We seem to be living in a golden age of software. Applications have rendered almost every business function a more-efficient one, more consistent in following best practices, and more capable of producing data-rich reporting for executive decision-making.
If you started a new job, you would most likely be surprised if they were not using a centralised system, imagine joining a finance team with no finance system or a sales team with no CRM!
These systems become the lynchpin of their departments and enable the centralization and sharing of critical information. They enable companies to quickly implement best-practice processes, reduce admin and duplication and streamline processes. Furthermore, these systems are constantly capturing data which provide up to date information to aid decision making and provide critical data to executive teams.
Is it too much to ask that risk & compliance teams are afforded this same luxury? Perhaps a few years back it may have seemed over the top for small department. But with ever increasing regulatory requirements and the variety of risks and compliance requirements touching every business function many organisations are realising that it is no longer a luxury but a necessity!
Why Do Many Organizations Shy Away from GRC Software Investments?
Large global organisations with complex regulatory requirements have been reaping the benefits of Risk & Compliance software for many years. But the recent events have shown that there are significant risks facing business of all shapes and sizes, from third party risk and information security to operational risk and remaining compliant with regulatory obligations, it is a mine field out there.
When it comes to governance, risk and compliance (GRC) departments, however, some leaders shy away from investments in software. They continue to use manually assembled spreadsheets and reports to meet objectives, overlooking the risks inherent in their approach. Objections to implementing GRC software include the small size of their departments versus the high cost of software, complexity of implementation, and “we’ve always done it this way.” The advantages they could gain from quality risk and compliance software can’t be ignored, however, and it’s time for GRC departments to put spreadsheets away for good.
When we consider the benefits of risk and compliance software, objections become less consequential, and obstacles less insurmountable. This post discusses the risks inherent in relying on spreadsheets, challenges common objections to implementing a GRC software solution, and outlines the advantages that good risk and compliance software will provide.
Exploring The Pros & Cons of Spreadsheets
Spreadsheets are among the most important tools available to organisations and businesses. They empower users to perform analyses that would be too time-consuming to prepare manually. Often, departments rely on spreadsheets as they await system implementations or upgrades. But it’s ironic to consider the use of spreadsheets to manage risk, when spreadsheets themselves introduce enormous risks in business. In a GRC department run on spreadsheets, individual risk and compliance professionals will develop their own reports instead of adhering to a departmental standard. They’ll struggle to establish a single source of truth with spreadsheets that aren’t centrally maintained. They’ll have problems discerning the quality and origin of their spreadsheet data. They’ll make the data entry, calculation, and even formatting errors to which spreadsheets are especially vulnerable. (Errors in spreadsheets occur at an estimated rate of 94 percent, and stories abound about the cost of spreadsheet errors to organisations. One error can invalidate multiple formulas, and such errors can go undetected for years.) If the local Excel wizard becomes unavailable, stakeholders can get stuck with reports no one knows how to produce or maintain.
On the other hand, software purpose-built for risk and compliance provides formal data definitions, automated enforcement of standard processes, logging of user actions, and notification features.
Getting Executive Buy-in for a GRC Solution
When enterprise leaders consider new software for any department, they often have efficiency and cost reduction in mind. Following this logic, they’ll prioritise the departments with the largest labour costs first. GRC departments often lose out when department size is a principal consideration in technology investment. Now, however, senior executives are seeing never-ending news about compliance failures. They’re reluctant to risk the cost in fines, reputational damage, and market goodwill that attends noncompliance. They’re recognising that compliance obligations are increasing, and the rate of regulatory change accelerating. as Carlo V. di Florio, former Securities and Exchange Commission’s Director of the Office of Compliance Inspections and Examinations put it: “The scope of risks expands beyond regulatory risk to also include market, credit and operational risk,” and that scope has expanded to “include risk management, finance, internal audit and other key risk and control functions.” Senior executives are aware of the growing significance of GRC as a key function, and they’re prepared to consider new approaches to make small GRC teams more effective.
Still, GRC leaders might be reluctant to entertain the cost of entry that GRC software represents to them. Their perceptions may be coloured by older models of software acquisition that include high initial costs and significant implementation efforts. While hosting their own applications is still an option (and often the best choice), subscription models like “software as a service” (SaaS) will level out initial costs, and allow GRC departments to experience benefits before making any large capital expenditure.
A third objection GRC leaders have: “we’ve always done it this way.” They’re familiar and comfortable with the diverse spreadsheets and manually-assembled reports via which they’ve always achieved department objectives. They may dread the unfamiliarity of new software and the pitfalls of leading teams through difficult changes. But the right software vendor will offer ease of setup. Some vendors design their offerings for “rapid time to value,” delivering solutions that are deployed quickly. These software providers take a collaborative approach to implementation, and deliver training that ensures enthusiastic and confident users from day one.
GRC leaders who guide their departments away from spreadsheets and on to purpose-built software discover a number of immediate benefits. The best GRC software will:
- Help organisations anticipate risk more effectively. It will enable organisations to identify and track new or emerging risks and to respond to them quickly.
- Help GRC departments manage stakeholder expectations. Good software will provide the data — and analytical tools — to create achievable goals, achievable timelines, and realistic resourcing.
- Support decision-making. Better-informed decisions will minimise threats and maximise opportunities to facilitate growth and control costs.
- Enable risk management stakeholders to see what risks are present throughout the organisation, to track status and responses, and to know who’s taking action.
- Generate notifications of actions to ensure accountability.
- Provide secure access at any time and from any location to ensure timeliness and transparency of risk information.
- Guide users toward a consistent approach to routine tasks based on best practices for the GRC discipline.
- Centralize and share information throughout the department and beyond. A central GRC data structure, provides up-to-the-minute, integrated views of risk, and more effective reporting for leaders.
- Provide visibility into risks across all enterprise departments and channels, and create an historical trail of departmental activity.
Once the advantages of GRC software are known and objections are reconsidered, GRC leaders can initiate efforts to identify the right software – and vendor:
- Seek out advice from GRC software experts.
- Look for GRC software vendors whose products are consistently well-reviewed. Look for high marks not only for software features, but also for rapid time-to-value and support of user success.
- Identify the best of the vendors, read up on their product features and performance, and request demos.
The use of spreadsheets for such mission-critical functions as risk and compliance has grown prohibitively hazardous as GRC grows more complex. GRC departments are smaller in headcount than some other key business functions; but they still need purpose-built software to protect their organisations from the damage of unaddressed risk and noncompliance. The risk of managing risk with spreadsheets alone is just too great.
Request a no obligation demo of Camms.Risk today and see for yourself how we can take your risk & compliance processes to the next level of automation.