How to Measure GRC Effectiveness

People search for strange things online. One of the more surprising queries we've seen recently is: “Is GRC free?”

Published: March 4, 2025

Jacob Høedt Larsen, PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of the Sustainable Compliance podcast and an expert on software-supported GRC workflows, setting up a GRC program, managing a GRC team and securing management buy-in.


The short answer: “No, GRC, data protection and information security are not free.”

The slightly longer answer is that many organisations could use their resources for data protection and information security much more effectively. But doing so requires a mindset shift: Instead of focusing on the input within the GRC function, you need to focus on the output.

Too Much Focus on Input

Unfortunately, many organisations focus primarily on input – the resources invested in their GRC functions. That’s likely because both data protection and information security are still seen as cost centres.

So the focus is on cutting costs wherever possible:

  • Salaries
  • Training and upskilling
  • Systems and technologies that support the work
  • External consultants
  • Staff awareness and training

We often meet organisations where management says: “You’ll be fine with Excel. It’s worked well enough so far.”

In practice, they think they’re saving money on tech – but what they’re really doing is spending it on excessive admin time buried in clunky spreadsheets.

It’s like telling a carpenter they’ve done fine with a hammer so far, so there’s no need to invest in a nail gun.

Shift the Focus to Output

A carpenter knows that what really matters is how quickly they can get plasterboards on the walls and ceiling – so they can send the invoice and get paid. The goal is not to save £400 on a nail gun.

But that's not how leadership views the GRC function – and there's a very specific reason for that:

Most executives don’t actually know what the GRC equivalent of “plasterboard on the wall” looks like.

Your job is to show them. Make GRC business-relevant. Understand your company’s strategic goals, determine how you can support them – and communicate that clearly to leadership.

We’ve written about those three steps in more detail here:

Efficiency = Output / Input

If you can clearly articulate what your team delivers to the business (the output) – ideally with financial impact – it’s far easier to move the conversation towards a more helpful equation:

Efficiency = output / input

That way, leadership won’t just focus on reducing your department’s costs.

Instead, the conversation becomes: How do we deliver strategically important output in the most efficient way?
