I have therefore decided to release this new blog, building on a great presentation that was delivered by my colleagues Michael Heckner and Vincent Doux from the GRC Centre of Excellence in EMEA-North some time ago.
Calculating the Return on Investment (ROI) of an initiative is of course a key component of any business case, but I also wanted to provide a more holistic view of the process and touch on some aspects that are often afterthoughts but are key success factors.
Phased approach to building the business case for an integrated risk and control solution
Presentation of a fact often carries as much weight as the fact itself. All things being equal it shouldn’t be that way, but that’s the reality. As a result, I wouldn’t suggest simply going to Management with an Excel spreadsheet of what it costs to run a process today and how much could be gained with a solution. This is of course a logical approach, but it may need to be packaged in pretty wrapping paper, especially if Management doesn’t have a full picture of the process.
I would rather suggest progressing in a phased approach as per below:
Gaining more from your GRC investment, Deloitte
Phase 1 – Describe challenges & identify options
This first step really focuses on the introduction of the investment request. Why are we even discussing this today?
In my experience, there are two motivations when it comes to risk & control topics, and they are not mutually exclusive:
Reducing the cost of running the mandatory process (documenting and performing internal control over financial reporting, identifying and responding to material risks, etc.)
Reaching a higher maturity level, and maybe even setting the best practice in the industry (automating the control testing, notifying the risk owners in case of a negative trend, etc.)
The control, compliance and risk process is iterative in nature in the sense that there is no defined finish line. Indeed, the business landscape evolves continuously, and so does the regulatory context of course. As a result, the picture below is a perpetual cycle from documentation to reporting and back to documentation:
Enterprise Risk and Compliance process
Following this process, below are some of the common direct costs that are most often raised in relation to risk & control activities:
Maintenance of risks and controls
Update of the audit universe
Maintenance of task recipients
Scheduling of the assessments
Planning of the audits
Sending of reminders and escalations
Assessment of risks and controls
Mitigation of issues
Performing of audits
Investigation of alerts and anomalies
Management of incidents
Follow-up on recommendations
Review of action plan updates
Review of notifications and alerts
Consolidation and harmonization of information
Report preparation and sharing
Maybe (hopefully!) not all will apply to your organization, but this list could help you get started with some ideas.
Of course, there are also indirect costs that can be taken into account, such as slowing down or even blocking business operations, and these can also be factored into the business case.
Phase 2 – Perform cost & benefit analysis
Now that the decision makers have been presented with the costs of running the process, it’s time to work on the Return on Investment of automating the process via a software solution.
Let’s start with identifying the cost of the solution:
Cost analysis for an integrated risk and control platform
License: perpetual license (acquisition) or 3-year subscription
Maintenance (if acquisition): 3-year maintenance fee
Hardware (if on premise)
External resources (implementation): €x (if fixed contract), otherwise # hours * hourly rate
Strategic consulting (methodology): # hours * hourly rate
# hours * hourly rate
Ongoing support & help desk: # hours * hourly rate
Total TCO: €x
By analogy, this is the cost side of the P&L, but a software solution will also bring benefits, both in cost reduction and in process improvement. These match the two motivations listed in phase 1:
Cost reduction benefits
Harmonized master data: # of central risks and controls * # updates * hourly cost to maintain them
Scheduling of tasks (control and risk): # of tasks being automated * frequency * hourly cost to send them to recipients
Automated reminders and escalations: # of tasks being automated * average # reminders sent * hourly cost to send them
Automated task recipient mapping: # recipients (control or risk owners) * hourly cost to maintain them
# controls removed * effort in hour * hourly cost to perform them
Duplicate action plans: cost of implementing a risk response * # of duplicate risk responses
# hours spent documenting and running business rule simulations
Real-time risk and control information: # of requests to provide risk and control information * # standardized reports
Alignment of risks with business objectives: effort to tie enterprise risks back to business strategies and objectives
Total benefit for process efficiency: €x
Not all benefits can be easily quantified, but some qualitative benefits may appeal even more to executives than the quantitative ones mentioned just above, especially if they address the “Company Governance” aspect.
I would therefore suggest also mentioning the ones that are most relevant to your organizational context such as:
Reduced earnings volatility
Higher share price multiple
Improved governance ratings
Increased investor confidence
Increased access to capital
Improved control design
Reduced elapsed time to decisions
Increased market share
Increased employee participation
Higher employee collaboration and morale
Predictive insight into risk drivers
Increased innovation and opportunity
Increased insurance coverage (insurers offer more coverage for a given risk)
Phase 3 – Identify risks and mitigations
As for any project, there are of course inherent risks.
Here, they would most likely relate to the software not delivering on its ROI promise. One root cause is simply that users do not adopt the tool, so it is not used as intended.
The other main reason could be that the data in the tool is inaccurate, for instance because old legacy data that is no longer relevant was imported.
For the first risk, I would suggest involving key users, such as the “Risk and Compliance Champions”, so that they are an integral part of the selection process for the right software for your company. They will also spread the word, and will most likely defend the project since they were stakeholders.
“What have others achieved before?”. This is a typical question in any business case analysis, and understandably so.
Since this is by no means a simple task, we at SAP have decided to make dedicated tools available for customers (but also partners or any other interested party since they are publicly available) to be able to benchmark potential outcomes.
Depending on your area of interest for building the case, I would suggest having a look at the following blogs that directly refer to the value calculators and explain how to leverage them:
In addition to these tools, I would also suggest having a look at customer case studies where other organizations provide their insights on what worked well, but also lessons learned on what maybe didn’t. And this often includes creating a business case.
There are of course many GRC conferences around, but I have a strong personal bias and would therefore recommend the two that I am most involved in:
International Conference on Internal Controls, Compliance and Risk Management presented by SAP and TAC Events
SAPinsider Governance, Risk & Compliance
Phase 5 – Develop and make recommendations
You should now have all the information needed to build the business case and calculate the Return on Investment.
The last milestone is nevertheless one of the most important: the “wrapper” I mentioned in the introduction. In the words of design consultant Ralph Caplan, “Thinking about design is hard, but not thinking about it can be disastrous”. The same can be said of a business case.
You may have the perfect business case and the most sensible message, but recommendations have to be short and comprehensible.
If the figures don’t support the case, then so be it, at least for now. A forced business case is easily spotted and damages the credibility of the initiative.
Phase 6 – Measure expected and actual ROI
We’re now on the last phase: the project has been approved, implemented and is actively used. It’s time to monitor the outcomes.
I would suggest a very simple approach: reuse the very same KPIs and recalculate all the benefits, but this time with observed data rather than external benchmarks. Does the result still match your ROI calculation?
If not, what area is still lagging and what could be the root cause?
All problems have solutions, but ignoring a problem won’t make it go away!
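To make the arithmetic of phase 2 and the recalculation in phase 6 concrete, here is a small ROI model in Python. It is an added example written for this page, not SAP’s value calculator nor any tool mentioned in this blog. Every figure in it (a €120,000 subscription, 400 automated tasks, a €150 hourly rate, and so on) is a constructed placeholder, not a benchmark; the KPI names follow the benefit table above, and the “observed” scenario in which only 250 of the 400 tasks are scheduled through the tool is invented to illustrate the adoption risk from phase 3.

```python
"""Added example: a minimal ROI model for a risk & control platform.

Not SAP's value calculator; every number below is a constructed placeholder.
Benefits follow the "# items * frequency * hourly cost" pattern of the
cost/benefit tables above, and the same model is re-run with observed data
for the phase 6 check.
"""
from dataclasses import dataclass


@dataclass
class Benefit:
    """One KPI from the benefit table: manual effort that automation removes."""
    name: str
    volume: float       # e.g. number of tasks, risks or recipients
    frequency: float    # occurrences per year
    hours_each: float   # manual effort per occurrence, in hours
    hourly_cost: float  # fully loaded cost of the person doing it, in EUR

    def annual_value(self) -> float:
        return self.volume * self.frequency * self.hours_each * self.hourly_cost


@dataclass
class Tco:
    """Cost side of the business case over the evaluation horizon."""
    licence: float                 # perpetual licence or multi-year subscription
    maintenance: float             # multi-year maintenance fee (0 for subscription)
    hardware: float                # 0 for a cloud deployment
    implementation_hours: float    # external implementation resources
    consulting_hours: float        # strategic (methodology) consulting
    support_hours_per_year: float  # ongoing support and help desk
    hourly_rate: float
    years: int = 3

    def total(self) -> float:
        one_off = (self.licence + self.maintenance + self.hardware
                   + (self.implementation_hours + self.consulting_hours) * self.hourly_rate)
        recurring = self.support_hours_per_year * self.hourly_rate * self.years
        return one_off + recurring


def total_benefit(benefits: list[Benefit], years: int) -> float:
    return sum(b.annual_value() for b in benefits) * years


def roi(benefits: list[Benefit], tco: Tco) -> float:
    """(benefit - cost) / cost over the TCO horizon; 0.24 means 24 %."""
    cost = tco.total()
    return (total_benefit(benefits, tco.years) - cost) / cost


def payback_years(benefits: list[Benefit], tco: Tco) -> float:
    annual = total_benefit(benefits, 1)
    return float("inf") if annual == 0 else tco.total() / annual


def lagging_kpis(expected: list[Benefit], observed: list[Benefit],
                 threshold: float = 0.8) -> list[str]:
    """Phase 6 check: KPIs whose observed value is below `threshold` of the plan."""
    observed_by_name = {b.name: b.annual_value() for b in observed}
    return [b.name for b in expected
            if observed_by_name.get(b.name, 0.0) < threshold * b.annual_value()]


# --- constructed sample data (placeholders, not benchmarks) -------------------
def platform_tco() -> Tco:
    return Tco(licence=120_000, maintenance=0, hardware=0,
               implementation_hours=600, consulting_hours=100,
               support_hours_per_year=80, hourly_rate=150)


def expected_benefits() -> list[Benefit]:
    return [
        Benefit("Harmonized master data", volume=300, frequency=2, hours_each=1.0, hourly_cost=60),
        Benefit("Scheduling of tasks", volume=400, frequency=4, hours_each=0.5, hourly_cost=60),
        Benefit("Automated reminders and escalations", volume=400, frequency=4, hours_each=0.25, hourly_cost=60),
    ]


def observed_benefits() -> list[Benefit]:
    # Same KPIs measured after go-live (constructed): only 250 of the 400 tasks
    # are actually scheduled through the tool, i.e. the adoption risk of phase 3.
    return [
        Benefit("Harmonized master data", volume=300, frequency=2, hours_each=1.0, hourly_cost=60),
        Benefit("Scheduling of tasks", volume=250, frequency=4, hours_each=0.5, hourly_cost=60),
        Benefit("Automated reminders and escalations", volume=400, frequency=4, hours_each=0.25, hourly_cost=60),
    ]


if __name__ == "__main__":
    tco = platform_tco()
    print(f"TCO over {tco.years} years: EUR {tco.total():,.0f}")
    print(f"Expected ROI: {roi(expected_benefits(), tco):.1%}, "
          f"payback {payback_years(expected_benefits(), tco):.1f} years")
    print(f"Observed ROI:  {roi(observed_benefits(), tco):.1%}")
    print("Lagging KPIs:", lagging_kpis(expected_benefits(), observed_benefits()))
```

With these placeholder figures the expected three-year ROI is about 24 % with a payback of roughly 2.4 years, while the observed data brings the ROI down to about 3 % and `lagging_kpis` singles out “Scheduling of tasks” as the area to investigate. Keeping the benefit KPIs as named, separately parameterised items is what makes the phase 6 recalculation a like-for-like comparison: you swap the assumed volumes for observed ones and leave the formula untouched.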
Is there anything else you think I should have included in this blog? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard