Does GRC pay off? – Building the business case
Governance, risk and compliance (GRC) management is becoming more integrated across an expanding set of use cases.
The main aspect that integrates the needs of all business stakeholders is better business performance. Building the business case for highlighting the business value is fundamental in getting buy-in and achieving a sustainable GRC program.
Companies originally developed isolated GRC programs as a reaction to strict government regulations and operational risks. As these programs became the norm, GRC became a term associated with narrow silos of the business such as IT, Legal and Finance. This silo approach often leads to the fundamental challenge of missing connections between Management objectives and risk, hence creating no value for the organization. This is especially true of the ability to align risk appetite across the organization when growing organically or through acquisitions.
Experience shows that organizations that are able to manage GRC as an integrated program are more successful as it helps accelerate organization readiness and improve business performance. This includes effectively addressing core elements of strategy, design and implementation.
Before building a GRC program that is capable of meeting stakeholder needs, the necessary budget and leadership support must be obtained. The following focuses on key benefits and considerations when building a business case, detailing the essential elements of costs, benefits, risks and return on investment. An essential element is to dispel the myth of GRC being a necessary evil. Instead, it should be seen as an opportunity to frame risks in such a manner that strategic decisions are improved and business performance is increased. In other words, by using risks as opportunities, Management decision-making will improve and hence increase the return.
Three categories of Business Values
Due to the nature of the transformation, the GRC business case should ideally aim at the highest level of the organization. Management objectives such as improved oversight, greater business performance, greater control efficiency and value creation should be in focus.
The benefits of the associated operational objectives can be classified in the following three categories:
- Efficiency improvements. This is considered the most recognized and tangible benefit. In addition, elements of this benefit are automated control performance and risk management. Reduction of control and risk management efforts has proven to be on a scale which will self-finance an implementation project within the first year. This includes hours saved on risk and control work, payroll savings from avoiding staff increases and reduction of external audit fees. Future efficiency gains associated with growth are also contained in this objective (e.g. efficient framework rollout, and marginal cost reductions compared to non-integrated GRC approaches).
- Risk reduction and corporate ownership. Ability to reduce likelihood and impact of risk events (residual risk) and improved compliance. This should be a critical element in any GRC program. Benefits to consider in a business case should include improved compliance (fewer audit findings, regulatory enforcements and lawsuits), more tolerable risk treatment (prioritized and faster remediation) and more effective risk posture (lower cost of capital, insurance premiums and external audit fees). Improved cultural ownership of risks and controls is obtained when insights are shared and the vision is clear.
- Better strategic decision-making and performance. With a transparent real-time overview of violations and risk events that interrupt business processes, a GRC platform can facilitate continuous process improvements. Root cause analysis can identify risk indicators and improve process flows and efficiencies, directly improving the top line. This includes greater oversight and a more informed basis for decision-making. Information will be timely and more relevant, empowering managers to align decisions with corporate strategy.
Changing common perceptions of GRC as a reactive, non-value-adding function is not an easy task. For most GRC programs, getting executive and board support requires goals to be tangible and metrics to be defined; furthermore, the leverage of new technologies must be demonstrated. Risk Management may be a frequent topic among senior leadership, but they will still not allocate resources unless the business case is clear and clearly articulated. We argue that the operational side is equally important; studies show that human acceptance of change is closely linked to convenience and understanding of purpose.
Using the right technology can drive better business outcomes
The level and type of benefits the GRC program demonstrates are dependent on the right technology solution and how it integrates with processes in combination with the overall maturity of the GRC framework. For instance, if risks are managed in spreadsheets, it is nearly impossible to track risks consistently across the organization and get to a point where data can be leveraged for strategic insights.
Technology can help mature the overall framework, processes and increase operational acceptance by leveraging convenience and insights to the end users. Once the GRC program matures, more advanced GRC capabilities can be enabled and better performance and value achieved.
Focus on the integrated GRC vision is key
GRC programs and their outlined vision cannot be achieved without full support and participation across the organization and the agility to adapt to changing requirements and market environments. As much as possible, there needs to be a relentless focus on the strategic benefits that will secure the long-term interest and support needed.
An appropriate GRC business case needs to address and include the following:
- Emphasize GRC and business flexibility. An important consideration of any investment is the flexibility and scalability of the chosen solution and program. This includes the ability to take full advantage of future opportunities. The business case should include a road map for how the scope could be extended into related risk functions such as GDPR, third-party risk management, cyber risk etc. The strategic benefits of integration between risk areas should consider how GRC technology can improve the outcome of business initiatives, e.g. how an integrated GRC solution can support and enable a smoother and more effective integration of business partners and newly acquired entities.
- Quantify and track maturity gains to justify capital investments. To demonstrate that the GRC investments are paying off according to plan and that benefits are realized effectively, a framework needs to be in place. Being able to track maturity gains using maturity scores will help translate improvements into measurable metrics for stakeholders.
- Drive GRC program support and participation. A key indicator of an effectively integrated GRC program is the ability to create an active, agile and risk-aware workforce. Improved cultural ownership of risk and controls is obtained when insights are shared and the vision is clear. This requires buy-in and participation from key stakeholders and employees across the organization. The business case should be based on a road map; both short- and long-term key stakeholders should be mapped out. By doing so, use cases and benefits can be tailored in order to get the necessary buy-in and awareness that can promote the business case.
- Use efficiency gains for scope expansions. Previous experience has shown that the return on investment (ROI) for implementing GRC technology is definitely there, and it is usually achieved within the first year. However, an exclusive focus on cost reductions could risk positioning the GRC initiatives as a back-end cost center. In order to reach the set-out vision, focus should be on how organizations can do more for the same.
GRC is no longer only for risk management. GRC must connect management objectives and risks by supporting decision-making throughout the organization. GRC is about delivering insights for managers to take better decisions by exploiting risks.
This vision for GRC, though, is not easily convincing at first sight; a business case with tangible measures is fundamental to a successful transformation. It must address not only the traditional gain in compliance assurance, but also efficiency (cost of controls) and improved decision-making by managers and across the lines of defense (governance).
Our experience shows that efficiency measures are usually met within the first year following the implementation of GRC. We also find that utilizing technology in the implementation greatly increases the corporate ownership of risks and controls, by delivering insights in a convenient and aligned way – reaching a converging understanding of risks and their possibilities.
The ROI is clear, but emphasis needs to be placed on the right strategic benefits that will secure the necessary flexibility and participation on the journey. Using the right technology will help accelerate the maturity journey. This helps create the risk-awareness culture and it helps organizations reach the point where risk data can be used for strategic insight – creating a competitive advantage.