Table of Contents
An estimated 1,000,000,000 people use Excel spreadsheets.
Clearly, the business community has bought into its effectiveness. And it’s no wonder: Excel has many great features. However, when it comes to managing Governance, Risk and Compliance (GRC), spreadsheets can actually be a dangerous tool.
The use of excel or other spreadsheet approaches can create more problems than they resolve. Although for an initial listing of risks and perhaps some assessments, they are very helpful.
But to create an ongoing process, it soon becomes clear that these tools are not up to the task for the long term.
The G in GRC can be anything from government regulations through contractual obligations and societal demands and on to organizational policies. Understanding the obligations imposed and the potential impact on the organization is critical to its survival.
- There are many examples of governance failures such as poorly implemented anti-bribery legislative requirements or plain old inept business practices.
- Perhaps the worst offender is non-specific contract language (“I didn’t know about that” is not a useful response).
Here it is critical to consider risk and reward — in its simplest state it’s “don’t risk a lot for a little”.
- It’s really a balance between what is enough risk compared with not enough risk.
- When the potential risk outweighs the potential reward you had better have some really effective control over the risks or be prepared to lose everything.
- Simplest examples can be found in the many media events where people do the stupidest things in the hope of getting some reward like a little money or fleeting fame.
- From a corporate perspective things are a little more painful: ranging from media reports of contract-gaining bribes to senseless cost cutting that ends in massive injury awards.
Simply, making sure the right things are being done in the right way at the right time. The trick is not to expend so much effort that the organization grinds to a halt.
How does the cost of complying with regulations compare to the cost of fees and fines incurred when caught out of compliance? Well, recently, a global manufacturer was fined a multi-billion dollar penalty for being found guilty of non-compliance with various regulations.
Let’s break it down a bit:
- U.S. population: approx. 325,000,0001
- World population: approx. 7,400,000,0002
- Total fines/compensation paid by manufacturer: $21,300,000,0003
Using these figures, every person in the world (as of August 2016) would have to incur an average of $2.87 to cover these fines and if the U.S. alone was responsible for this direct loss, it would equal $23 per person.
And these are just the direct costs. Reputational damage and the cost of redesigning processes will probably add another few billion to the total.
In GRC terms for this instance, the governance was ultimately the various regulations to which the company was required to comply.
There may have also been other governance within the company, such as policies not to attempt to cheat or mislead the public, or there may even have been contractual governance in the form of contract between buyer and seller of the product that minimum standards would be achieved.
The risk was that if found to be out of conformance, there could be penalties and costs to remediate.
It would be interesting to see the risk assessment for this instance (if there was one), including the evaluation of potential criminal actions and remediation costs.
Would the cost to comply for the period of this non-compliance have been anywhere close to these numbers, which equal nearly 14% of company revenue?
It’s hard to comprehend the full magnitude of the costs and it will be interesting to see how the company recovers.
Right on the heels of this news, another manufacturer was accused in January of similar fraudulent activities.
So, it’s worth wondering whether we can expect more emphasis in many organizations on fully assessing the risks of certain actions, and how effective monitoring of compliance be implemented and maintained.
GRC is not a singular challenge for organizations. In fact, governance, risk and compliance are merely categories for a whole host of challenges and risks embedded within each of those categories.
While there is no universally accepted definition of GRC, its three elements are usually characterized roughly as follows:
- Governance refers to the overall management processes of a given organization, which is essentially driven by the senior management (C-level) team.
- Risk Management refers to an organization’s attempts to identify and analyze threats to its operations. Often, these threats involve failure to conform to government regulations.
- Compliance refers to corrective actions made by the organization to mitigate risks that have been previously identified.
The Importance of ISO
ISO, the International Standards Organization, has published over 21,000 standards covering just about anything you can think of and probably a few you’d never imagine. It is a global organization, and has 163 national standards bodies as members.
That’s a lot of power as there are nearly 200 countries in the world. While many of its standards are more like guidelines than cast-in-stone mandates, they are often used to assist buyers and others in determining if it is a good idea to buy the product or service to which it applies.
Since the introduction of ISO 31000 on risk management in 2009, risk has increasingly been incorporated into these standards. In part, one assumes, to avoid wasting resources on blindly enforcing compliance with the last letter of the standard.
In April 2016 ISO 37001 was moved into the final stage before implementation. The standard applies to anti-bribery management systems, and is closely aligned to many governmental standards. What sets this standard apart from many standards is that organizations can get certified to be in compliance.
So, we expect to see a rash of opportunities to get trained as a “certifier”. This is, probably not in itself, a bad thing, but there is a need to be aware if two key components: Risk, and Process. Both need to be supported by an adequate level of efficiency, transparency, and auditability.
Risk is an essentially a combination of three factors:
- The likelihood the event will occur.
- The impact if it does occur.
- The timing of the event.
Most people are familiar with a 1:100 flood, but no-one is able to state exactly when that flood will occur. Similarly, how big is the impact? A very costly, ruinous event, or perhaps a slap on the wrist and don’t do it again?
Refer to ISO 31000 for an in-depth description of these components and a lot more related to risk.The questions are, essentially, “can the event occur (yes/no/perhaps)?” and “if it does occur, how bad are the consequences likely to be?” Neither of these values can be exact. To do so would mean there is complete certainty — the opposite of risk.
To be certified, organizations require processes that prove your organization has done enough to prevent bribery from occurring. Of course, there doesn’t seem to be much effort into minimizing the size of bribes, just the likelihood that they will occur. It is analogous to fire sprinklers that have never prevented a fire from starting, but typically do a great job of preventing the fire growing into an inferno. ISO 37001 addresses likelihood, but not impact.
For this the organization must be able to have a clear understanding of the relevant Governance(e.g. anti-bribery regulations in any country in which they operate), the level of risk (not always determined by the size of sales in a specific country), and it’s ability to get assurance from all the relevant participants (employees, customers, vendors, ectc) in an efficient,simple and secure manner.
This has all the hallmarks of another boost for the Chief Compliance Officer role, with a heavy dependence on technology to support the process.
To start with, many people who need to interact with the data do not do this on a daily basis, often much less frequently, and to expect probably >95% of the people who need to provide data and respond to the information, is usually asking too much, even if the spreadsheets have protected cells and drop downs.
In addition, the need to make changes to these drop downs and cells creates huge problems in an excel driven environment. For example, the simple process of making a change to a drop down.
Easy to do in one spreadsheet, but then there is the requirement for all users to have the same version or the data gathering will become a mess and the information gathered will be flawed.
Also, consider the need to be able to provide evidence to the wide range of stakeholders as to where the data came from – certainly it is possible to see the most current data, but where did that data come from and how has it changed?
In an excel environment, this soon becomes meaningless and unsustainable. A secure audit trail is critical to support an ERM process, especially as the integration of risk data from just about every part of an organization is becoming the norm, not the exception.
While there are many other factors that make a spreadsheet supported ERM process impossible to maintain correctly, consider just one other factor: “one source of the truth.”
With myriad spreadsheets, key data is often in multiple places and a change in one component will not be reflected in all the aggregated data until, or if, the relevant spreadsheet is even uploaded into some form of mega spreadsheet.
How will the user of this data have any hope of knowing this data is current and accurate if using many spreadsheets. Spreadsheets only lead to a false sense of knowledge and accuracy, and inevitably result in poor decisions based on faulty data.
GRC is complex. And if you’re using silo-inducing spreadsheets, which “speak the language” of only one department or one type of data set in each document, the likelihood of being able to manage through that complexity is almost nil.
1. Spreadsheets Are Difficult To Manage
Searching a spreadsheet is easy. Searching many of them, not so much. With that in mind, are reams of spreadsheets an effective way to find information?
Not really. Of course, you could always consolidate your many spreadsheets into one, but this is just as labor intensive.
It’s likely your compliance risk management team members spend enormous amounts of hours constructing, posting, editing, and reporting via spreadsheets. It’s critical work but is it efficient? Or cost effective? Or easy to build good reports? And finally, do they scale well? More often than not, the answer to these questions is “no.”
Spreadsheets burn through your payroll, consuming time and resources–requiring your staff to be Excel wizards instead of actual GRC experts who could be leveraged to solve critical challenges.
2. Spreadsheets Are Prone To Errors
Myriad spreadsheets often mean myriad mistakes. Research even suggests that 88 percent of business spreadsheets contain errors.
Errors regularly result from the misinterpretation of data as one evaluates a multitude of spreadsheets in different formats; or from mistakes made while manually re-entering data in order to consolidate many spreadsheets into one.
As such, spreadsheets either lead to a false sense of knowledge and accuracy, or, conversely, they lead to complete data distrust. Either way, poor decision making is often the outcome.
3. Spreadsheets Do Not Provide A Chain Of Evidence
Version control and data security are real struggles with spreadsheets. Much uncertainty exists around if and when information has been updated and who updated the information. It can leave users asking
- Is this the correct date? Or was it changed?
- Is this an accurate entry? Or was it modified?
- Did I make this entry? Or did someone else?
This can further contribute to mistake-laden data, as well as a lack of accountability for faulty information that could negatively impact your business.
Spreadsheets have many advantages, but not when it comes to managing governance, risk or compliance. Integrated Risk Management technology, on the other hand, solves for many of the problems that spreadsheets create—simply because of its design.
First and foremost, such technology operates in the cloud—automatically collecting and updating data in real time.
It surfaces relevant GRC information from wherever it’s hiding in your organization; connects it with other internal and external data; and then normalizes it with data processing tools to ensure consistency among the data you’re comparing.
As such, it’s easy to access and analyze up-to-the second risk management data with just a few clicks instead cobbling together a bunch of spreadsheets into a mega spreadsheet that will essentially be out of date once it’s time to report.
Even more, the right Integrated Risk Management technology will be specifically tailored for managing GRC—providing a whole suite of applications to improve efficiency and consistency of all business processes and decisions related to corporate governance, risk and compliance.
Don’t let spreadsheets stand in the way. Integrated Risk Management technology can simplify and automate your GRC programs—allowing you to implement, tailor, extend and scale your GRC capabilities.
Extracting return on investment (ROI) from GRC is a bit like finding the lost city of Atlantis, the Holy Grail, or even an easy way to complete a tax return.
It is important to at least establish some defendable parameters around the value to the organization before even bothering about all this governance, risk and compliance.
This may seem a bit negative but we are at a tipping point in how all this can be brought together in a rational, cost effective way. Technology has changed the whole industry, even in the past 5-10 years.
Creating a single view into the organization-wide governance, risk and compliance makes overlaps and shortfalls jump right out.
With today’s connectivity available at vastly lower costs and reduced time, managers can now see all the moving parts and take actions to manage the governance over their organization, understand and appropriately respond to the risks this governance brings, and carry out the optimum level of compliance.
However, while ROI is hard to define accurately, the core cost of the technology that powers integrated risk management systems can be spread out as it scales across the enterprise.
The ability to work with other parts of the organization to get this integrated view increases the value of the Risk function to the organization.
Far from being a cost center, Risk can become an integral part of making the strategy of the organization and work as expected.
None of this replaces the reliance on management to manage — but it will make that role more manageable.
Learn more about how risk management software can keep you compliant and ethical.