…measuring value from governance, risk & compliance is [like] looking at things from the wrong side… It’s an opportunity cost. What’s the cost of not doing something? If you add up what it takes to recover from a breach, from the bad PR that happens, from the lack of trust that some customers may have, then how do you quantify that? How much does it cost me to not have a bad thing happen? How we look at GRC is that it’s valuable when it’s a part of culture. We try to look at it from the standpoint of a process. If you know that there are ten steps in a process, you can tie a particular part of compliance to a part of a process. If you can embed compliance into a process, then people become compliant without knowing it.
Original Article: http://goo.gl/qreWGE