ROI Calculator for Organizations

Assessment Firm Savings with TCT Portal

Percentage Time Saved with TCT Portal: Y1: 65% | Y2+: 78%

Personnel Hours Saved with TCT Portal: Y1: 900.2 | Y2+: 1086.2

Personnel Cost Saved with TCT Portal: Y1: $54,012 | Y2+: $65,172

Revenue That Could Be Realized With Saved Time: Y1: $162,036 | Y2+: $195,516

Please use the values below as a starting point for your Organization. The intent of the grid below is that you enter values that reflect the reality of your Organization's annual compliance experience. If any of the detailed line items of time spent on your engagement are not applicable to your organization, simply zero those line items out by placing a zero in the # of People, # of Weeks and # of Hours / Week / Task. Once you have customized the detailed line items with accurate values for your Organization, or zeroed out tasks that are Not Applicable, simply hit the Calculate button to refresh the interface.

If your Organization has multiple rounds of compliance with approximately the same level of complexity each year, you can complete the initial grid based on one of those engagements, and use the Rounds of Annual Compliance factor at the bottom of the page to easily calculate based on the number of rounds.

If your Organization has to undergo several rounds of compliance annually of varying complexity (whether for multiple subsidiaries, or compliance engagements across multiple Assessors), an alternative option is to use the calculator for each round of annual compliance, by complexity level, and then sum the collective results to calculate realistic savings for your Firm, based on your circumstances.

Organization Task | # of People | # of Weeks | # of Hours / Week / Task | Today | TCT Portal Hours Year 1 | TCT Portal Hours Year 2+

(Per Assessment)

Annual Compliance Setup / Maintenance

Creating annual storage system / Maintaining

Creation of your certification storage repository, and annual maintenance required to perform upkeep. Often, the amount of time for annual maintenance is less than the time spent initially generating the storage system.

Today: 24 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Annual data collection instances are now configured easily in the TCT Portal, and no longer need to be manually configured by your staff, so this time is now saved.

Developing/Maintaining process: collect evidence, tracking compliance

Initially developing, then maintaining your evidence collection system, tracking of your compliance, and the processes that all of the personnel that need to provide evidence would follow. Often, the amount of time for annual modifications is less than the time spent initially generating the process, but includes incorporation of lessons learned from the prior cycle.

Today: 16 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Annual process development is now configured easily in the TCT Portal, and no longer needs to be manually maintained by your staff, so this time is now saved.

Retooling costs when compliance standard versions change

Retooling your process as your existing compliance standard versions change, for example PCI moving from version 3.2.1 to version 4. This would involve mapping your existing requirements to the new requirements and performing analysis of any iterative changes in the requirement statements. For the sake of the starting numbers, we're estimating about 90 hours of investment when the certification changes, and we're assuming it happens about once every 3 years, hence we placed a 30 hour load each year to allocate to this function.

Today: 30 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since your team is leveraging the TCT Portal, and the TCT team will both load up new versions of standards and generate mappings from the prior standard to the new standard, this no longer needs to be manually maintained by your staff, so this time is now saved.

Mapping evidence to secondary certifications

For organizations that are subject to more than one standard or certification, this is the work of mapping evidence received for the main standard to the secondary standards. Sometimes, this involves coordination with more than one Consultant and/or Assessor.

Today: 16 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since your team is leveraging the TCT Portal, which has mappings between many of the standards on our platform - this no longer needs to be manually maintained by your staff, so this time is now saved.

Cleanup of mess left from last year

Typically, as an annual engagement concludes, various personnel are pulled away to focus on other business objectives that are likely perceived as being behind schedule due to the compliance engagement. When the organization starts their next annual cycle, they often will spend time cleaning up the state of the engagement from the prior annual cycle.

Today: 32 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Leveraging the TCT Portal means that all of your evidence is organized against the requirements as you go, so this time is now saved.

Compliance Startup Tasks

Initial task assignment determinations

Making assignments to your Control Owners and critical vendors for responsibility surrounding provisioning of evidence, to support the requirement statements of any applicable certifications.

Today: 48 | TCT Portal Hours Year 1: 24 | TCT Portal Hours Year 2+: 2.4

In your first year on the TCT Portal, assignments can be made in bulk across your various requirements, and the process is more efficient even in that first year of adoption. Once you get to Year 2+, you can simply mirror the assignments from the prior track and quickly make personnel modifications in bulk, saving a lot of time.

Initial task assignment notifications

Communicating the initial task assignments to the Control Owners on your team and critical vendors. This would typically involve breaking out communication to each individual who has responsibilities for provisioning evidence for your certifications. These are often communicated via email, phone, text and in meetings.

Today: 16 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Notifying team members of their assignments used to take time to put all of the notifications together and get those sent to each individual. Using the TCT Portal, the system automatically sends the assignment notifications to each member of the team, so this time is now saved.
Compliance Cycle – Internal Tasks

Control owners generating evidence

Each person with assignments for provisioning evidence needs to first determine what must be provided, possibly asking questions of the compliance team, then gather that evidence and submit it to the compliance team members. Often, this evidence comes to the compliance team through email, text, phone updates, in person updates, and many other modes of communication. The evidence is often not placed in the designated location; instead, the person provisioning it tells the compliance team where they decided to place it.

Today: 288 | TCT Portal Hours Year 1: 259.2 | TCT Portal Hours Year 2+: 172.8

With your team leveraging the TCT Portal, in Year 1 all of the industry standard guidance, along with customized guidance from your Consultant or Assessor, is located in one convenient location that's readily accessible for your personnel, saving your team some time.

Once the team gets to Year 2+ with the TCT Portal, each control owner has all of the guidance available, but also has direct access to precisely what was submitted the prior year. Keep in mind that if the control owner has not changed, they have access to what they supplied last year; but more importantly if the control owner has shifted since last year, the new control owner has direct access to what the prior control owner submitted for that item. These new capabilities in Year 2+ result in more substantial time savings for your team.

Collecting evidence from multiple Control Owner "dump zones"

Even though there is typically a stated appropriate location for Control Owners to provision their evidence, the reality is that they will not follow that guidance every time (or at all). Evidence is often provided to the compliance team verbally, in meetings, placed in various locations on the network, filesharing sites, emails, text messages, voicemails, and even printed paper that lands on the compliance personnel's desk.

Today: 96 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since the control owner submissions via TCT Portal are now consolidated (provided your team is enforcing the strict use of the TCT Portal for control evidence submissions), the time that used to be spent collecting control owner evidence from a variety of locations internally is now saved.

Organizing and storing evidence

The compliance team spends time organizing and storing the information from the Control Owners and the various input locations. This may include having to copy evidence from one requirement in the storage repository to another manually, renaming evidence to a standard naming convention, and more.

Today: 192 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since the control owner submissions via TCT Portal are now consolidated (provided your team is enforcing the strict use of the TCT Portal for control evidence submissions), the time that used to be spent organizing and storing control owner evidence from a variety of locations internally is now saved.

Maintain compliance tracking sheet

The compliance team needs to spend their time updating the central tracking sheet with various inputs: evidence received, whether it was sent to the Internal Compliance Team, whether the evidence needed to be rejected, whether it was sent to the Consultant and/or Assessor, whether anything was rejected by the Consultant and/or Assessor, etc. This process typically involves tracking the dates that things occurred, so that the compliance team knows what new activity has happened since their previous pertinent meeting.

Today: 48 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since the TCT Portal is now automatically tracking all types of status, and automatically updating the dashboards live as events are occurring, your staff no longer needs to maintain their compliance status tracking sheet, so that time is now saved.

Prep for internal meetings

The compliance team needs to get organized and prepared for internal meetings, which will typically happen once a week, and possibly more often as the compliance deadline looms. This process will involve active reviews of inputs from Control Owners, Internal Compliance Team members, Consultants, and/or Assessors. The compliance team needs to understand which elements and items remain open for the internal team.

Today: 36 | TCT Portal Hours Year 1: 1.8 | TCT Portal Hours Year 2+: 1.8

Much of the time your staff used to spend preparing for internal status meetings will be eliminated. Your staff used to spend hours in advance of internal meetings determining submission status, whether they met the requirements, processing rejections from Consultants / Assessors, and so on. Since the TCT Portal is a live dashboard of status, your team can spend minutes getting up to speed in advance of the internal meetings and the vast majority of the prior wasted time is now saved.

Hold internal meetings

The recurring internal meetings are sessions for determining the status of items, answering questions, and advising on and discussing any rejections that are coming back to the Control Owner.

Today: 96 | TCT Portal Hours Year 1: 48 | TCT Portal Hours Year 2+: 24

In Year 1, much of the time your staff used to spend during internal status meetings will be reduced. Your staff used to spend most of the time attempting to get on the same page regarding current status. Since the TCT Portal is a live dashboard of status, your team can eliminate that wasted time and achieve significant savings.

Once your team gets to Year 2, they are getting used to the system, and the time savings accelerate as they have prior Year submissions at their fingertips.

Recurring assignment reminders

The compliance team is constantly sending reminders to various team members. Sometimes these are proactive reminders immediately following the weekly meeting, but often the compliance team is receiving requests from the Control Owners to remind them what items they still have left for them to conclude.

Today: 48 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Since your team is leveraging the TCT Portal, every weekday morning, reminders on assigned items are automatically sent to any members of your team that have assigned items that are not completed. When your team runs your engagement in Operational Mode (where deliverables are spread throughout the compliance cycle), reminders are sent to your team for items that are in their hands and are within 2 weeks of the due date of that item (so they are receiving pertinent reminders on open items coming due). Since all of this is automated through the use of the TCT Portal, this time is now saved.

Reviewing evidence

The compliance team needs to spend a fair amount of time reviewing each element of evidence they are provided, validating that it is being provided for the appropriate scope and that the evidence will meet the needs of both the requirements themselves and/or of the Consultant / Assessor.

Today: 192 | TCT Portal Hours Year 1: 144 | TCT Portal Hours Year 2+: 96

Since all of the evidence Attachments and Explanations are stored directly against the requirements, without the need to search multiple locations for where the control owners stored their responses, in Year 1 a portion of the evidence review time is now saved.

Starting with Year 2+, the time savings accelerate, since the control owners have access to all Guidance for the item and prior Year evidence is readily accessible. Even more time is saved on evidence reviews, since the consistency level of submissions is progressively higher over prior Years.

Reject evidence back to Control Owners

Whenever an item needs to be rejected back to the Control Owner, communication must be put in place to explain what the issue was with the evidence provided and to give guidance on what adjustments need to be made to the evidence so that it will fulfill the objective. This communication is often performed via email, text, phone calls, and in meetings.

Today: 48 | TCT Portal Hours Year 1: 2.4 | TCT Portal Hours Year 2+: 2.4

Since the TCT Portal allows commentary on the evidence rejection to be handled through the system and allows the individual performing the rejection to also nudge the control owner, and since the control owner will automatically receive weekday morning emails with open items, this consolidation saves a huge portion of the time that used to be spent performing this function.

Compliance Consultant / Assessor Interaction (see notes)

Upload evidence to Consultant and/or Assessor

If your organization leverages a Compliance Consultant or Assessment Firm, these items will be applicable. If not, just zero this item out. The compliance team needs to spend time moving evidence from the internal storage repository over to the designated loading locations of the Consultant and/or Assessor.

Today: 96 | TCT Portal Hours Year 1: 0 | TCT Portal Hours Year 2+: 0

Provided the organization subject to compliance has integrated their Consultant and/or Assessor into the workflow of the TCT Portal, the organization no longer needs to extract evidence from their systems and load it separately into the system of the Consultant and/or Assessor, so this time is now saved.

TCT strongly recommends that organizations subject to compliance have their vendors (Consultants and/or Assessors) leverage the single point of truth of the organization itself (the TCT Portal). The Consultant and/or Assessor should be able to perform all workflow functions from within the TCT Portal, and if they either need or wish to do so, they have the capability to export all of the information to store in their systems once the review processes have been completed.

Prep for Consultant and/or Assessor meetings

If your organization leverages a Compliance Consultant or Assessment Firm, these items will be applicable. If not, just zero this item out. Reviewing inputs and outputs from your Consultant and/or Assessor in advance of the recurring meetings to be prepared for the conversation. This often involves reviewing emails, meeting minutes from the past meeting, text messages, reviewing a separate status sheet from those organizations, and updating recent events and requirements where evidence was pushed up to your Consultant and/or Assessor.

Today: 48 | TCT Portal Hours Year 1: 2.4 | TCT Portal Hours Year 2+: 2.4

Much of the time your staff used to spend preparing for Consultant and/or Assessor meetings will be eliminated. Your staff used to spend hours in advance of these meetings determining submission status, whether they processed rejections from Consultants / Assessors, and so on. Since the TCT Portal is a live dashboard of status, your team can spend minutes getting up to speed in advance of the Consultant and/or Assessor meetings and the vast majority of the prior wasted time is now saved.

Hold Consultant and/or Assessor meetings

If your organization leverages a Compliance Consultant or Assessment Firm, these items will be applicable. If not, just zero this item out. This is a time where all parties are reviewing evidence submissions, talking through the status of various items, and simultaneously updating multiple tracking sheets (for each company).

Today: 24 | TCT Portal Hours Year 1: 12 | TCT Portal Hours Year 2+: 6

In Year 1, much of the time your staff used to spend during Consultant and/or Assessor meetings will be reduced. Your staff used to spend most of the time attempting to get on the same page with your Consultant and/or Assessor regarding current status. Since the TCT Portal is a live dashboard of status, your team can eliminate that wasted time and achieve significant savings.

Once your team gets to Year 2, they are getting used to the system, and the time savings accelerate as they have prior Year submissions at their fingertips, consistency is higher, and participants are seeing open item notifications in their daily status emails.

Total Hours: Today: 1394 | TCT Portal Hours Year 1: 493.8 | TCT Portal Hours Year 2+: 307.8

Assessment Firm Parameters

Average Hourly Personnel Cost:

Across the various personnel and Control Owners that are involved in your compliance engagement, estimate what their average hourly personnel cost would be. Keep in mind that an average salaried individual will have just over 2000 working hours in a year, so a person at $150,000 a year would translate to approximately $75 / hr. Take the average across all of your personnel, keeping in mind that the majority of the personnel involved will be higher priced technical resources, with some being lower priced non-technical resources.

Average Hourly Personnel Revenue:

Determine an approximate hourly revenue per person at the organization. In some cases, one can derive the number by taking total revenue and dividing it by the number of personnel involved and by the number of working hours in a year. In other cases, depending on the business in question, the business model is one where personnel are billed out at an hourly rate. A good rule of thumb is that most organizations will seek to monetize their personnel at a rate which is three times the hourly cost of that personnel.

Rounds of annual compliance

Many organizations subject to compliance only have one round of compliance each year, which is why we started the example with a factor of 1. That said, some organizations have to perform the compliance function across multiple locations, or have multiple Assessors and so perform their SOC review separately from their PCI Assessment. The intent is that the detailed numbers are entered for a single engagement, and you can use this value to easily apply a multiple, based on the circumstances of your organization.