I was on a call the other week with the Enterprise Risk Manager of a relatively sizable multi-national corporation (over 20,000 employees across a few hundred locations on nearly every continent), and she said something that got me thinking.
She said, “For us, right now – Excel is good enough.” I responded by saying that “I understood,” we discussed a few other topics on the call and hung up.
It wasn’t until afterwards that I realized how much her view about Excel took me aback. As an enterprise software sales professional, I believe in companies moving to automation. But the reason the statement took me aback was because I realized that this might be a common mindset across many people and firms. How many other people think, “Excel is good enough”?
A Senior Manager on my team, Mark Winey, was also on the call. After the meeting we spoke, and he reminded me that one of my first roles was in Operational Risk Reporting and Monitoring (R&M), so I should be able to understand their perspective. I began to reflect on this.
Earlier in my career, my team had built out the firm’s first op risk and control R&M function completely manually in excel. Part of my role was to spend the first few hours of the day updating spreadsheets with additional information for the metrics I was tasked with tracking. We had defined thresholds of red, amber, and green based on a formula we created using standard deviations, and when those thresholds were breached, we needed to escalate.
Once I was done compiling the additional information, the next few hours were spent chasing on threshold breaches and gathering commentary around root cause and resolution. When that was finally complete, I would spend the vast majority of the rest of my day consolidating the prior month’s end reporting. This then went on for about 3 weeks until the “Month End Report” was done. At this point, we would reach out to executives in order to have meetings scheduled on their calendars; this took another 3 to 4 weeks before we could meet and present the report.
This brief narrative reveals two important insights:
First, and perhaps the more obvious insight, is that by the time we finally met with executives, the data was at least 45 days stale! This was in 2009 and we all understood the importance of accurate, real-time data; however, every month, as things stood, we were always looking in the rear view, and pretty far behind, at that.
Second, and this is the implied insight, I spent the smallest portion of my time thinking critically about the data. As an analyst, by definition “a person who analyzes or who is skilled in analysis (thank you Google, http://www.dictionary.com/browse/analyst?s=t),” I spent very little time actually analyzing. This was counter-intuitive to me – I was getting paid to dig-in and think critically, but most of the time was spent on redundant manual efforts.
I’d like to estimate some numbers to illustrate how concerning this should be as risk practitioners. Let’s start with the assumptions that on average there are:
- 8 working hours in a day
- 5 days in a week
- 4 weeks in a month
After factoring out lunch, holidays, vacations, etc., these assumptions should be fairly accurate. I didn’t document the precise time I spent on every activity, but let’s say that for the first 3 weeks of the month my day consisted of:
- 2 hours of updating spreadsheets
- 2 hours of reaching out on breaches
- 2 hours of month end reporting
- 2 hours on administrative tasks (meetings, emails, phone calls, etc.)
My day looked exactly the same for the last week of the month, except for this key difference: I now had 2 free hours a day since the “Month End Report” was complete!
In an interview a client of ours said, “We see the GRC Program really enabling the commoditization of the existing compliance activities and governance activities, so that managers have time to think about what’s the next risk, and really use intellectual capacity to manage risk going forward.” Given the manual approach described above, as an analyst I would have spent 6.25% of my time thinking about “the next risk” and “managing risk going forward.” After reading this, does 10 hours a month seem like an adequate effort for risk analysis? Do you still think Excel is good enough?