Creating A Business Case For A Governance, Risk, And Compliance Solution

Thomas Frénéhard

Part 9 in the “Controls and Risk Management” series

A few years ago, I published a blog that generated over 8,500 views and many offline comments: “Return On Investment For Your GRC Program, Anyone?”

Even if most of it is still applicable, it is time to revisit this topic and make it more relevant in today’s context.

I’m not going to revisit the definition of ROI, as this part hasn’t changed. I would still define it very simply as the outcome of an investment – hopefully positive, of course.

As the saying goes, “You have to spend money to make money.” And in case you wonder: yes, it’s possible to make money (or at the very least, save some) by leveraging a governance, risk, and compliance software solution. But if you are reading this blog, you probably already expected that.

The million-dollar question (figuratively for some organizations, but also very literally for others) is how and where?

As for any project, there are two types of benefits that a company can expect:

  • Quantitative: These will be easy to track and to include in an ROI-type assessment.
  • Qualitative: Here, it’s really a question of perception as to what is important to the organization. Qualitative aspects are typically taken into account in a business case, but rarely in an ROI calculation since they are subjective by nature.

First things first: building a business case

Regardless of our business area and function, it seems that we are constantly asked to create business cases. This should no longer be an “art,” so to speak, but rather a well-oiled process, right?

Maybe not so much. Since I continue to receive requests for suggestions on the steps to follow, I thought I’d summarize them here:

  1. Describe the challenges and identify the options: Why do you need a GRC tool, for instance, and what type of tool are you looking for (just a spreadsheet replacement or something more automated)?
  2. Perform a cost and benefit analysis: Here you would define the assumptions and work with the stakeholders to estimate the total cost of running the processes today and what you think you could optimize.
  3. Identify risks and mitigation: These are the risk factors affecting the investment, including operational, financial, and technology risks, of course.
  4. Collect external benchmark information: Below, I have provided links to value calculators that may be able to help since they include benchmarks from peer organizations.
  5. Develop and make recommendations: In short, this is the result of all the above. Based on the assumptions, analysis, and benchmarks, does it make sense to opt for a software solution, and if so, what functional areas should it cover?
  6. Measure expected and actual ROI: Strictly speaking, this comes after the business case, once a solution has been selected and implemented. The intent here is to ensure that the value expected is actually being delivered.

Now, let’s add some meat on the bone. Allow me to share some of the benefits that I have come across and that you may choose to include in your analysis.

Focus on risk management

Quantitative business benefits

  • Reduction in redundant and manual processes (including reduction in risk mitigation activities)
  • Improved insurance coverage
  • Reduction in risk-reporting effort

Qualitative business benefits

  • Reduction in “operational surprises”
  • Increased visibility on overall risk exposure
  • Alignment of risk with business objectives
  • Increased confidence from executives in managing the organization

Focus on internal control

Quantitative business benefits

  • Savings in preventing incorrect payments and/or business losses due to incorrect decision making
  • Improved days inventory outstanding (DIO) and reduced excessive and obsolete stock
  • Reduction of audit fees
  • Reduction in fraud events
  • Efficiency savings

Qualitative business benefits

  • Increased data and transaction integrity
  • Improved process performance, triggering further process improvements
  • Shift from reactive to proactive decision-making

Focus on internal audit

Quantitative business benefits

  • Reduction in audit planning effort
  • Increased testing scope (from sample to full scope)
  • Reduction in follow-up activities effort

Qualitative business benefits

  • Better resource allocation based on knowledge, expertise, and availability
  • Increased focus on business-relevant risks
  • Increased value added to the business (auditors become trusted advisers)
  • No loss of information from one audit to another
  • Increased collaboration between auditors and auditees

Focus on fraud detection and prevention

Quantitative business benefits

  • Reduction in revenue loss due to executed fraudulent transactions
  • Reduction in time spent reviewing false positives
  • Increased scope monitored (from partial to full), combined with a reduction in manual effort

Qualitative business benefits

  • Improved accuracy of anomaly detection
  • Improved timeliness of screening and detection (from after-the-fact detection to real time)
  • Rapid adaptation of the detection model to changing patterns
  • Avoidance of blocking legitimate transactions for longer than needed

Don’t forget associated costs

Before I leave you for this week’s blog, I want to remind you that software doesn’t exist in isolation. As for any IT project, there are many more aspects to take into account.

I have summarized below the cost areas that should be included in any business case:

What about you: Are there other areas that you include in your business cases? Should you want to discuss this further, please get in touch on Twitter @TFrenehard.

Learn more about SAP software for enterprise risk management. This article originally appeared on SAP Community and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | Facebook | YouTube

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.