Spreadsheet Risk Management is Key to GRC Success in Organizations
Most large organizations have deployed one or more GRC systems to provide visibility across areas such as Operational Risk, IT Risk and Model Risk Governance; in support of the company’s policies and risk profiles.
GRC solutions are designed to ensure that organizations are able to effectively monitor and control their underlying business processes to ensure that the business is aligned with the organization’s desired risk profile.
Today, spreadsheets are an integral part of any organization’s business processes. These Excel files are critical to some of the GRC controls – either as evidence in support of the controls or as the controls themselves. As such, the spreadsheets need to be monitored and managed for change. Historically, one of the control questions may have been as simple as “do you ensure that any changes to the spreadsheet are reviewed and approved?” The answer may be “yes”, but would not have necessarily been supported by any evidence or audit trail.
Spreadsheets are notoriously difficult to manage for change. Excel does not a have redline function like Word, so in order to provide evidence that the spreadsheets have been reviewed and approved when changed, either the spreadsheet is designed to only allow change within narrow parameters or significant human resources are deployed to check for all changes made. In a complex multi-row, multi-worksheet file, this task is very labor-intensive; since organizations have typically tens, if not hundreds or thousands of such business-critical spreadsheets, this labor overhead should not be underestimated if the reviews are to be carried out effectively.
Automating spreadsheet risk management
Recognizing the role that spreadsheets play in GRC initiatives, regulators have become wise to the simple “yes” answer described above. They are now demanding that organizations demonstrate more detailed evidence of spreadsheet risk management and control. For example, for Sarbanes-Oxley compliance, the Public Company Accounting Oversight Board (PCAOB) is impelling auditors to ensure organizations are suitably monitoring and controlling their critical spreadsheets in order to demonstrate that their spreadsheet management is accurate, transparent and immediate.
The concept is equally applicable to other regulations such as CCAR, DFAST, Solvency II, BCBS 239, IFRS9, GDPR, IFRS9, SR 11-7 and so on, where appropriate controls are being sought by regulators as they recognize that poor spreadsheet management could result in control breaks.
But worry not – there is technology available to help organizations deliver controls in a cost efficient, transparent and timely manner. A spreadsheet risk management solution allows organizations to measure, monitor, and manage every time a change is made to a business-critical spreadsheet. Example of changes may be a simple as a value threshold being exceeded, a change in the code of a macro or an external data feed to the Excel file failing to function. The GRC process manager is alerted to this control break and can kick-off a remediation process to be undertaken by the Excel owner. This remediation procedure is a closed loop and auditable process, which circles back to the GRC Control owner that the Excel owner has reviewed and approved any updates and alternations in detail.
Such a spreadsheet risk management solution supplements traditional GRC systems with evidence and functionality that is accurate, transparent, auditable and cost-effective. If spreadsheet management for GRC is an area that you are exploring, please get in touch with us.