GRC Tuesdays: How To Calculate the ROI of an Integrated Risk and Control Platform to Justify Investment
It has been over two years now since I released the first blog of the GRC Tuesdays series – Creating a Business Case for a Governance, Risk, and Compliance Solution and I have since received many requests for a more in depth post, with more illustrations and actionable advice.
I have therefore decided to release this new blog, building on a great presentation that was delivered by my colleagues Michael Heckner and Vincent Doux from the GRC Centre of Excellence in EMEA-North some time ago.
Calculating the Return on Investment (ROI) of an initiative is of course a key component of any business case, but I also wanted to provide a more holistic view of the process and touch on some aspects that are often afterthoughts but are key success factors.
Phased approach to building the business case for an integrated risk and control solution
Presentation of a fact often has as much weight as the fact itself. All things being equal it shouldn’t be that way, but that’s the reality. As a result, I wouldn’t suggest simply going to Management with an Excel spreadsheet of what it costs to run a process today and how much gain could be achieved with a solution. This is of course a logical approach, but it might need to be packaged in a pretty wrapping paper. Especially if Management don’t have a full picture of the process.
I would rather suggest progressing in a phased approach as per below:
Phase 1 – Describe challenges & identify options
This first step really focuses on the introduction of the investment request. Why are we even discussing this today?
In my experience, there are 2 ways about it when it comes to risk & control topics – and they are not exclusive:
- Reducing the cost of running the mandatory process (documenting and performing internal control over financial reporting, identifying and responding to material risks, etc.)
- Getting to a higher degree of maturity level, and maybe even set the best practice in the industry (automating the control testing, notifying the risk owners in case of a negative trend, etc.)
The control, compliance and risk process is iterative in nature in the sense that there is no defined finish line. Indeed, the business landscape evolves continuously, and so does the regulatory context of course. As a result, the picture below is a perpetual cycle from documentation to reporting and back to documentation:
Following this process, below are some of the common direct costs that are most often raised in relations to risk & control activities:
Ø Maintenance of risks and controls
Ø Update of the audit universe
Ø Maintenance of task recipients
Ø Scheduling of the assessments
Ø Planning of the audits
Ø Sending of reminders and escalations
Ø Assessment of risks and controls
Ø Mitigation of issues
Ø Performing of audits
Ø Investigations of alerts and anomalies
Ø Management of incidents
Ø Follow-up on recommendations
Ø Review of action plan updates
Ø Review of notifications and alerts
Ø Consolidation and harmonization of information
Ø Report preparation and sharing
Maybe (hopefully!) not all will apply to your organization, but this list could help you get started with some ideas.
Of course, there are also indirect costs that can be taken into account such as slowing down or even blocking business operations for instance and these could also be factored into the business case.
Phase 2 – Perform cost & benefit analysis
Now that the decision makers have been presented with the costs of running the process, it’s time to work on the Return on Investment of automating the process via a software solution.
Let’s start with identifying the cost of the solution:
- Cost analysis for an integrated risk and control platform
|Software||Perpetual license for Acquisition or 3-year subscription|
|Maintenance (if Acquisition)||3-year maintenance fee|
|Hardware (if On Premise)||€x|
|External resources (implementation)||€x (if fixed contract)|
|Internal resources||# hours * hourly rate|
|Strategic consulting (methodology)||# hours * hourly rate|
|Training||# hours * hourly rate|
|Ongoing support & help desk||# hours * hourly rate|
|Total TCO cost €x|
As an analogy, this would be on the right hand side of the P&L but a software solution will also be able to bring benefits for both cost reduction and process improvements. Hence both of the aspects of the challenges listed in phase 1:
- Cost reduction benefits
|Harmonized master data||# of central risk and controls * # updates * hourly cost to maintain them|
Scheduling of tasks (control and risk
|# of tasks being automated * frequency * hourly cost to send them to recipients|
|Automated reminders and escalations||# of tasks being automated * average # reminders sent * hourly cost to send them|
|Automated task recipients mapping||# recipients (control or risk owners) * hourly cost to maintain them|
|Duplicate controls||# controls removed * effort in hour * hourly cost to perform them|
|Duplicate action plans||Cost of implementation of risk response * # of duplicate risk responses|
Automation of preventative responses
|# manual controls automated * effort in hour * hourly cost|
|Audit fees||# hours previously spent on audit preparation phases – new effort in hours|
|Non-compliance events||# of non-compliances identified by Audit * average cost to remediate them|
|Real-time anomaly detection||# of anomalies identified after the fact * cost of associated loss|
|Insurance coverage||Current cost of insurance coverage based on outdated estimates – Updated risk exposure level (inclusive of mitigations)|
|Standardized reporting||(# of hours to collect information + # hours to harmonize it + # hours to consolidate it) * frequency of reporting|
|Total benefit for cost reduction €x|
- Process efficiency benefits
|Contributors’ administration||# hours transferring tasks to new stakeholders due to role changes|
|Support||# hours responding to identical questions on process|
|Time savings for assessments/ratings||(Previous evaluation timeline – New evaluation timeline) * # risk and control assessment cycles|
|Time savings for incident documentation and follow-up||(Previous incident documentation effort – New effort) * # incidents reported|
|Action follow-up||Effort to list actions pending * Time spent finding owners * Time spent sending reminders|
|Response automation||# hours spent updating risk responses * # controls OR policies assigned|
|Exception monitoring||# hours spent monitoring risks and controls that haven’t evolved|
|Single source of truth for audit||# of hours spent extracting risk & control information for internal/external audit * # requests|
|Increased audit productivity||Investigation effort in hours * # of data points manually analysed|
|Time to market of new policies||# hours spent disseminating policies * # new/updated policies|
|Visibility on policy acceptance||# hours spent gathering policy acceptance * # new/updated policies|
|Classification of false positive||# hours investigating false positive * # occurrences|
|Realtime calibration||# hours spent documenting and running business rule simulations|
|Real time risk and control information||# of requests to provide risk and control information * # standardized reporting|
|Alignment of risks with business objectives||Effort to tie back enterprise risks to business strategies and objectives|
|Total benefit for process efficiency €x|
- Qualitative benefits
Not all benefits can be easily quantifiable, but some qualitative benefits may appeal even more to executives than the quantitative ones mentioned just above. Especially if they address the “Company Governance” aspect.
I would therefore suggest also mentioning the ones that are most relevant to your organizational context such as:
|Reduced earnings volatility||Higher share price multiple|
|Increased transparency||Improved governance ratings|
|Increased investor confidence||Increased access to capital|
|Improved control design||Reduced elapsed time to decisions|
|Consumer confidence||Increased market share|
|Increased employee participation||Higher employee collaboration and morale|
|Predictive insight into risk drivers||Increased innovation and opportunity|
|Increased insurance coverage||Insurers offer more coverage for a given risk|
Phase 3 – Identity risks and mitigation
As for any project, there are of course inherent risks.
Here, they would most likely relate to the fact that the software wouldn’t deliver on its ROI promise and a root cause would simply be that users do not adopt the tool and that it is therefore not being used as intended.
The other main reason could be that the data in the tool is inaccurate and this could be due to import of old legacy – and no longer relevant – data.
For the first risk, I would suggest involving key users – such as the “Risk and Compliance Champions” for instance so that they can be an integral part of the selection process for the right software for your company. They will also carry the word out, and will most likely defend the project since they were stakeholders.
For the second risk, I have already addressed it during a previous blog so I would simply suggest having a look there: Governance, Risk, and Compliance and the Data Debt – a Conundrum That Can Be Solved
Phase 4 – Collect external benchmark information
“What have others achieved before?”. This is a typical question in any business case analysis, and understandably so.
Since this is by no means a simple task, we at SAP have decided to make dedicated tools available for customers (but also partners or any other interested party since they are publicly available) to be able to benchmark potential outcomes.
Depending on your area of interest for building the case, I would suggest having a look at the following blogs that directly refer to the value calculators and explain how to leverage them:
- Building The Case For Your Internal Control and Compliance Solution
- Building The Case For Your Enterprise Risk Management Solution
- Building The Case For Your Internal Audit Solution
In addition to these tools, I would also suggest having a look at customer case studies where other organizations provide their insights on what worked well, but also lessons learned on what maybe didn’t. And this often includes creating a business case.
There are of course many GRC conferences around, but I have a strong personal bias and would therefore personally recommend the 2 that I get most involved in:
- International Conference on Internal Controls, Compliance and Risk Management presented by SAP and TAC Events
- SAPinsider Governance, Risk & Compliance
Phase 5 – Develop and make recommendations
You should now have all the information needed to build the business case and calculate the Return on Investment.
The last milestone is nevertheless one of the most important ones: the “wrapper” I mentioned in introduction. In the words of design consultant Ralph Caplan “Thinking about design is hard, but not thinking about it can be disastrous”. The same can be said of a business case.
You may have the perfect business case, and the most sensible message, but recommendations have to be short and comprehensible.
If the figures don’t support, then so be it – at least for now. Forcing a business case will easily be spotted and impact credibility of the initiative.
Phase 6 – Measure expected and actual ROI
We’re now on the last phase: the project has been approved, implemented and has actively been used. It’s time to monitor the outcomes.
I would suggest a very simple approach: reuse the very same KPIs and recalculate all the benefits, but this time with observed data – not external benchmarks. Does this still match your ROI calculation?
If not, what area is still lagging and what could be the root cause?
All problems have solutions, but ignoring it won’t make it go away!
Is there anything else you think I should have included in this blog? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard