Conversations in Risk-Based Security

Escape Spreadsheet Hell:  Transitioning Your GRC Efforts

Posted by Don Leatham on Sep 16, 2016 8:34:50 PM

In many organizations, the genesis of their GRC efforts can be traced back to a few isolated projects that were quick responses to external factors (e.g., scrambling to pass the first PCI audit, “What’s this HIPAA thing all about?”, etc.). To get these projects going, people turned to their reliable “universal tool”, the spreadsheet. Suddenly spreadsheets became assessment tools, scoring programs, aggregated databases, report generators, etc. For these projects, spreadsheet-based GRC rose to the occasion and saved the day!

Fast forward a few years.  The amount of data being processed is soaring and GRC requirements for the organization have increased.  GRC efforts have grown and expanded through almost every department or group.  The once universal tool is now straining to meet the organization’s GRC needs. 


Despite these challenges, many organizations using spreadsheet-based GRC feel that staying the course is their best bet.  They know spreadsheet-based GRC is not perfect, but they’ve decided change would be too disruptive, too costly, and too risky.  But that is not really the case.  They are trapped in spreadsheet hell.

As manual GRC processes expand within an organization, the complexity increases dramatically and the cost and risk factors can escalate at an exponential rate.  This complexity impacts processes, scalability, agility, coordination, and communication.

One of the big initial benefits of spreadsheet-based GRC is the low cost of deployment.  In reality, spreadsheet-based GRC in medium to large organizations has very high costs, measured in the form of inefficiencies, data silos, data reconciliation, collaboration limitations, business operations interference, and productivity losses.

One of the ironies associated with spreadsheet-based GRC is that, in many cases, instead of risk being managed down, it can actually increase. This increase is driven by risk factors such as increased error rates, inaccurate statements of risk/compliance state, lack of an audit trail, and increased auditor scrutiny.

As organizations attempt to scale spreadsheet-based GRC, they will encounter increasing levels of complexity that will in turn drive exponential increases in cost and risk. It is highly probable that the increased risk will ultimately lead to a GRC failure, resulting in fines, reputational harm, business disruption, etc.

If your organization relies primarily on a spreadsheet-based GRC process, it is time to make a change. Now is the time to address your organization’s GRC needs with a more modern and purposeful approach and toolset.  Best practices for transitioning from spreadsheets to a GRC software tool or platform do exist.  Start with our FREE white paper: Spreadsheet-Based GRC:  The “Universal Tool” Gone Wrong.  It’s time for you to escape spreadsheet hell.


Topics: Risk Management, Security, cybersecurity, GRC