Rethinking the RCM
Making It More Than Just a Spreadsheet
By Jason Rohlf
This month will mark my 7th anniversary working with the Onspring team and frankly speaking, it’s been the best phase of my career. There have been many fun, rewarding and interesting moments in that time (and my current level of excitement is very high for our upcoming 15.0 release—more on that soon!). Our first version of the Onspring Platform was launched in October of 2013, which is essentially when I started working in the tool. In the five-plus years since its release, I have spent a great deal of time analyzing, designing, building and deploying solutions that aim to make our clients’ lives better. A big part of my role is giving guided demonstrations of the Onspring platform and solutions so that the folks we are seeking to assist can get a sense of how their critical processes and data will fit into the system and how their responsibilities will be impacted by Onspring.
One thing I’ve learned about myself over the course of my life, and particularly during the past few years, is that I tend to look for patterns in seemingly random sets of information. During my time at Onspring, I’ve picked up on themes related to which aspects of our technology people are most interested in discussing (reporting, access control and messaging are the most common), the aspects of each process that seem to matter most (for vendor management, it’s third-party assessments, while risk professionals want to discuss risk evaluation criteria), and even the types of people I tend to encounter on demos (engaged, curious and skeptical are all common).
When it comes to dealing with assurance professionals, one of the most common topics of discussion is the Process-Risk-Control Matrix (usually referred to as an RCM). The primary reason for developing an RCM is as simple as it is critical: The assurance professional responsible for evaluating the process must understand the risks, opportunities, threats and exposures that could prevent the process from meeting its stated objective, and in doing so must identify and evaluate the processes and procedures that have been designed to respond to those risks.
Diving a bit deeper into the conversations I’ve had with various prospects and clients, I’ve noticed the following RCM themes:
- Excel-based, typically with a good deal of custom formatting, most commonly involving merged cells
- Metadata about the project or activity to which the RCM relates, including who may have prepared and/or reviewed it
- Layout presents processes first, then underlying risks for that process, and finally individual controls mapped to each risk
- Each main data element has one or multiple additional data attributes that are presented in the file
- Some level of evaluation or audit-specific information (e.g., Is the control in scope? Were any findings identified?)
Much like fire and early man, the Excel-based RCM-to-Assurance Professional relationship has seemingly been in existence since the dawn of time (or at least the dawn of Excel). Further, it is quite easy to understand why this approach has been in place as long as it has: Excel is accessible by virtually every employee, it’s relatively easy to use, it provides a simple method for structuring and capturing data, and it presents a useful visual of the critical process-risk-control relationships that exist within an organization. Below is a typical example that I’ve run across in the past:
Not a Good Idea
While this Excel-based approach does serve a basic need, it simply does not provide a best-in-class method for doing so, especially when you consider the importance of the task at hand, as well as the availability of technology that can enhance the assurance function’s ability to achieve the task. To offer a simple analogy: if I’m building a house and need to cut several 2×4s, I could certainly use a hand saw—it’s a cost-effective option and it will (eventually) get the job done (albeit somewhat shoddily). But if I invested a bit more up front, I could get an electric circular saw, which would help me do the job much faster and better.
To go a bit beyond this oversimplified comparison, here are a few additional reasons why relying on Excel as your primary RCM tool is not the best idea:
- The most concerning aspect of the Excel-based RCM approach is the “one and done” nature of the analysis. In producing a standalone Excel file as support for your most critical analytical procedures, you may be performing adequate due diligence in the context of a single project at a specific point in time, but the results of your hard work rarely, if ever, last beyond the conclusion of that engagement. This makes it very difficult for your group to identify key trends, monitor the impact of changes and identify pervasive issues, which is precisely what your organization relies on an assurance function to do.
- When issues or gaps in the process are identified, it is common for the evaluator to populate and manage them in a separate Excel file or other database, which detracts from your ability to properly manage the extent and status of issues in the context of the process elements from which they were identified.
- Storing this critical information in a single Excel file makes it more difficult for multiple individuals to access and interact with the data. Given that most assurance functions rely on a good deal of collaboration and review, this can create an accessibility and quality issue.
- From a user-friendliness standpoint, while building the initial RCM may be simple and intuitive, making changes, updates and modifications can prove to be quite difficult. For example, in situations where there are merged cells, inserting new risks or controls, or reordering them for presentation purposes when things inevitably change often creates more work than necessary.
A Better Way
Thankfully there is a better way to manage this critical element of your assurance process. And you can do it without having to sacrifice what made the Excel-based approach so appealing in the first place—structured data, demonstration of key relationships, management of key attributes—while standing to gain much more:
- Ability to maintain and demonstrate the relational intricacies of all critical data elements
- Provide real-time visibility and insight based on the relationships to all users simultaneously
- Manage and modify any additions, changes and/or updates in a seamless manner and automatically alert key involved parties when such updates are made
- Identify and track findings and issues in the context of the organizational elements from which they arose
- Maintain historical perspective alongside real time updates and identify critical trends and patterns impacting the organization
- Extract and maintain the integrity of data as a historical representation of the state and status of the process-risk-control relationship at any point of the evaluation process
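To make the relational version of the RCM concrete, here is an added example (not code from the article or from Onspring) that models the same process → risk → control hierarchy in SQLite, keeps findings attached to the control they were raised against along with the engagement that produced them, and answers two questions the spreadsheet struggles with: which risks have no in-scope control, and how a process’s findings look across engagements. The table names, columns and sample rows are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE process (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE risk    (id INTEGER PRIMARY KEY, process_id INTEGER NOT NULL REFERENCES process(id),
                      description TEXT NOT NULL);
CREATE TABLE control (id INTEGER PRIMARY KEY, risk_id INTEGER NOT NULL REFERENCES risk(id),
                      description TEXT NOT NULL, in_scope INTEGER NOT NULL DEFAULT 1);
-- Findings stay linked to the control they were raised against and record the
-- engagement they came from, so prior years survive when the next audit starts.
CREATE TABLE finding (id INTEGER PRIMARY KEY, control_id INTEGER NOT NULL REFERENCES control(id),
                      engagement TEXT NOT NULL, summary TEXT NOT NULL,
                      status TEXT NOT NULL CHECK (status IN ('open', 'closed')));
"""

# Constructed sample RCM rows (hypothetical, not from the article): one process, two risks.
SAMPLE = {
    "process": [(1, "Accounts Payable")],
    "risk": [(1, 1, "Duplicate or fictitious invoices are paid"),
             (2, 1, "Payments released without approval")],
    "control": [(1, 1, "Three-way match of PO, receipt and invoice", 1),
                (2, 2, "Manager approval required above threshold", 0)],
    "finding": [(1, 1, "FY18", "Match bypassed for 12 invoices", "closed"),
                (2, 1, "FY19", "Match bypassed for 3 invoices", "open")],
}

def build_rcm(rows=SAMPLE):
    """Create an in-memory RCM database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for table, data in rows.items():
        marks = ",".join("?" * len(data[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", data)
    return conn

def risks_without_in_scope_control(conn):
    """Coverage gap: risks that have no in-scope control responding to them."""
    return [r[0] for r in conn.execute("""
        SELECT r.description FROM risk r
        WHERE NOT EXISTS (SELECT 1 FROM control c
                          WHERE c.risk_id = r.id AND c.in_scope = 1)""")]

def finding_history(conn, process_name):
    """Every finding for a process across all engagements, oldest first."""
    return conn.execute("""
        SELECT f.engagement, c.description, f.status
        FROM finding f JOIN control c ON c.id = f.control_id
        JOIN risk r ON r.id = c.risk_id JOIN process p ON p.id = r.process_id
        WHERE p.name = ? ORDER BY f.engagement""", (process_name,)).fetchall()
```

Adding a new control or reordering rows is an insert, not a merged-cell surgery, and the FY18 finding remains queryable alongside the open FY19 one.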
Onspring’s fully integrated set of GRC solutions enables you to start establishing, evaluating and monitoring this critical aspect of your assurance function using the structure, data elements and evaluation criteria that matter most to you and your organization. The overall result is an assurance function that trends in the direction of adding significant value to its stakeholders, which is the best result you can hope for.