Now that you’ve enumerated what it will take to develop, launch and operate each option, take a look at the costs, benefits and risk associated with each one.
Cost-Benefit Analysis Is Your Ally
An accurate Cost and Benefits Analysis (CBA) answers the following questions:
- How much will this option cost?
- What materials, personnel, or other project requirements are we paying for?
- What are the tangible and intangible benefits to the organization?
- Is the final calculation positive (benefit-oriented) or negative (cost-oriented)?
- What risks must be addressed along the way?
Typically a business unit manager can tally up the costs of whatever resource he or she wants, and then crunch the numbers for how much money that resource should be able to generate or save.
Alas, that task isn’t so straightforward for risk management projects. Quantifying penalties never assessed or harm never suffered is elusive, if not impossible — but asking the board or CFO to fund a project “because we need it” doesn’t go far either.
That said, as a risk leader you can construct a cost-benefit analysis to help make your case, even with so many intangible factors at play.
First, clearly articulate what you want to do. For example, “build a program to manage third-party risk” is nowhere near as specific as “implement a contract management system that analyzes payments to third parties, coupled with a due diligence program to automate background checks of third parties’ beneficial owners.”
Then dig into what that goal means in dollar terms. Consider the lifetime of the project and “total cost of ownership.” That is: will this resource (whatever it is) become obsolete in several years? Will it require ongoing maintenance? Or better yet, what other costs will the resource require to accomplish your goals? What else must the company have or do, for this proposal to work?
For example, if you install a new contract management system, it will require people to use it. That means people will need training on how to use it. If you want to analyze the data, you may need a data extraction tool. A cloud-based service might require more Internet access; installed software might need upgrades.
Anticipate the questions you will get, and be honest. Don’t oversell the benefits of what you’re seeking or promise something the project (or you) ultimately won’t be able to deliver.
Costs are a mixture of the obvious and the hidden. For example, the cost of additional employees is fairly clear — but remember to consider recruiting costs, or disruption to another function from internal transfers.
Technology is another matter. First is the upfront cost of the software itself. Is this a one-time license, an annual fee, or some automatic renewal in the future?
Second are all those TCO costs we mentioned earlier. How many employees will require training on the new system? Who will do that training, at what cost? Will the training disrupt people’s regular duties? Will installation disrupt them?
If the technology won’t be able to adapt as the company’s needs evolve, but you believe it’s still worth the investment, say so. The good news is that cloud-based IT often can evolve with changing risk and regulatory environments. Still, not all technology that claims to be future-proof actually is. That doesn’t mean it’s not worth doing, however.
Calculating the Benefits
Some benefits of strong risk management and compliance will always be intangible. Others are measurable, if you dig deeply enough.
Talk to the stakeholders involved, especially those in the operating units that will use whatever system you’re proposing. The managers will know how much time is necessary under current systems to do the tasks in question (say, perform due diligence on a third party). Then take the employees’ salary (which HR will know) and calculate how much payroll cost goes to that task. If a GRC project will shave hours off the task and let the employee move on to higher-value work, you can begin to estimate the costs and benefits more precisely.
All that said, naming the intangible benefits helps, too: avoiding fines or other regulatory enforcement action (which can reduce the cash pigeonholed in the company’s contingency accounts); protecting reputation and market value; making the organization more attractive to potential business partners.
In some instances, compliance spending can help to reduce your legal liability — and not spending money on compliance or risk management can increase the company’s liability. (Imagine spending no time or money on due diligence, and the conversations that would follow in a regulatory investigation.)
Dive into the details
The CBA is a balancing tool that compares cost and benefits in a single report. When setting out to build one, there's no need to start with numbers. In fact, you won’t need to calculate totals until a bit later in the process. Begin by reviewing your project plan and talking to project team members about all of the project components that you will need to assess, from planning through implementation.
Step 1: Research similar projects implemented at your company in the past.
A good resource for your CBA could well be previous CBAs completed for projects that seem similar to your proposal. Although every program will be unique, you can use existing CBA calculations as a historical reference or benchmark for your program. With this information in hand, you will have a better sense of the validity of your own cost estimations.
Step 2: Talk to project team members.
To identify every step in the project, from beginning to end, you will need to talk to project team members, find out what they do, and how long each step takes. Think of the project as a vast collection of tactics, materials, human resources, and other business requirements—multiple moving parts working in concert toward a shared purpose. The more detailed and comprehensive your understanding, the more accurate and reliable your cost-benefit analysis will be.
Step 3: Development Costs.
You may choose to divide the project lifecycle into five general categories that represent sequential phases of the project each year (or month, if short-term).
Step 4: Operational Costs.
Estimate the installation, operation, and maintenance costs, including personnel, equipment, and training for the project lifecycle.
Step 5: Identify Recurring and Non-Recurring Costs.
When identifying a cost, is it a one-time event or a recurring expenditure? For example, a small project may require a single training session or a stand-alone online training module. A larger project may need instructor-facilitated classroom training repeated monthly or quarterly. In another example, an initial security system may be purchased at a single point of sale, but a security monitoring service will require a monthly, recurring cost.
Examples of non-recurring costs:
- Initial capital investment
- Equipment purchase
- Systems Development
- Security and privacy equipment
- Software and licenses
- Paid media/advertising
- Involuntary retirement, severance, or relocation costs
- Potential disruption to existing business operations
Examples of recurring costs:
- Equipment leases, rentals and maintenance
- Facilities rental
- Overhead & Administrative costs
- Security services
- Software lease
- Supplies & Utilities
- Contractual Services
Step 6: List the Benefits.
There are two types of benefits: tangible and intangible. While tangible benefits may be assigned a monetary value, describing the intangible benefits is one of the most subjective parts of your entire CBA, but no less important.
Tangible benefits, such as time saved, can be assigned a monetary cost and may include:
- Improved productivity in hours
- Reduced # of work hours required
- Fewer # of personnel needed (salary/benefits saved)
- Expense savings through less supply/inventory
- Cost of payment processing lowered through automation
- Reduced # of hours responding to regulatory requests
- Lower travel costs
Intangible benefits may be more challenging to measure in monetary terms. You don’t have to. Instead, you can list them and note their importance, assigning a cost value if at all possible. These may include:
- Earned media (positive mention in press)
- Better organizational decision making
- Reduced regulatory risk
- More data transparency
- Better data security for customers and employees
- Improved relationships with third parties
- Increased levels of customer satisfaction
- More efficient use of resources
- Uniform reporting across the enterprise
- Enhanced external image in market
Step 7: Estimate.
After you’ve developed the lists, it’s time to put monetary values next to each line item, except for the intangible benefits. This is referred to as “bottom up” costing, evaluating the most detailed components of the project. For processes or activities, think of each as a parcel of time, such as hours, that can be valued in terms of labor cost.
Step 8: Calculate.
After estimating, you can now calculate the total cost and total benefit, then perform a final calculation for the bottom-line financial result.
Addressing Risk and Uncertainty
Risk is your field of expertise or you wouldn’t be reading this resource. But that doesn’t make addressing it in your business case any less critical. While you may feel confident you’ve got the knowledge you need to excel in this regard, we couldn’t risk it. So following are some considerations as you address risks involved in your initiative.
Performing a thorough risk analysis will help quantify and, to a large extent, dispel the uncertainty introduced by implementing your initiative. By systematically assessing the variables that could potentially impact the project, you can help senior leaders feel more informed and confident about making a business decision that they can justify later if needed.
When thinking about risk, the key questions are: Will the project be successful? How risky is it? What are the biggest risks that we face? How will you manage them?
Addressing risk through probability
To present a compelling view of potential risk, more than one number is needed when estimating cost, profit, or other key metrics. For example, a project manager may assume an average number as a reference point, such as the “average profit in Year One will be $2.5 million” or “the average cost of a contractor’s labor is estimated at $60,000 per year.” That’s not very convincing, because there is no point of comparison. A more engaging perspective is to present a full range of numbers that represents the scope of possible outcomes, such as: “There is a 90% chance that average profit in Year One will be between $1.7 million at the lowest and $3.2 million at the highest.”
The key word here is “possible.” Of course, one can never be certain about when risk can occur, but there are techniques to change the discussion about risk from something uncontrollable to something more manageable, from vague uncertainty to degrees of probability. By shifting the thinking in this way, we create a more positive conversation about specific project outcomes and lend more certainty to the business case.
The Monte Carlo simulation
Invented by scientists at Los Alamos National Laboratory during the advent of nuclear weapons, the Monte Carlo simulation is widely used today in many disciplines to assess risk probabilities. Ironically, the term has nothing to do with gambling. Monte Carlo simulation, also known as predictive modeling, is an automated mathematical simulation that can be run with an Excel spreadsheet to forecast probable outcomes.
In just a few seconds, a Monte Carlo software program can run 100,000 simulations based on initial data inputs, such as estimates of cost, profit, labor, time, etc. The result is a visual display: a chart that shows the resulting “confidence interval.”
A confidence interval may show, for example, that there is a “90% chance that the average profit in Year One will be between $1.7 million and $3.2 million.”
This is the type of data that you need to include in your business case, with the explanation: “We’ve run the simulation through 100,000 possible scenarios, and the resulting confidence interval is 90% that profit will be between $1.7 million and $3.2 million.” With this mathematical calculation, bolstered by the visual charts, senior leaders can feel more comfortable approving such a project and justifying that decision as a good one.
The key is to make sure that the data estimates used in the model are as accurate as possible, based on current and historical knowledge. The more accurate the assumptions, the more accurate the predictions.
Sensitivity charts are a useful part of the Monte Carlo simulation, because they show which variables will have the greatest impact on your projects. With the results from a sensitivity analysis, a project manager can focus on what’s driving a particular outcome. For example, after running 100,000 simulations, the program may identify that “production time” is the variable that affects profit the most. Knowing this, a risk mitigation plan can be developed for improving production time. Being able to articulate this level of detailed understanding is powerful evidence that you are fully aware of the comprehensive risk dimensions of your project.
There are many external variables that can affect the outcomes that you simulate today, such as: future prices, resource requirements, competitor actions, market growth, business volume, government actions, regulatory changes, inflation, force majeure, and currency exchange rates, to name a few. While we can’t predict the future, the idea is to quantify risk as much as possible today, to shift uncertainty into more certainty, and develop mitigation plans to manage the rest.
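As an added illustration (not part of the original article), the following Python sketch runs a Monte Carlo simulation over the bottom-up estimate and final calculation from Steps 7 and 8, then reports a 90% range and a sensitivity ranking. All dollar figures and input names are constructed for a hypothetical contract management system; the triangular distributions and the use of Pearson correlation as a stand-in for a sensitivity chart are assumptions of this example.

```python
import random
import statistics

# Constructed three-point estimates (low, most likely, high) for a
# hypothetical contract management system; none come from the article.
INPUTS = {
    "license_one_time":     (80_000, 100_000, 150_000),  # non-recurring cost
    "training_one_time":    (10_000, 15_000, 40_000),    # non-recurring cost
    "annual_maintenance":   (15_000, 20_000, 30_000),    # recurring cost
    "hours_saved_per_year": (500, 1_500, 3_000),         # tangible benefit
    "loaded_hourly_rate":   (40, 55, 70),                # payroll cost per hour
}
YEARS = 5


def net_benefit(x, years=YEARS):
    """Step 8: total benefit minus total cost over the project lifetime."""
    benefit = years * x["hours_saved_per_year"] * x["loaded_hourly_rate"]
    cost = (x["license_one_time"] + x["training_one_time"]
            + years * x["annual_maintenance"])
    return benefit - cost


def pearson(xs, ys):
    """Correlation between one input's draws and the simulated outcome."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    var_x = sum((a - mx) ** 2 for a in xs)
    var_y = sum((b - my) ** 2 for b in ys)
    return cov / (var_x * var_y) ** 0.5


def simulate(runs=100_000, seed=1):
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    draws = {name: [] for name in INPUTS}
    results = []
    for _ in range(runs):
        x = {n: rng.triangular(lo, hi, mode) for n, (lo, mode, hi) in INPUTS.items()}
        for n, v in x.items():
            draws[n].append(v)
        results.append(net_benefit(x))
    ordered = sorted(results)
    low, high = ordered[int(0.05 * runs)], ordered[int(0.95 * runs) - 1]
    sensitivity = sorted(((n, pearson(v, results)) for n, v in draws.items()),
                         key=lambda item: abs(item[1]), reverse=True)
    return {
        "interval_90": (low, high),  # 5th and 95th percentile of net benefit
        "p_positive": sum(r > 0 for r in results) / runs,
        "sensitivity": sensitivity,  # largest driver first
    }


if __name__ == "__main__":
    out = simulate()
    print("90%% of runs fall between $%.0f and $%.0f" % out["interval_90"])
    print("Share of runs with positive net benefit: %.1f%%" % (100 * out["p_positive"]))
    for name, corr in out["sensitivity"]:
        print("%-22s %+.2f" % (name, corr))
```

The input at the top of the sensitivity list is the one whose estimate deserves the most scrutiny and the first mitigation plan, in the same way the article's "production time" example does.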
A Comprehensive View of Risk
We have focused thus far on answering holistically: “How risky is this project?” While the Monte Carlo simulation and sensitivity analysis will provide decision support for senior leaders, the business case also should outline the routine daily management approach for handling specific risks that arise within project implementation.
This is your framework for identifying, mitigating, and monitoring risks on an ongoing basis. Your solutions for this could include creating a risk framework that includes a risk management plan and common maintenance tools such as a risk register, risk checklist, and risk repository.
Attempting to simply minimize risk in your business case is a flawed approach because it could make your audiences feel like you’re avoiding important realities. A better goal is to demonstrate that you have thought at multiple levels about both project risk and daily implementation risk – from large to small – and have successfully reduced uncertainty to a low practical limit. Rather than minimizing risk, you can address it with quantifiable data that fosters your audience’s confidence that they are making the best decision for the company.
For risk management projects specifically — with so much complexity, so many variables, many of them qualitative rather than quantitative — accommodating a degree of uncertainty is unavoidable.
Uncertainty is not the same as risk. Risks can be calculated; uncertainty can’t. For example, the risk that your next coin-flip will be heads is 50-50. On the other hand, what are the odds that regulators will overhaul their treatment of your industry in the next 20 years? Instinct might suggest an overhaul will probably happen, but you can’t model the chances of specific outcomes over that long a period. It’s uncertain.
Managers can address uncertainty in two principal ways. First, you can narrow the knowledge gap that requires you to make assumptions.
For the regulatory change example, consider the country’s history of regulatory evolution. Review the stated plans of regulators, agencies, politicians, and parties currently in power. See what experts say about the chances of these actors leaving power in the next decade or two. Added knowledge narrows the gap and reduces uncertainty, perhaps to the level of a calculable risk.
Recovery strategies are another way to deal with uncertainty — that is, assume the worst outcome, and calculate the costs of recuperating from it.
Insurance policies (for weather damage, lawsuits, business interruption, and so forth) are one form of recovery strategy. So are slack timetables that allow for unforeseeable delays; financial reserves to cover extra costs; backup systems, extra capacity, and improved processes. Any of those measures can help you deal with the effect of an uncertain negative event.
The longer your time horizon, the more challenging uncertainty is. Guessing what will happen farther into the future becomes ever more difficult, as uncertainties multiply and modify each other.
Modeling high-impact, low-probability uncertain events is another challenge. The oft-cited example: extraterrestrials landing on Earth. That event would be profound and hard to ignore, but what are the odds it will actually happen? Nobody knows.
Managers can try to address low-risk, high-impact uncertainties by ranking them in order of predictability and impact; and then developing recovery strategies for the highest rankings. Alien invasion, for example, is probably a de minimis risk that you can omit from analysis. Risk of regulatory change, on the other hand, can be ranked higher and may need to be addressed.
Developing skill at financial modeling is critical to making an effective business case for a risk management project; you could even say it’s one of the best strategies to reduce the uncertainty of winning approval for your idea. Speak to the board or executive management committee in the profit-minded language they use, and that will go a long way toward helping them — and you — make the best decision.
That said, you should always present the option and cost of doing nothing.
What does the “do nothing scenario” mean for lost opportunity — for example, lost opportunity to be leaner, gain a better reputation, reduce litigation risk, or expand into new markets?
The board or executive committee will always want to know the consequences if the organization doesn’t take action. Try to find benchmarking information about peers: either what they are doing, or what is happening to them if they are doing nothing.
And even though you shouldn’t present options for partial action, knowing what those options are, and having them in your “back pocket” will prepare you should senior management ask what you could accomplish with less than what you’re seeking.
Showing that you have considered those possibilities demonstrates your request comes with careful analysis of all options.
Watch out for Black Swans
In Nassim Nicholas Taleb’s book, “The Black Swan: The Impact of the Highly Improbable,” he defines a Black Swan as an unpredictable and extreme event outside normal parameters that has catastrophic consequences.
The Black Swan is a good reminder that cost/benefit, risk, and Monte Carlo simulations are performed within a model of quantitative value that is the accepted practice for the day. However, these tried and true results that many project managers rely on to prove their business case may be dramatically affected by a singular, unusual event outside the range of the forecast scenarios.
As Taleb writes:
“Indeed, the normal is often irrelevant. Almost everything in social life is produced by rare but consequential shocks and jumps; all the while almost everything studied about social life focuses on the 'normal,' particularly with 'bell curve' methods of inference that tell you close to nothing. Why? Because the bell curve ignores large deviations, cannot handle them, yet makes us confident that we have tamed uncertainty.”
Since the Black Swan event is usually not anticipated and only fully understood with hindsight, it can cause a massive shock-wave effect in the economy or society as a whole. This calls for the project manager or business case owner to remain adaptable and knowledgeable about the market, the economy, competitors, and social, environmental, and political events.