Calculating the ROI of GRC software.

Transcription

1 Calculating the ROI of GRC software.

2 Table of Contents. Executive Summary. 2 The Importance of GRC. 3 ROI Analysis. 4 Implementation-Based ROI. 5 Procurement-Based ROI. 9 ROI Calculation. 12 Conclusion. 13 About Us. 14 Works Cited. 15 Appendix I. 16 1

3 Executive Summary. Governance, Risk and Compliance (GRC) software can provide significant value to your company. Unfortunately, because the benefits are difficult to quantify, so is making the case to implement GRC software. Having a quantifiable Return on Investment (ROI) makes it easier to build a case for upper management, who ultimately makes the final decision on implementing GRC software and which GRC platform to use. Methodology. This case bases all calculations for ROI on a sample client: a large global organization that implements a comprehensive GRC platform for their Regulatory Compliance, SOX/ICFR, Issue Tracking and Remediation, Risk Management and Audit programs. To best understand the ROI of GRC software, this case outlines two distinct types of ROI: 1. Implementation-Based ROI The benefits of a GRC software solution and the gains realized by the business as result of those benefits. 2. Procurement-Based ROI The efficiency gain resulting from using an Agile Procurement Process. All quantifiable data and statistical information related to the benefits of GRC software was found through primary and secondary research. Primary research includes our experiences with clients and the research we have done on the benefits specific to our GRC platform. Secondary research includes reports and studies from Harvard Business Review, Forrester, Michael Rasmussen, Ernst & Young and ASQ. For a complete list of sources, please see the Works Cited section at the end of this case Results. Our findings show that the total ROI, a combination of implementation-based and procurementbased benefits, is calculated at 637% of the total cost of licensing and implementing a GRC solution. Alone, implementation-based ROI is calculated at 389% of total cost, while procurement-based ROI is calculated at 346% of total costs. Conclusion. Although the benefits of GRC software are widely known, there is little quantifiable evidence of these benefits to procure and implement it. Calculating the ROI of a GRC platform for your organization may help your organization s decision-makers fully understand the extent to which a GRC program can benefit your company. Our analysis provides a foundation for creating your own business case for GRC software, as the scale of your organization and the extent of your implementation may result in a different ROI calculation than presented in our case. We suggest reviewing the sample monetary benefits and using our framework as a template to calculate your own ROI percentage. 2

4 Following the financial collapse in 2008, with product recalls, health and safety disasters, security breaches, and other disastrous risk events in the mix, we've reached an environment where organizations without formal compliance and risk management functions may fairly be considered irresponsible. The Importance of GRC. As business environments become more complex at an increasing rate, it s necessary for companies to be able to stay agile. Regulatory changes, globalization, disruptive technologies, cybersecurity, and personnel changes are just some of the challenges that companies must deal with on an ongoing basis in order to be successful. Using a GRC software solution can continually empower your organization to anticipate, respond and adapt to risk. The result is effective and efficient GRC, which as the next section explains, can be quantified to better understand the benefit to your organization. The compliance function has garnered even more attention, with colossal new regulations causing difficulties for companies in more industries around the world. In fact, when Forrester asked more than 1,800 business decision-makers from enterprises around the world to list their most important concern, a full 25% of respondents said increasing regulations is a critical issue. (Forrester 2012) 78% of companies are concerned with their ability to adapt to changing regulatory requirements and the flexibility of their current system to adapt to these changes. (Ernst & Young 2014) 3

5 ROI Analysis. GRC implementations vary considerably across industries and businesses, but there are agreed commonalities in the value achieved. We have chosen to base our analysis on a large global corporation. Outlined below are key size metrics, which provide a context to the savings figures outlined in the ROI analysis: Area of operation Global Number of employees 60,000 Annual revenue $35 billion Total assets $18 billion Business units 40 units (2-5 processes/business unit) Controls per process 8-10 Full Time Employee (FTE) Rate $120,000 salary* or $60/hour** (fully loaded cost includes benefits and other resources required for FTE employment). *Salaries can vary but the salary number used in this business case is conservative based on comparable ROI studies involving GRC solutions. **$120,000 annual salary converted to an hourly cost This business case provides a summary of all benefits realized using a comprehensive, integrated GRC platform. When you partner with Resolver, you get access to a comprehensive, integrated and readily expandable platform: GRC Cloud. Thus, we chose to base our analysis on the benefits of using a software like ours. Further, we have found that a more comprehensive GRC platform provides a higher ROI. It should be noted, however, that implementing one GRC area can provide similar benefits but at a smaller scale. In fact, many of our clients begin by implementing one area of GRC, such as Internal Control, and then expand to implement other programs as they realize the value of a GRC platform and as their business needs grow. In this case, our sample client s GRC platform supports the following programs: Compliance, Internal Control, Issue Management, Risk Management and Audit. 4

6 Implementation-Based ROI. Implementation-based ROI covers the benefits of a GRC software solution and the gains realized by the business as a result of those benefits. Implementation-based ROI is broken down into six areas. Each area explains the benefit and provides the full calculations of the quantifiable benefits. 1.1 Extended leverage beyond core users. A more efficient tool s benefits are not limited to the employees administering the organization s GRC initiatives, but extend to all employees that interact with the software. The following table breaks down the additional benefits of GRC software in the context of a global compliance employee training initiative: Number of employees required to attend training. Time saved by using an online repository with individual user login access instead of a manual process. The result being employees are able to complete training at any time by submitting their work online through a single click. Savings ($) as function of time saved (hours) and the cost ($) of a fully loaded plant employee at $30/hour* Time saved, at 20 hours per training initiative, across 300 managers. This benefit is a result of identifying and enforcing gaps (non-compliant employees) through reporting and notifications in the system. The savings to the company is calculated as a function of time saved (hours) and an hourly rate of a manager at $60/hour. Estimated at 15,000 employees. 0.5 hours saved per employee (per training initiative) Time Saved (hours) = 15,000 X 0.5 = 7,500 hours Savings ($) = 7,500 X $30 = $225,000 Time Saved (hours) = 20 hours x 300 managers = 6000 hours Savings ($) = 6,000hrs X $60/hour = $360K Total Employee Time Saved Total Efficiency Savings On Worker Compliance Program *Estimated hourly cost for a non-manager plant employee 7,500 plant employee hours 6,000 manager hours $225,000 + $ $360,000 = $585,000 5

7 1.2 Elimination of duplicate effort. By eliminating disconnected repositories that previously handled ICFR/SOX processes, the client is now able to make changes to an existing risk or control and instantly see the changes propagate throughout the system where desired. The savings resulting from the elimination of redundant/repetitive work is illustrated below: Number of processes within the company Risk/Control framework change occurs and the following three areas of manual documentation must be updated: Process Risk & Control Matrix (4hrs) Issue Log (4hrs) Testing Workpaper (4hrs) Time saved for each process is the summation of these three areas. Savings ($) = total time saved using a central repository x number of processes x FTE rate Typical number of changes to framework risks/controls during the year per process Total Employee Time Saved Total Savings Through Efficient ICFR Framework Management 100 processes Time Saved (hours) = = 12 hours Savings ($) = 12 hours x 100 processes x $60/hour = $72,000 5 changes Time Saved (hours) = 12 hours x 100 processes x 5 framework changes =6,000 hours Savings ($) = 6,000 hours x $60/hour = $360, Control rationalization. By organizing Risks and Controls centrally, it is possible to link controls that span multiple risks across different business functions. The result is a lean list of controls, which requires less time to document, maintain, execute and test. Number of controls within the company 2,000 controls Control testing overlap identification 30% Amount of time required to document, 8 hours per control maintain, execute and test Time saved on control assessments Time Saved (hours) = 600 controls x 8 hours testing = 4,800 hours Total Employee Time Saved 4,800 hours Control assessments efficiency gained 4,800 hours x $60 = $288,000 6

8 1.4 Reduction of external resource requirements. Auditing functions previously handled exclusively by external sources can now be completed by internal resources. Savings are also realized in regulatory compliance through the time saved in producing the required documentation. Access control review external audit hours 500 hours Configuration control review external audit hours 500 hours Standard external audit hourly cost $350/hour Scope of work handled by the external auditors prior to a 100% GRC solution Access control review audit time savings 67% Configuration control review audit time savings 65% Total savings as a result of reduced work required by the external auditors. As a function, total savings is made up of the costs saved from the above audit time savings. Total Savings ($) = 0.67x x500 = 117, ,750 = $231,000 Total billable hours saved = 660 hours Total savings on external audit cost $231, Efficient data aggregation, analysis and reporting. Data aggregation, analytics and reporting is where your company can realize the largest efficiency improvement. Without the use of a central database and reporting tools, producing reports for management and board level audiences is an extremely arduous and time consuming process. Using a central database and advanced analytics and reporting tools eliminates susceptibility to error and omission during manual data aggregation and enables you to generate accurate, insightful and actionable reports in seconds. 7

9 Number of reports generated per year Total reports (#) = 1 (annual) + 4 (quarterly) + 12 (monthly) + 25 (ad hoc reporting requests) = 42 reports Time to prepare a single report before GRC 40 hours solution Functions requiring reports Functions (#) = Compliance + ICFR/SOX + Issue Tracking + Audit + Risk = 5 functions Reporting generation efficiency achieved is calculated at 88% (as seen in our clients). Total Employee Time Saved Report generation cost savings per year $443,520 Time saved (hours) = number of reports x hours per report x number of functions x efficiency improvement (%) = 42 x 40 x 5 x 0.88 = 8400 hours x 0.88 = 7392 hours 7392 hours 1.6 Optimized issue tracking and resolution. Combined, an issue tracking environment and escalation workflow engine result in issues being resolved quicker. Further, a central repository prevents the duplication of work by addressing duplicate issues tracked in the system Busy Employee Clicks Link in Easily Inputs Data Done Cost of a Full Time Employee (FTE) responsible for issue tracking and issue remediation Issue remediation savings due to minimal duplication in issue tracking is calculated at 30%. Total Employee Time Saved Annual savings as a result of time savings $36,000 1 FTE at $120,000/year (fully loaded employee cost) Time Saved (hours) = 2000 hours per year (38.5 hours per week) x 0.3 = 600 hours 600 hours 8

10 Procurement-Based ROI. The Agile Software Selection Approach developed by Forrester allows clients to minimize costs from the moment the need is identified all the way through to the GRC solution being fully implemented. The following key concepts govern the Agile Procurement Approach: Cost-effectiveness: Procurement costs minimization by not issuing an RFP. Visibility across vendors: Innovative vendors are encouraged to showcase their groundbreaking solutions Configurability: Focus is shifted from rigid RFP requirements and replaced by an emphasis of the system possessing a robust configuration layer at the end user level Risk Mitigation: Mitigating risk of unsuitable vendor selection during the procurement process via: Proof of concept demonstrations Pilot programs and soft launches Adaptability: Ease of expansion to handle new functionality within the realm of GRC (non-modular framework) The Agile Procurement approach breaks down the process into stages. The concepts noted above are inherent in each of the stages and are the basis for the benefits derived. This section outlines the applicable costs and savings realized in each stage of a typical procurement process, however a more in-depth analysis and explanation of the financial numbers can be found in the Procurement Cost Analysis Diagram in Appendix I. 2.1 Cost-effective procurement. Resolver s support of the Agile Software Selection Approach, offers a more efficient software procurement approach when compared the onerous nature of a traditional RFP procurement process. Total time needed to complete the RFP procurement process (This excludes any time it takes to implement the solution) Total costs associated with a traditional RFP procurement methodology (This cost does not include and licensing/configuration costs for the selected solution) 12 to 36 months (The duration range is dictated by the size of the purchasing entity) $300,000 to $440,000 (The range depends on the size and complexity of the purchasing entity) Applicable range to our case study Our client is a multi-national corporation with over 100 thousand employees, therefore the complexity and size of the organization dictates the top level of the procurement cost range of $440,000. Total cost savings as a result of using the Agile Software Selection Approach $440,000 ***See Appendix I for a detailed breakdown of the costs 9

11 2.2 Ease of expansion into new GRC areas. Most GRC solutions are modular, meaning that expansion into new areas of GRC requires the purchase of additional modules. Choosing a non-modular solution, like GRC Cloud, provides the client with the necessary features to expand into any additional area of GRC without needing to purchase and implement additional software. The only costs of expansion are additional licenses for new users and cost of configuration. Initial implementation ICFR/SOX Strategic decision made to manage a new Client would like to configure the system to aspect of GRC handle Compliance in addition to SOX Extra software functionality purchased and $100,000 to $500,000 implemented through a new vendor Size of the enterprise dictates the maximum cost of $500,000 Cloud configuration cost and extra licenses $25,000 to $100,000 Size of the enterprise, again, dictates the maximum cost of $100,000 Savings from not purchasing additional Savings ($) = $500,000-$100,000 modules to handle new GRC area = $400,000 ***See Appendix I for a detailed breakdown of the costs 10

12 2.3 Vendor encouragement. The traditional RFP procurement process might discourage the right vendor from participating. This can result in the buyer picking from a list of inadequate software vendors. A traditional RFP procurement process can discourage vendors for the following reasons: A very high cost of sales and time commitment for the prospective vendors An internal policy where the VP of Sales does not accept RFP bids The bandwidth or resources are not available and the vendor declines participation The perception of low odds, despite having the qualifications and available resources to respond to an RFP The nature of the Agile Software Selection Approach removes the possibility of qualified vendors opting out of the procurement process. The largest reason for issuing an RFP is ensuring the solution meets the needs of the buyer. To mitigate the sunk costs of a solution not meeting the needs of the buyer after the vendor has been chosen, the client can use pilot programs or soft launches. By avoiding the costly traditional RFP procurement process and starting with pilot programs/soft launches the following sunk costs can be avoided should the solution not perform as expected. Cost of failed RFP procurement process $440,000 Licensing fees and FULL $100,000 to $500,000 implementation/configuration Cost of failed pilot program/soft launch $50,000 to $100,000 (Agile Software Selection Approach) Total sunk cost of abandoning implemented Total sunk cost ($) = $440,000 + $500,000 - solution $100,000 = $840,000 ***See Appendix I for a detailed breakdown of the costs 2.4 End-user configurability and flexibility. A solution that allows for robust end-user configuration mitigates any emerging requirements not accounted for in the procurement process. A traditional RFP process attempts to capture a complete list of current and anticipated future requirements, but in reality there are often factors that have not been documented or properly communicated. It is also very common for business needs to evolve by the time the lengthy procurement process has completed. The ability for an end user to configure system workflows and attributes related to the data objects are key factors why a GRC solution should be aligned with the business needs of the client. Leveraging a study conducted by Bombardier, we estimate the typical cost to re-work a very rigid software solution for our example organization.. GRC software total costs for a global enterprise $500,000 (licenses and implementation) Costs associated with scope changes during implementation Cost ($) = $500,000 x 0.1* = $50,000 Cost savings by the application administrator modifying the application at the configuration layer $50,000 ***See Appendix I for a detailed breakdown of the costs *See Bombardier case study 11

13 ROI Calculation. ROI Category # Benefit Savings Implementation Based ROI 1.1 Extended leverage beyond core users. $585,000 Implementation Based ROI 1.2 Elimination of duplicate effort. $360,000 Implementation Based ROI 1.3 Control rationalization. $288,000 Implementation Based ROI 1.4 Reduction of external resource $231,000 requirements Implementation Based ROI 1.5 Efficient data aggregation, analysis and $443,520 reporting. Implementation Based ROI 1.6 Optimized issue tracking and resolution. $36,000 Procurement Based ROI 2.1 Cost-effective procurement. $440,000 Procurement Based ROI 2.2 Ease of expansion into new GRC areas. $400,000 Procurement Based ROI 2.3 Vendor encouragement. $840,000 Procurement Based ROI 2.4 End-user configurability and flexibility. $50,000 Total Benefit $3,673,520 *All financial benefits are fully realized over a period of 3 years. **Cost savings are calculated using a conservative Full Time Employee (FTE) rate of $120,000 salary or $60.00 per hour ROI as a percent(%) of total costs. Total costs associated with GRC Solution $500,000 (licensing and implementation) Implementation Based Benefits $1,943,520 Procurement Based Benefits $1,730,000 Total Benefits $3,673,520 Return on Investment (ROI) 634 % Payback Period 1 to 2 years Time to Full ROI Realization 3 years 12

14 Conclusion. For a large global organization that implements a comprehensive GRC platform across their organization their Return on Investment (ROI), a combination of implementation-based benefits and procurement-based benefits, is calculated at 634% of their total cost of licensing and implementing a GRC solution. Implementation-based ROI refers to the benefits of a GRC software solution and the gains realized by this business as a result of those benefits. Implementation-based ROI was broken down into the following six sub-categories: extended leverage beyond core users, elimination of duplicate efforts, control rationalization, reduction of external resource requirements, efficient data aggregation, analysis and reporting, and optimized issue tracking and resolution. The total implementation-based ROI for our example client was $1,943,520, or 389% of total costs. Procurement-based ROI refers to the efficiencies gained from an Agile Procurement Process. Similar to implementation-based ROI, procurement-based ROI is broken down into the following four sub-categories: cost-effective procurement, ease of expansion into new GRC areas, vendor encouragement and end-user configurability. The total procurement-based ROI for our example client was $1,730,000, or 346% of total costs. While there are other resources available that describe the qualitative benefits of GRC software, this business case focused exclusively on formulating quantitative figures that outline a tangible monetary benefit to make the case for implementing GRC software in your organization. It is important to note that the scale of your organization and the extent of the implementation and adoption may result in different ROI results than what was outlined in our business case. These numbers are meant to serve as a baseline and the transparent benefit calculation can be leveraged to create your own calculations. For example, if your organization is smaller than the multi-national organization in our example, your benefit figures as well as your costs will also be smaller. Resolver often recommends starting out with a specific area, and once implemented moving to the next area. We often borrow the phrase: Every journey starts with a single step. Confucius Starting out and focusing on one area of GRC greatly helps the success of your program as a whole and increases adoptability with each implementation success. Resolver s innovative use of a non-modular and highly configurable architecture makes this process painless and very cost effective. 13

15 Who We Are. Resolver is a global leader in audit, risk and compliance software with more than 400 clients across 40 countries. Our clients include some of the world s most recognizable brands, government agencies and 9 of the top 10 global accounting firms. What We Believe. At Resolver, we believe that audit, risk and compliance drive performance. We believe that if done effectively, audit, risk and compliance help you operate legally and ethically, minimize fraud and promote efficiency. They align disparate organizational units and focus them on what matters most: your strategic objectives. They protect your company s assets, employees and stakeholders. Most importantly, they enable value creation today, while mitigating the problems of tomorrow. What We Do. For over a decade, Resolver has helped businesses drive performance through Intelligent Audit, Risk & Compliance software. Our platform helps you identify the biggest risks to success and coordinate assurance, compliance and risk activities. It provides oversight and transparency, and promotes accountability. It delivers a reliable, secure system of record, enabling you to know what s working and what s not, where your gaps are, and what you are doing about them. It has the right combination of simplicity and complexity to enable your business at any stage of maturity to grow, expand and reach your full potential. Contact Us. resolvergrc.com [email protected]

16 Works Cited. Claude Y. Laporte. (2012). Measuring the Cost of Software Quality of a Large Software Project at Bombardier Transportation: A Case Study. Retrieved on February, 2015, from Ernst & Young. (2014). Improve your business performance: Transform your governance, risk and compliance program. Retrieved February, 2015, from Forrester. (2014). Build the Business Case for GRC. Retrieved February, 2015, from RES56677?objectid=RES56677 Harvard Business School. (2013). HBR Guide to Building Your Business Case. Retrieved February, 2015, from Michael Rasmussen. (2011). The ROI on GRC. Retrieved February, 2015, from Paul D. Hamerman. (2014). Choose Your Business Applications Using An Agile Software Selection Approach. Retrieved February, 2015, from +Selection+Approach/fulltext/-/E-RES

17 solver GRC Cloud vantage Award of business (1-12 months) Final Demo (1 month) Vendor Demos (2 months) RFP (2-21 months) RFI (optional) (3 months) Research (6 months) Appendix I. Phase Vendo rs Workflow Cost Calculation Top 5 inherent risks: Needs 1) Evaluation of purchasing the solution vs. using internal resources identification to create a solution. 80 hours x $60 FTE = $5000 2) Market research performed and a long list of vendors Research developed. vendors 160 hours x $60 FTE = $9000 Long List of Vendors created $14,000 $20,000 *Cost variance based on size and complexity of the organization and software complexity 10 Internal Req. 1) The RFI is less retailed than the RFP and it outlines the various gathering high level goals to be accomplished by the enterprise software RFI Creation & solution. Distribution Evaluate responses & 50 hours x $60 FTE x 5 people = $15,000 Refine Vendor list $15,000 $20, ) High level demos attended by senior personnel within the Intro/high-level purchasing organization. demos 2 hours x $60 FTE x 8 people x 3-8 demos = $7000 2) Analysis of results from demos 8 hours x $60 FTE x 8 people = $4000 In-depth 3) Committee to create, draft and review the RFP document. (3-6 internal req. months). A formal process around the internal requirements gathering gathering precedes the creation of the RFP. (6 months) 200 hours x $60 FTE x 5 people = $60,000 4) A large accounting firm often used as a consultant to help with RFP preparation and/or review Consultant hired RFP Creation & Corp. Policies $35,000 - $110,000 (depending on the extent of the scope on the for RFP Review Distribution developed consulting agreement) 5) Corporate policy needs to be developed (if not already in place) Clarification of to ensure fair bid process. Vendor 80 hours x $60 FTE x 2 people (legal/hr) = $10,000 Questions 6) Designated point of contact required to answer questions in standardized/fair methodology and according to corporate policy. 80 hours x $60 FTE = $5000 Evaluation of RFP Responses $200,000 $260, ) In-depth demos require sample data to be provided to the Vendor short list vendors. Data must be exported and scrubbed to remove any created proprietary/sensitive information. 80 hours x $60 FTE x 2 people = $10,000 Prepare and Detailed (Full 2) Detailed demos attended by staff which will be directly involved share dummy Day) demos with the software implementation. (Directors, Managers, Senior data with validation of vendors responses Staff) 8 hours x $60 FTE x 8 people x 1-5 demos = $19,000 3) Analysis of results. Analysis of 16 hours x $60 FTE x 8 people = $8,000 results $35,000 $50, Final demos to 1) Final demos attended by executive sponsors once all the ground Exec Sponsors work has been done by the project committee. Final assessment of Analysis & the solution is performed and executive buy-in is established. Vendor chosen 8 hours x $60 FTE x 6 people x 1-3 demos = $6000 (Informal Award of Business $ $10,000 1 Price 1) Price negotiation and license counts Negotiations & License Counts Contract Terms (Legal) Statement of Work Developed IT Coordination months Time and cost before purchasing enterprise solution $300,000 - $440, hours x $60 FTE x 2-3 people (Director/IT/Finance/Procurement Dept.) = $7000 2) Contract legal terms negotiation 40 hours x $400/hour legal rate = $16,000 3) Statement of work (SOW) 16 hours x $60 FTE x 4 people (Director/Manager, Senior employees) = $4000 4) Technical IT requirements/questionnaire 20 hours x $60 FTE x 2 people (IT) = $2000 $30,000 $80,000 1) During the RFO preparation, software bloat can result in a lot of nice to have features that obscure core functionality. A typical budget for an enterprise software solution is an expensive, one-time expenditure which results in the client trying to address all possible future needs in the RFP requirements. This results in 80% of users using only 20% of the features within the application (80/20 rule). 2) High variability of cost and time based on: the complexity of the requirements, corporate procedures/policies and employee availability. All of these factors result in a much more expensive and longer procurement process than originally anticipated. 3) The probability of executive sponsor interest loss and/or funding loss increases as time and costs accumulate during the procurement process. Sunk costs and solution abandonment are inevitable when interest or funding are lost. 4) Scope creep is created by late entrant stakeholders (often coming from various functional areas) becoming involved in the procurement process. Scope creep aggravates risks 2&3 when these new entrants voice their needs for the software. 5) The core day-to-day job responsibilities of the personnel involved in the procurement project take precedence and as a result delay the benefits and ROI of the eventual software solution. This results in frustration of the business units in need of the solution and creates executive sponsor doubt. New Software: Software licensing, Implementation & Configuration cost Purchase new software or use GRC Cloud Continue using GRC Cloud: Extra licenses & internal configuration Choosing GRC Cloud vs. engaging in the procurement process provides: 1) Instant savings on the purchase cost of the software solution (GRC Cloud is not modular and all required functionality is already available to the client) 2) Greater ROI on the initial purchase of GRC Cloud and exponential benefit realization with each additional business functionality incorporated into GRC Cloud. [$100,000 + $300,000 - $25,000] to [$500,000 + $440,000 - $100,000] $375,000 $840,000 in total cost savings (The range relates to the degree of complexity and the cost of the new software implemented)