This guide is designed to assist organisations in their approach to creating a worthwhile and compelling business case to invest in GRC software.
Every organisation is different, but the majority of points will be relevant to most – Remember the key to a successful business case is relevant, supportable facts which enable the stakeholders to reach an informed decision, so ensure you take the time to research and communicate these facts clearly and concisely.
Examine your current approach
It’s important within your business case to provide an outline summary of how your current GRC process works, what is involved and who is involved directly and indirectly (this may be a surprise to others within the senior or executive team). List the systems involved, the key deliverables required by the business/ regulatory regimes and why they are needed.
Outline the issues with current approach
Deliver an honest and detailed appraisal of your current approach listing the areas of deficiency, the risks these bring to the business and offer up clear examples of how and when things have gone wrong – Including where possible tangible impacts (time / cost / reputational damage etc.)
Detail the current costs
Many organisations find it difficult to easily identify and attribute the appropriate tangible and intangible costs associated with their current GRC process. This in part is down to the fact they have a silo approach for each of the key elements across the business and that these elements are managed with a disparate architecture (multiple systems or simply multiple spreadsheets). But there are other not so obvious elements that need to be factored in too.
Once you have refined that list of costs you should include them in a simple Return On Investment (ROI) calculator along with the cost of your proposed new GRC platform (An example Excel ROI calculator can be downloaded here. This will give you a firm foundation for making the argument to change.
The organisational costs to consider when creating your business case
Staff Costs
This includes the direct costs of those involved in supporting the existing processes, systems or technologies. How many people are required to inform and chase others to update and collate data from different sources; review and analyse information and produce outputs?
Where possible highlight the inefficiencies that exist within the current system, for example:
“It takes 5 days every month for the Risk Manager and his colleague to chase risk owners to update their registers / controls & actions. Only then can they commence the 2-day process of collating data from each spreadsheet to produce the quarterly risk committee report.”
This represents 14 working days which likely go beneath the radar. The risk committee and senior management are happy to get the report on time but are unlikely to ask how much resource it takes. To go deeper, the above highlights the 14 days spent by two members of the ‘direct’ GRC team. What about the 30 people they were chasing (the contributors)? how much of their time could be saved with a more streamlined update process and technology?
When attributing staff costs, ensure you are looking at the people ‘directly’ involved in GRC functions but also those ‘contributing’ across all functions to capture a true reflection of cost.
Consider these activities:
- Risk creation / update / review / analysis / report creation
- Control testing / review / creation / analysis / report creation
- Action update / review / creation / analysis / report creation
- Event / Incident Logging, triage, investigation, mitigation, root cause & remedy, report creation
- KPI / KRI creation / updating / analysis / report creation
- Audit planning, execution, distribution of recommendation actions and follow up to completion, reporting
- Compliance assessment, linking evidence, GAP analysis, corrective actions, reporting
- Pulling all of the elements together periodically to include in reporting
IT Costs
IT costs include the cost of subscriptions, software, hardware, implementation, maintenance and support (both from internal and external resources). Quantifying these costs again can be a challenge, so ensure you consider the hidden costs like:
- How much time do IT staff / contractors allocate to GRC systems or processes?
- Outsourced IT costs
- Consultants
As many organisations utilise a silo architecture, this means costs can multiply very quickly when looking at each of the silo components, platforms or approaches. Each one requires its own set up, purchase, upgrades and support.
It’s OK we use Excel for everything…
Do not be fooled into thinking that a disparate approach using MS Excel means that none of the above applies:
- How many spreadsheets are in operation across the business that have an impact on GRC? (Risk Registers, Controls, KRIs, Compliance Frameworks, Audit Schedules, Audit Recommendation actions, Events/Incidents etc.)
- Were they all created by the same person?
- Was that person sufficiently capable of creating a fit for purpose business tool that could have ramifications on the CEO/CFO if assurance failings are found?
- How often are they checked for errors?
- If the spreadsheet goes wrong, who fixes it? Who else knows how it works? (for complex spreadsheets)
- How confident are you that you can quickly and easily get the most up to date position on all GRC matters in one place?
We could go on and on, there ARE plenty of hidden costs in using such tools.
Inefficient Processes & Operational loss events
It is paramount that we look at all possible costs during the business case process – inefficiencies in the current approach and operational loss events are key to understanding the real cost of an existing method of working.
Look back over the last 12 months (or more)- has there been any loss events that have occurred which have critically impacted the business?
- Key Business / Communication system downtime
- Supplier or Partner liquidations
- Reputational damage (equating to market cap losses)
- Fraud
- Loss of key staff
- Regulatory fines
Looking back over 12 months (or more) has there been any ‘near misses’? These are just as valid as actual events to include in a business case. You could provide an estimate of potential impact (£s) based on the likelihood of those near miss events becoming future occurrences
Note: If you cannot identify and quantify these loss events / near misses, then this in itself shows a deficiency in your current process and could be costing many thousands of pounds by you not being able to learn from past events through root cause analysis.
Presenting your business case
All successful business cases share one thing in common- they are able to communicate and relate the key issues and potential impacts directly to the core benefits of a newly proposed solution. By doing so, the business case is demonstrating value, and it is that clearly defined value which enables key stakeholders to reach an informed decision in the best interests of their organisation.
By gathering all the relevant information together through the above steps, we can then look at presenting this information. For example:
- An overview of the current situation to provide context and understanding
- Summary detailing the issues and challenges of existing approach
- Cost breakdown of existing approach
- Overview of key benefits of the proposed new GRC solution
- Return on investment calculation
Duncan Graham
Duncan has worked as product lead for Pentana Risk for over a decade. He has helped hundreds of organisations achieve an integrated approach to Strategic Execution, Corporate Performance, Governance and Risk Assurance. He has gained significant insight through working with a diverse customer portfolio, and utilises this knowledge in his approach to solution design and discovery workshops to ensure successful customer outcomes.