In the previous blog we talked about how automation can help risk management. Once the business has been convinced of the benefits of automation the next logical step is to get approval of the budget. This blog explains how to calculate the ROI of the automation solution.
While each industry is subject to different regulations, and even organizations in the same industry may have their own approach to risk management, the information below will apply universally to all organizations.
First and foremost, every successful business case should be based on relevant information supported by facts and communicated in a clear concise manner to enable stakeholders to reach an informed decision.
- The starting point should be the outline of your current risk management processes, how they work and come together and which department, team and induvial is involved both directly and indirectly. This will help set the scene and form the foundation of formulating a cost benefit analysis. In addition to the people and processes be sure to include technologies and point solutions currently supporting the workload. Finally, include the regulatory and business drivers including the results of failures and their costs.
- The next step should provide a detailed, fair and balanced view of the current scenario – identifying gaps and deficiencies of the current environment together with the related risks posed. Where there is data available include examples of when things have gone wrong and their impact in terms of time/cost/reputation and so on.
- Thirdly, identify in detail the direct and indirect cost of all the people, processes and technologies supporting the current environment.
This may sound like a daunting challenge to begin with, especially, if risk management is currently performed in departmental, divisional or functional silos which is the case with many organizations early on in their risk maturity journey.
The direct costs will be self-evident; however, it is important to perform detailed research speaking with all current stakeholders to ensure the indirect and not so obvious elements are included too.
A few pointers –
- When considering staff costs, in addition to including people directly supporting the existing environment remember to include the resources required to chase, update, collate, review and analyze the information. Taking this approach will also help identify and demonstrate the current inefficiencies.
- Eg. The production of a quarterly risk committee report may only require 2 days each for a Risk Manager and his colleague but the fact that it took them 5 days each month chasing, collating, reviewing spread sheets to ensure the data sets were complete and that the underlying data was not corrupted or duplicated, needs to be included in the cost calculation. Similarly, include the opportunity cost of the time that could have been spent on value added work by the contributors
- Create a list of all the activities and apply the approach in the example above to help you arrive at the true cost of the current process for each activity.
- IT costs should include both internal and external resource expenditure. Aside from direct IT manpower, be sure to include cost of hardware, hosting, subscriptions, software, security, maintenance and support of the current systems. Often in siloed approaches this will mean many of these costs are being duplicated over and over across departments, divisions and functions leading to an exponential waste of valuable resources that could be redeployed elsewhere.
- Hidden costs of operational incidents over the last 2 years or more should also be considered if they were as a result of inefficiencies of the current process. Incidents and events that critically impacted the business such as regulatory fines, fraud, loss in market cap due to reputational damage, supplier incidents and so on.
Remember to include estimated costs for potential events. Even if you are unable to quantify near misses, they can be used to further support the case for automation by demonstrating the ineffectiveness of the current system due to the inability to learn through root cause analysis.
Once you have gone through the above steps you should be in a position to present a successful business case which communicates the key issues and their potential impact to the main benefits of the proposed solution.
A typical proposal should include:
- Overview of the current environment to help level set and frame the problems
- Issues and challenges posed by the current approach
- Quantitative and qualitative costs both actual and potential of the present environment
- Key benefits of the proposed IRM solution
- Calculations showing the return on investment
A business case that includes the above steps and recommendations will clearly demonstrate value and enable key stakeholders to reach an informed decision.
In the next blog we will help decipher the characteristics of a best in class integrated risk management solution.
To learn more, request a demo, discuss a free trial proof of value or simply start a conversation drop an email to firstname.lastname@example.org.
Share This Blog
What should a good GRC framework and architecture include?
The pandemic has shown how businesses are complex, interconnected and constantly evolving.
How to Build a Strong FCPA Compliant Compliance Function – 8 Core Components
All businesses irrespective of size face some degree of compliance and it has never been...