With the advent of automated GRC tools, data-compliance professionals are shooting themselves in the foot by over-relying on old-fashioned spreadsheets. Joe Stanganelli and Alia Luria discuss a better way to manage GRC data.
Terry Ray, a senior vice president at cybersecurity-software firm Imperva, is fond of saying that even when organizations are able to identify where their data is, they still fall short when it comes to identifying where their data isn’t. That observation now describes the state of compliance-tracking data.
Data-compliance teams still overwhelmingly rely upon rudimentary, locally stored spreadsheets for critical policy and tracking functions. This represents a significant security, privacy and compliance risk. Unlike with cloud-based compliance-tracking software, manually tracking governance, risk and compliance (GRC) with locally stored electronic spreadsheets may mean having several spreadsheet files representing countless typically undocumented or poorly documented versions floating around a large or midsize enterprise. And without compliance-management SaaS tools, this data hygiene problem compounds itself as people are left to share compliance-related spreadsheets via insecure channels like email (or, worse, USB drives).
More problematically for compliance, poor data hygiene may mean a failure in maintaining a single version of the truth – if one can even fairly call it “truth.”
Decentralized GRC Data
All of this goes to the problems of data decentralization. Data becomes “dirtier” as it continues to decentralize. In this decentralization process, therefore, organizations don’t so much maintain truthful data as they curate an indeterminate set of closely related lies.
All of those spreadsheet files are different versions, each with its own degree of currency and accuracy. Changes to one version do not automatically propagate to the others. This spells disaster for the company’s audit trail: an outsider or newcomer accessing one of these spreadsheets may have no way of knowing whether it is accurate, out of date or a discarded draft, or how to reconcile it with the other spreadsheets. They may not even be able to determine basic chain-of-evidence information such as who accessed what, who changed what, and when. (Having basic file metadata for when the spreadsheet was written to the system or last opened won’t necessarily cut it.)
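The failure mode described above is easy to make concrete. The following added example (not code from the article or from any vendor it mentions) reconciles several locally stored copies of a control-tracking sheet: it fingerprints each copy, reports cell-level drift against the version the compliance team treats as canonical, and records each accepted change in an append-only, hash-chained log so that later readers can answer “who changed what, and when” and detect tampering with that history. The three CSV copies, control identifiers, owner names and dates are constructed sample data.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample: three copies of the same GRC tracking sheet. "canonical" is
# the version the compliance team believes is current; the other two drifted
# after being passed around by email and on a USB drive (hypothetical data).
COPIES = {
    "canonical": """control_id,owner,status,last_reviewed
AC-2,alice,implemented,2024-03-01
AC-7,bob,in_progress,2024-02-15
IR-4,carol,implemented,2024-01-20
""",
    "copy_from_email": """control_id,owner,status,last_reviewed
AC-2,alice,implemented,2024-03-01
AC-7,bob,implemented,2024-03-10
IR-4,carol,implemented,2024-01-20
""",
    "copy_on_usb": """control_id,owner,status,last_reviewed
AC-2,alice,implemented,2024-03-01
AC-7,bob,in_progress,2024-02-15
""",
}


def fingerprint(text: str) -> str:
    """Content hash of one copy; byte-identical sheets yield identical fingerprints."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse(text: str) -> dict:
    """Parse CSV text into {control_id: row_dict}."""
    return {row["control_id"]: row for row in csv.DictReader(io.StringIO(text))}


def diff_copies(baseline: str, other: str) -> list:
    """Cell-level differences as (control_id, field, baseline_value, other_value).
    A missing or extra row is reported with field '*'."""
    a, b = parse(baseline), parse(other)
    changes = []
    for cid in sorted(set(a) | set(b)):
        if cid not in b:
            changes.append((cid, "*", "present", "missing"))
        elif cid not in a:
            changes.append((cid, "*", "missing", "present"))
        else:
            for field in a[cid]:
                if a[cid][field] != b[cid][field]:
                    changes.append((cid, field, a[cid][field], b[cid][field]))
    return changes


def reconcile(copies: dict, canonical_name: str = "canonical") -> dict:
    """Per non-canonical copy: its fingerprint and how it diverges from canonical."""
    base = copies[canonical_name]
    return {
        name: {"fingerprint": fingerprint(text), "diff": diff_copies(base, text)}
        for name, text in copies.items()
        if name != canonical_name
    }


class AuditLog:
    """Append-only, hash-chained change log (who changed which cell, when).
    Every entry commits to the hash of the previous one, so editing or deleting
    any past entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def record(self, actor, control_id, field, old, new, when=None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "control_id": control_id, "field": field,
            "old": old, "new": new, "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    report = reconcile(COPIES)
    for name, info in report.items():
        print(name, info["fingerprint"][:12], info["diff"])
    # Accept the emailed copy's edits into the record, attributed to an actor and time.
    log = AuditLog()
    for cid, field, old, new in report["copy_from_email"]["diff"]:
        log.record("bob", cid, field, old, new, when="2024-03-10T09:00:00+00:00")
    print("audit log intact:", log.verify())
```

The reconciliation step answers the "which copy is right?" question only relative to a declared canonical version; the point of the hash-chained log is that once a change is accepted, its attribution cannot be quietly rewritten, which is the chain-of-evidence property that file-system timestamps on a spreadsheet do not give you.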
In recent years, generalist cloud providers have been pressured to up their compliance game for banking regulations. (In this author’s humble opinion, the regulatory burden faced by the financial services industry is far more complex than that of the data regulatory frameworks governing any other sector.) While general-purpose cloud storage and app solutions can help centralize data compliance – assuming the enterprise allows employees to use these free or low-cost general-purpose cloud tools (many don’t) – many tasks remain manual on these platforms. Even some SaaS solutions specific to data compliance wind up being little more than a dedicated spreadsheet in the cloud.
The fundamental problem with spreadsheets, therefore, is their lack of automation.
GRC the Hard Way
To err is human. At scale, everybody forgets or overlooks or neglects something here or there – and in the realm of regulatory compliance, human error is a very real risk factor.
This is half of the reason we have software to track and manage compliance and a bunch of other things for us to begin with. Specialized software for compliance tracking can catch mistakes and oversights, track dates and other information and even identify and call attention to compliance requirements for parts of a business that might otherwise be missed.
The other half of the reason for automated compliance-management software is it can make otherwise daunting compliance tasks easier (and, hopefully, cheaper). To manage and track all of the necessary items and to-dos manually can be all too much for human compliance officers to feasibly handle while maintaining their sanity – especially in smaller firms, which often have a compliance department of one. In addition to actually easing the workload, some automated compliance software tools can automatically “share the wealth” outside of the company’s compliance team by looping in and delegating data collection, mitigation controls and other GRC/IRM-related functions to other departments. This is especially helpful for third-party management and client management.
To wit, compliance automation is about compliance democratization.
GRC Usability and Collaboration
There are a lot of spreadsheet-phobes out there – some of whom are very vocal. Even those who like using spreadsheets and are good at it don’t always like having to review and interpret others’ spreadsheets.
In this way, automated compliance tools – good ones, with a broadly usable and accessible user interface regardless of whether or not the user works in GRC – can be a golden ticket. For every compliance-tracking factor we can think of, good compliance UX (user experience) is critical to good compliance. If senior management, procurement teams, IT departments and others can’t readily keep track of and navigate their way around the company’s spreadsheet(s), that spells compliance risk.
To be clear, the solution isn’t about entirely eliminating spreadsheets from the compliance and auditing process wholesale. It’s about eliminating the need for them as the entire infrastructure of the compliance-management process – and making that infrastructure more manageable, more secure and more accessible with more automation and less manual data management. Today, compliance is a team sport.