Have your GRC spreadsheets hit the complexity barrier?
Using spreadsheets and documents across disparate systems to manage risk processes is ‘the inevitability of failure’.
But is it cost-effective to continue using them in a GRC context, when regulators are now looking for licensees to embed compliance and risk management within their businesses, with increased interest in Conduct Risk, Financial Crime, Data Protection and numerous other initiatives?
According to GRC expert Michael Rasmussen, using spreadsheets and documents across disparate systems to manage risk processes is ‘the inevitability of failure’. At the GRC2020 keynote he said: “We live in an integrated risk environment. We need to see these different parts of risk coming at us from different parts of the organizaton; they are too often buried in siloes and we fail to see these interrelationships.”
The truth is, single documents, such as spreadsheets, can quickly become static without extensive manual handling and editing. Additionally, maintaining version/document control elements and ensuring that formula mistakes are not providing false results become time-consuming.
Ideally, the spreadsheet requires a gatekeeper who maintains and understands the process, and that’s when it stops presenting as cost-effective. Spreadsheets are not databases, nor do they provide the audit trail of change required to evidence requirements. This becomes even more critical in the wake of new regulatory requirements for Operational Resilience and Environmental, Social and Governance (ESG) reporting, further increasing the complexity and workload for regulators and compliance managers.
This is when the spreadsheet has hit the complexity barrier as risk and compliance managers spend more time chasing staff and updating these tools than carrying out their actual functions. Research has uncovered that up to 80% of staff time was on chasing and managing documents, rather than managing risk (GRC 2020).
The alternative of an enterprise GRC solution can be easily justified. It is far cheaper than hiring more staff, provides a consistent approach, continuity of knowledge/standards, and makes reporting far easier.
If you find yourself engulfed in the black hole of GRC spreadsheet systems, it’s time to incorporate a dedicated and automated system into your GRC framework.