At times, those within GRC sound like a pet parrot, trained to repeat the same frustrating mantra over and over again about how cumbersome and error-prone manual processes are in governance, risk, and compliance management and reporting. But on the other side of that same coin, the inefficiencies, ineffectiveness, and complete lack of agility within these old processes cannot be overstated, and as long as organizations manage their GRC processes as if they’re stuck in a 1990s throwback, the mantra is worth repeating.
Manual processes - such as spreadsheets, documents, and emails - are woefully ill-equipped to manage GRC information and requirements. One mid-sized bank recently did an internal study and found that 80% of the time of their GRC-related staff (e.g., risk management, audit, internal control, and compliance) was spent managing and reconciling documents. Another firm found that they were spending 200 employee hours building one report for the board, merely because of the number of documents they had to sort through and organize to compile the report. Another regional bank said they could not pass their next regulatory exam if they continued to manage compliance and risk in documents and emails, as there was no defensible record of activities performed. Anybody can make compliance look great overnight by manipulating documents.
Managing GRC information through tedious, error-prone, and labor-intensive processes leads to inevitable failure. Some of the issues one might come across while managing GRC in spreadsheets, documents, and emails are as follows:
- There is no audit trail or history of changes made within the old processes. Anyone can easily go back and cover their tracks to paint an entirely different picture than the one that exists in reality.
- The lack of structure within spreadsheets, documents, and emails deals a heavy blow to GRC management. Things often slip through the cracks without a clear structure regulating task management, and a lack of complete, organizational contextual awareness can often lead to inconsistencies within assessments.
- All of the work required to compile and integrate hundreds to thousands of spreadsheets leads to inevitable failure. Odds are there is something wrong. That much manual reporting is bound to have serious errors - not malicious necessarily, but inadvertent at least.
This is why documents, spreadsheets, and emails fail in GRC, unless complemented with the right technology. Organizations of all sizes benefit from implementing an integrated approach to governance, risk, and compliance that allows different processes and departments to have their own view of risk and compliance that can roll into enterprise risk management and reporting to support business objectives. This is accomplished through a common and shared GRC strategy, process, and technology architecture to support overall business operations and risk management processes. Understanding the full picture of GRC strategies and processes, as well as selecting the right solution and technology architecture, is key to meeting the risk management needs of all organizations.