As risk professionals finish up for the year and take a well-earned break over the festive season, they might be forgiven for feeling less than enthused about returning to work in the new year. For those using spreadsheets to manage GRC, it is easy to understand why. Just like Jack Skellington in the Tim Burton movie ‘The Nightmare Before Christmas’, mundane processes and repetition can be inefficient and hinder the spreading of joy. The contexts are slightly different, for sure, but the nightmare waiting for your GRC teams when they return after the festivities is very real. Sometimes, just like Jack, we have to think differently and change tack.
Although every company must start their risk management journey somewhere, and spreadsheets are a logical first step for small organisations, as businesses grow and expand, so too does their need for a more robust GRC solution. If your company is big enough to have a dedicated risk manager, then the chances are you have already outgrown spreadsheets. GRC software is not a case of one size fits all, and the complexity of your risk landscape, the scale of your operations, or even the direction your company is heading over the next 12-18 months might just mean it’s time to pause and evaluate your options (a festive snack or drink is optional).
Imagine a purpose-built, comprehensive SaaS risk management solution that automates your processes and, along the way, creates a more risk-aware culture. Give yourself or your team the gift of saved time and the efficiencies that come with it; it could just be the Christmas gift that lasts all year long, and for many more to come.
In this blog we will explore ‘10 signs’ that you are ready for an automated GRC solution, explore the challenges with using spreadsheets to manage risk, and uncover some of the time and cost savings that can be achieved from taking a more automated approach to GRC.
10 tell-tale signs that you are ready to move from spreadsheets to software
- Your risk register is becoming messy, due to inconsistent data entry and incomplete fields.
- Risk assessment results are not captured centrally – and it is difficult to analyse the findings and implement the appropriate actions.
- Individual teams and departments lack accountability for risk.
- Your risk team spends too much time on manipulating data and creating reports, rather than analysing data and making process improvements.
- You don’t have a holistic view of risk across different departments and sites.
- Risk management is an isolated discipline and is not connected to live operational data.
- You want to map risk to your enterprise performance & strategic objectives – and spreadsheets don’t allow for the complex mapping required.
- You struggle to capture risk treatment actions and root cause analysis and tie them back to risks or incidents.
- Risk monitoring is done manually, leaving room for human error and delays in detecting excessive risk.
- Your risk process is predominantly focused on reducing risk – rather than identifying risks that are worth taking and providing the Board with data to inform strategic decision-making.
But how can organisations improve their risk management process and get it running as smoothly as Santa’s workshop, with every employee playing their part? Let’s look at how a purpose-built risk management solution can resolve some of the problems perpetuated by the use of spreadsheets.
Improved Risk Assessments
Firstly, using a purpose-built ‘risk management solution’ grants you access to best-practice online risk assessment templates. There are many advantages to using these templates, the out-of-the-box forms already contain the recommended fields for a risk assessment – with the option to further customise the forms based on your individual requirements and wording. Choose a highly configurable GRC solution that lets your teams amend forms without costly coding. Most GRC solutions enable you to tailor the forms and customise dropdown menus and selectable options – this ensures all forms are completed consistently and in the desired text format – adding an essential layer of data governance to the process. Users can set up automated workflows to send out risk assessments on a regular basis. They can even schedule them for the entire year upfront and automatic emails can be sent to relevant employees, along with chaser emails if they don’t complete on time. Risk teams can easily view the status of all risk assessments using reports and dashboards.
Digital Risk Register
Hosting your risk register within a GRC software tool brings many advantages for risk teams. Out-of-the-box templates will be available to log a risk, and these can be further customised to include any additional information you need to capture. The standardised fields, menus and drop-downs ensure the accurate and consistent logging of risks. Users can categorise risks into core groups like operational risk, cyber & IT risk, ESG risk, and strategic risk, and allocate ownership for each individual risk or risk area. Key Risk Indicators (KRIs) can be set for each risk; these can even be based on live transactional or operational data fed into the solution via API integrations with your other data sources and systems, giving you a single source of truth. Users can enter key attributes for each logged risk, including priority, likelihood, impact, recommended response, risk owner and status, and management teams can then make informed decisions about whether to accept, transfer, mitigate or avoid the risk.
When using a GRC tool to host your risk register, as the data is held digitally and entered consistently, management can easily view reports and dashboards to understand which business areas are likely to face a risk related incident. These real-time reports can also be used for audit purposes and reporting to the Board. As part of your digital risk register many GRC tools also allow you to log and manage the positive upside of risk as potential opportunities – enabling leaders to make well-informed risk-based decisions.
Automated Control Monitoring
The critical layer of oversight provided by automated control monitoring is simply not possible when using spreadsheets. Automated control monitoring is essentially a set of rules the organisation defines to watch for certain metrics in large data sets. This is particularly useful in risk management: it can detect when your KRIs indicate that you are nearing your risk tolerance, it can be set to detect unusual transactions in large data sets, and it can flag missed deadlines and performance issues. Once the solution detects that a metric has reached a defined limit (based on the pre-defined parameters), automatic notifications are sent to the relevant parties so a decision can be made on whether to proceed or investigate further. It catches things a human reviewer may miss, adding another line of defence. This functionality has been widely used in large financial services institutions for decades to detect unusual transactions and is an essential layer of the risk management process in mid to large organisations.
Automated Key Risk Indicators
All risk teams will have certain metrics or Key Risk Indicators (KRIs) that indicate they are nearing their risk tolerance. This information usually comes from other systems and data sources within the organisation or is collected via a series of surveys, online forms, and questionnaires. When using spreadsheets for risk management, this data needs to be regularly cross-checked against the KRIs to understand whether the organisation is nearing its risk tolerance. This is cumbersome, time consuming, and open to error and interpretation.
Using GRC software enables organisations to automate this process by mapping each KRI to the upstream data that drives it. Information can be pulled from other systems and sources into the GRC tool, enabling organisations to set KRIs against live operational and transactional data. This gives a live view of when the business is nearing its risk tolerance, and notifications can be sent to the relevant stakeholder so they can take action. Organisations can roll out surveys, risk assessments, safety checks, and questionnaires online, which ensures data is captured consistently and centrally and can be easily reported on.
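To make the automated control monitoring and KRI sections above concrete, here is an added example (not code from the original post or from any GRC vendor) of the core rule: each KRI carries an early-warning level and a hard tolerance, the latest observation for its metric is pulled from an operational feed, and a notification is generated for the KRI owner when a level is crossed. The KRI names, thresholds, owners and the feed rows are constructed for illustration and are assumptions, not figures from the page. It also handles the failure mode a practitioner cares about most: a feed that has gone quiet is reported as stale rather than silently treated as "within tolerance".

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KRI:
    """A Key Risk Indicator with an early-warning level and a hard tolerance."""
    name: str
    metric: str             # field name in the upstream operational feed
    owner: str              # who gets notified (hypothetical team names below)
    warning: float          # early warning: approaching tolerance
    tolerance: float        # risk tolerance: crossing it is a breach to escalate
    higher_is_worse: bool = True
    max_age: timedelta = timedelta(days=1)   # feed older than this is stale


@dataclass(frozen=True)
class Alert:
    kri: str
    level: str              # "WARNING", "BREACH" or "STALE"
    value: float | None     # None when the feed is stale
    notify: str


def classify(kri: KRI, value: float) -> str | None:
    """Return "BREACH", "WARNING" or None for one observed value."""
    if kri.higher_is_worse:
        if value >= kri.tolerance:
            return "BREACH"
        if value >= kri.warning:
            return "WARNING"
    else:  # e.g. a compliance percentage, where falling is the problem
        if value <= kri.tolerance:
            return "BREACH"
        if value <= kri.warning:
            return "WARNING"
    return None


def evaluate(kris: list[KRI], feed: list[tuple[str, float, datetime]],
             now: datetime) -> list[Alert]:
    """Evaluate every KRI against the newest observation of its metric.

    feed rows are (metric, value, observed_at); the latest row per metric wins.
    A KRI whose metric is missing or older than max_age raises a STALE alert,
    because "no data" must never look like "no risk".
    """
    latest: dict[str, tuple[float, datetime]] = {}
    for metric, value, observed_at in feed:
        if metric not in latest or observed_at > latest[metric][1]:
            latest[metric] = (value, observed_at)

    alerts: list[Alert] = []
    for kri in kris:
        if kri.metric not in latest or now - latest[kri.metric][1] > kri.max_age:
            alerts.append(Alert(kri.name, "STALE", None, kri.owner))
            continue
        value, _ = latest[kri.metric]
        level = classify(kri, value)
        if level is not None:
            alerts.append(Alert(kri.name, level, value, kri.owner))
    return alerts


# Constructed sample data (assumptions for illustration only).
NOW = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)

KRIS = [
    KRI("Overdue risk treatment actions", "overdue_actions", "risk-team",
        warning=5, tolerance=10),
    KRI("Failed payments per day", "failed_payments", "finance-ops",
        warning=20, tolerance=50),
    KRI("Servers patched within SLA (%)", "patch_sla_pct", "it-security",
        warning=95, tolerance=90, higher_is_worse=False),
    KRI("Open high-severity incidents", "open_high_incidents", "ciso",
        warning=2, tolerance=5),
]

FEED = [
    ("overdue_actions", 7, NOW - timedelta(hours=1)),
    ("overdue_actions", 3, NOW - timedelta(days=2)),     # older row, superseded
    ("failed_payments", 12, NOW - timedelta(hours=3)),   # within tolerance
    ("patch_sla_pct", 88.0, NOW - timedelta(hours=6)),   # below tolerance
    ("open_high_incidents", 1, NOW - timedelta(days=3)), # feed has gone quiet
]

if __name__ == "__main__":
    for alert in evaluate(KRIS, FEED, NOW):
        print(f"[{alert.level}] {alert.kri}: value={alert.value} -> notify {alert.notify}")
```

Running it produces a warning for the overdue actions, a breach for patch compliance, nothing for failed payments, and a stale alert for the incident feed. In a real deployment the `notify` field would drive an email or ticket workflow, and the feed would be populated by the API integrations the section describes; the thresholds themselves are what your risk appetite statement should define.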
Standard Risk Management Frameworks
Most organisations face many of the same risks and regulations. Therefore, choosing a GRC solution that offers out-of-the-box frameworks and templates aligned with risk management guidance, standards and regulations like ISO 31000, NIST, GDPR, COSO and Basel II is a great option for organisations looking to mature their risk management programme.
Simply tell potential GRC software vendors what risk management frameworks you wish to comply with, and they should be able to equip you with the correct framework consisting of the relevant workflows, templates, and forms to enable your organisation to adapt its processes to operate in line with the relevant requirements. This is a much simpler approach than reading the standard and trying to work out what you should do as an organisation to comply with those standards.
Risk Treatments & Mitigating actions
When using spreadsheets for risk management, implementing risk treatments and mitigating actions that tie back to the originating risk can be a challenge. GRC software offers the functionality to document, assign and track detailed risk treatment plans to manage risk on an ongoing basis. The solution can be configured to compare current risk ratings against your defined risk appetite to decide the treatment actions required. Pre-defined workflows enable the relevant employee to log treatment actions and conduct full investigations and root cause analysis.
Governance and Security
Spreadsheets simply lack the governance and security required to run a risk management programme. The risk of spreadsheets being overwritten, formulas silently breaking, and insufficient rules around data entry leaves organisations that use spreadsheets for risk management in a vulnerable position. When it comes to governance, GRC tools can be configured to only accept data in the format needed using pre-configured fields and dropdowns. Rules can be set so that no risk can be logged unless all mandatory fields are completed in the correct format. All activity is logged and time-stamped, so organisations can see which user made any change and when. Multiple users can work in the system at the same time without overwriting each other’s work, and role-based permissions ensure users only see the information relevant to them, keeping sensitive information confidential. GRC software also offers approval workflows: when a user logs a risk, it can be automatically routed to the correct person for approval, speeding up the process.
In terms of security, a well-run GRC platform is far better placed than a shared spreadsheet: the data is backed up in the cloud, access is authenticated and audited, and providers often certify against security standards like Cyber Essentials to protect client data. That said, a SaaS tool is only as secure as the vendor’s controls and your own configuration, so ask the vendor for evidence of their certifications and how they handle authentication (including single sign-on and multi-factor authentication), access control, encryption, backups and audit logging before you trust it with your risk register.
Enhanced Reporting & Live Dashboards
Getting a holistic view of risk across the organisation is critical for risk managers. That is why so many of them spend their time crunching data and running reports. But this is not where risk managers should be spending their time – they should be analysing the data and supporting management to make risk-based decisions.
When using spreadsheets, risk managers are forced to run manual reports, creating a point-in-time view of risk that can quickly go out of date. These reports are time consuming to create and don’t enable teams to drill further into specific areas to perform investigations. GRC software comes with built-in dashboard and reporting functionality. Reports can easily be configured, enabling users to view the data they need at the touch of a button. Most dashboards and reports are drillable, enabling management teams to deep dive into the areas of the organisation where risk is particularly high.
Linking risk management to strategy
Many organisations are willing to accept a certain level of risk in pursuit of their strategic goals and objectives. After all, there is only a certain amount of budget and resource that can be spent on reducing risk, and critical decisions must be made regarding which areas pose the most risk and should receive additional funding and support. That’s why linking risk management to your strategic goals and objectives is essential to further mature a risk management programme. Spreadsheets don’t allow for the extensive mapping needed to integrate these two functions.
More advanced GRC technology solutions (including Camms) enable you to link risk management to your strategic goals and objectives through extensive mapping capabilities. This enables organisations to get a holistic view of strategic risk and put the necessary measures in place to ensure the strategy is not impacted by risk.
Linking risk to other business areas
Strategy isn’t the only area that should be closely linked to risk management. Unlike spreadsheets, many modern GRC tools enable you to link risk to other core areas like compliance, incident management, and audits & inspections. Spreadsheets simply can’t facilitate this kind of cross-referencing. GRC software enables organisations to establish critical links across core GRC processes, so they know which incidents relate to which risks, which audits those risks have come up in, and which compliance requirements mandate the mitigation of certain risks. This helps organisations to focus time and resources in the right places to protect the organisation from its most critical risks.
Why switch to GRC software?
Of course, all these things make the process easier for risk teams and enable them to add more value to their organisation, but there are many other benefits. Firstly, GRC software creates a culture where everyone is responsible for risk: it enables all employees across the organisation to log risks and take ownership of certain risk areas, creating a risk-aware, accountable culture. This maximises buy-in for the risk management process, not only from frontline staff, but at leadership and Board level. Senior teams can use the reports to get a holistic view of risk across the organisation. That risk intelligence helps them make critical decisions about which risks they are willing to accept and which risks they will allocate budget and resources to reduce. Teams that switch to GRC software find they save significant time and resources on admin and reporting, representing an overall cost saving to the organisation in terms of wages, operating costs and reduced fines and penalties, as well as uncovering the right risks to take to add value to the organisation.
So, are you really willing to start the new year managing risk in spreadsheets? Start the conversation about GRC software now and we hope you can soon automate and centralise your risk process and start to create value from risk management, even before you’re faced with the nightmare of spreadsheets waiting for you after Christmas!