In many organizations the genesis of their GRC efforts can be traced backto a few isolated projects that were quick responses to external factors (e.g. scrambling to pass the first PCI audit, “What’s this HIPAA thing all about?”, etc.) To get these projects going people turned to their reliable “universal tool”, the spreadsheet. Suddenly spreadsheets became assessment tools, scoring programs, aggregated databases, report generators, etc. For these projects, spreadsheet-based GRC rose to the occasion and saved the day!