We know that compliance and risk management have become more complex and more closely scrutinized activities over the last several years. We know that compliance officers are more stressed than ever before and that their jobs are on increasingly uncertain footing. We all know the story by heart: a shifting (and growing) tide of regulatory change and increasingly complex business operations are placing demands on organizations that they are not equipped to handle with existing practices. This is driving spikes in compliance and risk hiring as well as new technology investments, particularly in governance, risk and compliance (GRC) solutions.
GRC offers to help organizations combat all of the above complexity through centralized information management, automated processes and workflow, intelligence and analytics capabilities, and increased monitoring capabilities. The decision to accept that promise (and authorize new spend) requires an understanding of the limitations of the existing processes and tools to be replaced. Focusing on the core aspects of GRC (centralized data management and process automation), that existing tool is often no more than a spreadsheet. Through a series of interviews with compliance and risk officers, Blue Hill has identified the limitations that spreadsheets often impose on compliance and risk management as well as on business operations.
Due to their versatility and ubiquity, spreadsheets tend to become the default solutions for a variety of enterprise functions. Within compliance and risk functions alone, they frequently occupy roles supporting process management, controls management, risk analysis, audit, and reporting. Despite their familiarity and ease of deployment, spreadsheets often tie organizations to manual processes and limit collaboration because they cannot scale with expansions in stakeholders, regulatory complexity, or changing business needs. Within low-complexity and single-stakeholder environments, these solutions may be more than sufficient. However, as the volume of information, number of stakeholders, and complexity of requirements expand, the characteristics that made spreadsheets the default choice begin to constrain compliance and risk activities.
Spreadsheets are designed primarily for individual use and with a great deal of flexibility in mind. As a result, they often require manual data management and entry, which is time-consuming and introduces risks of error and tampering among user chains. As distribution and collaboration generally require stakeholders to receive individual versions of files, they also offer limited functionality as uniform repositories of up-to-date data and historical trends. As organizations encounter increasingly complex and changing regulatory and business environments, these limitations begin to generate costs in the form of (1) the productivity of compliance and risk staff, (2) impediments to business execution, and (3) risk exposures.
Table 1 summarizes the reported costs and how they derived from the organization’s use of spreadsheets.
Participating organizations most often emphasized how costs resulted from the manual operations involved in spreadsheet use, the difficulty of maintaining a centralized, uniform data repository, and the likelihood of (and difficulty of discovering) accidental entry of incorrect data. The former concerns were most often articulated in terms of their impact on overhead or an inability to keep pace with changing regulations and business operations. This was also said to increase risk exposure, which was the primary concern related to erroneous data entry. Participants also reported great difficulty in locating information requested by auditors and regulators. Organizations with multiple compliance and risk units indicated concerns with contradictory or redundant risk and compliance activities.
The most common concern we heard was that spreadsheets constrained the organization’s ability to scale compliance and risk activities. This is often what contributes to expansions in hiring in compliance and risk roles.
If we compare the results reported by participants using GRC, we find greater efficiency and scale in their compliance activities. That doesn’t mean that organizations will not need to expand staff, but participants did report that it permitted individual staff members to be more productive and take on an increasing number of responsibilities. While these organizations relied on qualitative or anecdotal evidence of improvement related to business operations and risk reduction, those that provided estimates reported time saved in the execution of compliance and risk tasks ranging between 25% and 30%.
Other gains reported by organizations using GRC largely related to the costs derived from the use of spreadsheets, with organizations also reporting greater visibility into performance and exposures as well as reduced risk and improved interactions with regulators. Our full report, The Hidden Costs of Spreadsheets in Compliance and Risk Management, provides more detail regarding these gains, how they resulted from the use of GRC, and how organizations that made the implementation developed their own business cases.