A solid majority of compliance departments in Corporate America still rely on standard Microsoft products to manage their governance, risk, and compliance chores, despite the well-known security weaknesses those products can pose, according to an exclusive Compliance Week study.

The survey of 386 compliance, risk, and audit executives, conducted by Compliance Week and the software firm Paisley, found that 59.2 percent used Microsoft Word, Excel, or some similar program for tasks such as policy documentation, policy sign-off, risk assessments, and the like. Another 12.8 percent reported using no software tool at all, and 10.8 percent said they used some internally developed program. Only 17.2 percent used GRC software purchased from an outside vendor.

When asked what software they use for broad GRC functions (compliance management, risk assessment, GRC management, and so forth) instead of specific tasks, the picture didn’t get much better: 16.7 percent reported using a Microsoft product, and 6 percent used software from some other vendor—but a whopping 77.3 percent did not respond, implying that the companies used no tools at all for those functions.

Mike Rost, vice president of marketing for Paisley, says the findings underscore the early stage of maturity that companies have right now with their compliance functions. He compared the situation to homeowners trying to manage immediate house repairs with a hammer, pliers, and duct tape. “That’s probably not the best way to go about doing it,” he says, “but at times when I’m first trying to fix something, I use what I have.”

The same can be said for GRC functions. Technically, Rost says, all of a company’s financial accounting can be done in Excel spreadsheets—but part of being a compliance professional is to “at least be aware of the other tools that are out there, and assess whether there’s a better tool to do the job.”

Some argue that many tools are out there that aren’t being used. Michael Rasmussen, an independent analyst and head of consulting firm Corporate Integrity, estimates the total possible market for GRC software—such as policy and procedure management, control and audit management, risk management, and continuous control monitoring—at $30 billion. He estimates current sales, however, at only $3 billion to $5 billion. “There’s a lot of room for growth,” he says.

This figure doesn’t even include the potential market size for the many intricate sub-segments of the GRC market, such as environmental safety, quality, and management, Rasmussen adds. Nor does it include related markets such as security, which itself is much larger than $30 billion, he says.

Rasmussen, Rost, and other analysts do predict the market for GRC software will grow as companies’ mastery of compliance matures. “As people get a better handle and understanding on what it is they’re trying to optimize as far as the business process, they will adapt to more purpose-filled tools to help them up that maturity curve,” Rost says.

Rost adds that GRC platforms “aren’t meant to replace entirely all the work that’s done with office productivity tools,” but rather to put more “purpose-built structure” around the process.

Rasmussen agrees. Companies can use Microsoft tools to draft and circulate compliance policies, but when doing so, they need to ensure that “the intricacies of the management of policies are recorded as well,” he says. Simply publishing a compliance policy on Microsoft SharePoint, for example, “really isn’t managing the policy lifecycle; it’s just an element of it.”

And Excel spreadsheets—probably the most common tool out there for compliance chores—are a “recipe for disaster” without proper management, Rasmussen adds. For example, Excel spreadsheets lack a “repudiation” function that can be vital for compliance and risk management.

“You can’t go back and validate that a person answered that question on that date and time,” Rasmussen says. “It’s a huge issue particularly from a legal and compliance standpoint, because somebody might come back and try to cover their trails and modify their answers in the spreadsheet.”
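The tamper-evidence Rasmussen describes can be supplied by an append-only, keyed hash chain over each sign-off answer, so that an answer edited after the fact is detected instead of silently replaced as it would be in a spreadsheet cell. This is an added illustration, not code from the article or from any vendor quoted in it; the key, respondent names, question identifiers and timestamps are all constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real platform it lives server-side, out of reach of the people
# answering the questionnaire, so they cannot recompute the chain after editing an answer.
LOG_KEY = b"constructed-demo-key-not-for-production"


def _entry_mac(prev_mac: str, record: dict) -> str:
    """Keyed digest over this record plus the previous entry's digest (the chain link)."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_answer(log: list, respondent: str, question_id: str, answer: str, when=None) -> dict:
    """Append one sign-off answer; the entry commits to who answered, what, and when."""
    record = {
        "seq": len(log),
        "respondent": respondent,
        "question": question_id,
        "answer": answer,
        "recorded_at": when or datetime.now(timezone.utc).isoformat(),
    }
    prev = log[-1]["mac"] if log else "genesis"
    entry = {**record, "mac": _entry_mac(prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return (ok, first_bad_seq). Editing, reordering or deleting any entry breaks the chain
    from that point on, because every later digest was computed over the original link."""
    prev = "genesis"
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "mac"}
        if record["seq"] != i or not hmac.compare_digest(entry["mac"], _entry_mac(prev, record)):
            return False, i
        prev = entry["mac"]
    return True, None


def demo():
    log = []
    append_answer(log, "jdoe", "SOX-302-Q7", "Yes", "2008-05-01T14:03:00+00:00")   # constructed
    append_answer(log, "asmith", "SOX-302-Q8", "No", "2008-05-01T15:10:00+00:00")  # constructed
    ok_before, _ = verify_log(log)
    # Someone later tries to cover their trail by changing the first answer in place.
    log[0]["answer"] = "No"
    ok_after, bad_seq = verify_log(log)
    return ok_before, ok_after, bad_seq
```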

Rasmussen also says that a centralized platform can net companies a 30 to 40 percent savings in reporting time. He offers the example of one company he knows that collects 38,000 spreadsheets for the purpose of Sarbanes-Oxley compliance alone. “Trying to consolidate all that and report on all that can be a nightmare,” he says.

Sumit Pal, head of IT compliance services for consulting firm WithumSmith+Brown, says that an integrated GRC platform offers companies numerous benefits, including greater efficiency and effectiveness, better risk management, and more secure operations.

“The more sophisticated the analysis needs to be done, the more sophisticated the level of software tools you need, especially when it comes to rolling up financial performance and then being able to certify those results,” says Tom Eid, research director at Gartner Dataquest.

Adds Eid: “Your starting point is going to be different than your ending point, but you need both personal tools, as well as fairly sophisticated enterprise-class tools to support that full process.”

Best Practices

Companies that do rely on desktop applications as their risk and compliance backbone should consider the following questions:

Do you have a policy style guide?

Do all policies have owners?

Can you route policies to those owners for approval and managing policy exceptions?

Can you track all those policy exceptions?

Can you ensure the policy goes through an approval process or re-approval process every year to ensure it’s still appropriate?

Companies should also try to map investigations to policies, so that when a problem arises, they can see which policies have been violated. “That might be an indication of where policies need to be rewritten, where you lack policies, or they’re not clear or you need to provide further training,” says Rasmussen.

GRC is “primarily a people and process issue, not a technology issue,” stressed David Barton, a technology auditor for UHY Advisors. “The best tool in the world is only as good as the data and information that is put into it … The tool is not a silver bullet; the hard work is in getting the people and process issues solved, not the technology solution.”