Governance, Risk and Compliance
Many teams have experienced the struggle of trying to secure budget for the Risk Management software needed to protect their business. There is a belief in organizations that risk initiatives are cost centers with a primary objective to reduce the direct cost of risk management. This makes proposals for improved risk management less attractive than budget requests that are focused on increasing revenue and profitability.
As leaders in the risk, compliance, audit, and IT security space, we know that the roadblocks to investment can include:
Getting the necessary level of investment for your initiatives involves communicating the “Why” and arguably more important, “Why Now.” A few examples of this include:
Building a compelling business case that quantifies the importance of risk-related work is a critical component for bringing this all together. With this view of your business impact, you can make an effective argument about why the company needs to invest, and why they need to do it now.
Though the approach outlined in this guide is more specific to building a business case for software, the approach and tools provided can also be used to make a case for most risk- related investments beyond software.
First, you have to be able to answer these simple questions:
These questions will provide you with the basis for your business case. When it comes to Risk Management software, it’s helpful if you’re able to provide a full picture of what the organization is doing, which most of the time is highlighting the areas that it is missing. If you’re currently unable to capture all of the events that take place, highlight that. Take a look at the external loss events or risks to help you quantify the potential impact. What have similar organizations like yours experienced? What would that do to your organization?
Resolver’s Risk Universe is a great place to start to get a picture of the types of risks that impact teams and specific loss events that they’ve experienced. It gives you a good benchmark to measure your organization’s current state.
Make sure to clearly identify the risk involved in any knowledge gaps. For example, we have seen companies double the number of risk events and near-misses that get reported when moving from Excel or manual reporting to a professional solution. That doesn’t mean that they didn’t exist before, their team just wasn’t capturing them effectively. How can you be proactive in reducing the frequency and severity of risks if they aren’t visible and aren’t being properly captured?
Here at Resolver, we help our customers reduce the frequency and severity of negative events that are impacting organizational success.
Imagine for a second a world where business owners were enabled to identify and manage their own risks. Where risk managers are able to quickly view, assess and treat risks without inundating business owners. Where reports are automatically produced and include business metrics that are easily understood by your executives and board.
That is your new world with Resolver.
Not sure where to start? We’ve created a template to help you prepare your business case. Below, you’ll find a step-by-step breakdown of what your business case should consist of, as well as sample information, especially as it relates to Resolver’s Incident and Investigations Management software.
This section should provide general information on the issues surrounding the business problem and the proposed project or initiative created to address it. Usually, this section is completed after all of the other sections of the business case have been written. This is because the executive summary is exactly that, a summary of the details that are provided in the following sections of the document.
This section should briefly describe the business problem that the proposed project will address. This section should not describe how the problem will be addressed, only the problem itself.
For example, use this section to complete an internal needs analysis. “We aren’t accurately capturing all risk. By not doing this, we could miss something and open ourselves up to potential risk. We are struggling to see the full picture. This software will help us solve these challenges.” Finish it off with this sentence: “We’ll be able to do this {your goal} and see this result {your goal}.”
In the “business need section” it is a good idea to quantify the losses or potential losses being suffered by the organization today.
Describe the anticipated outcome if your organization were to move forward with software. It should also include how you expect the software to reduce the net impact to risk – quantify the losses or potential losses.
Summarize the approach for how software will address the business problem. This section should also describe how desirable results will be achieved by moving forward with the project.
How will this solution modify or affect organizational processes? For example, what does communication look like with the end-user of this software? The key here is to document the pain that your end-user is experiencing and communicate openly and clearly with them about how they’ll benefit from adopting this solution.
Clearly explain why software should be implemented and why it was selected over other alternatives. Where applicable, quantitative support should be provided and the impact of not implementing software should also be stated.
Many people consider this to be one of the most important parts of a business case. It not only outlines the investment that you’re asking your organization to make, but the tangible, financial benefits of doing so. Whether the return is $1.1 million or $1.9 million, the real cost/benefit to highlight is the quantified savings to the business of reducing the frequency of loss events and reducing the impact when those events occur. This section crystalizes why risk investments make good business sense. The savings to the business will far outweigh the cost of investing in a solution.
Your leadership team will appreciate you clearly outlining any associated risks with investing in software. Though risk varies from company to company, here are a few that many people are concerned with, especially when it comes to adopting new technology:
When building your case for software, be clear, be specific and highlight the potential impacts to revenue. Whether that’s in events avoided, programs put in place or fines mitigated, your leadership can’t refuse facts that will not only protect their business, but their bottom line.
Quantifying risk is hard, and unfortunately, there isn’t an exact science to it. One way to approach this conversation is to start with the statement “what would you have to believe to make this a worthwhile investment?” If a 1% reduction in loss events results in a number greatly above your investment, do you need much more information to make this decision?