More companies than ever are focusing on their governance, risk management and compliance management (GRC) efforts. Corporate executives increasingly see the need to manage their company’s risk exposure more effectively – that is, in a much more comprehensive, enterprise-wide fashion so that they explicitly include risk assessments as part of their decision-making process. They recognize that risk exposure must be assessed at the enterprise level because “risk” at divisional and business unit levels may be different in nature and in scope than at the headquarters level. (For example, reputational and financial risk may be substantially magnified as the result of an event at a small subsidiary casting a shadow over the entire organization.) Enterprise risks also exist because of cross-functional risks – events that occur in one part of the company affecting another. (Failure of a contractor to complete building inspections in a timely fashion, for instance, delays a store opening, which means already-ordered time-sensitive inventory will need to be disposed of at a loss.)
When I look at how companies track, communicate and analyze their enterprise risk management efforts I’m struck by the heavy use of desktop spreadsheets in almost every aspect of this work. This is ironic because desktop spreadsheet programs fall short in providing five key ingredients (the “Five A’s”) that are necessary for comprehensive GRC efforts:
not provide these capabilities in sufficient strength, desktop spreadsheets as part of a risk management effort impose a risk by themselves – a risk that can and should be managed better.
Desktop spreadsheet programs such as Microsoft Excel are indispensable for a wide range of business purposes in almost every part of a corporation. Yet, as I have frequently pointed out, they can be the wrong choice when used for any repetitive “enterprise” task such as risk management. Even when you know they exist, they are difficult to audit – and that even assumes you know which spreadsheets you need to audit, since companies rarely know what spreadsheets they are using and how they are using them. Unless the spreadsheets are on a central server (which would make them easier to track), there may be access issues. Errors in spreadsheets are a longstanding issue – errors that are difficult for companies to find, let alone control. Moreover, since risk and compliance management involve repetitive, collaborative tasks, organizations can benefit from using automation – managing workflows, monitoring status and exceptions, creating notifications and checking to confirm tasks have been completed in all respects. Attaching files to e-mails is a poor substitute for this kind of automation, especially if the e-mail archives are lost or deleted.
One reason why companies rely so much on spreadsheets is that they appear to be the path of least resistance. This is, in part, because people have grown accustomed to using desktop spreadsheets as a tool for storing and sharing data. But it also reflects the lack of any comprehensive approach to using information technology to manage GRC efforts. Every time a GRC requirement needs to be addressed it produces a one-off solution. To be sure, there is no end-to-end “governance, risk and compliance” application available – nor do I expect to see one anytime soon. Nonetheless, there are three basic areas where companies can use either existing licensed applications or implement new capabilities that provide the necessary foundational elements for GRC management. These are capabilities that are likely to make the solutions more bullet-proof, increase control and visibility into governance and risk-management efforts and, in the long run, reduce the costs of managing risk and compliance programs in your company.
One area covers basic IT infrastructure requirements. Examples include access management, identity management, transaction monitoring and controls monitoring. Increasingly, companies rely on their IT systems to manage and control many – even most – facets of running a business. Therefore, it’s important to be sure that your company can control the ability of individuals to access these systems, that the people are who they claim to be and that any suspicious activity (such as events that are happening too frequently, happening at the wrong time or not happening when they should) is spotted immediately. Each of these capabilities reduces the need for internal and external audit activities because they act as high-level controls that reduce or eliminate the need to audit, or they make it possible to automate data gathering and analysis for the purpose of performing an audit. In deciding whether to invest in these areas, companies should take into account that while a specific project may require such an investment, the same capabilities may be reused over and over again. By analogy, while it may be hard to justify buying a set of socket wrenches to be used on a single, simple home repair job, most people will buy one because they expect they will need to reuse the tool many times over the years. Not only will having the right tool make doing today’s job easier and probably produce better results, having the tool readily available will make it easier to tackle the next project.
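The three kinds of suspicious activity named above (too frequent, at the wrong time, not happening when it should) are exactly what an automated controls-monitoring check looks for. The following is an added illustration, not code from the original post or from any product it mentions; the log format, event names, thresholds and business hours are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit-log lines (not from any real system): timestamp, user, event name.
SAMPLE_LOG = """
2024-03-04T09:05:00 alice vendor_master_change
2024-03-04T09:06:00 alice vendor_master_change
2024-03-04T09:07:00 alice vendor_master_change
2024-03-04T09:08:00 alice vendor_master_change
2024-03-04T02:30:00 bob payment_release
2024-03-04T17:00:00 system daily_reconciliation
2024-03-05T17:00:00 system daily_reconciliation
""".strip()

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, name = line.split()
        events.append((datetime.fromisoformat(ts), user, name))
    return events

def too_frequent(events, name, max_count, window):
    """Users who raise `name` more than max_count times inside a sliding time window."""
    hits, per_user = set(), defaultdict(list)
    for ts, user, _ in sorted(e for e in events if e[2] == name):
        times = per_user[user]
        times.append(ts)
        while ts - times[0] > window:          # drop timestamps that fell out of the window
            times.pop(0)
        if len(times) > max_count:
            hits.add(user)
    return hits

def wrong_time(events, name, start_hour, end_hour):
    """`name` events that happen outside business hours [start_hour, end_hour)."""
    return [(ts, u) for ts, u, n in events if n == name and not (start_hour <= ts.hour < end_hour)]

def missing_expected(events, name, days):
    """Days on which the scheduled event `name` never happened."""
    seen = {ts.date() for ts, _, n in events if n == name}
    return [d for d in days if d not in seen]

def run_controls(text):
    """Apply the three monitoring checks to a log and return the exceptions found."""
    events = parse_log(text)
    days = [datetime(2024, 3, 4).date() + timedelta(days=i) for i in range(3)]  # assumed review period
    return {
        "too_frequent": too_frequent(events, "vendor_master_change", 3, timedelta(minutes=10)),
        "wrong_time": wrong_time(events, "payment_release", 8, 18),
        "missing": missing_expected(events, "daily_reconciliation", days),
    }
```

Each exception the checks return is the kind of item that would feed a workflow notification rather than a manual spreadsheet review.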
A second type of core capability includes generic tools for document management, business intelligence, analytics and reporting. It’s very likely that your company is already using the last three for a wide range of business purposes, including performance management. It’s not especially difficult to extend these efforts to risk and compliance management as a way of ensuring that data collection, analysis and reporting are accessible, controlled and performed efficiently. Document management has been around for decades, and documentation is central to governance and control efforts. Formalizing electronic documentation – rather than relying on paper-based systems or circulating word processing files through e-mail – can decrease risk, give executives and managers far greater visibility into the status of compliance efforts and provide a secure way of bringing together text and numerical data in a way that reduces errors and facilitates auditability.
The third area of capabilities is process management/workflow capabilities that are incorporated in most transaction management systems such as ERP, customer relationship management (CRM) and supply chain management (SCM). Our research shows that organizations often do not take advantage of their ability to manage process flows from end to end (such as order-to-cash or authorize/purchase-to-pay). Not only do workflows simplify cross-functional handoffs, they also allow a company to monitor and control these handoffs more completely.
Let me know your thoughts or come and collaborate with me on Facebook, LinkedIn and Twitter.
Robert Kugel CFA - SVP of Research