Lilliana Grbic

Show Me the Value: Actionable Advice for Justifying Your GRC Investment

In many organizations, the CFO is turning into a top technology investment decision maker, according to a recent Gartner research survey[1]. And despite slow economic growth, CFOs expect conservative, steady IT spending in the years to come.

What does this mean? That with more financial oversight and control of the IT function, investments in the latest technology advancements – including in-memory computing, cloud, mobile, and social – will require a more structured financial analysis for approval. An investment in the latest governance, risk, and compliance (GRC) technology is no different.

Companies approach the evaluation of an IT investment in different ways. The use of benchmarks or a return on investment (ROI) approach tries to apply an objective structure to determining the value, but intangible benefits are always hard to quantify. How do you assess the value of risk management in preserving your brand reputation? How does operational safety or continuation equate to financial benefits?

An effective GRC program that balances risk and opportunity helps reduce the costs and effort needed to proactively prevent risk events and compliance violations while allowing your organization to maximize opportunities. These same benefits – saving time, cutting costs, and reducing risks – will serve as inputs for calculating an ROI, creating a business case, and using benchmarking that will all help you justify the investment.

Where To Find GRC Value

You want to evaluate your GRC project based on costs and expected savings. Look for ways to identify how the project can contribute to your strategic and tactical business goals and then focus on what the GRC investment returns to the enterprise – mitigation of risks, reduced compliance costs, and more.

In the case of GRC, you can look for value in a number of areas, including:

  • Strategic – brand value, long-term effects, sustainability
  • Risk – what happens to your ability to operate or compete if you don’t do it
  • IT – ease of use, training needs, ability to support
  • Organizational – streamlined, centralized, ownership, accountability
  • Financial – bottom line, profitability, penalties
  • Operational – downtime, safety, continuation, efficiencies, training

If your GRC project focuses on process control, will it reduce your testing effort and costs? Provide real-time visibility of control effectiveness? Improve executive confidence with enterprise-wide control? For access control, will it streamline user access administration? Improve segregation of duties? Lower your audit costs? And for a risk management project, will it preserve your brand reputation? Increase product quality, integrity, or safety? Improve visibility into issues and remediation status?

The goal is to find the value and create a calculation that can be used against other investment benchmarks, such as net present value (NPV), internal rate of return (IRR), or a payback period.

Develop a Business Case

A business case helps executives further understand the scope, deliverables, commitments, and expected benefits of the investment. A full business case includes a high-level assessment of the strategic, financial, and operational value of the investment. For an investment in GRC, the business case can cover fraud losses, audit costs, IT costs (including hardware, licenses, and implementation), and ongoing maintenance, management, and support costs.

SAP Business Consulting has refined how it develops business cases into five distinct steps:



The most successful organizations also use benchmarking to guide GRC investments. Fortunately, SAP makes it easy to get benchmarking data. For example, SAP Value Engineering, launched in 2004 with America’s SAP Users’ Group (ASUG), serves as a forum to exchange metrics and best practices. It is now one of the largest benchmarking programs in the industry, covering 26 processes, with 3,500+ participants from more than 1,500 companies. You can use benchmarking data to identify your top key performance indicators (KPIs) and compare your performance against industry peers.

Next Steps

Analytics Services from SAP can help you develop a full business case for your governance, risk, and compliance improvements. For more information on how Analytics Services from SAP can help unlock the value of your GRC investment while lowering risk and exposure, visit us online.

Where do you see the biggest cost savings from enhanced GRC?

[1] “Top 10 Findings From Gartner’s Financial Executives International CFO Technology Study,” May 2012, John Van Decker, Research VP, Gartner.
