Many organisations are held back from pursuing the benefits of an automated GRC vision by concerns about the cost, and about how the investment can be recognised as saving money in the longer term. Perhaps the benefit and return on investment is unclear, or perhaps there is internal resistance to the time and cost associated with an enterprise-wide GRC solution. Additionally, the competing priorities of key stakeholders may delay the implementation of an integrated risk and compliance solution.
If you are a supporter of GRC transformation, this post is designed to help you demonstrate to the rest of your organisation what return you can expect from investing in GRC. Take the following three meaningful steps to build your business case for investment:
- Estimate current-state costs:
  - Identify the priority risk and compliance activities that are performed daily, weekly, monthly or annually and that will be enabled by the GRC program and its supporting technology, e.g. preparing and facilitating risk assessments, performing deep dives, analysing events, testing controls and compliance procedures, documenting and aggregating results, preparing executive dashboards and reporting.
  - Identify the participants for each activity and the associated level of effort, in hours, to accomplish each activity.
  - Establish a reasonable metric for the internal cost associated with each participant. N.B. This same variable must be used to estimate future-state labour costs.
  - Calculate the total level of effort and current spend across all current-state activities.
  - Identify the supporting technologies associated with executing these use cases, and all associated technology costs, including vendor licences, infrastructure and support costs.
- Estimate future-state costs and benefits:
  - Identify the implementation costs of a GRC program initiative, including licensing, implementation partner and internal project costs.
  - For each GRC-enabled use case, document the future activities to be performed.
  - Identify all anticipated participants for each future-state activity and the new associated levels of effort. The expectation is that both the number of overall activities (e.g. reconciling data sources) and the level of effort associated with future-state activities will be lower going forward.
  - Using the same internal cost metric as in the current-state analysis, calculate the total level of effort and corresponding spend across all future-state activities.
  - Identify the ongoing annual maintenance costs, including annual vendor spend, infrastructure and support costs.
- Calculate the ROI and measure actual results:
  - Using the data from the current-state and future-state analyses, calculate the expected differential in both fixed costs (e.g. software licences) and variable costs (e.g. control testing effort).
  - Using the expected differential estimates, establish metrics for the key risk and compliance activities enabled in the GRC platform, and consistently measure the actual future-state results to determine whether the anticipated value is being realised.
The metrics could include the following:
Financial metrics:
- People: reduced manually intensive resource requirements, allowing the workforce to focus on forward-looking initiatives.
- Process: risk reduction leading to fewer penalties incurred for non-compliance; reduction of redundant control activities.
- Technology: reduced costs from eliminating multiple siloed tools, removing their licensing, infrastructure and process administration costs.
Operational metrics:
- Percentage reduction in audit findings across different compliance programs due to risk reduction.
- Percentage reduction in incidents due to early identification of risks.
- Percentage reduction in the time taken to manage the various governance, risk and compliance functions.
Determining the ROI of GRC transformation is a challenging but achievable task. Leadership will want to know whether the investment will enhance functionality and deliver business value. The steps above can help you demonstrate the financial return and make the case that the cost savings will outweigh the initial investment in GRC.
Our team at 1RS can assist you with assessing current-state programs and costs, and help evaluate future-state capabilities and solutions. As a one-size-fits-all approach doesn’t always apply, our team’s expertise can tailor a bespoke risk and compliance solution to your organisation’s specific needs, helping you to develop a realistic business case for GRC.