It has been over two years now since I released the first blog of the GRC Tuesdays series, Creating a Business Case for a Governance, Risk, and Compliance Solution, and I have since received many requests for a more in-depth post, with more illustrations and actionable advice.
I have therefore decided to release this new blog, building on a great presentation that was delivered by my colleagues Michael Heckner and Vincent Doux from the GRC Centre of Excellence in EMEA-North some time ago.
Calculating the Return on Investment (ROI) of an initiative is of course a key component of any business case, but I also wanted to provide a more holistic view of the process and touch on some aspects that are often afterthoughts but are key success factors.
Phased approach to building the business case for an integrated risk and control solution
Presentation of a fact often has as much weight as the fact itself. All things being equal it shouldn’t be that way, but that’s the reality. As a result, I wouldn’t suggest simply going to Management with an Excel spreadsheet of what it costs to run a process today and how much gain could be achieved with a solution. This is of course a logical approach, but it might need to be packaged in pretty wrapping paper, especially if Management doesn’t have a full picture of the process.
I would rather suggest progressing in a phased approach as per below:

Figure: Gaining more from your GRC investment (Deloitte)
Phase 1 – Describe challenges & identify options
This first step really focuses on the introduction of the investment request. Why are we even discussing this today?
In my experience, there are two motivations behind risk & control topics, and they are not mutually exclusive:
- Reducing the cost of running the mandatory process (documenting and performing internal control over financial reporting, identifying and responding to material risks, etc.)
- Getting to a higher degree of maturity, and maybe even setting the best practice in the industry (automating the control testing, notifying the risk owners in case of a negative trend, etc.)
The control, compliance and risk process is iterative in nature in the sense that there is no defined finish line. Indeed, the business landscape evolves continuously, and so does the regulatory context of course. As a result, the picture below is a perpetual cycle from documentation to reporting and back to documentation:

Figure: Enterprise Risk and Compliance process
Following this process, below are some of the common direct costs that are most often raised in relation to risk & control activities:

Documenting:
- Maintenance of risks and controls
- Update of the audit universe
- Maintenance of task recipients

Planning:
- Scheduling of the assessments
- Planning of the audits
- Sending of reminders and escalations

Evaluating:
- Assessment of risks and controls
- Mitigation of issues
- Performing of audits
- Investigation of alerts and anomalies

Monitoring:
- Management of incidents
- Follow-up on recommendations
- Review of action plan updates
- Review of notifications and alerts

Reporting:
- Consolidation and harmonization of information
- Report preparation and sharing
Maybe (hopefully!) not all will apply to your organization, but this list could help you get started with some ideas.
Of course, there are also indirect costs that can be taken into account, such as slowing down or even blocking business operations, and these could also be factored into the business case.
Phase 2 – Perform cost & benefit analysis
Now that the decision makers have been presented with the costs of running the process, it’s time to work on the Return on Investment of automating the process via a software solution.
Let’s start with identifying the cost of the solution:

Cost analysis for an integrated risk and control platform:

| Area | Cost |
|---|---|
| Software | Perpetual license for Acquisition or 3-year subscription |
| Maintenance (if Acquisition) | 3-year maintenance fee |
| Hardware (if On Premise) | €x |
| External resources (implementation) | €x (if fixed contract) |
| Internal resources | # hours * hourly rate |
| Strategic consulting (methodology) | # hours * hourly rate |
| Training | # hours * hourly rate |
| Ongoing support & help desk | # hours * hourly rate |
| Other | €x |
| Total TCO cost | €x |
As an analogy, this would be on the cost side of the P&L, but a software solution will also be able to bring benefits for both cost reduction and process improvements, hence addressing both aspects of the challenges listed in phase 1:

Cost reduction benefits:

| Cost | Quantification |
|---|---|
| Harmonized master data | # of central risks and controls * # updates * hourly cost to maintain them |
| Scheduling of tasks (control and risk assessments) | # of tasks being automated * frequency * hourly cost to send them to recipients |
| Automated reminders and escalations | # of tasks being automated * average # reminders sent * hourly cost to send them |
| Automated task recipients mapping | # recipients (control or risk owners) * hourly cost to maintain them |
| Duplicate controls | # controls removed * effort in hours * hourly cost to perform them |
| Duplicate action plans | Cost of implementation of risk response * # of duplicate risk responses |
| Automation of preventative responses (controls) | # manual controls automated * effort in hours * hourly cost |
| Audit fees | # hours previously spent on audit preparation phases - new effort in hours |
| Non-compliance events | # of non-compliances identified by Audit * average cost to remediate them |
| Real-time anomaly detection | # of anomalies identified after the fact * cost of associated loss |
| Insurance coverage | Current cost of insurance coverage based on outdated estimates - Updated risk exposure level (inclusive of mitigations) |
| Standardized reporting | (# of hours to collect information + # hours to harmonize it + # hours to consolidate it) * frequency of reporting |
| Total benefit for cost reduction | €x |
Process efficiency benefits:

| Cost | Quantification |
|---|---|
| Contributors' administration | # hours transferring tasks to new stakeholders due to role changes |
| Support | # hours responding to identical questions on process |
| Time savings for assessments/ratings | (Previous evaluation timeline - New evaluation timeline) * # risk and control assessment cycles |
| Time savings for incident documentation and follow-up | (Previous incident documentation effort - New effort) * # incidents reported |
| Action follow-up | Effort to list actions pending * Time spent finding owners * Time spent sending reminders |
| Response automation | # hours spent updating risk responses * # controls OR policies assigned |
| Exception monitoring | # hours spent monitoring risks and controls that haven't evolved |
| Single source of truth for audit | # of hours spent extracting risk & control information for internal/external audit * # requests |
| Increased audit productivity | Investigation effort in hours * # of data points manually analysed |
| Time to market of new policies | # hours spent disseminating policies * # new/updated policies |
| Visibility on policy acceptance | # hours spent gathering policy acceptance * # new/updated policies |
| Classification of false positives | # hours investigating false positives * # occurrences |
| Real-time calibration | # hours spent documenting and running business rule simulations |
| Real-time risk and control information | # of requests to provide risk and control information * # standardized reports |
| Alignment of risks with business objectives | Effort to tie back enterprise risks to business strategies and objectives |
| Total benefit for process efficiency | €x |
Not all benefits are easily quantifiable, but some qualitative benefits may appeal even more to executives than the quantitative ones mentioned just above, especially if they address the “Company Governance” aspect.
I would therefore suggest also mentioning the ones that are most relevant to your organizational context, such as:

| Area | Associated benefit |
|---|---|
| Reduced earnings volatility | Higher share price multiple |
| Increased transparency | Improved governance ratings |
| Increased investor confidence | Increased access to capital |
| Improved control design | Reduced elapsed time to decisions |
| Consumer confidence | Increased market share |
| Increased employee participation | Higher employee collaboration and morale |
| Predictive insight into risk drivers | Increased innovation and opportunity |
| Increased insurance coverage | Insurers offer more coverage for a given risk |
| Etc. | |
Phase 3 – Identify risks and mitigation
As for any project, there are of course inherent risks.
Here, they would most likely relate to the software not delivering on its ROI promise. One root cause would simply be that users do not adopt the tool, so it is not being used as intended.
The other main reason could be that the data in the tool is inaccurate, which could be due to the import of old legacy data that is no longer relevant.
For the first risk, I would suggest involving key users, such as the “Risk and Compliance Champions”, so that they can be an integral part of the selection process for the right software for your company. They will also carry the word out, and will most likely defend the project since they were stakeholders.
For the second risk, I have already addressed it in a previous blog, so I would simply suggest having a look there:
Governance, Risk, and Compliance and the Data Debt – a Conundrum That Can Be Solved
Phase 4 – Collect external benchmark information
“What have others achieved before?” This is a typical question in any business case analysis, and understandably so.
Since this is by no means a simple task, we at SAP have decided to make dedicated tools available for customers (but also for partners or any other interested party, since they are publicly available) to benchmark potential outcomes.
Depending on your area of interest for building the case, I would suggest having a look at the following blogs that directly refer to the value calculators and explain how to leverage them:
In addition to these tools, I would also suggest having a look at customer case studies where other organizations provide their insights on what worked well, but also lessons learned on what maybe didn’t. This often includes creating a business case.
There are of course many GRC conferences around, but I have a strong personal bias and would therefore personally recommend the two that I get most involved in:
- International Conference on Internal Controls, Compliance and Risk Management presented by SAP and TAC Events
- SAPinsider Governance, Risk & Compliance
Phase 5 – Develop and make recommendations
You should now have all the information needed to build the business case and calculate the Return on Investment.
The last milestone is nevertheless one of the most important ones: the “wrapper” I mentioned in the introduction. In the words of design consultant Ralph Caplan, “Thinking about design is hard, but not thinking about it can be disastrous”. The same can be said of a business case.
You may have the perfect business case, and the most sensible message, but recommendations have to be short and comprehensible.
If the figures don’t support it, then so be it, at least for now. A forced business case will easily be spotted and will impact the credibility of the initiative.
Phase 6 – Measure expected and actual ROI
We’re now on the last phase: the project has been approved, implemented and has actively been used. It’s time to monitor the outcomes.
I would suggest a very simple approach: reuse the very same KPIs and recalculate all the benefits, but this time with observed data, not external benchmarks. Does this still match your ROI calculation?
If not, what area is still lagging and what could be the root cause?
All problems have solutions, but ignoring them won’t make them go away!
Is there anything else you think I should have included in this blog? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard