Reasons to ditch Spreadsheets for GRC Processes

Blog Articles

Reasons to ditch Spreadsheets for GRC Processes

President Biden’s Cybersecurity EO presents a watershed event for the Governance Risk & Compliance (GRC) industry. Rules and requirements defined in the EO will dictate how federal agencies will procure and use software and handle security incidents. This EO puts the industry using spreadsheets for on the same page. Spreadsheets can no longer help with the enforcement of section 4 and 5 within the EO. While Microsoft Excel is the most widely used Governance, Risk and Compliance (GRC) software, it presents a lot of issues with inherent security flaws. As per SecurEnds GRC’s last poll, spreadsheets were used for managing risk, issues, exceptions, assessments, remediation plans and vulnerabilities.

Using Spreadsheet for GRC Process Means Data Clutter

The biggest anti pattern of spreadsheets is data hygiene. A typical organization with multiple business groups ends up with different versions of excel. Any update to one version does not automatically update other versions. This spells disaster for data hygiene.

Using Spreadsheet for GRC Process Means No Audit Trail

Microsoft Excel does have the ability to track some changes in spreadsheet data, but the Track Changes feature is not a 21 CFR Compliant Audit Trail. Few organizations circumvent this issue by writing macros to log an audit trail of any changes to your Excel worksheet. The problem with macros is they get corrupted.

Using Spreadsheet for GRC Process Means Redundancy

It is hard to make assessments, surveys, attestations, policies and other GRC related information consistent. If a new assessment is needed — we just open up Excel and create a new assessment from scratch and fail to realize that there is another assessment asking the same people half of the same questions as our new assessment. Further, different documents and spreadsheets are formatted in different ways and each requires its own learning curve.

Like all C-suite executives, the Chief Risk Officer (CRO) and Chief Information Security Officer (CISO) has a difficult job. Making that job even more difficult in light of President Biden EO is continued use of excel or word documents in place of using a GRC software.
SecurEnds GRC is helping CRO and CISO of organizations of all sizes reap the benefits of a cloud native Risk & Compliance software to meet EO mandate. CROs and CISO will find value in their processes and reduce the manual effort owing to SecurEnds GRC intuitive workflows, email notifications, data security, configurations, evidence, and versioning, and overall governance