For years, large organisations have benefited from integrated risk management, governance and compliance processes and technology, yet many medium sized organisations have not been able to reap the same benefits. Tony Harb from InConsult examines the pitfalls of using spreadsheets and the emergence of ‘GRC’ technology in today’s business environment.
More connected organisations
Technology is all around us and many organisations understand this. Most businesses now use Twitter and Facebook to communicate with their customers, stakeholders and community at large. Some organisations have taken a step further, like Adelaide City Council; they have an ‘Innovation Lab’ to create an environment where anyone in the community can see, share, touch and play with cool technologies.
But how innovative and connected are organisations when it comes to risk management, governance, audit and compliance technology?
Spreadsheets get you to first base
Spreadsheets were first introduced over 30 years ago and today, most organisations use spreadsheets for recording, analysing and monitoring risks. Spreadsheets are a great tool to quickly collect, analyse and present information because they are readily-available, inexpensive and easy-to-use. When starting a risk management journey, they are useful to perform some basic risk management processes and to present results.
But as an organisations risk management and governance processes mature, spreadsheets can inhibit risk analysis and monitoring, fail to support a more integrated risk management framework and become a source of risk themselves as a wide range of problems emerge.
Inherent risks with spreadsheets
- Version Control: Version control issues arise when activities start to extend beyond a single person to many risk owners and internal auditors. One spreadsheet will multiply into various versions stored in emails, shared-drives and even USB sticks. People will be asking – which is the latest version? Does this version include the recent feedback and updates?
- No Audit Trail: Spreadsheets lack audit trail capabilities. People don’t know what changes were made, when and by whom? Data can be materially changed, rows can be added and entire rows easily or accidently deleted.
- Data Inconsistency: Unless you use a lot of pivot tables all over the spreadsheet and closely review every cell in every spreadsheet, it is hard to get consistency as data can be manipulated. Data inconsistency will compromise data integrity and prevent quality reporting to stake holders including the risk and audit committee.
- Cumbersome Change Management: What happens when you want to capture additional information? That’s right, every spreadsheet will have to be changed as well as your reporting templates.
- Lack of Security: There is little or no data security in a spreadsheet. It is virtually impossible to ensure that the data hasn’t been tampered with, viewed by unauthorized individuals within the organisation or forwarded to others outside the organisation.
- Report Compilation Horrors: Spreadsheets are ‘flat files’ and typically contain specific data relating to one area or risk profile. Providing detailed analysis of risk trends over time like related incidents and control breakdowns identified by internal audit, is impossible unless you spend time updating spreadsheets. If you do, you’ll find that trend results are latent and error-prone. The more risk register spreadsheets you have, the more time-consuming and error-prone the risk analysis will be.
The need to synchronise
After a number of global scandals and collapses, large organisations were facing greater regulatory burdens and looking for a better way to strengthen their lines of defence against risk. The conclusion was unanimous. Rather than each area working individually in silos, they recognized the need for and benefits of working together and a new acronym emerged – GRC. GRC is the umbrella term covering an organisation’s approach to the areas of governance, risk management and compliance (GRC). This approach aims to synchronize information and processes between governance, risk management and compliance to enable effective information sharing, create efficiency, improve reporting and avoid wasteful overlaps.
Emergence of GRC technology
With different departments now wanting to work closer together to manage risk and improve governance, a new problem emerged…how to share information? From this pivotal question, GRC technology solutions emerged and today, are one of the fastest growing areas in information technology.
GRC technology is more than web-based risk management technology. In fact, GRC technology is already more than just governance, risk management and compliance. Today, it includes other important governance processes such as audit, incident management, compliance surveys and business continuity.
Implementing GRC technology
Service providers make implementing GRC technology simple. Many are web-based, and easy to use with existing business rules that can be customised. But be cautious. Successful implementation of GRC technology follows good business processes, well trained staff and a culture of good governance and risk management…without these, no GRC technology will be entirely effective.
Return on investment
Like any other system implementation, Organisations need to consider quantitative measures for the business case and cost/benefit analysis. Some considerations include:
- What is the cost of bad governance, risk management, incident management? What is the potential exposure to fines, insurance claims and breaches of the law?
- How important is ownership and visibility of the governance and risk management processes to effective decision making and culture?
- What are the process efficiencies gained by streamlining risk and governance processes? How much can be saved in removing the need for collating, checking, reformatting and producing reports and dashboards manually. Can some internal controls can be eliminated?
- What improvements can be gained in the flow of information across risk management, governance and compliance? How can this information be used to better manage risks and improve processes?
Unlike spreadsheets, GRC technology may look ‘unfamiliar’ to staff. Ensure that there is wide consultation with user representatives. Highlight the benefits of the technology to staff, not just to the organisation and the Risk and Audit Committee.
A step closer to good practice
GRC technology has evolved quickly in the last 10 years. Whilst ‘doing nothing’ may be a legitimate risk management strategy for some risks, ignoring GRC technology will not make it go away. With more organisations embracing innovative technology and looking to improve risk management, perhaps it’s time for the risk and governance functions to take charge of technology to improve their processes, quality and efficiency.
Tony Harb is Director at InConsult. He has over 20 years’ experience in internal audit, governance and risk management. He can be contacted on 02 9241 1344 or via email at firstname.lastname@example.org.