How moving from spreadsheets to a GRC solution provides better reporting
Updated: Jan 7
GRC expert Michael Rasmussen explains the limitations and potential pitfalls of using spreadsheets for GRC, and why it's important for organisations to move towards integrated GRC management solutions that provide audit trails, consistency, and integrated reporting.
Spreadsheets are the most prevalent GRC tool used by organisations. Their use, particularly in reporting, leads inevitably to failure.
Consider one organisation that was spending 200 hours building a report for the board on risk events that had happened. All the information was trapped in spreadsheets that they had to aggregate, tabulate, and build the report from. Every year it took 200 hours (it now takes them a minute). The last year they did it this way, they found out they had risk issues that had started eleven months earlier. That is not managing risk; that is reacting to it well after the fact.
Another example is a mid-sized bank. They did an internal study of their risk, compliance, and audit staff and found out that eighty percent of their time was spent managing and chasing spreadsheets and building reports from these and NOT managing risk and compliance. They were swamped trying to reconcile and report on thousands of spreadsheets and, at the end of the day, found the reports filled with errors from manual reconciliation.
Utilisation of spreadsheets for GRC
In my research, organisations use spreadsheets for a variety of purposes. They are used to:
Conduct risk, compliance, and control surveys, questionnaires, and assessments
Inventory policies and manage related tasks
Conduct investigations and remediate issues
Document and assess controls
Model and assess risk and finance
Report on GRC
Manage the financial close process
I am simply scratching the surface; the use of spreadsheets is pervasive in GRC and business processes. In GRC strategies, I am continuously told that the primary reason the organisation is looking to improve GRC-related areas is to get away from the negative impact the use of spreadsheets has on GRC.
One mid-sized bank that GRC 20/20 has interviewed stated that one of their regulators told them that the use of spreadsheets for compliance, risk, and control assessments was inadequate, as they did not provide adequate audit trails: the integrity of what was assessed, who assessed it, and control over any modifications to the assessment. Anyone could come back and paint a different picture, cover up a trail, and get themselves or the organisation out of trouble. The regulator demanded that the organisation have a full audit trail of assessment activity.
Spreadsheets make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate the principles of GRC. They are very useful tools. I use them every day in my business, but for managing GRC information they – left to themselves – are not up to par.
Why spreadsheets fail for GRC
The reasons spreadsheets fail for GRC are as follows:
No audit trail. By themselves, without some additional tools/solutions and significant configuration, spreadsheets do not have inherent audit trails. You cannot go back and state that you know with a specific level of certainty that those answers were gathered from that specific individual on this date and time and represent their actual, unaltered, authenticated answer to that survey, assessment, analysis, policy attestation or audit.
Easy to manipulate. It is a simple task for anybody to go back and manipulate responses to paint a rosier picture to get himself or herself, someone else, or the organisation out of hot water. Someone can easily go back and cover their trail when there is no audit trail or authentication that tracks what changed, who made the change, and when, and keeps a record of every change.
Slipping through the cracks. There is no structure of required workflow and task management. Things quickly become impossible to manage in spreadsheets and emails asking for assessments to be done, audit findings to be responded to, policy attestations to be made... and no one gets it done. It ends up in the trash, the junk folder, or filed away, and is never responded to until someone is screaming.
No consistency. It is hard to make assessments, surveys, attestations, policies and other GRC related information consistent. If a new assessment is needed – we just open up a spreadsheet and create a new assessment from scratch and fail to realise that there is another assessment asking the same people half of the same questions as our new assessment. Further, different spreadsheets are formatted in different ways and each requires its own learning curve.
Compilation nightmares. Have you ever been asked to compile reports involving hundreds or even thousands of spreadsheets? If you are a GRC professional, the odds are you have. My research and interviews with organisations find that it often takes 80+ man-hours to compile GRC (risk/compliance/audit) reports from mountains of spreadsheets. A significant amount of time is needed to integrate and compile the information. I would not be interested for long in a job where 80% of my time is spent cutting, pasting, and manipulating data for reports. My interest is in analysis and managing risk and compliance, not in cut and paste – that is what I did in kindergarten.
Compilation errors. At the end of the day, all this work compiling and integrating hundreds to thousands of spreadsheets ends in inevitable failure. Odds are there is something wrong. That much manual reporting is bound to have serious errors. Not malicious, but inadvertent. It happens all the time.
Those are my primary reasons why documents, spreadsheets and emails by themselves fail in GRC. There are ways to mitigate this: solutions exist that provide and enforce consistency and audit trails within spreadsheets, but these do not address workflow and task management needs.
The best approach to address these limitations is to implement GRC management solutions that provide for audit trails, consistency, and integrated reporting, and that bring efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed).
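As an added illustration of what the "No audit trail" and "Easy to manipulate" points ask for (example code, not from the original article or any GRC product): an append-only, hash-chained, HMAC-authenticated log of who answered which control, with what answer, and when, placed beside a plain spreadsheet-style row that can be edited without leaving any trace. The key, assessor names, control ids and timestamps are constructed for the example, and the key is assumed to be held by the GRC platform rather than by the people answering.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; in a real platform it lives server-side, never with assessors.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(prev_mac: str, entry: dict) -> str:
    """MAC over the entry's content plus the previous entry's MAC (the chain link)."""
    payload = json.dumps(entry, sort_keys=True).encode() + prev_mac.encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def append_response(log: list, assessor: str, control_id: str, answer: str, ts=None) -> dict:
    """Record who answered what and when, chained to the previous entry."""
    prev = log[-1]["mac"] if log else "genesis"
    entry = {"seq": len(log), "assessor": assessor, "control": control_id,
             "answer": answer,
             "recorded_at": ts or datetime.now(timezone.utc).isoformat()}
    entry["mac"] = _mac(prev, entry)
    log.append(entry)
    return entry


def verify_log(log: list) -> list:
    """Return positions of entries whose content, order or presence was altered."""
    bad, prev = [], "genesis"
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "mac"}
        if e["seq"] != i or not hmac.compare_digest(_mac(prev, body), e["mac"]):
            bad.append(i)
        prev = e["mac"]
    return bad


def demo() -> list:
    # Spreadsheet-style row: editing it later leaves no evidence at all.
    sheet_row = {"assessor": "a.smith", "control": "AC-2", "answer": "Not effective"}
    sheet_row["answer"] = "Effective"  # nothing records that this changed

    # Chained log: the same "rosier picture" edit is detected on verification.
    log = []
    append_response(log, "a.smith", "AC-2", "Not effective", "2024-01-10T09:00:00+00:00")
    append_response(log, "b.jones", "AC-3", "Effective", "2024-01-10T09:05:00+00:00")
    log[0]["answer"] = "Effective"
    return verify_log(log)  # position 0 is flagged as altered
```

Deleting an entry is caught the same way, since the surviving entries' sequence numbers and chain links no longer line up.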