Why Spreadsheets are a Risk to Your Risk Program

Spreadsheets don't lead to improving the likelihood of desired business outcomes.

April 1, 2023

If you are like many organizations, your enterprise risk program and risk register started on spreadsheets.  After all, spreadsheets are free, easy and flexible, and require little user training.  

Spreadsheets are also a risk to your risk program.

There are many ways to view risk.  One that we find helpful is to think of risks as events that may occur and negatively affect outcomes that are important to you.

So, what are the outcomes that are important to you for your risk program?  Identifying the biggest risks?  Lowering mitigation costs?  Engaging the right stakeholders and contributors?  Supporting better executive and board decision making?  Ensuring integrity in the risk program?  Lowering the cost and pain of managing the program?  How about “operationalizing” risk, so that it becomes a continuous management practice throughout your organization and not just something that the risk experts do?

Simply put, spreadsheets are a risk to your risk program because they threaten every one of these outcomes.

First, if you are responsible for administering and maintaining your risk program, you know firsthand the pain, time and expense involved in using spreadsheets to collect and collate risk information.  This is the true cost of spreadsheets.  Less time is spent on value-added work, simply because risk managers spend too much time gathering and massaging data. (OK, one could argue that this is not technically a risk, because it is a virtual certainty!)

With spreadsheets, follow-up on action plans is entirely manual and often doesn’t happen at all.  How can a risk program have integrity without accountability and follow-through?  ERM programs can easily become dreaded annual “checkbox” activities that do not add real value to the organization.

On the topic of integrity, changes cannot be tracked properly in spreadsheets.  Many risk managers react by locking down access and centralizing ERM administration in the hands of a few experts rather than propagating it out through the organization where it can add real value.

Next, spreadsheet-based programs fail to deliver new and meaningful insights.  It is not feasible to create many-to-many linkages in a spreadsheet.  Managers cannot see the relationships between risks, root causes, controls and consequences – preventing them from exploring risk scenarios and uncovering new insights.  Drill-down and flexible reporting are impossible.  Executives become frustrated when they cannot get quick answers to questions or see reports recast from different perspectives.

And now for the big one.  Risk programs based on spreadsheets are not able to effectively engage business and executive team members, because of all the reasons above and the simple fact that executives do not enjoy filling out spreadsheets.  Risk never becomes an organization-wide practice.  Risk culture never takes hold.  And the true value of risk management – improving the likelihood of desired business outcomes – is never realized.

We spend a lot of time speaking with risk thought leaders about this topic and practical ways to move beyond spreadsheets to improve effectiveness and make things easier.  If any of these challenges sound familiar, or if it is just something you would like to share ideas on, please reach out to us – we’d love to chat.