Justifying Privacy Program Costs: From Story to Metrics to ROI
Showing ROI for privacy programs has never been more important. Maybe you’re seeking to justify purchasing tools to help handle fast-changing privacy laws and growing threats. Maybe, as a result of pandemic-induced cost-cutting issues, you’re having to re-justify tools and other investments, or maybe you are having to cost-justify the privacy program itself.
But ROI is not easy.
In online polls conducted during a recent Privacy Collective Q&A session, 50 percent of participants said they have to provide ROI or cost justification for their budgets, but 72 percent said that calculating ROI is nearly impossible, and 21 percent called the process “hit and miss.” (The remaining seven percent chose the response “What’s an ROI?”, we assume with tongue firmly in cheek.)
So how can you show decision-makers that the privacy program is a business asset they can’t live without? To find out, we talked to an expert, Tammy Klein, senior partner at Hobson and Company, a 20-year-old consulting firm that specializes in building business case tools for clients ranging from startup companies to the Fortune 500. Here’s what she taught us about the methodology and science of generating accurate, actionable ROI to protect our privacy budgets and investments.
Can you build an ROI for a privacy program?
“Absolutely yes, you can. And here’s what I tell my clients: if you can articulate in words what the value of the program is, you can almost always create an ROI for it. And that’s exactly my approach, because it takes the problem out of the finance space and puts it back into the language that you and I speak every day. Once you’ve been able to define the value in words, the numbers tend to just fall in place.”
What are the most important metrics to consider in justifying your privacy program?
“To prove ROI, you have to align with your organization’s strategic goals. Therefore, the important metrics will vary with every organization. You have to look for the metrics that are most applicable to your company’s pain points and high-level goals.
Too often, we think, ‘If I’m not a revenue generating center, do I really line up with the corporate strategies?’ In my experience, most companies have cost cutting as one of their key strategies. So, while you may not line up with the revenue vector, you’re certainly going to line up with the cost-cutting vector and, especially in today’s world, that becomes a key justification.
Once you understand where you fit with your organization’s high-level goals, then you can say what your value is. The next question becomes, how do I put numbers behind that?
Let’s take incident response management as an example. If I want to cost-justify investment in an incident response management tool, I need metrics around incidents per month or per year. I need metrics for the time spent on incident intake and assessment, time spent on reporting and analytics, the number of incidents that need to be reviewed by internal or outside counsel, time spent keeping up to date with regulations.
Even things like potential fines or revenue loss due to privacy breaches. There’s a huge array of metrics to choose from, and that’s why we have to start by understanding which are most important to us.”
Is there a difference between “soft ROI” and “hard ROI”?
“I like to think of them as hard metrics and soft metrics, as opposed to hard and soft ROI. For me, ROI is the overall value story that I’m going to tell, and that will include a mix of hard and soft cost benefits. Typically, when people talk about hard costs, they mean things that will come off the bottom line. Today I’m spending this much in annual subscriptions or this much annually on outside legal counsel. If I can find a way to reduce that cost, that comes right off the bottom line.
Then there are benefits such as time savings that free up some percentage of FTEs. A lot of people would call that “soft ROI.” I think of it more as hard ROI: if I have three people doing this today and tomorrow I need only one person doing it, that’s a benefit I can see immediately. Some people will say it’s not a real saving because you’re not getting rid of that person. But it is an organizational capacity gain: I can now grow and scale without needing to bring on more staff. It can be quantified, and it does generate value.
Then there are the softer, what I call the “squishier” costs: things like risk mitigation or reputational damage that could happen, but we can’t predict them today.”
How can we quantify the benefit of risk mitigation or avoiding reputational damage?
“As always, we start with the words. What’s the story I’m trying to tell? Do we all agree that risk mitigation is a key priority? Of course. Do we agree it’s worth paying for? Yes. There’s a story there, so what kind of metric could support it? Then we try to be very conservative.
Let’s say you could avoid even one regulatory fine in the next five years, because you’re doing a better job at risk mitigation. Or you could protect even 0.1% of revenue, because you’re less at risk of having some kind of an incident that will damage your reputation. Then you can remind your decision-makers of the key value that you’re investing in, while being conservative enough that your claims are credible.”
Can you give us an example of how to generate an ROI?
Klein describes a six-step process, and it starts with words.
- First, describe today’s key pain points. Words only, no numbers.
- Next, describe the “after,” how things will be with the solution in place.
- Third, decide what metrics are needed to support the “before and after” story.
- Fourth, gather today’s metrics, to give a baseline.
- Fifth, project the “after” metrics.
- Finally, calculate the difference between the “before” and “after” metrics to determine whether the costs are justified.
“So, let’s say our pain point is that incident response takes too much time. Dig deeper. Let’s say it’s incident assessment that takes too much time. If my solution is software or training or whatever, what does the process look like after that? That’s the story.
At this point, ask yourself, ‘Is it compelling? Is it focused on the right points and issues? If someone told me this story, would I feel like this is the program that could make a difference and is worth investigating?’ If your answers are “yes,” go ahead and choose your metrics, gather your data, and start your math story. Projecting future metrics is the hardest part because it’s a little bit art and a little bit science. But there is probably a lot of data out there. If you’re looking at buying a product, ask the potential vendor if they have case studies or benchmarks you could use.”
How do you present privacy program ROI to executives?
“When we generate an ROI, we may have 5–10 benefits. But we try to boil those down and group them under three high-level strategic objectives. In the chart here, you can see the benefits are grouped under 1) saving time and costs, 2) reducing risk, and 3) building trust. If I’m an executive, my days are packed and I have 30 minutes for this meeting, but you’ve already got my attention because you’re speaking my language. (Of course, there’s the CFO who still wants to know all the ROI detail.)”
Topics: The Privacy Collective