Why Spreadsheets are a Risk to Your Risk Program
Spreadsheets don't lead to improving the likelihood of desired business outcomes.
Overview of risk registers, instructions on how to build and populate a risk register and some templates to help get you started
This article provides an overview of risk registers, instructions on how to build and populate a risk register and some templates to help get you started. The article focuses on registers for enterprise risk management (ERM), but the information and templates provided within can also be applied to other risk disciplines, including project risk, health and safety and operational risk.
If you are currently building a risk register, we also recommend you consider a free no-obligation trial of our Essential ERM software. You will be able to build and manage your register faster and easier this way and you can download your register into a spreadsheet at any time.
A risk register is a tool that is used to help foster discussions among executives and key stakeholders regarding an organization’s key objectives and the unplanned events that could interfere (or enhance) the organization’s ability to achieve them.
Specifically, a risk register is a list of an organization’s risks, along with their ratings (scores or risk levels), responsible executives, areas affected and a summary of the actions being taken in response to the risk.
On the right is an example risk register taken from the Essential ERM system.
The image above shows many of the elements that are typically documented within a risk register, including a name for the risk, a category (and sub-categories), inherent risk scores, control effectiveness, residual risk scores and risk velocity. Risks also usually have a rank showing their relative priority and include a summary of the action plans assigned to them, as well as the areas of the business that would be impacted if the risk events were to occur. They may also indicate if a risk’s residual rating is above, below or within the allowable thresholds set through the organization's risk appetite framework.
Other important areas to consider adding to your register are the strategic objectives impacted, the risk treatment strategy to be followed, root causes, pre-event mitigations (controls), post-event mitigations and eventual consequences (qualitative and quantitative). Note that while this information is extremely important for the risk assessment and process, it is often difficult to capture and maintain in a spreadsheet because of the many-to-many relationships between these risk elements (more on this below).
Most often, risk registers get started on spreadsheets. After all, spreadsheets are free, easy and flexible. They would seem like a good way to get started, and in some cases they can be.
The problem, however, is that in most cases, there are real costs and risks to using spreadsheets. And they’re not the fastest and easiest way to get started either.
Full disclosure - we have a bias at Tracker Networks because we make amazing and easy-to-use risk register software, but in our defence, the entire reason we created our software was because of all the problems that spreadsheets present in risk management.
Talk to any risk manager who is administering and maintaining their risk program on spreadsheets and they will tell you about the pain and time required to manually collect and collate risk information. They get to spend very little time on value-added advisory work, simply because they spend so much of their time gathering and massaging data.
With spreadsheets, follow up on action plans is entirely manual and often doesn’t happen at all. How can a risk program have integrity without accountability and follow through? ERM programs can easily become dreaded “checkbox” activities that don’t add real value to the organization.
On the topic of integrity, changes cannot be tracked properly in spreadsheets. Many risk managers react by locking down access and centralizing risk administration in the hands of a few experts, rather than propagating risk management processes out through the organization where they can add much more value.
Next, spreadsheet-based programs fail to deliver new and meaningful insights. It is not feasible to create many-to-many linkages in a spreadsheet. Managers cannot see the relationships between risks, root causes, controls and consequences in the manner that they could through an automated bow tie diagram. Trending information, drill-downs and flexible reporting are impossible to maintain. Executives become frustrated when they cannot get quick answers to questions or see reports recast from different perspectives.
Business and executive team members hate filling out spreadsheets and often never become engaged in the risk process. Risk never becomes an organizational-wide practice. Risk culture never takes hold. And the true value of risk management – improving decision making and achieving strategic objectives – is never realized.
Finally, risk software, if properly designed, will quickly and easily guide you through the process of creating your risk register in a manner that is consistent with best-practice standards and frameworks including ISO 31000 and COSO. The right risk register software can have you up and running in a matter of minutes and will provide easy workflows and insightful analysis to help get your senior leadership truly engaged.
Managers who are new to building risk registers are often uncertain where to start. They may have inherited some old risk information for past assessments, and/or choose to get started with a generic list of sample risks to consider in their industry.
There is some utility in these approaches, and initial risk discussions with a company’s management team tend to go well. The discussions uncover new insights and give business managers an opportunity to voice concerns about risks they may not have spoken about before and to identify obvious areas for improvement (“low hanging fruit”).
The challenge, however, is setting up your risk program in a way that is sustainable and keeps you leadership and business managers engaged over the long term. In our experience, having the right perspective when starting your risk register can mean the difference between the success and failure of your risk program.
In fact, one of the most common criticisms of risk registers is how quickly they grow to become little more than a long list of potential problems without any context, priority, or connection to an organization’s mission and priorities.
The fix to this is simple and provides the best starting point for your risk register - start with your strategic objectives.
The image above is taken from the Essential ERM system to illustrate the process we recommend when building and populating your risk register:
Identify and document the key objectives for your organization, department or project.
Engaging key stakeholders, identify, discuss and document the uncertain events that if they were to occur, would interfere with your ability to achieve your objectives (risks “to” the strategy).
Engaging key stakeholders, identify, discuss and document the new or enhanced risks that result from pursuing your strategic objectives (risks “from” the strategy).
Following this approach will cause you to build a risk register that is highly aligned to your key objectives. Your leadership and business stakeholders will see the risk process as a useful tool to helping them achieve their objectives and are far more likely to stay engaged and supportive.
In our experience, we find it is better to favor relevance over thoroughness when building a register. In other words, it is better to have a short register of risks that are highly relevant to your objectives, rather than a long register that tries to capture every potential negative event, even when those events are unlikely to materially affect strategic outcomes.
Once you have built your risk register, you should perform an initial assessment of your risks, starting with the risks that impact the most important objectives. The risk bow tie method has emerged as best practice for risk assessment and is enhanced further through risk voting.
Finally, two other areas to consider are incorporating allowable risk thresholds through a risk appetite definition process (to add further business context) and adding key risk and performance indicators (to turn your risk program into a continuous monitoring and intelligence process).
Taken together, your risk ratings, objectives, appetite and indicators will provide helpful context to prioritize and rank the risks in your register that need the most focus and attention.
Spreadsheets don't lead to improving the likelihood of desired business outcomes.