I (Esteban) spent a decade running security for a company that started with nothing and grew to employ 10k people across 40 offices around the world in a span of 12 years. I fought over budgets every year (even when I had very good friends as bosses), and one recurring topic was the amount of work vs the size of our GRC team.
The graph above shows the average ratio we found when doing some analysis a while ago: https://www.linkedin.com/company/eramba/?viewAsMember=true
What is the ratio between the total number of employees and the size of the GRC team? The distribution shows an average of 0.6 security people / 100 employees. We looked at our customers and the number of GRC people they had and came up with that. It's not science, we know, but it's aligned with what we expected the numbers to be from experience. This number should be useful for consulting businesses when selling their vCISO services.
I had a lot of compliance on my shoulders (and risk too, of course), so I used the total number of hours per year spent auditing internal controls (I would use a custom field on every audit to keep track of hours) against the team's manpower (in hours) to make my point. Our numbers were some 250 audits a year, some 3000-4000 hours a year, to be conservative.
The situation would unfold like this:
My boss: are we gonna pass the XXTTYY certification (or certification)? This is super important or we lose this and that business and that many millions in revenue!!!
Esteban: well … with the current amount of audit capacity (manpower) the level of assurance is low; if you need more assurance I need XXX more hours of testing, etc etc.
Typically, the more we check that things work, the more assurance we can provide. That is my experience. In the end it worked well; I could argue with facts head-on. Still, I always felt understaffed in areas other than auditing.