Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

It has been over two years now since I released the first blog of the GRC Tuesdays series – Creating a Business Case for a Governance, Risk, and Compliance Solution and I have since received many requests for a more in depth post, with more illustrations and actionable advice.

I have therefore decided to release this new blog, building on a great presentation that was delivered by my colleagues Michael Heckner and Vincent Doux from the GRC Centre of Excellence in EMEA-North some time ago.

Calculating the Return on Investment (ROI) of an initiative is of course a key component of any business case, but I also wanted to provide a more holistic view of the process and touch on some aspects that are often afterthoughts but are key success factors.


Phased approach to building the business case for an integrated risk and control solution


Presentation of a fact often has as much weight as the fact itself. All things being equal it shouldn’t be that way, but that’s the reality. As a result, I wouldn’t suggest simply going to Management with an Excel spreadsheet of what it costs to run a process today and how much gain could be achieved with a solution. This is of course a logical approach, but it might need to be packaged in a pretty wrapping paper. Especially if Management don’t have a full picture of the process.

I would rather suggest progressing in a phased approach as per below:

Gaining more from your GRC investment, Deloitte


Phase 1 – Describe challenges & identify options


This first step really focuses on the introduction of the investment request. Why are we even discussing this today?

In my experience, there are 2 ways about it when it comes to risk & control topics – and they are not exclusive:

  • Reducing the cost of running the mandatory process (documenting and performing internal control over financial reporting, identifying and responding to material risks, etc.)

  • Getting to a higher degree of maturity level, and maybe even set the best practice in the industry (automating the control testing, notifying the risk owners in case of a negative trend, etc.)

The control, compliance and risk process is iterative in nature in the sense that there is no defined finish line. Indeed, the business landscape evolves continuously, and so does the regulatory context of course. As a result, the picture below is a perpetual cycle from documentation to reporting and back to documentation:

Enterprise Risk and Compliance process

Following this process, below are some of the common direct costs that are most often raised in relations to risk & control activities:


Ø Maintenance of risks and controls

Ø Update of the audit universe

Ø Maintenance of task recipients


Ø Scheduling of the assessments

Ø Planning of the audits

Ø Sending of reminders and escalations


Ø Assessment of risks and controls

Ø Mitigation of issues

Ø Performing of audits

Ø Investigations of alerts and anomalies


Ø Management of incidents

Ø Follow-up on recommendations

Ø Review of action plan updates

Ø Review of notifications and alerts


Ø Consolidation and harmonization of information

Ø Report preparation and sharing


Maybe (hopefully!) not all will apply to your organization, but this list could help you get started with some ideas.

Of course, there are also indirect costs that can be taken into account such as slowing down or even blocking business operations for instance and these could also be factored into the business case.


Phase 2 – Perform cost & benefit analysis


Now that the decision makers have been presented with the costs of running the process, it’s time to work on the Return on Investment of automating the process via a software solution.

Let’s start with identifying the cost of the solution: 

  • Cost analysis for an integrated risk and control platform

  Area Cost
Software Perpetual license for Acquisition or 3-year subscription
Maintenance (if Acquisition) 3-year maintenance fee
Hardware (if On Premise) €x
External resources (implementation) €x (if fixed contract)
Internal resources # hours * hourly rate
Strategic consulting (methodology) # hours * hourly rate
Training # hours * hourly rate
Ongoing support & help desk # hours * hourly rate
Other €x
  Total TCO cost €x


As an analogy, this would be on the right hand side of the P&L but a software solution will also be able to bring benefits for both cost reduction and process improvements. Hence both of the aspects of the challenges listed in phase 1: 

  • Cost reduction benefits

Cost Quantification
Harmonized master data # of central risk and controls * # updates * hourly cost to maintain them

Scheduling of tasks (control and risk

# of tasks being automated * frequency * hourly cost to send them to recipients
Automated reminders and escalations # of tasks being automated * average # reminders sent * hourly cost to send them
Automated task recipients mapping # recipients (control or risk owners) * hourly cost to maintain them
Duplicate controls # controls removed * effort in hour * hourly cost to perform them
Duplicate action plans Cost of implementation of risk response * # of duplicate risk responses

Automation of preventative responses

# manual controls automated * effort in hour * hourly cost
Audit fees # hours previously spent on audit preparation phases - new effort in hours
Non-compliance events # of non-compliances identified by Audit * average cost to remediate them
Real-time anomaly detection # of anomalies identified after the fact * cost of associated loss
Insurance coverage Current cost of insurance coverage based on outdated estimates - Updated risk exposure level (inclusive of mitigations)
Standardized reporting (# of hours to collect information + # hours to harmonize it + # hours to consolidate it) * frequency of reporting
Total benefit for cost reduction €x

  • Process efficiency benefits

Cost Quantification
Contributors' administration # hours transferring tasks to new stakeholders due to role changes
Support # hours responding to identical questions on process
Time savings for assessments/ratings (Previous evaluation timeline - New evaluation timeline) * # risk and control assessment cycles
Time savings for incident documentation and follow-up (Previous incident documentation effort - New effort) * # incidents reported
Action follow-up Effort to list actions pending * Time spent finding owners * Time spent sending reminders
Response automation # hours spent updating risk responses * # controls OR policies assigned
Exception monitoring # hours spent monitoring risks and controls that haven't evolved
Single source of truth for audit # of hours spent extracting risk & control information for internal/external audit * # requests
Increased audit productivity Investigation effort in hours * # of data points manually analysed
Time to market of new policies # hours spent disseminating policies * # new/updated policies
Visibility on policy acceptance # hours spent gathering policy acceptance * # new/updated policies
Classification of false positive # hours investigating false positive * # occurrences
Realtime calibration # hours spent documenting and running business rule simulations
Real time risk and control information # of requests to provide risk and control information * # standardized reporting
Alignment of risks with business objectives Effort to tie back enterprise risks to business strategies and objectives
Total benefit for process efficiency €x

  • Qualitative benefits

Not all benefits can be easily quantifiable, but some qualitative benefits may appeal even more to executives than the quantitative ones mentioned just above. Especially if they address the “Company Governance” aspect.

I would therefore suggest also mentioning the ones that are most relevant to your organizational context such as:

Area Associated benefit
Reduced earnings volatility Higher share price multiple
Increased transparency Improved governance ratings
Increased investor confidence Increased access to capital
Improved control design Reduced elapsed time to decisions
Consumer confidence Increased market share
Increased employee participation Higher employee collaboration and morale
Predictive insight into risk drivers Increased innovation and opportunity
Increased insurance coverage Insurers offer more coverage for a given risk


 Phase 3 – Identity risks and mitigation


As for any project, there are of course inherent risks.

Here, they would most likely relate to the fact that the software wouldn’t deliver on its ROI promise and a root cause would simply be that users do not adopt the tool and that it is therefore not being used as intended.

The other main reason could be that the data in the tool is inaccurate and this could be due to import of old legacy – and no longer relevant – data.

For the first risk, I would suggest involving key users – such as the “Risk and Compliance Champions” for instance so that they can be an integral part of the selection process for the right software for your company. They will also carry the word out, and will most likely defend the project since they were stakeholders.

For the second risk, I have already addressed it during a previous blog so I would simply suggest having a look there: Governance, Risk, and Compliance and the Data Debt – a Conundrum That Can Be Solved


Phase 4 – Collect external benchmark information


“What have others achieved before?”. This is a typical question in any business case analysis, and understandably so.

Since this is by no means a simple task, we at SAP have decided to make dedicated tools available for customers (but also partners or any other interested party since they are publicly available) to be able to benchmark potential outcomes.

Depending on your area of interest for building the case, I would suggest having a look at the following blogs that directly refer to the value calculators and explain how to leverage them:

In addition to these tools, I would also suggest having a look at customer case studies where other organizations provide their insights on what worked well, but also lessons learned on what maybe didn’t. And this often includes creating a business case.

There are of course many GRC conferences around, but I have a strong personal bias and would therefore personally recommend the 2 that I get most involved in:

  • International Conference on Internal Controls, Compliance and Risk Management presented by SAP and TAC Events

  • SAPinsider Governance, Risk & Compliance


Phase 5 – Develop and make recommendations


You should now have all the information needed to build the business case and calculate the Return on Investment.

The last milestone is nevertheless one of the most important ones: the “wrapper” I mentioned in introduction. In the words of design consultant Ralph Caplan “Thinking about design is hard, but not thinking about it can be disastrous”. The same can be said of a business case.

You may have the perfect business case, and the most sensible message, but recommendations have to be short and comprehensible.

If the figures don’t support, then so be it – at least for now. Forcing a business case will easily be spotted and impact credibility of the initiative.


Phase 6 – Measure expected and actual ROI


We’re now on the last phase: the project has been approved, implemented and has actively been used. It’s time to monitor the outcomes.

I would suggest a very simple approach: reuse the very same KPIs and recalculate all the benefits, but this time with observed data – not external benchmarks. Does this still match your ROI calculation?

If not, what area is still lagging and what could be the root cause?

All problems have solutions, but ignoring it won’t make it go away!

Is there anything else you think I should have included in this blog? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard