There are plenty of reasons why many GRC professionals still use spreadsheets—often along with MS Word Docs and SharePoint—to run their risk management and compliance processes. The problem is that the reasons are, well, usually not very good.
I know all too well the syndrome of putting up with something that I have used for years because it is familiar and does the job, more or less, in a clunky sort of way (and because I have got used to the limitations and know the workarounds!). Sometimes I keep using something that is clearly outdated because of some misplaced sense of economic frugality, or perhaps reluctance to deal with the expected challenges and effort of learning something new. There is also some sense of suspecting that the glittery new version won’t really be much better after all.
I am guilty of this in terms of several technologies, whether they be software or hardware, electronics or cars.
The A-ha! revelation
I also know the revelation that occurs when I do finally get around to upgrading things and discover, time and time again, that technology really has made huge progress for the better. Things that once involved a bunch of separate components now just work in seamless unison. For example, I recently upgraded my car and found that I no longer have to click remotes, use ignition keys or connect devices by wire: the door unlocks as I approach, the seats and mirrors move to my preferences, the stereo starts playing music from my iPhone while it is still in my pocket, and the hybrid electric motors work seamlessly with the gas engine, doubling fuel economy.
I strongly suspect that this lesson applies to the many GRC professionals who have been putting up with homegrown, spreadsheet and document-based systems for managing risks and compliance requirements and analyzing data. Making the move to current GRC software technology—designed specifically for the task and to bring together multiple capabilities within one highly integrated system—can produce that same sense of revelation as when I finally upgraded my laptop and car: “Hey, this stuff really works well!”
The outcomes of using stuff that just works well
I experienced exactly the same reaction when I saw the ACL Spring ‘17 Release and its integration of ACL GRC with the rest of the ACL Platform. My goal is is not to promote ACL products here, so much as to point out that a well-designed, well-built and well-integrated GRC software product is, when compared to using shared spreadsheets and documents, quite a revelation. It just works really well. Products from other GRC vendors may well be equally impressive—though I certainly doubt that any other product deals with integrating analytic engines in as cool a way as ACL manages to do!
Of course, while “stuff that works well” is a good starting point, the real issue is about outcomes and the improvements that result in GRC processes from using best-fit technology.
Oh, the irony of relying on risky technology for risk management…
Many of you will already have read about the shortcomings of spreadsheets. (If not, check out the details in various reports produced by a number of analyst firms). Most GRC professionals are already aware of the risks of using spreadsheets and the very high incidents of errors.
The irony of a risk and compliance management professional relying upon an inherently risky technology is hopefully one of which many are aware! And internal auditors should be particularly sensitive to the lack of audit trail to track changes in spreadsheets.
In addition to the risks of many forms of errors in using and compiling multiple spreadsheets, there is also the inherent inefficiency to consider. It may not be apparent to someone who is regularly updating a few spreadsheets with current data just how much effort is involved in then producing a report that can be used to actually help manage risks in an intelligent way.
The view from the other side
What are the outcomes of giving up on spreadsheets and moving to a specialized data-driven, content-enabled GRC system?
Let’s start with the end result: efficient production of a dashboard that enables executive and other management to obtain up-to-date, fact-based insight into the risks that the organization is currently facing to achievement of its objectives—and likely to face in the future—along with an understanding of what is being done or needs to be done to address the risks. Then add to this a dramatic improvement in underlying GRC processes, resulting in the business seeing risk management as a core part of their job, instead of a painful burden which often seems to have no obvious benefit.
Could you achieve all of this with a homegrown spreadsheet system? Perhaps it is possible, though unlikely. Probably painful. And without doubt, it will be at an overall cost to the organization that far exceeds that of ditching spreadsheets and moving to a system that just works really well. Like my new car.
Written by: John Verver, CPA CA, CISA, CMC, Advisor to ACL