Oct 20, 2016
Six Reasons to Avoid Spreadsheets in GRC
To say Excel is a poor choice for managing your assets, risks or an entire GRC program is an understatement. And it's not just Excel: any form of spreadsheet is the wrong tool, and most of the time it will cause you more trouble than it's worth.
Don't get me wrong; I use Excel on a daily basis, and even though we have our differences, since I understood how dynamic tables work, our relationship has been nothing but mutual respect and some level of admiration. The fact is Excel can be a great tool for simpler tasks, and even more complex ones, assuming you know how to handle it.
Spreadsheets are a great tool for general data work, such as calculations, storage, sorting and sharing of data. Most people know at least the basics, and a spreadsheet is very easy to share if it is a small one-time endeavor. The problem arises when you need to perform more complex tasks or handle a larger amount of information. Saving several versions of the same file ends up making version control a nightmare. Complex formulas don't always come with an instruction manual, so getting stuck because you can't understand how your coworker built that calculation gets frustrating.
Here are six reasons why you should ditch spreadsheets for a proper GRC solution!
1. Too Many Spreadsheets
Without a formal structure and systematic approach, you are more than likely required to deal with several spreadsheets, probably created by different people. Every spreadsheet is different, and the amount of time wasted making sense of it is senseless (no pun intended).
Sure, you can lay out some ground rules, document some guidelines, distribute them amongst your team and hope they will follow. (They likely won't!) Without any form of boundary, the freedom Excel gives makes standardization complicated. Multiple people with different thinking processes and an abundance of great ideas will result in a varied collection of files, leading to time-wasting and - on not-so-rare occasions - information loss.
One way to deal with this kind of issue is to keep spreadsheets as simple as possible, but this is restrictive. Being simple is great; being simple and restricted is a bad tradeoff.
2. Collaboration: Just a Distant Dream
Working with individual spreadsheets is a nightmare for collaboration. Aside from having very limited control over who is doing what, doing work in parallel is often not an option.
If working offline or using a spreadsheet file on a network drive, only one person is allowed to write, while the rest of the team is limited to read-only access, having to synchronize any change later and hoping no information will be overwritten and lost.
Sure, some solutions like Office 365, Confluence or Google Sheets allow multiple users to work simultaneously, but you are restricted to working while online, and several functions (at least in Excel's case) are not available.
3. Integration Capabilities? Nope.
Excel files are like islands with very limited access in and out. There is no simple way of integrating your spreadsheets with anything else, outside of doing it manually or using custom scripting and import rules, where you hope the job runs, all the while praying no one changes the file name or file structure. Unfortunately, there is no way to solve this issue using spreadsheets alone. It is a design limitation that - again - will cost you effectiveness.
4. A Spreadsheet is NOT a Database
Excel and other spreadsheet solutions can handle a large amount of data, but as you increase the amount of information, performance can drop significantly, even for the most basic edits.
And it's not just performance that you have to worry about: simple tasks like creating new fields, lines or columns, organizing the information and creating useful queries become a major time sink.
Again, this is a design limitation, as Excel and other spreadsheet software were not designed to replace databases.
5. Data Leak and Data Loss
Having to deal with multiple files over network shares, individual hard drives or mobile storage means that creating a reliable backup is a test of faith.
Since information is not centralized and is accessed by multiple users, it is likely that someone will make a mistake and delete or unintentionally disclose some pretty confidential information. The lack of audit information will make things easier for that not-all-too-loyal employee who is leaving the company and intends to take sensitive information.
Those are just a few examples of the risks you incur when information is not centralized and controls are lacking.
6. Little to No Security
Excel has extremely limited security features. Adding a password to your files seems like an excellent idea, but remember: it is all or nothing. If you want your users to have different access levels, you will have to split information across several different files. Oh, and don't forget that password, or else you are going to have a bad week.
With the lack of proper auditability, in most cases you will be limited to information about who opened the file and what time it was last modified. And that is it: no more audit info. Errors are hard to track, incorrect or even fraudulent changes can go unnoticed for quite some time, and it is not feasible to trace back who made them.
The only practical solution is migrating your data from spreadsheets to an enterprise-level GRC platform. The required investment for a dedicated solution may initially be perceived merely as an additional cost, since most organizations already own spreadsheet software, but in the long run the added value to the business in effectiveness, security and reliability is evident.
Amazing GRC platforms don't have to be expensive either; there are a lot of great tools out there that provide a centralized source of record, a single source of truth, enterprise security, automated backups, a complete audit trail and a consistent, standardized way of handling your information.
Excel and other spreadsheet software are excellent for handling certain data, calculations and organizing information, but constructing critical business processes based on such limited tools is a sure way of wasting your business' resources.