Governance, Risk and Compliance

Guide to Creating a Business Case for Risk Management Software

Many teams have experienced the struggle of trying to secure budget for the Risk Management software needed to protect their business. There is a belief in organizations that risk initiatives are cost centers with a primary objective to reduce the direct cost of risk management. This makes proposals for improved risk management less attractive than budget requests that are focused on increasing revenue and profitability.

As leaders in the risk, compliance, audit, and IT security space, we know that the roadblocks to investment can include:

  • “You’re not running a P&L.”
  • “You don’t generate revenue for the ”
  • “Your function is a cost ”
  • “We need to meet regulatory requirements, but we want to do so at minimum ”
  • “Your program is simply not a priority that we can invest in right ”
  • “You are dealing in probabilities, not real ”

Getting the necessary level of investment for your initiatives involves communicating the “Why” and arguably more important, “Why Now.” A few examples of this include:

  • Why are risk, compliance, audit, and IT security initiatives critical to the company’s brand and overall success?
  • Why should senior decision makers view your work as an integral, value-add component of the overall business strategy?
  • Why should they invest purposefully in the risk management budget – now and in the future?
  • How will we get all of this done?

Building a compelling business case that quantifies the importance of risk-related work is a critical component for bringing this all together. With this view of your business impact, you can make an effective argument about why the company needs to invest, and why they need to do it now.

Though the approach outlined in this guide is more specific to building a business case for software, the approach and tools provided can also be used to make a case for most risk- related investments beyond software.

Ask the Tough Questions

First, you have to be able to answer these simple questions:

  • What is the cost of the most common risks to your business?
    • How much do tangible, frequently occurring risk events impact your business? How often does a workplace hazard occur? What is the average cost? Be sure to consider the cost of work missed, benefits and legal fees.
  • What is the potential cost of the highest impact risks to your business?
    • How much would infrequent, disruptive events impact your business? How much would a “100-year flood” on a major business center cost your business?
  • How much, in “hard and soft” dollars, would improving risk management add to your business?
    • The purpose of your risk investment should either be to reduce the frequency of risk events or reduce the impact of each event – or ideally, both. Quantify the business value by showing the hard dollars saved by minimizing events already occurring, as well as soft dollar potential of reducing high impact

These questions will provide you with the basis for your business case. When it comes to Risk Management software, it’s helpful if you’re able to provide a full picture of what the organization is doing, which most of the time is highlighting the areas that it is missing. If you’re currently unable to capture all of the events that take place, highlight that. Take a look at the external loss events or risks to help you quantify the potential impact. What have similar organizations like yours experienced? What would that do to your organization?

Resolver’s Risk Universe is a great place to start to get a picture of the types of risks that impact teams and specific loss events that they’ve experienced. It gives you a good benchmark to measure your organization’s current state.

Paint the Picture

Make sure to clearly identify the risk involved in any knowledge gaps. For example, we have seen companies double the number of risk events and near-misses that get reported when moving from Excel or manual reporting to a professional solution. That doesn’t mean that they didn’t exist before, their team just wasn’t capturing them effectively. How can you be proactive in reducing the frequency and severity of risks if they aren’t visible and aren’t being properly captured?

Here at Resolver, we help our customers reduce the frequency and severity of negative events that are impacting organizational success.

Build Your Case

Imagine for a second a world where business owners were enabled to identify and manage their own risks. Where risk managers are able to quickly view, assess and treat risks without inundating business owners. Where reports are automatically produced and include business metrics that are easily understood by your executives and board.

That is your new world with Resolver.

Not sure where to start? We’ve created a template to help you prepare your business case. Below, you’ll find a step-by-step breakdown of what your business case should consist of, as well as sample information, especially as it relates to Resolver’s Incident and Investigations Management software.

Executive Summary

This section should provide general information on the issues surrounding the business problem and the proposed project or initiative created to address it. Usually, this section is completed after all of the other sections of the business case have been written. This is because the executive summary is exactly that, a summary of the details that are provided in the following sections of the document.

Business Need

This section should briefly describe the business problem that the proposed project will address. This section should not describe how the problem will be addressed, only the problem itself.

For example, use this section to complete an internal needs analysis. “We aren’t accurately capturing all risk. By not doing this, we could miss something and open ourselves up to potential risk. We are struggling to see the full picture. This software will help us solve these challenges.” Finish it off with this sentence: “We’ll be able to do this {your goal} and see this result {your goal}.”

In the “business need section” it is a good idea to quantify the losses or potential losses being suffered by the organization today.

Anticipated Outcomes

Describe the anticipated outcome if your organization were to move forward with software. It should also include how you expect the software to reduce the net impact to risk – quantify the losses or potential losses.


Summarize the approach for how software will address the business problem. This section should also describe how desirable results will be achieved by moving forward with the project.

  • 3 reasons why you need this software
  • How you’ll see an improvement
  • Companies like ours {add in company name here} use this software

Organizational Impact

How will this solution modify or affect organizational processes? For example, what does communication look like with the end-user of this software? The key here is to document the pain that your end-user is experiencing and communicate openly and clearly with them about how they’ll benefit from adopting this solution.


Clearly explain why software should be implemented and why it was selected over other alternatives. Where applicable, quantitative support should be provided and the impact of not implementing software should also be stated.

Cost/Benefit Analysis

Many people consider this to be one of the most important parts of a business case. It not only outlines the investment that you’re asking your organization to make, but the tangible, financial benefits of doing so. Whether the return is $1.1 million or $1.9 million, the real cost/benefit to highlight is the quantified savings to the business of reducing the frequency of loss events and reducing the impact when those events occur. This section crystalizes why risk investments make good business sense. The savings to the business will far outweigh the cost of investing in a solution.


Your leadership team will appreciate you clearly outlining any associated risks with investing in software. Though risk varies from company to company, here are a few that many people are concerned with, especially when it comes to adopting new technology:

  • Will there be a learning curve?
  • What does the training program look like? How long will it take?
  • How do we ensure that users adopt and use the software?
  • How can we ensure that we get a return on this investment?

When building your case for software, be clear, be specific and highlight the potential impacts to revenue. Whether that’s in events avoided, programs put in place or fines mitigated, your leadership can’t refuse facts that will not only protect their business, but their bottom line.

Quantifying risk is hard, and unfortunately, there isn’t an exact science to it. One way to approach this conversation is to start with the statement “what would you have to believe to make this a worthwhile investment?” If a 1% reduction in loss events results in a number greatly above your investment, do you need much more information to make this decision?