Spreadsheets and GRC

Philip Howard

Written By:
Published: 15th May, 2008
Content Copyright © 2008 Bloor. All Rights Reserved.

I have for sometime been extolling the importance of discovering your spreadsheets, assessing the risks associated with them, and the need to take control of significant spreadsheets, as a part of any data governance initiative. However, I have not previously written about the role of spreadsheet management within the emerging market for GRC (governance, risk and compliance) software.

The big players in the GRC market are the 800lb gorillas of the software world, companies like SAP, Oracle, CA and IBM. If we take SAP as an example, it has a variety of software offerings that "automate end-to-end GRC processes to address corporate governance and oversight, risk management, and compliance management and reporting". These options work directly with SAP application software and the company sees its ability to offer such capability as a competitive advantage.

However, the downside to this GRC approach is that it is limited to SAP applications and the databases and infrastructure that support the SAP environment. Which is fine, up to a point, if you are a dedicated SAP shop and don't have, say, Oracle applications also running in your environment. Of course, CA and IBM are less proprietary when it comes to application software so a GRC solution from one of these vendors will not force you to have multiple solutions.

Except that none of these vendors (as far as I know) have any support for end user computing (EUC) such as Access databases, spreadsheets and so forth. And given that research indicates that upwards of a third of all corporate data resides in spreadsheets this would seem to leave a large hole. Of course, there are tools from a variety of vendors for managing spreadsheets but they have, hitherto, been separate and distinct from any conventional GRC solutions, which means that to do a complete job of GRC you have been obliged to have multiple systems supporting multiple dashboards to monitor your GRC environment—which is clearly a bad thing.

However, Compassoft has just released version 4.0 of its Compassoft Enterprise product and, apart, from beefing up its spreadsheet management capabilities the big news in this release is that it has opened up its environment, so that you can either import (typically by means of web services though there are other mechanisms available) other GRC information into the Compassoft environment and present data through its dashboard or, conversely, you can export data in the same fashion so that you can present EUC management information within the dashboard of your (say) SAP GRC portal.

While it is likely in the future that the major vendors will buy up spreadsheet management suppliers (or build their own capabilities—less likely) precisely so that they can include this sort of functionality within their GRC suites in the future, such consolidation has not yet started to happen. At present, therefore, this leaves in Compassoft in an enviable position, with a distinct advantage over its rivals in terms of GRC functionality.

Post a comment?

We welcome constructive criticism on all of our published content. Your name will be published against this comment after it has been moderated. We reserve the right to contact you by email if needed.

If you don't want to see the security question, please register and login.