5 Reasons to Stop Using Spreadsheets to Manage Risk
Recently, there’s been an undeniable increase in the demand for effective risk management, which is unsurprising considering the growing complexity of threats organizations face globally – from pandemic and supply chain issues, to emerging cyber risks and changing consumer expectations around Environmental, Social, & Governance (ESG) and more.
Spreadsheets are an obvious and seemingly easy first step for an initial introduction of risk management, but in all but the simplest applications, the use of spreadsheets in managing risk falls short and can actually cause more harm than good.
And yet businesses of all sorts rely on spreadsheets for this task, largely because until recently most of the alternative, purpose-built applications are costly and cumbersome. Now there are affordable, easy-to-use alternatives that we’ll describe later. But first, let’s explore why spreadsheets are so problematic.
1. Spreadsheets’ method of inputs makes it difficult to clearly visualize risk and responsibilities.
As you might already know, each row requires separate inputs, and they don’t easily connect a control applied to one risk to incidents and actions relating to the same risk.
2. Because spreadsheets are manually intensive, those with risk management responsibilities are inclined to merely acknowledge their awareness of – rather than manage – the risks.
Business users quickly lose confidence in manually intensive and prone to error processes, which leads them to assume risk management is a box-ticking exercise with minimal business benefits.
Long story short – risk management becomes a passive exercise that doesn’t fully engage leaders or employees to take ownership in heading off the dangers such risks pose.
3. Because spreadsheets require extensive manual work for as little as minor changes, updating information can be quite time-wasting.
That means that the lag or incomplete updating undermines the validity of reporting and is a risk that companies cannot afford to run in an era when boards are legally accountable for signing off on reports.
The Enron scandal in the United States, in which erroneous audits were signed off on by the board, resulted in legislation that put the onus on boards to check and verify the accuracy of the reports they received.
Clearly, running a serious risk that would have financial consequences but doesn’t appear in the reports could be calamitous for a company.
4. The same issues limit spreadsheets’ ability to serve as a useful source for increasingly important and demanded risk modelling and quantitative risk assessments.
With information that’s possibly not up to date or complete, it is impossible to analyse collected data and gain insights. That curtails management’s ability to control risk and respond accordingly.
This is due to poor inputs that can result from the lack of a centralised area to coordinate all of an organisation’s information gathering and analysis.
Most spreadsheet implementations of risk assessment use qualitative risk heat maps which, although easy to understand have some serious limitations which undermine the management of critical business risks.
Quite a lot of analysis methodologies such as Monte Carlo can be run on Excel, however it takes hours to run, as well as specialised knowledge to properly apply such calculations using a spreadsheet.
5. Development of spreadsheet applications for risk management require advanced skills and are often reliant on the availability of the original developer for updates.
This is one of the many aspects of the human element of operating risk-management systems. So looking at the big picture, not only do you need capable platforms, but platforms that anticipate the potential of human errors or shortcomings as well.
Having a centralised system with visibility throughout the organisation can promote checking each other’s work and correcting errors or having missing information added, which in its due course saves time and money by using one agreed-upon process and data set rather than separate departments and/or individuals duplicating the work.
Beware of even more hidden risks
Cyber, privacy and vendor risks have all escalated in recent years with potential to cause material damage to organizations, alongside more traditional enterprise risks. These new risks require quite specific attention, but the Board wants an overall consolidated view of risk status across all material enterprise risks so that it can prioritize and allocate resources accordingly.
Spreadsheets or parochial enterprise risk management tools that simply imitate spreadsheet functionality do not have the capability to address these new risks to business for the 2020s, so we will see the increasing adoption of flexible integrated risk management platforms that can adapt to the changing risk environment.
Countless hours and resources spent on risk management – what can I do?
We get it – you trust spreadsheets, you’ve been using them for years and while it might have all these downsides which you may already be aware of. But take a minute and imagine all that work done in an immensely more efficient way – quicker, safer and more accurate.
That’s why we have IRM platforms such as STREAM, our award-winning integrated risk management software that does exactly what the above statement says.
Through centralization and automation of risk management and compliance, STREAM eliminates guesswork, reduces manual processes, communicates risk in business terms and builds stakeholder confidence.
We’re happy to give you a demonstration to show exactly how STREAM works and how it will benefit you.