Fragmented ERM: The Hidden Cost for Businesses

The cost of fragmented Enterprise Risk Management (ERM) is often invisible, lurking in manual processes and disconnected data. This analysis unpacks why this inefficiency is far more expensive than it appears.

Key Takeaways

  • 80% of compliance teams still rely on manual workflows, contributing to escalating costs and inefficiencies.
  • Fragmented ERM hinders operational resilience and creates significant gaps in regulatory compliance, particularly with new mandates like DORA and NIS2.
  • A connected risk platform is essential for linking risks to controls, enabling better decision-making and fostering a stronger risk culture across an organization.

Why are companies still drowning in spreadsheets when the regulatory tide is rising?

The headlines shout about operational resilience, about DORA and NIS2, but the real story is often buried in the mundane — the sprawling, disconnected workflows that plague most large organizations. We’re talking about Enterprise Risk Management, or ERM, a function that, by its very nature, should be the connective tissue holding a business’s risk posture together. Instead, for a staggering number of firms, it’s a tangled mess of legacy systems, manual processes, and isolated data points. And it’s costing them. A lot.

Parker & Lawrence Research, in their recent dive into the RegTech space, highlighted RiskSmart, a platform aiming to untangle this very knot. Their conversation with Ryan Swann, co-founder, laid bare the operational reality: 80% of compliance teams still lean on manual workflows. Let that sink in. In an era where technology dependencies and AI governance create a hyper-interconnected risk landscape, nearly four out of five compliance teams are slogging through spreadsheets. The projected rise in legacy system spend — from $36.7 billion in 2022 to a staggering $57.1 billion by 2028 — isn’t a sign of strong investment; it’s a canary in the coal mine, signaling a deepening reliance on the very systems that create the problem.

The core issue? Resilience, in the modern business context, demands connection. Risks aren’t isolated events; they ripple outwards, interacting with controls, third-party dependencies, and regulatory obligations. When these elements are scattered across disparate spreadsheets and email chains, the ability to see how a single control weakness might cascade into a major regulatory breach — or worse — evaporates. Regulators, and by extension, business leaders, are waking up to this. A stark statistic from the research reveals that 79% of organizations feel ill-equipped to handle new operational resilience regulations, with a dismal 20% of executives believing their firms can actually prevent or respond to outages effectively. This isn’t just a European problem; it’s a global operational reality.

The Myth of ‘Good Enough’ Compliance

Europe, despite its maturity in IT security RegTech, lags in resilience. Why? The article points to a structural bias: security threats are tangible, measurable. Resilience is abstract, outcome-based, and inherently cross-functional. It’s a harder nut to crack. But here’s the kicker: risk and compliance functions are often the de facto data hubs for an entire organization. They hold views on products, processes, customers, suppliers, incidents, and emerging threats. The potential for these teams to shift from mere reporting to strategic advisory—guiding the business on which risks are acceptable and how to pursue growth safely—is immense. Yet, this potential is suffocated by fragmented systems.

“Risk is about decisions and data.”

That quote from Ryan Swann is deceptively simple, but it gets to the heart of it. If your risk data is fragmented, inaccessible, and buried under manual drudgery, your decisions will inevitably be flawed. Controls that aren’t mapped to multiple risks mean redundant assurance work. Unlinked regulatory obligations translate to a compliance paper trail that’s a nightmare to navigate when the auditors knock. The consequence? Risk remains an abstract concept for front-line teams, trapped in the second line of defense rather than being an embedded part of daily operations.

Is Your Risk Management Actually Managing Risk?

The cultural disconnect is palpable. Companies preach a desire for stronger risk ownership, yet equip their teams with tools that make risk feel like an arcane, technical discipline. The language of risk fails to translate into actionable business insights. Static risk registers, those ubiquitous spreadsheets listing every conceivable threat, rarely convey why a particular risk truly matters to the company’s bottom line or strategic objectives. First-line teams, the ones executing the actual business, disengage because risk management feels like a periodic compliance burden, not an integral part of how they make decisions. Boards want better risk culture; risk teams crave forward-looking insight; front-line teams desperately need clarity on their responsibilities. Without a connected, intelligent system, these objectives remain aspirational, not achievable.

RiskSmart’s proposed solution is a platform designed to knit these disparate elements together. It aims to link risks directly to controls, actions, indicators, obligations, policies, and other relevant records. The goal is to move beyond the static, siloed approach and foster a dynamic, interconnected view of the enterprise’s risk landscape. This isn’t just about better reporting; it’s about fundamentally altering how businesses perceive and manage risk, enabling them to not only avoid pitfalls but to strategically harness calculated risks for growth.

The real cost of fragmented ERM isn’t just the dollar amount spent on inefficient processes; it’s the missed opportunities, the amplified vulnerabilities, and the growing chasm between regulatory expectations and operational reality. It’s the hidden tax on agility and the silent drain on strategic foresight. For firms that continue to rely on yesterday’s tools for tomorrow’s risks, the bill is coming due, and it’s likely to be far higher than they imagine.

Written by
Fintech Rundown Editorial Team

Originally reported by Fintech Global