A number of my clients are getting approached by their customers and prospective customers with fairly huge security program asks as a condition of making the sale, and then the task becomes redlining that contract to eliminate the most difficult/expensive things to do until some set of terms is agreed to (great, we can make a compliance package for them and do the mapping to measure whether we’re in compliance with the requirements).
The sales folks will agree to most anything to hit their quota, and will often end up agreeing to things that will take a lot of time, effort and dollars to implement (yes, we can track that budget in the Project module). In the Internal Controls module, we can track the Cap/OP EX cost for each control as well. However, there’s not a way to track the overall value of that customer to the organization - most sales folks in the SaaS business speak in “ARR” or “MRR” (Annual/Monthly Recurring Revenue), and the size of such recurring revenue is how they guide their decisions - the higher it is, the more likely it is they agree to something crazy.
While there is the ability to add a risk multiplier to a liability, if we could also track it in terms of value and be able to report on the impact of not meeting their requirements in terms of revenue, it would be quite helpful from a business case perspective.
If there was a way to report on the potential ARR/MRR impact of being out of compliance with a particular compliance item/package at the “Customer”, it would help the product teams realize that they should probably prioritize some of the items above new features.
In short -
- Add ability to track MRR/ARR at the Customer (Liability) level
- Enable reporting to show total/aggregate ARR/MRR per control that is not designed/operating as needed (linked through compliance packages for each customer) and linkage to Project Cost/Budget to remediate → basically to show that we can spend $10k to mitigate $200k of aggregate MRR/ARR risk
I realize this may be a bit beyond the intended scope of the platform - it just seems like a good fit since it will allow GRC teams to do a full analysis of compliance with proposed customer contracts and demonstrate to the business which initiative needs more urgent prioritization. Hopefully the request is clear and wasn’t mangled by all the backspacing I did!
oh - so on the other side of the pond it works the same way!
my work involved the exact situation you describe; the opex/capex/resource utilization was what I “hinted” at in terms of budget to cross-charge the mad salesman that wanted to sign just about anything
I’m working on charts today, new ones, fixing old ones, and I wanted to make a chart that makes use of the opex/capex/resource utilization and crosses those values against risks and compliance packages … quite a coincidence … these charts are not hard to do but will do:
1/ what controls are used in a compliance package, sum opex, capex and resource and graph those on a horizontal bar chart … every compliance package with three bars depicting those numbers
2/ same as above, but for the top ten most expensive risks (on the three risk modules)
the above is entirely possible … but since controls are shared across many things the resulting math from above is … not entirely accurate. perhaps another chart could take the leverage into consideration and therefore divide the cost if the control is used in more than one place. this chart needs a little bit more thinking.
would something like this work?
The structure that you described would be fairly helpful, especially 1/ showing cost per compliance package. However, for controls that would exist anyway when you have, say, an ISO and a NewCustomer1 compliance package, if you map an already performed ISO control to address a NewCustomer1 requirement, then you over-allocate the costs associated with that incremental customer to it (and, well, double count in both packages). Perhaps it’s some form of hierarchy to consider, which will complicate it - what’s the incremental cost of serving NewCustomer1 with the Information Security Program? (vs. what’s the cost of maintaining compliance with ISO).
Regardless of the cost of the control, there can be a disproportionate value that it brings →
Let’s say 10 customers worth, in aggregate, 1m/year to the company all have a requirement that your minimum password length shall be 9 characters and you currently require 8 characters. Also, any “breach” of their requirements gives them the right to terminate such that you could lose 1m/year in revenue by not having that setting done correctly. The Cap/OP EX of this particular control is near zero - suppose a simple configuration change and alignment of your policy docs, however, the impact of not doing it could cost the company 1m/year in lost revenue.
I think your approach of modeling the costs for each control is great, but I’m hoping a bigger picture where we can also show revenue risk associated with NOT doing the control (whether it’s current or future sales dollars) can help prove the value of it (or not).
I’m not sure there’s a ton of value in “most expensive risks” since you’ll end up adding the cost of a control every time it gets used, and just because a control is associated with a risk doesn’t always mean that it’s a key control required for the risk. I suppose you could allocate the costs across risks (i.e. control used for 5 risks == risk cost is 20% of control cost), but if it’s a mitigating/compensating control that isn’t required if it wasn’t already there, then that math gets fuzzy (i.e. control is there mostly because of risk A, but B/C/D/E take credit for it even if they could live without).
Jumping around further - here’s an example I’ve built in Monday(.com) that does this sort of rollup - Item 1 would be a control and Subitems are the customers that such a control is committed to (or would be).
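As an added illustration of the rollup discussed above (not eramba’s code and not part of this thread), a small Python model of the two calculations: ARR at risk per control that is not operating, aggregated through each customer’s compliance package, and package cost with the “leverage” adjustment that splits a shared control’s cost across the packages using it. All customer, package and control names and figures are constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical customers, packages and control ids).
CUSTOMERS = {  # customer (the Liability) -> its ARR and the package it imposes
    "Customer A": {"arr": 120_000, "package": "CustA-SecReqs"},
    "Customer B": {"arr": 80_000, "package": "CustB-SecReqs"},
    "Customer C": {"arr": 300_000, "package": "ISO-27001"},
}
PACKAGES = {  # compliance package -> controls its requirements are mapped to
    "CustA-SecReqs": {"PWD-LEN-9", "MFA-ADMIN", "VULN-SCAN-30D"},
    "CustB-SecReqs": {"PWD-LEN-9", "VULN-SCAN-30D"},
    "ISO-27001": {"MFA-ADMIN", "VULN-SCAN-30D"},
}
CONTROLS = {  # control -> is it designed/operating, and what fixing it would cost
    "PWD-LEN-9": {"operating": False, "remediation_cost": 500},
    "MFA-ADMIN": {"operating": True, "remediation_cost": 0},
    "VULN-SCAN-30D": {"operating": False, "remediation_cost": 10_000},
}

def arr_at_risk_per_control(customers=CUSTOMERS, packages=PACKAGES, controls=CONTROLS):
    """Sum the ARR of every customer whose package relies on a control that is
    not operating. Each customer counts once per failing control."""
    at_risk = defaultdict(int)
    for cust in customers.values():
        for ctrl in packages[cust["package"]]:
            if not controls[ctrl]["operating"]:
                at_risk[ctrl] += cust["arr"]
    return dict(at_risk)

def leveraged_cost_per_package(packages=PACKAGES, controls=CONTROLS):
    """Remediation cost per package with the leverage adjustment: a control
    shared by n packages contributes 1/n of its cost to each, so an ISO
    control reused for a customer requirement is not double counted."""
    uses = defaultdict(int)
    for ctrls in packages.values():
        for ctrl in ctrls:
            uses[ctrl] += 1
    return {pkg: sum(controls[c]["remediation_cost"] / uses[c] for c in ctrls)
            for pkg, ctrls in packages.items()}

def remediation_business_case(customers=CUSTOMERS, packages=PACKAGES, controls=CONTROLS):
    """Rank failing controls by ARR protected per dollar of remediation."""
    rows = []
    for ctrl, arr in arr_at_risk_per_control(customers, packages, controls).items():
        cost = controls[ctrl]["remediation_cost"]
        ratio = arr / cost if cost else float("inf")  # free fix, revenue at stake
        rows.append((ctrl, cost, arr, ratio))
    return sorted(rows, key=lambda r: r[3], reverse=True)
```

With the sample data, `remediation_business_case()` puts the near-free password-length control first (spend $500 to protect $200k ARR) ahead of the $10k scanning control protecting $500k.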
I think in general financial quantification in the GRC arena is hard, but perhaps where you measure things in tangible deals / liabilities that have explicit values in terms of total deal or penalties, the situation is different and could be quantified.
1/ the liability in eramba could have a value, that is the total liability cost or the penalty associated with it
2/ the liability is linked to a risk through BU or Assets, so the cost of the liability could in some way reflect the impact of the risk. but I know you are focused on compliance.
3/ liabilities are linked to compliance packages, to the individual requirements, not the compliance package as a whole.
so… you could work out:
1/ how much is at stake for a given compliance package based on liabilities associated cost
2/ same as above, for risks
3/ same as above, for data flows (we miss the association at flow levels)
would this make sense? I also want to make a “time spent (hs)” field on all three reviews (risk, asset, policies) and audits to keep track of how much we spend on doing GRC.
thanks for the input as usual