Beyond Spreadsheets: How GRC Solutions Transform Reporting

Consider this example: one organization was spending 200 hours building a report for the board on risk events that have happened. All the information was trapped in spreadsheets that they had to aggregate, tabulate, and build this report from. Every year, another 200 hours—it now takes them a minute. The last year they did it this way, they found out they had risk issues that started eleven months back. That is not managing risk: that is reacting to it well after the fact.

Another example is a mid-sized bank. They did an internal study of their risk, compliance, and audit staff and found out that eighty percent of their time was spent managing and chasing spreadsheets and building reports from these and NOT managing risk and compliance. They were swamped trying to reconcile and report on thousands of spreadsheets and, at the end of the day, found the reports filled with errors from manual reconciliation.

In my research, organizations utilize spreadsheets for a variety of purposes. They are used to:

• Conduct risk, compliance, and control surveys, questionnaires, and assessments
• Inventory policies and manage related tasks
• Conduct investigations and remediate issues
• Document and assess controls
• Model and assess risk and finance
• Report on GRC
• Manage the financial close process

I am simply scratching the surface; the use of spreadsheets is pervasive in GRC and business processes. In GRC strategies, I am continuously told that the primary reason the organization is looking to improve GRC-related areas is to get away from the negative impact the use of spreadsheets has on GRC.

One mid-sized bank that GRC 20/20 has interviewed stated that one of their regulators told them that the use of spreadsheets for compliance, risk, and control assessments was inadequate as they did not provide the right audit trails and integrity of what was assessed, who assessed it, and failed to control any modifications to the assessment. Anyone could come back and paint a different picture, cover up a trail, and get themselves or the organization out of trouble. The regulator demanded that the organization have a full audit trail of assessment activity.

Spreadsheets make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate the principles of GRC. Elsewhere, they are very useful tools—I use them every day in my business—but for managing GRC information, they, left to themselves, do not meet par.

The reasons spreadsheets fail for GRC are:

• No audit trail. By themselves, without some additional tools/solutions and significant configuration, spreadsheets do not have inherent audit trails. You cannot go back and state that you know with a specific level of certainty that those answers were gathered from that specific individual on this date and time and represent their actual, unaltered, and authenticated answer to that survey, assessment, analysis, policy attestation, or audit.
• Easy to manipulate. It is a simple task for anybody to go back and manipulate responses to paint a 'rosier' picture to get themself, someone else, or the organization out of hot water. Someone can easily go back and cover their trail when there is no audit trail and authentication present that tracks changes, what those changes were, who made them, and/or keeps a record of all changes.
• Slipping through the cracks. There is no structure of required workflow and task management. Things quickly become impossible to manage in spreadsheets and emails asking for assessments to be done, audit findings to be responded to, policy attestations to be made, etc., and no one gets it done. It ends up filed away, in the trash, junk folder, or never responded to until someone is screaming for it.
• No consistency. It is hard to make assessments, surveys, attestations, policies, and other GRC-related information consistent. If a new assessment is needed, we just open up a spreadsheet and create a new assessment from scratch and fail to realize that there is another assessment asking the same people half of the same questions as our new assessment. Furthermore, different spreadsheets are formatted in different ways, and each requires its own learning curve.
• Compilation nightmares. Have you ever been asked to compile reports involving hundreds or even thousands of spreadsheets? If you are a GRC professional, odds are you have. My research and interviews with organizations find that it often takes 80+ man-hours to compile GRC (risk, compliance, audit) reports from mountains of spreadsheets. There is a significant amount of time needed to integrate and compile information. Myself, I would not be interested in a job for very long where 80% of my time is: cut, paste, and manipulate data for reports. My interest is in analysis and managing risk and compliance, not in cut and paste—that is what I did in kindergarten.
• Compilation errors. At the end of the day, all this work compiling and integrating hundreds to thousands of spreadsheets is inevitable failure. Odds are there is something wrong. That much manual reporting is bound to have serious errors: not malicious, but inadvertent. With that much chance of human error, it happens all the time.

Those are my primary reasons why documents, spreadsheets, and emails by themselves fail in GRC. At the end of the day, it is just too much to be handled manually and leaves too much room for errors to be made and/or go without being noticed. With new ESG regulations and policies and more on the way, the growing threat of cyberattacks, and the emergence of AI technology, having a structure and processes that are efficient, effective, and agile is as vital as ever.

Awareness of and concern for issues related to environmental, social, and governance (ESG) have never been higher for organizations. In addition to social pressures, companies and other entities are now going to be regulated on ESG. The European Union (EU) has led the way in this regard, rolling out several regulations in recent years that pertain particularly to reporting on ESG-related information. The rest of the world is following suit, at varying speeds in different regions, and as a result, organizations should begin preparing their reporting processes accordingly now.

Cybercrime has been on the rise recently, and, more importantly, the scale of impact has increased. A single cybersecurity breach can result in millions of dollars in costs and thousands of individuals affected. Organizations who fall victim to these breaches will inevitably have to report on how and when the breach occurred, how it was responded to, what information was compromised, and who was impacted.

Perhaps the hottest topic of discussion both in culture and the business world last year was the development of artificial intelligence (AI) technology, and specifically the emergence of generative-AI (genAI) technology. In response, organizations have been scrambling to employ this new innovative technology, either by developing their own or adopting someone else's genAI platform. The major cause of concern here is how this new technology is going to be regulated, something nobody has a clear answer to yet. While regulations are forthcoming, organizations should be preparing to report on their usage of AI technology as legislators explore and get a feel for its implementation and impacts, as well as preparing to comply with regulations as they roll out.

In spite of the shortcomings and disadvantages that spreadsheets bring when on their own, there are ways to fix this: solutions that provide and enforce consistency and audit trails within spreadsheets, but these do not account for workflow and task management needs. The best approach to address these limitations is to implement GRC management solutions that provide for audit trails, consistency, and integrated reporting. Solutions that bring efficiency (both human and financial capital efficiency), effectiveness (accurate and auditable reporting), and agility (timely and relevant information when it is needed).

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.