Excel has a variety of organizational features, and we often see customers and prospects managing their risks, issues, exceptions, assessments, remediation plans, vulnerabilities, workflows, etc. over highly configured spreadsheets or documents. Because everyone is familiar with spreadsheets, this model eliminates the need for user training—but it can also lead to unnecessary problems.
When it comes to managing governance, risk, and compliance (GRC), spreadsheets can cause a lot of manual errors and frustration. Challenges like managing dropdowns, multiple user responses, versioning, tracking, and overall GRC process management become increasingly cumbersome. Your solution for some of these issues might be a cloud-based tool, such as Google Sheets. When you implement this model, you run the risk of users overwriting data, leadership forgetting to change permissions when users leave your organization, or a security breach due to the lack of security on such a public platform.
Some of the common examples of spreadsheets being used to manage GRC processes are:
- Risk Registers: Managing all the identified risks in one sheet with multiple tabs and numerous columns for evaluation, treatment, owners, and tracking.
- Risk Assessments: Multiple rows and sheets of questions that include response cells with pre-defined dropdowns. There are additional sheets of reporting and dashboards with assessment scores and classifications.
- Compliance Assessments: Multiple sheets with design or effectiveness questions, or surveys for controls that are further tied to standards and regulations such as PCI DSS, HIPAA, ISO, etc.
- Issue & Exception Register: Multiple sheets with issue/exception details, plans, tasks, owners, and a single cell with all the updates and their respective dates.
- Vendor Risk Assessments: These sheets are shared with vendor representatives to gather their responses to different questionnaires like SIG Lite, Security Assessments, Cloud Security, etc.
In addition to these common examples, we have seen extensive processes like business continuity being managed over complex spreadsheets. There are also occasions where teams within an organization use different sheets to manage similar processes. With so many spreadsheets, key data often exists in multiple places, and a change in one component is not reflected in all the aggregated data unless the relevant spreadsheet is uploaded into some form of mega spreadsheet.
During proofs of concept and personalized demos, potential customers often seem pleasantly surprised to see their own data being processed through the GRC platform, with additional features like workflows, email notifications, data security, easy updates, configurations, evidence, versioning, and overall governance adding value to their processes and reducing the manual effort required. Eliminating these inefficient spreadsheets frees up time and resources for people who were previously relegated to manual GRC tasks.
GRC is more complex than a simple Excel file. If you’re using silo-inducing spreadsheets that “speak the language” of only one department or one type of data set, effective management of GRC processes is very unlikely. Don’t let spreadsheets stand in your way. GRC platforms and their technology can simplify and automate your GRC programs, allowing you to implement, tailor, extend, and scale your GRC capabilities.
For more information on moving your risk processes from a spreadsheet to a fully automated solution, schedule a demo with me at https://truops.com/free-demo/