Over the years, SAP solutions for governance, risk, and compliance (SAP solutions for GRC) have evolved to become more comprehensive and flexible. They can be used to address risks by aligning and optimizing strategic, financial, and operational objectives and initiatives with GRC requirements. This can help lower costs by eliminating duplicate and fragmented risk activities, automating risk processes, and enhancing the ability to prevent, identify, and respond to risks.
When it comes time to present the business case for your next GRC project, what points will best communicate the benefits to your stakeholders? Developing a thorough, convincing business case for investment in SAP solutions for GRC is a critical step to achieving the full value of these projects. This can help you overcome organization alignment issues and adequately prioritize your project against other company initiatives.
Establish a Foundation
In establishing a solid foundation for implementing SAP solutions for GRC, it is important to remember that GRC challenges are seldom the sole result of technology shortcomings. The business case should address the following elements:
Governance is comprised of organizational and strategic initiative alignment; development of a long-term strategy and roadmap; and definition of ownership, accountability, and performance indicators. SAP solutions for GRC can help enable an enterprise-wide central risk and control framework, which can lead to improved risk coverage and visibility, the removal of costs associated with maintenance, and the execution and performance of similar controls. Establishing a steering committee to clearly define the organization’s compliance and regulatory requirements is a critical success factor. Incorporating multiple organizations and initiatives into the business case can increase the overall value proposition and make an investment in SAP solutions for GRC more attractive; however, this also requires agreement and buy-off on organizational alignment. This is an example of a long-term approach that could be executed across multiple phases or years, but be rolled up into one business case.
includes a cross-functional and multi-regulation end-to-end perspective. It also considers integration between top-down and bottom-up activities, as well as differentiation between routine and one-time activities. SAP solutions for GRC can help integrate enterprise risk management (ERM) with controls associated with multiple regulations and owned by multiple functions. This can increase the overall value proposition in the business case by improving visibility into inherent versus residual risk, but it also requires changes to process design and involvement of multiple functions.
In establishing a solid foundation for implementing SAP solutions for GRC, it is important to remember that GRC challenges are seldom the sole result of technology shortcomings.
People includes talent management and takes into account effectively balancing resources and their associated costs across geographies, processes, and initiatives. SAP solutions for GRC can help centralize multiple compliance frameworks and automate routine compliance activities so they can be executed in a lower cost location. This can allow you to incorporate labor arbitrage savings into the business case.
Technology includes effective and efficient enablement of governance, process, and people, using automation, optimization, and standardization. SAP solutions for GRC can be used to replace other technologies currently in place that support activities in the previous examples, and the cost of maintaining these technologies can be incorporated into savings in the business case. They can also improve existing processes with continuous monitoring capabilities, resulting in additional efficiencies and cost savings.
Identify Compelling Drivers for Change
The business case should clearly identify compelling drivers for change across risk, value, and cost objectives. The identified drivers should also help support the timing for the business case — that is, why it is critical right now. Drivers typically fall into these categories:
Recent significant changes, such as regulatory updates, acquisitions, divestitures, entry to new markets, and new direction set forth by the board. The need to integrate a recently acquired company, for example, may require updates to existing risk management approaches and practices, which can be supported by SAP solutions for GRC.
Strategic objectives and transformational initiatives, such as process standardization or cost reduction initiatives. Process standardization efforts, for example, can help demonstrate the need to optimize existing risk and control processes. SAP solutions for GRC can help remove compliance costs by standardizing and optimizing risk and control activities across the organization — thus aligning the business case to existing strategy.
Business models and challenges, such as a decentralized operational model or existing control issues. Existing control issues, for example, can help establish the need for centralized reporting and proactive risk identification, which can be enabled by SAP solutions for GRC — further supporting the timing for the business case.
Develop Goals and a Clear Roadmap
Developing goals and a roadmap with clearly defined milestones is a critical component of a successful business case. The goals define your final state, and the roadmap visually communicates how long it will take to reach that state, as well as the general approach for getting there. Milestones are critical to establishing “quick wins” along the way, enabling faster benefit realization. The following actions are typically taken into account:
Understanding of the current state, which assesses the relevant governance, process, people, and technology elements. This might include multiple risk processes that are not fully integrated and are supported manually or by different technologies.
Defining the final state, which envisions the desired goal, such as one central and cross-functional risk process automated through SAP solutions for GRC.
Developing a roadmap to move to the final state (see Figure 1).
Size the Opportunity
Perhaps one of the most challenging components of the business case is sizing the opportunity. Some dollar amounts required for analysis are fairly easy to obtain — for example, external audit cost. Others, like the cost of control execution by the business, require estimations and assumptions. It is important to document the formulas and assumptions used, and also to define the approximate period of payback aligned to the milestones in the roadmap. Using a formal benefits management methodology throughout the process can help track changes and impacts. Consider the following elements:
Current cost, which includes all relevant costs associated with governance, process, people, and technology, such as internal audit cost, external audit cost, cost of remediation, cost of control design, cost of control execution, and cost of software support.
Projected annual savings, which identifies one-time as well as continuous savings and should leverage the same categories as current cost.
Investment cost, which identifies the amount required to fund the business case.
In addition, incorporating existing business cases from peers, especially those who have begun to see payback, can help further validate the business case.
Position Your Company for Long-Term Success
Once your company decides to move forward with your SAP solutions for GRC project, it is essential that you position yourself for long-term success. EY can help by assisting companies in finding the right executive sponsor to support strategic alignment of the project, defining strategic objectives and scope, developing an implementation roadmap, and more. Every engagement is supported by industry-specific content and unique enablers, as well as a dedicated team with practical experience in process, risk, and technology disciplines. To learn more, visit www.ey.com/us/grc or contact firstname.lastname@example.org or email@example.com.