An estimated billion people use Excel. Clearly, the business community has bought into its effectiveness. And it’s no wonder: Excel has many great features. However, when it comes to managing Governance, Risk and Compliance (GRC), spreadsheets can actually be a dangerous tool.
There are many frameworks and standards that provide extensive guidance on implementing and improving enterprise risk management. As Albert Sica from ALS Group recently pointed out, one of the key components is to find out what the objectives are and then address the risks to those objectives. ISO 31000 provides the most comprehensive guide to establishing an effective ERM process, and one of its key mantras is that it all comes back to the risks to objectives.
One of the challenges most organizations face is that ERM is a process, not an event. Excel and other spreadsheet approaches can create more problems than they resolve. For an initial listing of risks, and perhaps some assessments, they are very helpful; but once the aim is an ongoing process, it soon becomes clear that these tools are not up to the task for the long term.
First Off, What is GRC?
The G in GRC can be anything from government regulations through contractual obligations and societal demands and on to organizational policies. Understanding the obligations imposed and the potential impact on the organization is critical to its survival. There are many examples of governance failures such as poorly implemented anti-bribery legislative requirements or plain old inept business practices. Perhaps the worst offender is non-specific contract language (“I didn’t know about that” is not a useful response).
Here it is critical to consider risk and reward. In its simplest form the rule is "don't risk a lot for a little": a balance between taking too much risk and taking too little. When the potential risk outweighs the potential reward, you had better have some really effective control over that risk or be prepared to lose everything. The simplest examples can be found in the many media stories of people doing the stupidest things in the hope of a little money or fleeting fame. From a corporate perspective things are a little more painful, ranging from media reports of contract-winning bribes to senseless cost cutting that ends in massive injury awards.
The C, simply put, is making sure the right things are being done in the right way at the right time. The trick is not to expend so much effort that the organization grinds to a halt.
The Challenges With GRC
GRC is not a singular challenge for organizations. In fact, governance, risk and compliance are merely categories for a whole host of challenges and risks embedded within each of those categories. While there is no universally accepted definition of GRC, its three elements are usually characterized roughly as follows:
- Governance refers to the overall management processes of a given organization, driven by the senior management (C-level) team.
- Risk Management refers to an organization’s attempts to identify and analyze threats to its operations. Often, these threats involve failure to conform to government regulations.
- Compliance refers to corrective actions made by the organization to mitigate risks that have been previously identified.
Why Spreadsheets Are Dangerous for Governance Risk and Compliance
To start with, many of the people who need to interact with the data do not do so on a daily basis, and often far less frequently. Expecting the 95 percent or more of occasional users to enter data correctly and act on the results is usually asking too much, even if the spreadsheets have protected cells and drop-downs. In addition, the need to change those drop-downs and cells creates huge problems in an Excel-driven environment. Take the simple process of changing a drop-down: it is easy to do in one spreadsheet, but then every user must be on the same version, or data gathering becomes a mess and the information gathered is flawed.
Also, consider the need to provide evidence to a wide range of stakeholders as to where the data came from. It is certainly possible to see the most current data, but where did that data come from and how has it changed? In an Excel environment this soon becomes meaningless and unsustainable. A secure audit trail is critical to support an ERM process, especially as the integration of risk data from just about every part of an organization is becoming the norm, not the exception.
While there are many other factors that make a spreadsheet supported ERM process impossible to maintain correctly, consider just one other factor: “one source of the truth.”
With myriad spreadsheets, key data is often in multiple places, and a change in one component will not be reflected in the aggregated data until, or unless, the relevant spreadsheet is uploaded into some form of mega spreadsheet. How can the user of this data have any hope of knowing it is current and accurate when it is spread across many spreadsheets? Spreadsheets only lead to a false sense of knowledge and accuracy, and inevitably result in poor decisions based on faulty data.
GRC is complex. And if you’re using silo-inducing spreadsheets, which “speak the language” of only one department or one type of data set in each document, the likelihood of being able to manage through that complexity is almost nil.
Here are three reasons spreadsheets actually get in the way of managing GRC:
- They are difficult to manage.
- They are prone to errors.
- They do not provide a chain of evidence.
Spreadsheets Are Difficult To Manage
Searching a spreadsheet is easy. Searching many of them, not so much. With that in mind, are reams of spreadsheets an effective way to find information? Not really. Of course, you could always consolidate your many spreadsheets into one, but this is just as labor intensive.
It’s likely your risk and compliance team members spend enormous amounts of hours constructing, posting, editing, and reporting via spreadsheets. It’s critical work but is it efficient? Or cost effective? Or easy to build good reports? And finally, do they scale well? More often than not, the answer to these questions is “no.”
Spreadsheets burn through your payroll, consuming time and resources and requiring your staff to be Excel wizards instead of the GRC experts who could be solving critical challenges.
Spreadsheets Are Prone To Errors
Myriad spreadsheets often mean myriad mistakes. Research even suggests that 88 percent of business spreadsheets contain errors. Errors regularly result from the misinterpretation of data as one evaluates a multitude of spreadsheets in different formats; or from mistakes made while manually re-entering data in order to consolidate many spreadsheets into one.
As such, spreadsheets either lead to a false sense of knowledge and accuracy, or, conversely, they lead to complete data distrust. Either way, poor decision making is often the outcome.
Spreadsheets Do Not Provide A Chain Of Evidence
Version control and data security are real struggles with spreadsheets. Much uncertainty exists around if and when information has been updated and who updated the information. It can leave users asking
- Is this the correct date? Or was it changed?
- Is this an accurate entry? Or was it modified?
- Did I make this entry? Or did someone else?
This can further contribute to mistake-laden data, as well as a lack of accountability for faulty information that could negatively impact your business.
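To make concrete what a chain of evidence has to provide, here is an added example (not code from the original article, and not any vendor's product) of a tamper-evident change log for a risk register. Every edit records who made it, when, which field changed and the old and new values, and each entry is hashed together with the previous entry's hash, so an in-place rewrite or a deleted entry is detectable on verification. The class and method names, the `R-17` risk identifier and the sample users and timestamps are all constructed for the illustration.

```python
"""Tamper-evident change log for a risk register (added illustration).

Each change records who made it, when, which field changed, and the old and
new values, and is chained to the previous entry by a SHA-256 hash, so that
editing or deleting an earlier entry is detectable. This is the property the
article calls a "chain of evidence", and it is what a shared spreadsheet lacks.
All names and sample data below are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Change:
    seq: int
    user: str
    timestamp: str      # ISO 8601, supplied by the caller for reproducibility
    risk_id: str
    field_name: str
    old_value: Optional[str]
    new_value: str
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> bytes:
        # Canonical JSON so the hash does not depend on key ordering.
        body = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


GENESIS = "0" * 64   # prev_hash of the first entry


class RiskRegister:
    """Current state plus an append-only log of how it got there."""

    def __init__(self) -> None:
        self.state: dict = {}          # risk_id -> {field_name: value}
        self.log: List[Change] = []

    def record(self, user: str, timestamp: str, risk_id: str,
               field_name: str, new_value: str) -> Change:
        """Apply a change and append it to the hash chain."""
        old = self.state.get(risk_id, {}).get(field_name)
        prev = self.log[-1].entry_hash if self.log else GENESIS
        change = Change(len(self.log), user, timestamp, risk_id, field_name,
                        old, new_value, prev)
        change.entry_hash = hashlib.sha256(change.payload()).hexdigest()
        self.state.setdefault(risk_id, {})[field_name] = new_value
        self.log.append(change)
        return change

    def verify(self) -> Optional[int]:
        """Return the index of the first bad entry, or None if the chain is intact."""
        prev = GENESIS
        for i, c in enumerate(self.log):
            if c.seq != i or c.prev_hash != prev:
                return i        # entry removed, reordered, or re-linked
            if hashlib.sha256(c.payload()).hexdigest() != c.entry_hash:
                return i        # entry content edited after the fact
            prev = c.entry_hash
        return None

    def history(self, risk_id: str, field_name: str) -> List[Tuple]:
        """Answer 'who changed this value, when, and from what?'"""
        return [(c.user, c.timestamp, c.old_value, c.new_value)
                for c in self.log
                if c.risk_id == risk_id and c.field_name == field_name]


def demo() -> Tuple:
    """Build a register, then alter an old entry in place and show it is caught."""
    reg = RiskRegister()
    reg.record("alice", "2024-03-01T09:00:00Z", "R-17", "likelihood", "high")
    reg.record("bob", "2024-03-02T14:30:00Z", "R-17", "owner", "finance")
    reg.record("alice", "2024-03-05T11:15:00Z", "R-17", "likelihood", "medium")
    intact = reg.verify()                        # None: chain is good
    trail = reg.history("R-17", "likelihood")    # full provenance of one cell
    # A spreadsheet-style edit: someone rewrites history in place.
    reg.log[0].new_value = "low"
    tampered = reg.verify()                      # 0: first entry no longer matches its hash
    return intact, tampered, trail


if __name__ == "__main__":
    print(demo())
```

Deleting an entry is caught the same way, because the next entry's `seq` and `prev_hash` no longer line up. An attacker who can recompute every hash after the edit can still rewrite the whole chain, so in practice the latest `entry_hash` is anchored somewhere the editors cannot touch (a separate write-once store or a signed daily digest); that anchoring is outside this example. The point for the discussion above is that each of the three questions (is this the right date, was this entry modified, who made it) has a definite answer, which is exactly what a shared spreadsheet does not give.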
How To Prevent Spreadsheets From Threatening GRC
Spreadsheets have many advantages, but not when it comes to managing governance, risk or compliance. Integrated Risk Management technology, on the other hand, solves for many of the problems that spreadsheets create—simply because of its design.
First and foremost, such technology operates in the cloud—automatically collecting and updating data in real time. It surfaces relevant GRC information from wherever it’s hiding in your organization; connects it with other internal and external data; and then normalizes it with data processing tools to ensure consistency among the data you’re comparing.
As such, it’s easy to access and analyze up-to-the-second risk management data with just a few clicks, instead of cobbling together a bunch of spreadsheets into a mega spreadsheet that will essentially be out of date by the time it’s time to report.
Even more, the right Integrated Risk Management technology will be specifically tailored for managing GRC—providing a whole suite of applications to improve efficiency and consistency of all business processes and decisions related to corporate governance, risk and compliance.
Don’t let spreadsheets stand in the way. Integrated Risk Management technology can simplify and automate your GRC programs—allowing you to implement, tailor, extend and scale your GRC capabilities.
How To Improve The ROI of Your GRC Investment
Extracting return on investment (ROI) from GRC is a bit like finding the lost city of Atlantis, the Holy Grail, or even an easy way to complete a tax return. It is important to at least establish some defensible parameters around the value to the organization before even bothering with all this governance, risk and compliance.
This may seem a bit negative but we are at a tipping point in how all this can be brought together in a rational, cost effective way. Technology has changed the whole industry, even in the past 5-10 years. Creating a single view into the organization-wide governance, risk and compliance makes overlaps and shortfalls jump right out. With today’s connectivity available at vastly lower costs and reduced time, managers can now see all the moving parts and take actions to manage the governance over their organization, understand and appropriately respond to the risks this governance brings, and carry out the optimum level of compliance.
However, while ROI is hard to define accurately, the core cost of the technology that powers integrated risk management systems can be spread out as it scales across the enterprise. The ability to work with other parts of the organization to get this integrated view increases the value of the Risk function to the organization. Far from being a cost center, Risk can become an integral part of making the organization's strategy work as expected.
None of this replaces the reliance on management to manage — but it will make that role more manageable.