Total Economic Impact
Cost Savings And Business Benefits Enabled By Protecht ERM
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Protecht, NOVEMBER 2025
The current volatile risk landscape is pushing decision-makers to rethink how they manage risk amid geopolitical uncertainties, supply chain disruptions, and rapidly evolving regulatory expectations. Many are struggling with manual and fragmented risk processes that hinder their organization’s ability to manage risk effectively. Today’s risks are becoming more interconnected, which impacts multiple risk domains. Governance, Risk, and Compliance (GRC) platforms address challenges faced by traditional risk management approaches by offering a unified, data-driven framework that empowers better decisions, enhances oversight, and builds resilience across the enterprise.
Protecht is a cloud-based GRC platform designed to unify and streamline risk, compliance, incidents, audit, and resilience processes across the enterprise. It offers configurable, no-code solutions that centralize risk information and automate key processes. Protecht Enterprise Risk Management (ERM) is Protecht’s core module that provides a centralized system for managing the full risk cycle. With integrated dashboards, risk visualization, and reports, Protecht ERM empowers organizations to make faster, more informed decisions to improve resilience, efficiently meet regulatory requirements, and proactively avoid risks that could lead to negative financial, operational, or reputational impact.
Protecht commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Protecht ERM. The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Protecht ERM on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four decision-makers with experience using Protecht ERM. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization that is a financial services organization with 1,000 employees, and is headquartered in the US.
Interviewees said that prior to using Protecht ERM, their organizations relied heavily on manual spreadsheets or outdated GRC systems. Data entry was time-consuming, error-prone, and lacked the flexibility needed for dynamic risk reporting. As their organizations expanded, these manual processes became increasingly unsustainable, limiting their ability to scale risk management effectively and maintain oversight.
After the investment in Protecht, the interviewees were able to streamline their risk management processes significantly. They experienced notable time savings in managing risk registers, automating compliance attestation workflows, generating risk reports, and reducing manual effort in internal audit administration.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Accelerated risk management workflows, totaling $412,000. Protecht ERM significantly reduces the time and effort required to manage core risk processes. With Protecht ERM, the composite organization experiences a 60% reduction in time spent creating and maintaining risk registers, and a 75% decrease in time spent on attestation workflows.
Reduction in time spent on reporting by 80%. Protecht ERM eliminates the need for manual data entry in spreadsheets and the consolidation of disparate data from siloed systems. Customizable dashboards and report generation features streamline the creation of risk reports and allow the composite organization to save significant time, totaling $146,000.
Cost avoidance by eliminating third-party data management services, totaling $83,000. Protecht ERM provides a unified system that eliminates reliance on external vendors for managing and updating risk registers. It enables seamless, integrated updates across all registers, which improves efficiency and reduces operational overhead.
Cost savings from decommissioning the legacy GRC system, totaling $354,000. The composite organization adopts Protecht ERM and fully retires its legacy system, which eliminates its associated licensing costs.
Time reduction in audit administration by 75%. By automating and streamlining audit management tasks, Protecht ERM eliminates the need for manual email-based follow-ups, sign-offs, and data consolidation. The total time savings amount to $54,000.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Improved risk culture and ownership. The adoption of Protecht ERM encourages a shift from compliance-driven behavior to proactive risk ownership.
Ability to create specific, custom registers. The solution enables teams to build tailored registers to meet unique, emerging needs.
Better visibility across risk and compliance. The consolidation of disparate systems into a single platform eliminates data silos and provides holistic oversight.
Scalable, intuitive UI, and flexibility in design. Protecht ERM’s design supports rapid onboarding and adaptability across teams via a clean user interface that is easy to learn and use.
Streamlined incident management. Automation reduces manual effort and lapsed time, accelerating time to resolve. It also mitigates risks related to data integrity and human error.
Enhanced vendor management. Improved monitoring capabilities allow organizations to reduce the volume of assessments conducted during vendor onboarding.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
Implementation and licensing costs of $175,000. There is a one-off implementation fee in addition to annual licensing costs. This vendor cost is based on the composite organization deploying Protecht’s ERM and vendor risk management (VRM) modules.
Internal deployment, training, and maintenance costs of $163,000. The composite organization allocates internal resources to support initial solution deployment, training, and ongoing maintenance. Typically, this includes assigning an existing team member as an administrator to manage configuration and periodic updates as part of their broader responsibilities, rather than as a full-time role.
The financial analysis that is based on the interviews found that a composite organization experiences benefits of $1.0 million over three years versus costs of $338,000, adding up to a net present value (NPV) of $711,000 and an ROI of 210%.
| Role | Industry | Region | Employee Headcount |
|---|---|---|---|
| Director, compliance and risk; GRC officer | Financial services | UK | 25 |
| GRC manager | Financial services | Australia | 75 |
| Chief risk officer | Financial services | Australia | 300 |
| Senior manager, enterprise risk support | Financial services | US | 1,700 |
Prior to implementing Protecht ERM, the composite organization’s approach to risk management involved primarily manual effort, supplemented by legacy GRC or third-party risk management solutions.
Interviewees noted how their organizations struggled with common challenges, including:
Fragmented and manual processes. Risk and control management relied heavily on ineffective legacy solutions, spreadsheets, and repositories, which created inefficiencies and significant room for human error. Updating risk registers and control documentation was time-consuming and inconsistent, which made it difficult for risk and control owners to maintain accurate, up-to-date information.
Limited visibility and siloed data. The lack of a centralized system resulted in poor visibility across risk and control activities. Data was dispersed across multiple legacy tools and repositories, which created blind spots and made it challenging for stakeholders to identify emerging risks or monitor compliance effectively.
Regulatory pressure and readiness gaps. The organization faced increasing regulatory scrutiny, including the need to demonstrate its compliance with regulatory obligations. Existing processes lacked the structure and formality required to demonstrate compliance efficiently, which increased the risk of non-compliance and associated penalties.
Scalability constraints. As the business grew, the risk function struggled to scale. Incumbent systems and processes could not keep pace with the organization’s expansion — this limited their ability to embed risk management into business operations and foster a strong risk culture.
The interviewees searched for a solution that could:
Streamline processes and de-silo data.
Provide greater visibility to remove blind spots across teams and prevent issues before they occur.
Improve overall risk culture and real-time decision-making.
Allow the risk function to scale with growth of the business.
Ensure regulatory readiness.
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The composite is a financial services firm headquartered in the US that has 1,000 employees, of which 50 are full users, 300 are data entry users, and 25 are vendor users of the Protecht solution. Prior to adopting Protecht ERM, the composite combined a legacy GRC system with manual spreadsheets. The risk team had to navigate a complex and unintuitive setup with manual processes that hindered visibility, control, and efficiency.
Deployment characteristics. The composite completes deployment of the Protecht ERM solution, along with the VRM module, in just under six months.
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Accelerated risk management workflows | $165,578 | $165,578 | $165,578 | $496,733 | $411,767 |
| Btr | Time savings from improved reporting capabilities | $58,752 | $58,752 | $58,752 | $176,256 | $146,108 |
| Ctr | Elimination of GRC-related professional services fees | $32,000 | $33,600 | $35,280 | $100,880 | $83,366 |
| Dtr | Decommissioned legacy technology | $136,000 | $142,800 | $149,940 | $428,740 | $354,305 |
| Etr | Reduced effort in audit administration | $21,675 | $21,675 | $21,675 | $65,025 | $53,903 |
| | Total benefits (risk-adjusted) | $414,005 | $422,405 | $431,225 | $1,267,634 | $1,049,449 |
Evidence and data. Organizations experienced accelerated risk management workflows, driven by a reduction in time spent on creating and managing risk registers, and a streamlined risk attestation process. Protecht replaced manual, spreadsheet-based processes, enabling risk teams to efficiently build and manage risk registers tailored to their specific needs. Automated workflows also eliminated the need for paper-based approvals and manual follow-ups in risk attestation processes.
The compliance and risk officer shared that it used to take 80% to 90% of his time just managing and building risk registers. Shifting from manual spreadsheets to Protecht ERM, a configurable, dynamic risk register system, has reduced that time by up to 60%.
Previously, it took the GRC manager at the Australian organization two months to complete the model risk attestation process. After adopting Protecht ERM, much of the process was automated, removing the need for manual follow-ups, which reduced the time spent on the attestation process to two weeks. They shared: “We’ve alleviated the need for someone to print out a piece of paper and get five or six signatures. It’s all electronic now.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Four GRC specialists are involved in managing and creating risk registers.
Each GRC specialist spends 32 hours a week managing risk registers. After deploying Protecht ERM, this duration is reduced by 60%.
Three GRC specialists and one risk analyst are involved in the model risk attestation process. They each spend two months (i.e., 320 hours) managing the process in their legacy environment.
After deploying Protecht ERM, there is a 75% reduction in time spent on the risk attestation process.
The average fully burdened hourly salary for a GRC specialist and risk analyst is $75 and $65 respectively.
A productivity recapture rate of 50% is applied under the assumption that not all time saved is fully realized as additional productive time.
Risks. The results an organization realizes may differ from those presented in the financial model due to:
The time spent by GRC specialists and risk analysts on risk management workflows in their previous state.
The average fully burdened hourly salary rates for GRC specialists and risk analysts.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $412,000.
Decrease in time spent on risk register management
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| A1 | GRC specialists managing risk registers | Composite | 4 | 4 | 4 | |
| A2 | Time spent weekly on creating and managing risk registers per FTE before implementation (hours) | Interview | 32 | 32 | 32 | |
| A3 | Percentage reduction of time spent creating and managing risk registers with Protecht | Interview | 60% | 60% | 60% | |
| A4 | Subtotal: Time saved annually on creating and managing risk registers with Protecht (hours) | A1*A2*A3*52 | 3,994 | 3,994 | 3,994 | |
| A5 | GRC specialists managing the risk attestation process | Composite | 3 | 3 | 3 | |
| A6 | Risk analysts managing the risk attestation process | Composite | 1 | 1 | 1 | |
| A7 | Time spent on risk attestation per FTE before implementation (hours) | Interview | 320 | 320 | 320 | |
| A8 | Percentage reduction of time spent on risk attestation with Protecht | Interview | 75% | 75% | 75% | |
| A9 | Subtotal: Time saved annually by GRC specialists on risk attestation process with Protecht (hours) | A5*A7*A8 | 720 | 720 | 720 | |
| A10 | Subtotal: Time saved annually by risk analysts on risk attestation process with Protecht (hours) | A6*A7*A8 | 240 | 240 | 240 | |
| A11 | Average fully burdened hourly salary of a GRC specialist | Composite | $75 | $75 | $75 | |
| A12 | Average fully burdened hourly salary of a risk analyst | Composite | $60 | $60 | $60 | |
| A13 | Productivity recapture rate | TEI methodology | 50% | 50% | 50% | |
| At | Accelerated risk management workflows | [(A4+A9)*A11+(A10*A12)]*A13 | $183,975 | $183,975 | $183,975 | |
| | Risk adjustment | ↓10% | | | | |
| Atr | Accelerated risk management workflows (risk-adjusted) | | $165,578 | $165,578 | $165,578 | |
| | Three-year total: $496,733 | Three-year present value: $411,767 | | | | |
Evidence and data. Interviewees shared that their previous reporting processes were highly manual and inefficient. Risk owners struggled to update information, while risk managers had to extract, reformat, and compile data from spreadsheets for each reporting cycle — which often required multiple iterations. Protecht ERM addressed these challenges through customizable dashboards and reports. With intuitive dashboards and configurable reporting tools, teams could instantly access trend insights and generate consistent, accurate reports. This significantly enhanced operational efficiency, reduced manual effort, and minimized the risk of reporting errors.
On average, interviewees noted that their organizations spent 16 hours creating each report prior to deploying Protecht. The compliance and risk officer at an Australian financial services organization shared: “Our previous solution was very difficult for risk owners to update. The risk manager at the time would have taken data from a spreadsheet and then uploaded it manually, then redownloaded it to another spreadsheet and had to reformat it. So, it was a very, very clunky process, and it was essentially a loading exercise every quarter when we had to do the reporting.”
After deploying Protecht ERM, interviewees reported up to an 80% reduction in time spent on creating reports. This improvement was attributed to the platform’s powerful reporting capabilities and intuitive dashboards. As the chief risk officer at an Australian financial services organization noted: “Dashboards are live and easy to build. Reporting is no longer a chore.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
It creates 120 risk reports annually.
After deploying Protecht ERM, there is an 80% reduction in time spent creating reports.
The average fully burdened hourly salary for a risk manager is $85.
A productivity recapture rate of 50% is applied under the assumption that not all time saved is fully realized as additional productive time.
Risks. The results an organization realizes may differ from those presented in the financial model due to the:
Number of reports created annually.
Time spent creating reports in the previous environment.
Average fully burdened hourly salary of a risk manager.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $146,000.
Decrease in time spent creating reports
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| B1 | Risk reports created annually | Composite | 120 | 120 | 120 | |
| B2 | Time spent creating one report pre-implementation (hours) | Interview | 16 | 16 | 16 | |
| B3 | Percentage reduction of time spent creating risk reports with Protecht | Interview | 80% | 80% | 80% | |
| B4 | Average fully burdened hourly salary of a risk manager | Composite | $85 | $85 | $85 | |
| B5 | Productivity recapture rate | TEI methodology | 50% | 50% | 50% | |
| Bt | Time savings from improved reporting capabilities | B1*B2*B3*B4*B5 | $65,280 | $65,280 | $65,280 | |
| | Risk adjustment | ↓10% | | | | |
| Btr | Time savings from improved reporting capabilities (risk-adjusted) | | $58,752 | $58,752 | $58,752 | |
| | Three-year total: $176,256 | Three-year present value: $146,108 | | | | |
Evidence and data. Organizations previously incurred third-party data management costs due to the complexity and siloed nature of their legacy systems. The senior manager of enterprise risk support in the US financial services organization shared that they had to outsource the manual task of updating risk registers, as changes made in one register were not automatically reflected across all registers. Protecht eliminated these costs by providing an integrated, centralized platform where updates were automatically synchronized across related registers.
The senior manager of enterprise risk support in the US financial services organization explained that in their legacy environment, they had no central risk library, and every risk register had its own table. Updates in one register had to be manually replicated across all other registers, or there would be data inconsistency.
Their organization also had to outsource these updates to a third-party vendor due to the sheer volume of manual work required.
After adopting Protecht, there was no need for manual intervention, and they were able to eliminate these third-party costs.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
Third-party data management costs amount to $40,000 in Year 1 and increase by 5% year-over-year.
Risks. The results an organization realizes may differ from those presented in the financial model due to:
The previous environment and process of managing and updating data.
The cost and service structure agreed with the vendor.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $83,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| C1 | Elimination of GRC-related professional services fees | Interview | $40,000 | $42,000 | $44,100 | |
| Ct | Elimination of GRC-related professional services fees | C1 | $40,000 | $42,000 | $44,100 | |
| | Risk adjustment | ↓20% | | | | |
| Ctr | Elimination of GRC-related professional services fees (risk-adjusted) | | $32,000 | $33,600 | $35,280 | |
| | Three-year total: $100,880 | Three-year present value: $83,366 | | | | |
Evidence and data. Upon deployment, organizations that were previously using legacy GRC systems were able to decommission them completely, thus eliminating associated licensing costs.
The senior manager of enterprise risk support at the US financial services organization shared that their organization’s legacy system was built up over a decade by previous employees, and required a lot of manual workarounds. This made the system difficult to scale or adapt. Protecht replaced this dated system with a modern, configurable platform that enabled the team to manage risk more effectively.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
The composite uses a legacy GRC system in the previous state and retires the solution upon adopting Protecht.
The cost of the legacy GRC solution is $170,000 in Year 1 and increases by 5% year-over-year.
Risks. The results an organization realizes may differ from those presented in the financial model due to:
The legacy environment of an organization (i.e., whether there is an incumbent GRC system).
The cost of the legacy solution, if applicable.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $354,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| D1 | Cost of legacy ERM solution | Interview | $170,000 | $178,500 | $187,425 | |
| Dt | Decommissioned legacy technology | D1 | $170,000 | $178,500 | $187,425 | |
| | Risk adjustment | ↓20% | | | | |
| Dtr | Decommissioned legacy technology (risk-adjusted) | | $136,000 | $142,800 | $149,940 | |
| | Three-year total: $428,740 | Three-year present value: $354,305 | | | | |
Evidence and data. The chief risk officer from the Australian financial services organization shared that it took their organization an average of 20 hours to complete admin and management tasks associated with closing each audit. Each finding involved multiple actions, owners, and due dates, which they had to follow up through emails, and manually track in spreadsheets. Significant effort had to be spent compiling the data for closure.
Since deploying Protecht, they were able to streamline and automate workflows, resulting in a 75% reduction in time spent on audit administration tasks.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
It conducts 40 audits annually.
In the prior state, the average time spent on admin tasks is 20 hours per audit.
The time spent on admin tasks associated with audit closures decreases by 75% after deploying Protecht.
The average fully burdened hourly salary of an audit manager is $85.
A productivity recapture rate of 50% is applied, under the assumption that not all time saved is fully realized as additional productive time.
Risks. The results an organization realizes may differ from those presented in the financial model due to the:
Number of audits conducted annually.
Previous process and time spent on administrative tasks associated with audit closure.
Average fully burdened hourly salary rate of an audit manager.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $54,000.
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| E1 | Audits conducted annually | Interview | 40 | 40 | 40 | |
| E2 | Time taken to conduct administration/closing audit activities per audit pre-implementation (hours) | Interview | 20 | 20 | 20 | |
| E3 | Reduction in time to conduct administration/general management activities per audit with Protecht | Interview | 75% | 75% | 75% | |
| E4 | Subtotal: Time saved annually on audit administration (hours) | E1*E2*E3 | 600 | 600 | 600 | |
| E5 | Average fully burdened hourly salary of an audit manager | Composite | $85 | $85 | $85 | |
| E6 | Productivity recapture rate | TEI methodology | 50% | 50% | 50% | |
| Et | Reduced effort in audit administration | E4*E5*E6 | $25,500 | $25,500 | $25,500 | |
| | Risk adjustment | ↓15% | | | | |
| Etr | Reduced effort in audit administration (risk-adjusted) | | $21,675 | $21,675 | $21,675 | |
| | Three-year total: $65,025 | Three-year present value: $53,903 | | | | |
Improved risk culture and ownership. Interviewees reported a marked shift from compliance-driven behavior to proactive risk ownership. This decreased the likelihood and impact of negative events such as penalties, audit findings, and control failures. Protecht ERM enabled risk to become a visible, accessible, and shared responsibility across the organization. The compliance and risk officer of the UK financial services organization noted that the solution brings the risk register to the top priority in risk owners’ desktops, transforming updates from a burdensome task into a routine part of leadership accountability.
Ability to create specific, custom registers. Protecht ERM’s flexibility allows organizations to build tailored registers to meet unique, emerging needs — often replacing manual, spreadsheet-based workarounds. Interviewees mentioned several use cases that previously had no formal tracking mechanism, including freedom of information (FOI) requests, death grants, physical security assessments, facilities lease renewals, and policy exception programs. The ability to customize registers internally — without relying on external consultants — is considered a major value driver.
Better visibility across risk and compliance. Protecht ERM consolidated disparate systems and manual processes into a single platform, which eliminated data silos and enabled holistic oversight to reduce reliance on fragmented spreadsheets and manual reconciliation. Interviewees described how the solution provides a clear overview across risk, compliance, audit, and incident management. Better visibility helped to prioritize resources and reduce blind spots that previously led to control failures. The ability to connect data across registers and roll it up to enterprise-level risks granted transparency for senior leadership and board reporting, enabled strategic alignment, and improved incident response capabilities. By improving visibility and control, Protecht helps organizations avoid risks that could otherwise lead to compliance breaches or operational disruptions. This was one of the principal considerations for interviewees to select Protecht over alternatives.
Scalable, intuitive UI and flexibility in design. Interviewees praised Protecht ERM for its clean, user-friendly interface and adaptable design, which supports rapid onboarding and cross-functional adoption. New users — even those unfamiliar with GRC — could learn the platform quickly, and the continuous page layout makes it easy for risk owners to view ratings, controls, obligations, and actions in one place. The solution’s intuitive design was often cited as a key factor in its widespread adoption across general users, many of whom only access the system occasionally.
Streamlined incident management. Protecht ERM significantly improved incident capture, triage, and resolution through automation and workflow integration. The chief risk officer from the Australian financial services organization said there was a 300% increase in incident reporting at their organization year-over-year, attributing the rise to better accessibility and awareness rather than an increase in actual incidents. The solution enabled faster triage and reduced both manual effort and lapsed time. Anonymous incident reporting via direct system links eliminated the need to transfer email-based breach reports into spreadsheets manually, ultimately reducing human error and improving data integrity.
Enhanced vendor management. Interviewees highlighted Protecht ERM’s ability to improve vendor oversight and streamline onboarding processes through enhanced monitoring and automation. The adoption of vendor risk management capabilities — including control effectiveness ratings, residual risk scoring, and third-party risk assessments — enabled more structured and proactive vendor oversight. One financial services organization also implemented a Vendor Evaluation Form (VEF), which reduces the number of touchpoints required during onboarding and allows business units to initiate vendor assessments directly. These improvements led to greater SLA adherence, while the ability to monitor and report on SLA performance held internal stakeholders accountable and reduced delays caused by interdepartmental handoffs. Protecht ERM’s centralized vendor library and assessment workflows also support risk-based prioritization, allowing teams to focus on high-criticality vendors and reduce unnecessary assessments for low-risk engagements.
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Protecht ERM and later realize additional uses and business opportunities.
The interviewees consistently emphasized the flexibility of the Protecht ERM platform as a key enabler of future scalability and strategic alignment. While not directly tied to quantified financial benefits, this flexibility supports long-term value realization and organizational agility via:
Deploying additional modules. Interviewees expressed strong interest in expanding their use of Protecht ERM through additional modules, particularly:
Protecht’s modular architecture and marketplace offerings were frequently noted as a differentiator during vendor selection. As the compliance and risk officer from the UK financial services organization noted, “It was a system that could give us what we wanted at that time, but it would also give us what we wanted in the next five years.”
Implementing AI functionalities. Interviewees were optimistic about the potential of Protecht’s upcoming AI capabilities, particularly in areas such as:
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Ftr | Implementation and licensing costs | $39,900 | $51,765 | $54,506 | $57,309 | $203,480 | $175,062 |
| Gtr | Internal deployment, training, and maintenance costs | $155,386 | $3,102 | $3,102 | $3,102 | $164,692 | $163,100 |
| | Total costs (risk-adjusted) | $195,286 | $54,867 | $57,608 | $60,411 | $368,172 | $338,162 |
Evidence and data. Organizations paid for annual licensing fees and a one-off implementation service fee to Protecht.
For an organization the size of the composite or larger, it is typical for at least one third of employees to hold Protecht licenses. In comparison, smaller organizations had licenses for most, if not all, of their employees.
There are two types of licenses available: the full user license, which allows complete control to view and edit all records, and the data entry user license, which limits access to an individual’s own records.
Most interviewees noted that their organization deployed the ERM and VRM modules at minimum.
Pricing may vary depending on requirements. Contact Protecht directly for additional details.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
It pays Protecht an upfront fee for initial deployment.
It has an employee headcount of 1,000 and chooses to license 50 full users, 300 data entry users, and 25 vendor users.
Licensing costs increase by a standard of 5% year-over-year.
Risks. Organizations may realize results that differ from those presented in the financial model due to the:
Number of employees who require a full user or data entry user license.
Complexity of initial deployment.
Additional modules and services purchased (e.g., service plan hours).
Applicable discounts (e.g., volume-based, multi-module).
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $175,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| F1 | One-off implementation fee | Composite | $38,000 | | | |
| F2 | License fees | Composite | | $49,300 | $51,910 | $54,580 |
| Ft | Implementation and licensing costs | F1+F2 | $38,000 | $49,300 | $51,910 | $54,580 |
| | Risk adjustment | ↑5% | | | | |
| Ftr | Implementation and licensing costs (risk-adjusted) | | $39,900 | $51,765 | $54,506 | $57,309 |
| | Three-year total: $203,480 | Three-year present value: $175,062 | | | | |
Evidence and data. Interviewees noted that it took their organizations a few months to completely deploy and set up initial modules, with the help of Protecht’s implementation team. Forrester quantified the costs of the entire onboarding process, integration efforts, and ongoing administrative labor.
The implementation was typically led by two to three FTEs from the risk function, including a risk manager and GRC specialists, as well as some input across other business units.
The core deployment team often undertook Protecht’s one-day super-user training before educating the rest of the business by conducting several training sessions.
The core deployment team is also responsible for ongoing system maintenance.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
It takes 24 weeks to deploy the Protecht solution, primarily led by a single risk manager who dedicates roughly 90% of their time (i.e., 36 hours assuming a standard 40-hour work week) over this period.
Deployment is supported by two GRC specialists, who dedicate 4 hours per week, and 12 general employees across the business who each dedicate 10 hours per week.
The risk manager and GRC specialists all receive Protecht’s super-user training. The risk manager then spends 15 hours preparing and conducting a series of 1-hour training sessions that are attended by the remaining 997 employees organization-wide.
The risk manager and GRC specialists each spend 1 hour a month on general system maintenance such as resolving issues, reaching out to support, or learning about new features and updates.
Risks. Organizations may realize results that differ from those presented in the financial model due to the:
Complexity of organizational requirements necessitating varied commitment of headcount and time allocation for integration and maintenance.
Variation in training commitment (i.e., time and headcount involved in super-user training and/or general rollout).
Variation in average salaries across roles.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $163,000.
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | Deployment time (weeks) | Composite | 24 | | | |
| G2 | Risk managers involved in deployment and maintenance | Composite | 1 | 1 | 1 | 1 |
| G3 | Time spent weekly on deployment by the risk manager (hours) | Interview | 36 | | | |
| G4 | GRC specialists involved in deployment and maintenance | Composite | 2 | 2 | 2 | 2 |
| G5 | Time spent weekly on deployment by GRC specialists (hours) | Interview | 4 | | | |
| G6 | General employees involved in deployment | Composite | 12 | | | |
| G7 | Time spent on deployment per general employee (hours) | Interview | 10 | | | |
| G8 | Time spent on Protecht super-user training per risk manager or GRC specialist (hours) | Interview | 8 | | | |
| G9 | Time spent by risk manager on organization-wide training (hours) | Interview | 15 | | | |
| G10 | Total time employees spent on training (hours) | Interview | 997 | | | |
| G11 | Time each risk manager and GRC specialist requires annually for ongoing system maintenance (hours) | Interview | | 12 | 12 | 12 |
| G12 | Average fully burdened hourly salary of a risk manager | Composite | $85 | $85 | $85 | $85 |
| G13 | Average fully burdened hourly salary of a GRC specialist | Composite | $75 | $75 | $75 | $75 |
| G14 | Average fully burdened hourly salary of a general employee | Composite | $45 | $45 | $45 | $45 |
| G15 | Subtotal: Deployment costs | G1*(G2*G3*G12+G4*G5*G13)+(G6*G7*G14) | $93,240 | | | |
| G16 | Subtotal: Training costs | (G2*(G8+G9)*G12)+(G4*G8*G13)+(G10*G14) | $48,020 | | | |
| G17 | Subtotal: Ongoing system maintenance costs | (G2*G12+G4*G13)*G11 | | $2,820 | $2,820 | $2,820 |
| Gt | Internal deployment, training, and maintenance costs | G15+G16+G17 | $141,260 | $2,820 | $2,820 | $2,820 |
| | Risk adjustment | ↑10% | | | | |
| Gtr | Internal deployment, training, and maintenance costs (risk-adjusted) | | $155,386 | $3,102 | $3,102 | $3,102 |
| | Three-year total: $164,692 | Three-year present value: $163,100 | | | | |
| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($195,286) | ($54,867) | ($57,608) | ($60,411) | ($368,172) | ($338,162) |
| Total benefits | $0 | $414,005 | $422,405 | $431,225 | $1,267,634 | $1,049,449 |
| Net benefits | ($195,286) | $359,138 | $364,797 | $370,814 | $899,462 | $711,287 |
| ROI | 210% | | | | | |
| Payback period (months) | 7 months | | | | | |
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV is calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Protecht ERM.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Protecht ERM can have on an organization.
Interviewed Protecht stakeholders and Forrester analysts to gather data relative to Protecht ERM.
Interviewed four decision-makers at organizations using Protecht ERM to obtain data about costs, benefits, and risks.
Designed a composite organization based on characteristics of the interviewees’ organizations.
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
Present value (PV). The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feed into the total NPV of cash flows.
Net present value (NPV). The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
Return on investment (ROI). A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
Discount rate. The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
Payback period. The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Readers should be aware of the following:
This study is commissioned by Protecht and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Protecht ERM.
Protecht reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Protecht provided the customer names for the interviews but did not participate in the interviews.
Jamie Macaulay
June 2025