Have your GRC spreadsheets hit the complexity barrier?

Using spreadsheets and documents across disparate systems to manage risk processes is ‘the inevitability of failure’. 

By Ansarada | Fri Feb 10 2023 | CEO-CFO, Security and risk management, Governance Risk and Compliance

Most organizations use manual or semi-automated processes and spreadsheets to capture, manage, and report compliance, risk management, and regulatory change across the business. These processes take the form of spreadsheets and can be a great start to an organization’s Governance, Risk and Compliance (GRC) program. They allow the user to quickly articulate the organization’s risk framework, set up a risk register, formulate the obligations register and meet some immediate needs. As such, they have gained traction in managing compliance efforts and risk within many organizations.

But is it cost-effective to continue using them in a GRC context, when regulators are now looking for licensees to embed compliance and risk management within their businesses, with increased interest in Conduct Risk, Financial Crime, Data Protection and numerous other initiatives?

According to GRC expert Michael Rasmussen, using spreadsheets and documents across disparate systems to manage risk processes is ‘the inevitability of failure’. At the GRC2020 keynote he said: “We live in an integrated risk environment. We need to see these different parts of risk coming at us from different parts of the organization; they are too often buried in siloes and we fail to see these interrelationships.”

The truth is, single documents, such as spreadsheets, can quickly become static without extensive manual handling and editing. Additionally, maintaining version/document control elements and ensuring that formula mistakes are not providing false results become time-consuming.

Ideally, the spreadsheet requires a gatekeeper who maintains and understands the process, and that’s when it stops presenting as cost-effective. Spreadsheets are not databases, nor do they provide the audit trail of change required to evidence requirements. This becomes even more critical in the wake of new regulatory requirements for Operational Resilience and Environmental, Social and Governance (ESG) reporting, further increasing the complexity and workload for regulators and compliance managers. 

This is when the spreadsheet has hit the complexity barrier: risk and compliance managers spend more time chasing staff and updating these tools than carrying out their actual functions. Research has uncovered that up to 80% of staff time was spent chasing and managing documents, rather than managing risk (GRC 2020).

The alternative of an enterprise GRC solution can be easily justified. It is far cheaper than hiring more staff, provides a consistent approach, continuity of knowledge/standards, and makes reporting far easier.

If you find yourself engulfed in the black hole of GRC spreadsheet systems, it’s time to incorporate a dedicated and automated system into your GRC framework.


It's time to ditch the spreadsheets

From messy to magic, Ansarada TriLine GRC brings unmatched order to your organization so you can confidently achieve objectives, manage risks and navigate uncertainty.