Gregory Zoughbi, CISM, CGEIT, PMP, TOGAF9, ITIL Expert, COBIT 4.1 (F)
Many organizations choose to acquire an enterprise resource planning (ERP) system to serve as a common system for their wide range of daily operations.
Various business benefits can be realized from ERP investments due to operational performance improvements. For instance, ERP systems embed industry best practice processes, which enterprises can leverage to achieve a discontinuous improvement in performance.
However, many ERP investments fail to deliver on their promised benefits due to deficient ERP investment appraisals caused by inflated expected benefits and underestimated cost and risk. Therefore, improved governance of enterprise IT (GEIT) in general, and governance of ERP system acquisitions in particular, are crucial for success. One of GEIT’s key practices is the development, maintenance and utilization of a proper business case throughout an investment’s economic life cycle.1
What are the key elements of an ERP investment business case, and which GEIT best practices are relevant? Furthermore, do such practices resonate with management and finance best practices, which are expected by executive business leaders who control access to funds?
The business case is a core concept in successful GEIT practices. It is intended as a tool for decision making on investment matters, both prior to and after initiating an investment. It is often captured as a document or presentation, and it is heavily promoted in Val IT,2 COBIT 53 and the Certified in the Governance of Enterprise IT (CGEIT)4 certification.
For example, Val IT’s Investment Management domain and processes require an enterprise to develop and evaluate the initial program concept business case (practice IM1) and to update the business case (practice IM8).5, 6 Furthermore, COBIT 5 continues to promote business cases to ensure benefits delivery (process EDM02), to manage enterprise architecture (process APO03) and to manage portfolio of investments (process APO05).7 Finally, domain three of CGEIT confirms that business cases are part of the GEIT practice.8
What is important to include in a business case? One answer is offered in ISACA’s eight-step approach for business case development (figure 1).9 In particular, steps three, four and five require the analysis of an investment’s expected benefits, resource and cost requirements, and associated risk. While nonfinancial benefits might be difficult to quantify, better developed business cases include well-quantified benefits, costs and risk, hence enabling superior ERP investment appraisals.
Therefore, the key elements of a business case are the benefits, costs and risk. Once established, the investment can be appraised (figure 2).
Various benefits can be expected from a successful investment in an ERP system. Ultimately, however, it is the investing organization that must determine which business benefits it can realize from such investments based on its own strategy and objectives. The following is a summary of common benefits.
Many organizations that do not have a proper ERP system are structured functionally, which leads to the proliferation of functional and silo IT systems. Others follow an organizational design10 that focuses on end-to-end business processes spanning across functions. In the latter, ERP systems can improve information exchange across functional systems. They are designed with an end-to-end perspective to significantly increase efficiency over silo-functional applications, thus removing manual coordination requirements for exchanging information across functional systems. The promised business benefit is optimized enterprise performance.
Consequently, an ERP system’s database integrates and unifies information from various functional capabilities. For example, a master list of vendor names would be created, as opposed to duplicate lists in purchasing, logistics and finance. This integration and unification of information allows an organization to have a single source of truth, which is the foundation for business intelligence (BI) and analytics. A McKinsey Global Institute report pronounced analytics as “the next frontier for innovation, competition and productivity,”11 and Thomas H. Davenport,12 a BI and analytics pioneer, emphasized that applying analytics on business processes, such as those provided by an ERP system, is one of the last remaining ways for organizations to achieve differentiation and competitive advantage.
Another common business benefit of ERP systems is the enforcement of standard processes across the organization and its geographically dispersed sites. Process standardization is a prerequisite for continuously improving process performance and organizational efficiency, on both IT and the business sides, as advocated by Shewhart’s Plan-Do-Check-Act cycle13 and frameworks such as COBIT 5,14 IT Infrastructure Library (ITIL)15 and Capability Maturity Model Integration (CMMI).16 Furthermore, the standardized processes can be provided by the ERP system out of the box; these standardized processes are designed based on best practices obtained from many successful organizations. The organization acquiring an ERP system should adopt such best practices through business process reengineering (BPR) for all of its processes, except those that provide it with a competitive advantage.
Despite the many potential benefits that ERP systems promise, they come at a significant acquisition cost. ERP system licenses are generally more expensive relative to other systems, the corresponding ERP acquisition project includes many diverse activities, and ERP system deployment by itself is costly due to the large user base and likely resistance to change.
A consequence of adopting best practice processes in ERP systems is that ERP investments almost always require existing business processes to be reengineered. This can disrupt operations and, therefore, requires effective organizational change management. Conversely, customizing the ERP system, instead of performing organizational BPR, is also a costly activity due to the system complexity and impact on future software upgrades.
Migration from multiple functional systems also comes at a cost. It is likely that information duplication will exist due to the proliferation of silo-functional systems. As the inconsistency of data models across these systems increases, more effort will be required to cleanse the data and then migrate it to the new ERP system. The paradox here is that the larger the organization, the more likely it is to acquire an ERP system. However, larger and more complex organizations are also more likely to have a larger number of ERP systems and higher data fragmentation across them due to decentralization and localization needs and to maintain specific competitive advantages by seeking a best-of-breed approach.17 Therefore, the cost of ERP system acquisition increases at a nonlinear rate.
Additionally, ERP deployments may require newer and/or more capable IT assets, such as new servers and software. Such supporting hardware and software infrastructure can be expensive, and it increases architecture work and acquisition cost.
Activities such as BPR, customization and data migration can be complex and risky. For example, BPR can result in resistance to change, as discussed previously. Resistance to change continues to introduce risk areas for ERP acquisitions.
Risk must be appropriately identified and managed, and a business case should not be completed until there is a proper understanding of the investment’s risk. There is risk associated with different IT service and system life cycle stages (e.g., planning, implementation, project closure, transition to operations, operations, retirement). Risk associated with all of these life cycle stages is relevant and should be considered when preparing the business case and determining the risk-adjusted required return.18 In essence, as finance theory19 advocates, investors must demand higher investment returns for increased investment risk.
Risk must always be defined from a business perspective.20, 21 Thus, an organization looking to acquire an ERP system should define the specific risk relevant to it. Furthermore, Risk IT’s Risk Evaluation (RE) process activity 1.4 requires the identification of risk contributing factors, which are drivers of the frequency and magnitude of risk events.22 These are important for root-cause analysis of risk, which is also emphasized by other frameworks and models such as the Committee of Sponsoring Organizations (COSO) Enterprise Risk Management—Integrated Framework23 and CMMI’s24 Causal Analysis and Resolution (CAR) process area. Furthermore, not only does understanding risk factors help better mitigate risk due to improved root-cause analysis, but it also helps quantify any necessary contingency funds required for residual risk, and to quantify the required return or discount rate for projected cash flows.
Fortunately, risk factors are common across ERP system acquisitions, as determined by examining successful and failed ERP acquisition cases.25 These risk factors were identified by examining actual ERP acquisition cases, for example, as reported in quantitative case studies,26 qualitative case studies27 and expert opinions.28 Figure 3 provides a summary of the top 10 risk factors for ERP investments.
Figure 4 illustrates the relative importance of these risk factors.
Understanding these risk factors should significantly aid the governance of ERP system acquisitions and the development of relevant business cases, including the allocation of contingencies for residual risk.
Once benefits, costs and risk are quantified and analyzed, an ERP investment can then be appraised. The net present value (NPV) is considered by many as the most appropriate investment appraisal method. It is advocated by corporate finance gurus29 and is illustrated in step three of the business case development approach from ISACA.30 ING, for instance, has used NPV in appraising IT-enabled investments.31 NPV’s advantages are a result of utilizing discounted incremental cash flows rather than forecast profits, which are used in the book rate of return and payback period methods. Discounted incremental cash flows are more realistic because forecast profits are dependent on the company’s accounting methods.32 Furthermore, the payback period is biased against long-term investments.
Identifying incremental cash flows is about identifying the difference in cash flows for the organization when accepting the investment and rejecting it. In accordance with Val IT’s principles and its investment management processes, such as IM4 (Develop full life-cycle costs and benefits), incremental cash flows should be those incurred during the investment’s full economic life cycle, thus including system acquisition, operation and retirement costs. Costs correspond to cash outflows whereas benefits correspond to cash inflows. Therefore, quantifying benefits and costs is required to perform an appraisal using NPV.
Cash flows must include the full scope of activities required to achieve business value, and these may come in many forms. Figure 5 identifies and explains rules33 for identifying cash flows when applying the NPV investment appraisal method. These rules should be used as a checklist whenever the NPV method is used. For instance, an unused server capacity or idle IT operations staff that will be utilized to operate an ERP system will have an opportunity cost, which must be reflected as a cash outflow. Just because they are currently available does not mean that they should be ignored.
Each cash flow is then discounted from the future period in which it will be realized back to the present date of the decision (e.g., year zero or today). The factor by which those future cash flows are divided to achieve present value is a function of the “discount rate.” It reflects the cost of capital and uncertainty in future cash flows as reflected in the investment’s risks. In essence, a higher discount rate is used for riskier investments because contingency is built into the discount rate. This can be viewed from the perspective that higher returns are required from riskier investments and, therefore, is consistent with the concept described as risk-adjusted return in the CGEIT Review Manual.34
Finally, the discounted cash flows (DCFs) in present values at year zero are then summed to arrive at the investment’s NPV. With other strategic and nonfinancial factors being constant, a firm should accept an investment if it has a positive NPV and reject it if it has a negative NPV. In practice, however, numbers do not tell a complete story, and the NPV value is not the sole determinant of decision making over investments. Step four in ISACA’s business case development method clearly states that nonfinancial benefits must be identified and considered as part of an investment’s appraisal.35 Managerial judgment is necessary.
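The discounting and summing steps described above can be written as a single formula. This is an added illustration, not part of the original article, and the symbols CF_t, r and T are notation assumed here:

$$\mathrm{NPV} = \sum_{t=0}^{T} \frac{CF_t}{(1+r)^{t}}$$

Here CF_t is the incremental cash flow in year t (benefits as positive inflows, costs as negative outflows, opportunity costs included), r is the risk-adjusted discount rate, and T is the last year of the investment's economic life cycle. The year-zero cash flow is divided by (1+r)^0 = 1 and so enters undiscounted, while a higher r shrinks every later term, which is how greater risk lowers the NPV of the same projected cash flows.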
It is a reality. IT must be run and, therefore, governed and managed as a business.36 Management is running out of excuses for accepting investments that do not deliver on promised business benefits, require costs and require reactions to multiple unplanned risk incidents. Fortunately, the abundance of GEIT best practices can help.
In particular, the business case is an instrumental tool for appraising investments and managing them throughout their life cycles. An effective business case may be based on the NPV investment appraisal method, thus considering expected benefits, costs and risk. For ERP investments, general benefits and costs are understood, and there exist common risk factors. Understanding these common risk factors can guide an organization to better understand and manage ERP investment risk. Applying the NPV method, including an understanding of the expected benefits, costs and risk, is a common practice in the business and finance community. Not only can this approach aid IT professionals in performing better informed appraisals, but it will also help them better communicate with the business and finance community, which often controls access to funds. The end result, therefore, includes improved communication, business-IT alignment and benefits realization.
1 ISACA, The Val IT Framework 2.0, 2008, www.isaca.org/valit
2 Ibid.
3 ISACA, COBIT 5, USA 2012, www.isaca.org/cobit5
4 ISACA, CGEIT Review Manual 2013, USA, 2012, www.isaca.org/bookstore
5 Op cit, ISACA, 2008
6 Please see the mapping of Val IT and Risk IT practices referenced in this article to COBIT 5 practices in: ISACA, COBIT 5: Enabling Processes, 2012, www.isaca.org/cobit5, p. 222-224.
7 Op cit, ISACA, COBIT 5, 2012
8 Op cit, ISACA, CGEIT Review Manual 2013, 2012
9 ISACA, Enterprise Value: Governance of IT Investments, The Business Case, USA, 2006, www.isaca.org
10 Anand, N.; R. Daft; “What Is the Right Organization Design?,” Organizational Dynamics, Elsevier, vol. 36, no. 4, 2007, p. 329-344
11 McKinsey Global Institute (MGI), Big Data: The Next Frontier for Innovation, Competition, and Productivity, 2011
12 Davenport, T. H.; “Competing on Analytics,” Harvard Business Review, January 2006
13 Shewhart, W. A., Statistical Method From the Viewpoint of Quality Control, Dover, USA, 1939
14 Op cit, COBIT 5, 2012
15 UK Cabinet Office, Information Technology Infrastructure Library (ITIL), UK, 2011
16 Software Engineering Institute (SEI), Capability Maturity Model Integration version 1.3, 2010
17 Kimberling, E.; The Case for and Against Using Multiple ERP Systems Across Your Organization, Panorama Consulting, 2012
18 Op cit, ISACA, CGEIT Review Manual 2013, 2012
19 Brealey, R.; S. Myers; F. Allen; Principles of Corporate Finance, 9th Edition, International Edition, McGraw-Hill Inc., 2008
20 ISACA, Risk IT, USA, 2009, www.isaca.org/riskit
21 ISACA, Information Risks: Whose Business Are They? IT Governance Domain Practices and Competencies Series, USA, 2005, www.isaca.org
22 Op cit, ISACA, 2009
23 Committee of Sponsoring Organizations (COSO), Enterprise Risk Management—Integrated Framework, 2004
24 Op cit, Software Engineering Institute
25 The author identified these risk factors as part of his wider practical case study research on GEIT and ERP system acquisitions, which also included risk management strategies for ERP system acquisitions.
26 Ehie, I. C.; M. Madsen; “Identifying Critical Issues in Enterprise Resource Planning (ERP) Implementation,” Computers in Industry, Elsevier, no. 56, 2005, p. 545-557
27 Wong, A.; H. Scarbrough; P. Y. K. Chau; R. Davison; Critical Failure Factors in ERP Implementation, 2005
28 Kimberling, E.; Nightmare Continues, Panorama Consulting, 2010
29 Op cit, Brealey, 2008
30 Op cit, ISACA, 2006
31 ISACA, Optimising Value Creation From IT Investments, IT Governance Domain Practices and Competencies, USA, 2005, www.isaca.org
32 Op cit, Brealey, 2008
33 Ibid.
34 Op cit, ISACA, CGEIT Review Manual 2013, 2012
35 ISACA, 2006
36 Innovation Value Institute (IVI), Information Technology Capability Maturity Framework (IT-CMF), 2012
Gregory Zoughbi, CISM, CGEIT, PMP, TOGAF9, ITIL Expert, COBIT 4.1 (F), is currently an advisor to chief information officers, promoting the education and adoption of governance of enterprise IT (GEIT). He previously worked at the headquarters of CAE Inc., General Dynamics Canada, and BMW Financial Services. He is a recipient of the ISACA CGEIT Geographic Achievement award.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.