For instance, using device management software that operates within applications like Slack helps people easily stay updated and compliant with minimal disruption.

Demonstrating Impact and Motivation

By linking individuals’ activities to customer contracts, revenue retention, risk management, and sales, you empower employees to understand the purpose behind their tasks. When they recognize the significance of their contributions, they become more motivated to perform their duties diligently. Showing the tangible results of their efforts in terms of driving business objectives and reducing costs further reinforces their commitment to compliance.

Celebrating Compliance as a Team Effort

Position compliance as a team sport and actively celebrate individuals who keep up and fulfill their responsibilities. Recognizing and publicly appreciating their efforts reinforces positive behavior and encourages others to follow suit. Creating accountability through highlighted ownership and team responsibilities also plays a significant role in driving action and maintaining a culture of trust.

Some practical approaches used by successful companies to build a culture of trust include:

  • Demonstrating how each individual’s work contributes to organizational goals and cost reduction
  • Highlighting the teams and individuals responsible for maintaining commitments and accountability
  • Showing appreciation and celebrating compliance efforts in a way that resonates with employees

By implementing these tips and tricks, organizations can strengthen their commitment to trust, compliance, and transparency. A culture of trust fosters a sense of responsibility and motivates employees to prioritize GRC activities, leading to greater efficiency, improved risk management, and better overall business outcomes.