At times I can sound like a broken record – repeating myself over, and over, and over, and over again, and again, and again. One of my prominent soapboxes over the past two decades has been the failure of spreadsheets, documents, and emails to assess, audit, manage, and monitor governance, risk management, and compliance (GRC) processes.
Yes, I acknowledge that Microsoft is the largest GRC software vendor on the planet with Word, Excel, Outlook/Exchange, and SharePoint. However, these tools, and their counterparts from Google and others, make for ineffective, inefficient, and unagile GRC processes and have some serious integrity issues that violate principles of GRC. They are very useful tools. I use them every day in my business, but for managing GRC information they – by themselves – do not meet par.
In fact, after two decades of screaming and preaching from my GRC soapbox, I hear that the regulators are cracking down. I am in the process of substantiating this, but I have heard from a few sources that the U.S. financial services regulators are now stating that using documents and spreadsheets for audits and risk/compliance assessments (by themselves without additional tools to enhance them) is not acceptable.
The reasons documents, spreadsheets, and emails fail for GRC are as follows . . .
[THE REST OF THIS ARTICLE CAN BE FOUND ON THE TRUOPS BLOG WHERE GRC 20/20’S MICHAEL RASMUSSEN IS A GUEST AUTHOR]