Many organisations are held back from pursuing the benefits of an automated GRC vision by concerns about the cost and about how the investment can be recognised as saving money in the longer term. Perhaps the benefit and return on investment are unclear, or perhaps there is internal resistance to the time and cost associated with an enterprise-wide GRC solution. Additionally, the competing priorities of key stakeholders may delay the implementation of an integrated risk and compliance solution.
If you are a supporter of GRC transformation, then this post is designed to help you demonstrate to the rest of your organisation what return you can expect from investing in GRC. Take the following three meaningful steps to build your business case for investment:
- Estimate Current State Costs:
  - Identify the priority risk and compliance activities performed daily, weekly, monthly and annually that will be enabled by the GRC program and supporting technology, e.g. prepare and facilitate risk assessments, perform deep dives, analyse events, test controls and compliance procedures, document and aggregate results, prepare executive dashboards/reporting etc.
  - Identify participants for each activity and the associated level of effort in hours to accomplish each activity.
  - Establish a reasonable metric for internal costs associated with each participant. N.B. This same variable must be used to estimate future-state labour costs.
  - Calculate the total level of effort and current spend across all current-state activities.
  - Identify supporting technologies associated with the execution of the use cases and all associated technology costs, including vendor licenses, infrastructure and supporting costs.
- Estimate Future State Costs and Benefits:
  - Identify the implementation costs of a GRC program initiative, including licensing, implementation partner and internal project costs.
  - For each GRC-enabled use case, document the future activities to be performed.
  - Identify all anticipated participants for each future-state activity and the new associated levels of effort. The expectation is that both the number of overall activities (e.g. reconciling data sources) and the level of effort associated with future-state activities will be lower going forward.
  - Leveraging the same internal cost metric as the current state analysis, calculate the total level of effort and corresponding spend across all future-state activities.
  - Identify the ongoing annual maintenance costs, including annual vendor spend, infrastructure and support costs.
- Calculate the ROI and Measure Actual Results:
  - Leveraging the data from the current and future-state analysis, calculate the expected differential in both fixed costs (e.g. software licenses) and variable costs (e.g. control testing efforts).
  - Using the expected differential estimates, establish metrics for key risk and compliance activities enabled in the GRC platform and consistently measure the actual future-state results to determine whether the anticipated value is being realised.
The Metrics Could Include the Following:
– People: Reduced manually intensive resource requirements, allowing the workforce to focus on forward-looking initiatives.
– Process: Risk reduction leading to reduced penalties incurred due to non-compliance. Reduction of redundant control activities.
– Technology: Reduced costs by eliminating multiple siloed tools; eliminated licensing costs, infrastructure costs and process administration costs.
– Percentage reduction in audit findings across different compliance programs due to risk reduction.
– Percentage reduction in incidents due to early identification of risks.
– Percentage reduction in time to manage various governance, risk and compliance functions.
Determining ROI on GRC transformation is a challenging but achievable task. Leadership will want to know whether investment will enhance functionality and deliver business value. The steps above can help you demonstrate financial returns and make the case for the cost savings that will outweigh the initial investment in GRC.
Our team at 1RS can assist you with assessment of current state programs and costs and help evaluate future-state capabilities and solutions. As a one-size-fits-all approach doesn’t always apply, our team’s expertise can tailor a bespoke risk and compliance solution for your organisation’s specific needs, helping you to develop a realistic business case for GRC.