A few years ago, I published a blog on this platform: GRC Tuesdays: Return on Investment for Your GRC Program Anyone? that generated over 8,500 views and many offline comments.
Even if most of it is still applicable, I felt it was time to revisit this topic and make it more relevant in today’s context.
As a matter of fact, since this is a recurring question that we get, my colleague Michael Heckner from the GRC Centre of Excellence for EMEA North and I will be focusing on this matter during one of the pre-conference workshops of the SAP Conference on Internal Controls, Compliance and Risk Management that will take place in a few weeks, on the 3rd and 4th of March in Copenhagen.
I’m not going to revisit the definition of Return on Investment (ROI) as this part hasn’t changed and I would still define it very simply as outcome of an investment – hopefully positive of course.
As the saying goes, “You have to spend money to make money”. And in case you wonder: yes, it’s possible to make money (or at the very least save some) by leveraging a Governance, Risk and Compliance software solution. But if you are reading this blog, you probably already expected that!
The million-dollar question (figuratively for some organizations but also very literally for others) is how and where?
As for any project, there are two types of benefits that a company can expect:
- Quantitative => these will be easy to track and to include in an ROI type assessment
- Qualitative => here, it’s really a question of perception as to what is important to the organization. Qualitative aspects are typically taken into account in a business case, but rarely in an ROI calculation since they are subjective by nature.
First things first: building a business case
Regardless of the business area and function we are in, it seems that we are constantly asked to create business cases so this should no longer be an “art” so to speak but rather a well-oiled process, right?
Maybe not so much… Since I continue to receive requests for suggestions on the steps to follow, I thought I’d summarize them here:
- Describe the challenges and identify the options => why do you need a GRC tool for instance and what type of tool are you looking for (just a spreadsheet replacement for instance or something more automated?)
- Perform cost and benefit analysis => here you would define the assumptions and work with the stakeholders to estimate the total costs of running the processes currently and what you think you could optimize
- Identify risks and mitigation => these are the risk factors affecting the investment. Including operational, financial and technology risks of course
- Collect external benchmark information => here, the team is working on updated Value Calculators that may be able to help since they will include benchmarks from peer organizations
- Develop and make recommendations => in short, this is the result of all the above. Based on the assumptions, analysis and the benchmarks, does it make sense to opt for a software solution and if so, what functional areas should it cover?
- Measure expected and actual ROI => per se, this comes after the business case, once a solution has been selected and implemented. The intent here is to ensure that the value expected is being delivered.
Now, let’s add some meat on the bone here and allow me to share some of the benefits that I have come across and that you may choose to include in your analysis.
Focus on Risk Management
Quantitative business benefits
- Reduction in redundant and manual processes (including reduction in risk mitigation activities)
- Improved insurance coverage
- Reduction in risk reporting effort
Qualitative business benefits
- Reduction in “operational surprises”
- Increased visibility on overall risk exposure
- Alignment of risk with business objectives
- Increased confidence from executives in managing the organization
Focus on Internal Control
Quantitative business benefits
- Savings in preventing incorrect payments and/or business losses due to incorrect decision making
- Improved Days Inventory Outstanding (DIO) and reduced excessive and obsolete stock
- Reduction of audit fees
- Reduction in fraud events
- Efficiency savings
Qualitative business benefits
- Increased data and transaction integrity
- Improved process performance and a trigger for process improvement
- Shift from reactive to proactive decision making
Focus on Internal Audit
Quantitative business benefits
- Reduction in audit planning effort
- Increased testing scope (from sample to full scope)
- Reduction in follow-up activities effort
Qualitative business benefits
- Better resource allocation based on knowledge, expertise and availability
- Increased focus on business relevant risks
- Increased value added to the business (auditors become trusted advisors)
- No loss of information from one audit to another
- Increased collaboration between auditors and auditees
Focus on Fraud Detection and Prevention
Quantitative business benefits
- Reduction in revenue loss due to fraudulent transactions executed
- Reduction in time spent reviewing false positives
- Increased scope monitored (from partial to full) combined with a reduction in manual effort
Qualitative business benefits
- Improved accuracy of detection rate of anomalies
- More timely screening and detection (from after-the-fact detective checks to real time)
- Rapid adaptation of detection model to changing patterns
- Avoid blocking legitimate transactions longer than needed
Don’t forget associated costs!
Before I leave you for this week’s blog, I also wanted to remind you that software doesn’t exist in isolation. As with any IT project, there are many more aspects to take into account.
I have summarized below a list, not exhaustive, of cost areas that should be included in any business case:
What about you, are there other areas that you include in your business cases?
Should you want to discuss this further, please do come and meet with Michael and me at the conference, or get in touch either on this blog or on Twitter @TFrenehard.