Assessing the ROI for IT Compliance
A systems approach works best when measuring return on investment for IT compliance.

BY DR. VICTOR BERLIN,
Founding President, University of Fairfax

How much should enterprises invest in IT compliance or in a specific IT-compliance tool? Executives and managers at all levels in public and private enterprises face increasing challenges as the regulatory environment becomes more complex and the cyber-threat environment creates more losses.

Not only must executives and managers answer this question, they must also provide a rationale for the IT-compliance investment decisions they make. The regulatory and cyber-threat environments pressure the executives of the enterprise to effectively plan and respond. The C-suite puts pressure on senior and middle management to generate justifications for the investment in expanding IT-compliance budgets. Senior and middle management struggle with presenting credible evidence. How can all these stakeholders first justify their investments in IT compliance and then demonstrate their investment, in fact, is paying off?

These challenges also present the enterprise with opportunities for improving performance and bringing more value to its customers. The increased IT-compliance requirements offer an opportunity to develop methods for assessing the actual benefits and costs of compliance. These methods enable the enterprise to first begin to measure the level of IT compliance and then to develop and use metrics for assessing its impacts. These efforts ultimately can result in reliable measures for assessing the return on investment (ROI) in compliance for the enterprise. What follows describes a strategy for the enterprise that seeks to utilize its IT-compliance investment to increase the value of the enterprise and to provide benefits to its customers/clients.

A Systems Approach
Enterprises use ROI models to assess whether to make a particular investment and how much to invest. Typically, such a model relies on simplifying assumptions and estimated data to generate a forecasted ROI.

This article proposes an alternative approach that can forecast the ROI for an IT-compliance tool as well as validate and improve future forecasts of the ROI for a specific tool or even a whole program. This systems approach to generating an ROI uses a real-time assessment methodology that can focus on a specific IT-compliance tool or program of the enterprise. It includes the following five elements:
  • IT-compliance metrics monitoring system
  • Annual IT-compliance metrics assessments
  • Annual IT-compliance financial statement
  • Calculation of a five-year IT-compliance internal rate of return (IRR)
  • Validation of IT-compliance tools with subunit pilot tests
Using the systems approach for assessing the ROI involves two phases:
  • Phase 1: Implementing methods for generating the annual IT-compliance ROI
  • Phase 2: Testing and validating IT-compliance tools by using the ROI
This article first provides an overview of both phases and then a detailed description of phase 1.

A Systems Approach to Assessing the IT Compliance ROI - Phases 1 and 2
Phase 1 of the systems approach for assessing the ROI involves establishing the methods for generating an annual IT-compliance IRR for a specific tool within the enterprise or its subunits. Phase 1 involves:
  • Selecting and implementing compliance metrics
  • Implementing the metrics-assessment process
  • Establishing the annual compliance financial statement
  • Calculating the IT-compliance IRR
Once phase 1 is complete, the methods it develops can be used to test and validate specific IT-compliance tools. Completing phase 2 can provide an assessment of the ROI for a specific IT-compliance tool within a specific organizational unit or, ultimately, can generate the IRR for an entire IT-compliance program. To assess a specific IT-compliance tool, phase 2 uses a series of pilot tests within organizational units to generate an ROI for a specific tool. Phase 2 consists of the following four elements:
  • Selecting the compliance tool to validate
  • Selecting the subunit for the test
  • Implementing and assessing the compliance tool
  • Calculating the subunit IRR for the compliance tool
Phase 1: Establishing the Annual IT Compliance IRR
Assessing the IRR for a specific IT-compliance tool or program requires developing and implementing metrics. Use of the metrics provides management with two types of feedback:
  • What is the level of IT compliance in a particular subunit?
  • What is the impact of the level of IT compliance on specific outcome measures?
This feedback enables the enterprise to determine the following for a specific IT-compliance tool:
  • How has the tool affected the level of IT compliance?
  • How has the tool affected critical IT-compliance outcomes?
Metrics: The Cornerstone of Assessing IT Compliance
The systems approach to generating an IRR for IT-compliance programs and tools requires effectively developing, implementing and utilizing metrics. Developing the metrics involves four critical steps:
  • Developing compliance metrics
  • Assigning value to the metrics
  • Achieving C-suite buy-in
  • Basing value assignments on best-available knowledge and/or a panel of experts
Developing IT-compliance metrics involves selecting those measures that relate to the overall enterprise-performance objectives and the specific performance objectives. These metrics must achieve critical stakeholder and, in particular, C-suite buy-in to generate data that is credible and usable by enterprise management. In short, metrics must measure performance that is important and meaningful to the key decision makers in the enterprise. Without this foundation of support, no analysis based on these metrics can have utility for the enterprise decision-making process. Examples of categories of metrics include:
  • Information-asset loss
  • Compliance activities
  • Downtime
  • Annual compliance penalties incurred
  • Annual compliance penalties avoided
  • Recovery activities
  • Stock-value changes
Once the IT-compliance metrics have been selected by the enterprise decision makers, the enterprise must assign values to the metrics. When a metric changes, the enterprise must have the capability for determining the value of the observed change. In some cases, the enterprise might use an expert panel credible to enterprise decision makers for establishing the initial value assignment for the metrics. The following illustrates methods for establishing the value assignments for a set of IT-compliance metrics selected:
  • Information-asset value
  • Activity costing
  • Penalty costs
  • Stock value
Phase 1: Establishing the Monitoring System for IT-Compliance Metrics
The next step in phase 1 involves installing a system for monitoring the IT-compliance metrics selected by the enterprise. The metrics drive the design of the monitoring system, and the monitoring system collects data on the metrics at least annually. The monitoring system produces the data needed for generating the value impacts of the IT-compliance tools and program, and, ultimately, the annual ROI needed to assess their overall impact. Developing and testing the monitoring system involves the following four stages:
  • Developing the metrics and monitoring system
  • Testing the system
  • Installing the system on the enterprise level and subunits
  • Assessing the system on the enterprise level and subunits
Phase 1: The Annual Compliance Financial Statement
The final step in phase 1 involves establishing and producing the annual IT-compliance financial statement. The statement uses the data produced by the metrics to generate an assessment of the benefits and costs produced annually. The enterprise, in turn, uses this assessment to calculate the IRR.
Examples of IT-compliance benefits that are monitored by the financial statement include:
  • Penalties avoided
  • Year-to-year change in penalties
  • Losses prevented as a result of compliance
      • Based on errors prevented/caught
  • Information-asset value losses prevented
  • Data-recovery costs prevented
  • Downtime avoided
  • Stock-value losses prevented
Examples of IT-compliance costs monitored by the financial statement include:
  • Compliance operating expenses
  • Compliance investment expenses
  • Penalties incurred
The benefits and expenses generated by the metrics and monitoring systems implemented by the enterprise produce the statement. This statement describes a net annual compliance benefit as follows:
  1. Annual compliance value generated
  2. Annual compliance expenses
  3. Annual compliance investment/amortization
  4. Annual net compliance value generated = number 1 minus number 2 minus number 3
IT-Compliance IRR Projection
The management of the enterprise can then project an IRR for the IT-compliance program or tool assessed by utilizing the financial statement. The statement enables the enterprise to project a five-year forecast of the IT-compliance benefits and expenses. Using this forecast, the enterprise can calculate a projected IRR for a specific IT-compliance tool or program. Management then can compare the projected IRR with the standard IRR utilized by the enterprise to assess and prioritize investment alternatives.

In addition, enterprise management can use the financial statement annually to assess and fine-tune the IRR projections of prior years. Because the statement generates actual IT-compliance net benefits, enterprise management can compare this annual data against previous projections. This comparison can serve as the basis for validating and improving the IT-compliance metrics and monitoring system.
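The following is an added worked example, not part of the article, that carries the four-line statement and the five-year IRR projection through in code. It assumes a hypothetical tool whose purchase is paid up front (year 0) and amortized straight-line over five years; the IRR is therefore computed on cash flows that subtract operating expenses but not amortization, so the investment is not counted twice. All figures are constructed.

```python
"""Annual IT-compliance financial statement and five-year IRR projection (added example)."""
from dataclasses import dataclass


@dataclass
class ComplianceYear:
    """One year of the annual IT-compliance financial statement."""
    value_generated: float     # line 1: penalties avoided, losses prevented, downtime avoided ...
    operating_expenses: float  # line 2: compliance operating expenses and penalties incurred
    amortization: float        # line 3: this year's share of the compliance investment

    def net_value(self) -> float:
        """Line 4: annual net compliance value = line 1 - line 2 - line 3."""
        return self.value_generated - self.operating_expenses - self.amortization


def cash_flows(initial_investment, years):
    """Cash-basis flows for the IRR: the tool is paid for at year 0, so the
    (non-cash) amortization is not subtracted again in years 1..n."""
    return [-initial_investment] + [y.value_generated - y.operating_expenses for y in years]


def npv(rate, flows):
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def irr(flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Bisection on NPV; for a year-0 outlay followed by inflows NPV falls as rate rises."""
    if npv(lo, flows) * npv(hi, flows) > 0:
        raise ValueError("NPV does not change sign on the bracket; no unique IRR")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(mid, flows) > 0:
            lo = mid   # still positive: the root lies at a higher rate
        else:
            hi = mid
    return (lo + hi) / 2


def project(initial_investment, years, hurdle_rate):
    """Projected IRR compared with the enterprise's standard (hurdle) IRR."""
    r = irr(cash_flows(initial_investment, years))
    return {"irr": r, "meets_hurdle": r >= hurdle_rate,
            "net_values": [y.net_value() for y in years]}


def projection_variance(projected, actual):
    """Actual minus projected net value per year, used to recalibrate the metrics."""
    return [a.net_value() - p.net_value() for p, a in zip(projected, actual)]


# Constructed forecast: $500k hypothetical tool, $100k/yr amortization, five equal years.
FORECAST = [ComplianceYear(400_000, 250_000, 100_000) for _ in range(5)]
RESULT = project(500_000, FORECAST, hurdle_rate=0.12)
```

Running `project` on the constructed forecast gives a five-year IRR of about 15.2%, above the assumed 12% hurdle; feeding each year's actual statement into `projection_variance` yields the year-by-year gap the article suggests using to refine the metrics.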

Conclusion
The systems approach for monitoring and assessing IT-compliance impacts can produce an annual IT-compliance financial statement. The statement serves as the basis for both generating an IRR projection for IT-compliance investments and assessing and improving the IT-compliance metrics and monitoring system. The next article in this series will focus on phase 2: validating and utilizing the metrics and monitoring system as a tool for selecting and assessing IT-compliance tools.

Dr. Victor Berlin is the founding president of the University of Fairfax, which is the only U.S. institution that specializes in offering information assurance/INFOSEC graduate programs to information-assurance professionals via an online delivery system. Its students conduct leading research on a wide variety of IT-compliance issues. Berlin has a doctorate in industrial engineering and management science from Northwestern University and a bachelor's from Cornell University.
 
TCA Home | ARTICLES | WEBINARS | SIGN UP | EVENTS | SPONSORS | PARTNERS | EXPERTS | ABOUT | CONTACT | PRIVACY POLICY | UNSUBSCRIBE | TCA RSS Feed

Copyright ©2009 The Compliance Authority, Inc.