Governance, Risk and Compliance
By Resolver Modified September 9, 2021
As a subject area, Governance, Risk and Compliance (GRC) is broad and all-encompassing. It includes legislative compliance, risk management, policy and procedure management, incident management, control monitoring and audit. The scope can be overwhelming, and it can be a nightmare for those trying to manage it. GRC applications are meant to manage these complex interactions, but too often they make them more complicated.
According to Michael Rasmussen, Microsoft Excel (in concert with SharePoint and Word) is the most widely used GRC software. This approach certainly has many shortcomings, including security, data consistency and integrity, ease of reporting and version management. Most users of the spreadsheet-based approach recognize the need for a true GRC backbone platform. However, Microsoft Excel offers some valuable lessons that GRC applications could learn from.
The concepts behind a spreadsheet are simple yet incredibly powerful. Users can enter almost any kind of information, create functions and relate information. And spreadsheets don’t require a lot of configuration; users can just open a workbook and begin. GRC systems should also be flexible enough to capture any sort of information, provide facilities to calculate or roll up information and allow multiple relationships to be modelled. All this should be presented in an interface that is obvious and familiar to the user, perhaps in an interactive table similar to Excel.
It is very rare to find a business desktop that does not have MS Excel installed or a user who does not know how to use it. This application is so pervasive and well known that it is second nature to users. GRC systems should be the same way. They should be deployed on every user’s workstation in the company. Users should employ them as part of their daily life. GRC should become a ubiquitous part of their work experience and ingrained in the deep roots of daily activities.
The spreadsheet was one of the first “killer apps” for the computer. This visible calculator unleashed the power of the PC, and its incredible flexibility gave rise to an almost infinite number of uses. GRC platforms must also be flexible and adaptable. The GRC environment is rapidly changing and evolving, and backbone applications must have powerful modelling capabilities to match. This modelling ability must be easy for end-users to configure, so they can take ownership of the system and keep it up to date.
Spreadsheets make sense. Generally, users look at them and know exactly what to do. They are accustomed to the table format that allows them to see and interact with large quantities of data at the same time. GRC platforms must also be intuitive to end-users. As roles change in an organization, users will come and go and must be able to quickly learn and use GRC platforms as they relate to their duties. GRC platforms must therefore be easy to learn and present information in a fashion that users are accustomed to.
Excel is a normal part of knowledge workers’ everyday existence. It is an essential tool used in everyday activities. Users don’t think of it as another application they have to learn. It is just part of their life and routine. GRC platforms must also become unnoticeable to end-users. They should not inconvenience users or put them out of their normal routine. This is essential if GRC platforms are to have widespread usage and adoption within an organization.