Understand Your “Spreadsheet Cost” Before Deciding on GRC

We know that compliance and risk management have become more complex and more closely scrutinized activities over the last several years. We know that compliance officers are more stressed than ever before and that their jobs are on increasingly uncertain footing. We all know the story by heart: a shifting (and growing) tide of regulatory change and increasingly complex business operations are placing demands on organizations that they are not equipped to handle with existing practices. This is driving spikes in compliance and risk hiring as well as new technology investments, particularly in governance, risk and compliance (GRC) solutions.

GRC offers to help organizations combat all of the above complexity through centralized information management, automated processes and workflow, intelligence and analytics capabilities, and increased monitoring capabilities. The decision to accept that promise (and authorize new spend) requires an understanding of the limitations of the existing processes and tools to be replaced. Focusing on the core aspects of GRC (centralized data management and process automation), that existing tool is often no more than a spreadsheet. Through a series of interviews with compliance and risk officers, Blue Hill has identified the limitations that spreadsheets often insert within compliance and risk management as well as in business operations.

Due to their versatility and ubiquity, spreadsheets tend to become the default solutions for a variety of enterprise functions. Within compliance and risk functions alone, they frequently occupy roles supporting process management, controls management, risk analysis, audit, and reporting. Despite their familiarity and ease of deployment, spreadsheets often tie organizations to manual processes and limit collaboration because they cannot scale with expansions in stakeholders, regulatory complexity, or changing business needs. Within low-complexity and single-stakeholder environments, these solutions may be more than sufficient. However, as the volume of information, number of stakeholders, and complexity of requirements expand, the characteristics that made spreadsheets attractive begin to constrain compliance and risk activities.

Spreadsheets are designed primarily for individual use and with a great deal of flexibility in mind. As a result, they often require manual data management and entry, which is time-consuming and introduces risks of error and tampering among user chains. As distribution and collaboration generally require stakeholders to receive individual versions of files, they also offer limited functionality as uniform repositories of up-to-date data and historical trends. As organizations encounter increasingly complex and changing regulatory and business environments, these limitations begin to generate costs in the form of (1) the productivity of compliance and risk staff, (2) impediments to business execution, and (3) risk exposures.

Table 1 summarizes the reported costs and how they derived from the organization’s use of spreadsheets.

table 1

Participating organizations most often emphasized how costs resulted from the manual operations involved in spreadsheet use, the difficulty of maintaining a centralized, uniform data repository, and the likelihood of (and difficulty of discovering) accidental entry of incorrect data. The former concerns were most often articulated in terms of their impact on overhead or an inability to keep pace with changing regulations and business operations. This was also said to increase risk exposure, which was the primary concern related to erroneous data entry. Participants also reported great difficulty in locating information requested by auditors and regulators. Organizations with multiple compliance and risk units indicated concerns with contradictory or redundant risk and compliance activities.

The most common concern we heard was that spreadsheets constrained the organization’s ability to scale compliance and risk activities. This is often what contributes to expansions in hiring in compliance and risk roles.

If we compare the results reported by participants using GRC, we find greater efficiency and scale in their compliance activities. That doesn’t mean that organizations will not need to expand staff, but participants did report that it permitted individual staff members to be more productive and take on an increasing number of responsibilities. While these organizations relied on qualitative or anecdotal evidence of improvement related to business operations and risk reduction, those that provided estimates reported time saved in the execution of compliance and risk tasks ranging between 25% and 30%.

Other gains reported by organizations using GRC largely related to the costs derived from the use of spreadsheets, with organizations also reporting greater visibility into performance and exposures as well as reduced risk and improved interactions with regulators. Our full report, The Hidden Costs of Spreadsheets in Compliance and Risk Management, provides more detail regarding these gains, how they resulted from the use of GRC, and how organizations that made the implementation developed their own business cases.

 

About David Houlihan, Esq.

David Houlihan researches enterprise risk management, compliance and policy management, and legal technology. He is an experienced advisor in legal and technology fields with a unique understanding of complex information environments and business legal needs.
Posted on by David Houlihan, Esq.
