ISACA Journal
Volume 1, 2014


Unlocking Hidden Value in ERP System Acquisitions Using Risk Management 

Gregory Zoughbi, CISA, CISM, CGEIT, CRISC, COBIT 4.1 (F), ABCP, CISSP, ITIL Expert, PMP, TOGAF 9 (C) 

A proper understanding of a potential enterprise resource planning (ERP) investment’s benefits, costs and risk is essential for successfully creating its business case. In particular, the business case includes a net present value (NPV) calculation, but this requires quantifying the benefits, costs and risk.1 Generally, the NPV increases as benefits increase and as risk and costs decrease. One way to make an ERP investment more attractive is to reduce its risk while ensuring that its benefits minus costs remain constant or increase. One way to achieve this is using risk management practices.2

A Simplified Risk Management Process

Various frameworks and standards for risk management exist, including ISACA’s Risk IT,3 ISO’s 31000:2009 Risk Management,4 Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Enterprise Risk Management—Integrated Framework5 and the National Institute of Standards and Technology (NIST)’s Special Publication (SP) 800-30 Guide for Conducting Risk Assessments.6 A simplified risk management process is illustrated in figure 1.

Figure 1

The process begins by defining the scope and context for risk management. This is then followed by a risk assessment step in which risk is identified and analyzed qualitatively and, as much as possible, quantitatively.

Once risk is understood, controls can be added to reduce the likelihood of the risk occurrence or its impact. Because risk is a function of its likelihood and impact, reducing either of those elements results in a reduced residual risk (the risk that remains after a control is implemented). In addition, a control may be added to transfer the risk, in full or in part, to third parties, e.g., by purchasing insurance. In this way, the impact of risk to the organization is reduced. Finally, risk can also be reduced by avoiding the activities or circumstances that create the risk scenario.

What remains after risk treatment is an acceptable residual risk. Risk management is a cyclic process, so scope definition, or revision, follows. Risk must be continuously monitored so that appropriate responses are taken.

ERP Risk Assessment

An appropriate risk assessment requires identifying and understanding risk factors, which are “those factors that influence the frequency and/or business impact of risk scenarios.”7 Risk factors common across ERP system acquisitions are presented in figures 2 and 3.8, 9

Figure 2

ERP Risk Treatment and Its Impact on the Business Case

Figure 3

In NPV calculations, risk is represented by the discount rate for future cash flows. Because organizations require higher returns on riskier investments, the discount rate changes in the same direction as the risk: an increase in risk results in a higher discount rate and vice versa. Moreover, the higher the discount rate, the less future cash flows contribute to the NPV. If one reduces risk, the discount rate for future cash flows decreases, thus leading to an increased contribution of future cash flows to the NPV. Because net cash flows attributed to ERP systems are more likely to be positive in later years, reducing the risk and the discount rate generally results in a higher NPV. This makes the business case for an ERP system acquisition more attractive.

Figure 4 illustrates an NPV calculation example for an ERP system acquisition based on a nine-year life cycle. In this example, risk treatment resulted in reducing the discount rate from 15 percent to 10 percent, which resulted in increasing the NPV from a negative US $487,000 to a positive US $1,549,994. As a result, a previously unattractive investment became desirable with proper risk treatment. One way to estimate the discount rate is to compare the investment being evaluated to other investments with known risk and discount rates. These may be, for instance, past investments of this organization or similar investments of other organizations.
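The following added example (not code from the article) works the discount-rate argument through on a constructed nine-year cash-flow profile; the amounts are illustrative and do not reproduce figure 4. It also computes the break-even discount rate, the highest risk-adjusted rate at which the investment still has a non-negative NPV, which tells a business case creator how far risk treatment must lower the rate.

```python
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[t] is the net cash flow at the end of year t (t = 0 is today)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def npv_gain(cash_flows: Sequence[float], high_rate: float, low_rate: float) -> float:
    """How much NPV rises when risk treatment lowers the discount rate from high_rate to low_rate."""
    return npv(low_rate, cash_flows) - npv(high_rate, cash_flows)


def break_even_rate(cash_flows: Sequence[float], lo: float = 0.0, hi: float = 1.0, iters: int = 100) -> float:
    """Discount rate at which NPV is zero (the internal rate of return), found by bisection.

    Risk treatment must bring the discount rate below this value for the business case to
    turn positive. Assumes a single sign change, i.e. NPV(lo) > 0 > NPV(hi), which holds
    for the usual spend-first, benefit-later ERP profile.
    """
    if npv(lo, cash_flows) <= 0 or npv(hi, cash_flows) >= 0:
        raise ValueError("NPV must be positive at lo and negative at hi")
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if npv(mid, cash_flows) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


# Constructed nine-year ERP profile (USD thousands, years 0..8): licences, implementation and
# phased module rollout dominate the early years; benefits arrive once modules are live.
# These figures are illustrative assumptions and do not reproduce the article's figure 4.
ERP_CASH_FLOWS = [-900, -700, -300, 200, 500, 650, 750, 800, 850]

# The same amounts in reverse order: a front-loaded profile used only as a contrast, to show
# that lowering the rate helps only when the positive flows sit in the later years.
FRONT_LOADED_FLOWS = list(reversed(ERP_CASH_FLOWS))

if __name__ == "__main__":
    for rate in (0.15, 0.10):
        print(f"NPV at {rate:.0%}: {npv(rate, ERP_CASH_FLOWS):,.1f}")
    print(f"Gain from 15% -> 10% (ERP profile):   {npv_gain(ERP_CASH_FLOWS, 0.15, 0.10):,.1f}")
    print(f"Gain from 15% -> 10% (front-loaded): {npv_gain(FRONT_LOADED_FLOWS, 0.15, 0.10):,.1f}")
    print(f"Break-even discount rate: {break_even_rate(ERP_CASH_FLOWS):.2%}")
```

With this profile the NPV is negative at 15 percent and positive at 10 percent, mirroring the direction of the change in figure 4, while the front-loaded contrast profile actually loses value when the rate falls.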

Figure 4

As demonstrated, treating risk can significantly alter the business case. Risk related to these risk factors can be treated in various ways. One method is to add administrative controls—“the rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.”10 The following are three examples of risk treatment techniques using administrative controls:

  • Define IT principles.
  • Require professional certifications.
  • Enhance the IT governance framework.

Define IT Principles

IT principles are “general rules and guidelines, intended to be enduring and seldom amended, that…provide guidance on the use and deployment of all IT resources and assets across the enterprise. They are developed in order to make the information environment as productive and cost-effective as possible.”11

An organization should define IT principles that are suitable to its context and strategic objectives. The life cycle of ERP systems is measured in years and can exceed a decade. Acquisition alone can take a few years because ERP systems impact the entire organization. For instance, ERP systems include several modules such as finance, human resources (HR), procurement and learning management. Furthermore, each module is often implemented in phases, prolonging the acquisition period. Therefore, it is appropriate to define IT principles to guide ERP system acquisitions.

Given the common ERP risk factors previously discussed, it is possible to define IT principles to mitigate related risk. In essence, IT principles serve as administrative controls to reduce the likelihood and/or impact of risk. Figure 5 provides examples of IT principles for the ERP risk factors. For example, an IT principle to “involve top management in key decisions and obtain their support” can reduce risk related to top management support (risk factor number four in figure 5) by addressing areas of concern such as the allocation of sufficient financial and human resources, the resolution of political problems, and communication with employees. Because members of top management contributed to making the decisions, they are more likely to feel like owners of the initiative and, therefore, support it.

Figure 5

Require Professional Certifications

Organizations can reap benefits by requiring staff and consultants to hold appropriate professional certifications. Certifications provide an independent confirmation of credibility, enable job standardization and, most important, ensure that certification holders are skilled and motivated.12 Requiring ERP project team members to hold relevant certifications can mitigate ERP system acquisition risk and, therefore, increase the likelihood of acquisition success and business benefit realization. Implementing this should ideally be achieved in collaboration with the HR department.

Obtaining a professional certification typically requires demonstrating competency by successfully passing an examination and completing a minimum number of relevant years of work experience. For example, ISACA defines task statements and knowledge statements for each of its professional certifications. Task statements are used to demonstrate relevant work experience, whereas examinations are based on knowledge statements. Of special relevance to ERP risk factors are ISACA’s Certified in Risk and Information Systems Control (CRISC),14 Certified in the Governance of Enterprise IT (CGEIT)15 and Certified Information Systems Auditor (CISA).16 CRISC is concerned with risk management and, therefore, is generally relevant to all risk factors. CGEIT and CISA are also relevant to all risk factors, but are likely to be more useful for some risk factors over others. For instance, CGEIT is more relevant for obtaining top management support (risk factor number four) than for project management (risk factor number one) because of governance’s focus on executive/top management and boards of directors. Similarly, CISA is more relevant for auditing ERP evaluation and selection (risk factor number three) than for managing expectations (risk factor number nine).

In addition, the Project Management Institute (PMI) defines the Project Management Body of Knowledge (PMBOK)17 for the Project Management Professional (PMP®)18 certification. A PMP certification is especially relevant for the ERP project manager and project management team because it requires practicing proper project management (risk factor number one), including ERP evaluation and selection (risk factor number three), obtaining top management support (risk factor number four), and managing expectations (risk factor number nine).

Another relevant certification is The Open Group’s TOGAF® 9.19 TOGAF is an enterprise architecture framework that includes business, information systems and technology architectures in its scope. Therefore, it is relevant to all risk factors but, given the architectural complexity of ERP systems, TOGAF 9 is especially relevant for BPR and change management (risk factor number two) and ERP evaluation and selection (risk factor number three) because they are directly impacted by the architecture.

Figure 6

Furthermore, some non-IT certifications are also relevant. For example, the Institute of Management Consultants USA (IMC USA) defines a common body of knowledge20 for its Certified Management Consultant (CMC)21 certification. One may ensure that independent consultants (risk factor number five) hold this certification to ensure that they follow proper consulting practices and utilize CMC competencies for BPR and change management (risk factor number two) and managing expectations (risk factor number nine). Furthermore, various HR certifications are also helpful for human resource development (risk factor number eight).

Other certifications can also be helpful and include the APMG Sourcing Governance Foundation22 because its scope includes acquisitions and outsourcing. Furthermore, vendor-specific IT certifications, such as those of SAP, Oracle, Microsoft and IBM, are especially important for ensuring technical competency of the ERP product being implemented and its supporting IT infrastructure (risk factor number 10).

Figure 6 summarizes the relationships between these certifications and ERP risk factors.

Enhance the IT Governance Framework

Establishing and maintaining an IT governance framework is key to effective governance of enterprise IT. Leadership, organizational structures and processes are the key components of an IT governance framework.23 An effective IT governance framework supports the objective of governance, which is value creation through benefits realization, risk optimization and resource optimization.24

Every organization should have its own specific IT governance and IT management frameworks.25, 26, 27 However, they can benefit from established IT governance and management frameworks to reduce the ERP risk factors. For instance, COBIT 5 and its previous versions introduced processes common to effective IT organizations. Each process is described in detail by identifying, for example, its inputs, practices, outputs, measures and goals. By considering these, an organization can enhance its IT governance and management frameworks by considering lessons learned by other organizations.

Figure 7

Figure 7 illustrates how COBIT 5 can be used to treat risk resulting from top management support (risk factor number four). First, the risk factor’s areas of concern are analyzed separately. Next, COBIT 5 processes that can treat risk related to the area of concern are identified. Finally, COBIT 5 processes for all areas of concern for that risk factor are grouped together to form control drivers. As a result, the control drivers become best practice guidance for reducing risk related to the risk factor.

Repeating this process for the top five risk factors identifies the control drivers (figure 8). Of these control drivers, eight COBIT 5 processes address approximately 70 percent of the risk related to these five risk factors. This accounts for the difference in risk factor importance and assumes that areas of concern within a single risk factor have equal importance. These control drivers are COBIT 5 EDM01, EDM02, EDM03, EDM04, EDM05, APO07, APO08 and BAI01.

Figure 8

Additionally, other frameworks can also assist with governance-related issues (see, for example, the related guidance section at the end of each COBIT 5 process). For instance, the Information Technology Infrastructure Library (ITIL®)28 covers IT service management and, therefore, it assists in improving the delivery of IT services including ERP information services. Furthermore, PMBOK is relevant for managing IT projects, and so is Capability Maturity Model Integration (CMMI)29 because it focuses on product development and acquisitions. TOGAF also includes an architecture development method (ADM) that addresses business, information systems and technology architectures. Finally, the APMG sourcing governance framework30 is also relevant because it focuses on outsourcing and acquisitions.

Figure 9

Figure 9 identifies the control drivers for the top five risk factors.


Risk is an important element of an ERP system acquisition business case; its role and impact are tremendous and can completely alter the investment decision. A business case creator must understand risk management practices and make sure appropriate risk management is conducted before a decision is made on the business case. In this way, an organization can avoid rejecting an ERP investment that can produce business benefits if appropriate risk management is performed. Therefore, risk treatment can unlock hidden value and business benefits in potential ERP investments.

Risk treatment can be done in various ways and may be simple to achieve. Given the common ERP risk factors, this article has presented three risk treatment techniques that are based on defining IT principles, requiring professional certifications and enhancing the IT governance framework. A risk management practitioner is well positioned to use these risk treatment techniques and can do so with the assistance of numerous widely accepted IT certifications and IT governance and management frameworks. The wheel need not be reinvented, but rather intelligently utilized to unlock hidden value in investments through early risk treatment and appropriately preparing more favorable business cases.


1 Zoughbi, G.; “Creating the Business Case for ERP System Acquisitions Using GEIT,” ISACA Journal, vol. 1, 2013
2 Zoughbi, G.; G. Kattnig; S. Parkinson; “Using Governance and Risk Management Practices to Improve Outcomes of Enterprise Resource Planning (ERP) System Acquisitions,” BCS International IT Conference, 2013
3 With the release of COBIT 5 in 2012, key elements of Risk IT have been incorporated in COBIT. COBIT for Risk was released in August 2013 and can be found at
4 International Organization for Standardization (ISO), ISO 31000:2009, Risk management—Principles and guidelines, 2009
5 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework, 2004
6 National Institute of Standards and Technology (NIST), Special Publication 800-30, Guide for Conducting Risk Assessments, 2012
7 ISACA, Risk IT, USA, 2009,
8 Op cit, Zoughbi, Kattnig and Parkinson, 2013
9 Op cit, Zoughbi, 2013
10 ISACA, Glossary, 2013,
11 The Open Group, The Open Group Architecture Framework (TOGAF), 2011
12 Smart, B.; “Why Should Organizations Care About Professional Certifications?,” ISACA Journal, vol. 2, 2013
13 Herzberg, F.; “One More Time: How Do You Motivate Employees?” Harvard Business Review, September-October 1987, p. 5-16
14 ISACA, CRISC Certification Job Practice, 2013,
15 ISACA, CGEIT Certification Job Practice, 2013,
16 ISACA, CISA Certification Job Practice, 2013,
17 Project Management Institute (PMI), A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th Edition, 2008
18 Project Management Institute (PMI), PMI PMP Credential, 2013,
19 The Open Group, TOGAF 9 Certification Program, 2011
20 Institute of Management Consultants USA, IMC USA’s Competency Framework and Certification Scheme for Certified Management Consultants (CMC), 2010,
21 Institute of Management Consultants USA, “What Is the CMC?,” 2013,
22 APMG-International, Sourcing Governance Foundation Certification, 2013,
23 ISACA, Board Briefing on IT Governance, 3rd Edition, 2003
24 ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, 2012,
25 Burns, T.; G. M. Stalker; The Management of Innovation, London, 1961
26 Lawrence, P. R.; J. W. Lorsch; Organization and Environment: Managing Differentiation and Integration, Harvard University, USA, 1967
27 Chandler Jr., A. D.; Strategy and Structure: Chapters in the History of the American Industrial Enterprise, MIT Press, USA, 1962
28 The APM Group Ltd., ITIL, version 3, UK, 2007
29 Software Engineering Institute (SEI), Capability Maturity Model Integration, version 1.3, 2010
30 APMG-International, The Demand Supply Governance Framework, 2012

Gregory Zoughbi, CISA, CISM, CGEIT, CRISC, COBIT 4.1 (F), ABCP, CISSP, ITIL Expert, PMP, TOGAF 9 (C), is an advisor to chief information officers (CIOs) and chief executive officers (CEOs) on the governance of enterprise IT (GEIT) and business administration. He advocates using business administration concepts in the governance and management of enterprise IT. Zoughbi previously worked at the headquarters of CAE Inc., General Dynamics Canada and BMW Financial Services. He is a recipient of the ISACA CGEIT Geographic Achievement Award.



Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.