Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Using spreadsheets to manage risk is risky business indeed!

Spreadsheets should be banned from the risk management process says Keith Ricketts.

Spreadsheets are universally loved. Why? Because they give everyone their own version of the truth, with complete autonomy to update and amend them as often as they like, without interference from anyone else. However, while spreadsheets might be great tool at an individual level they are completely un-scalable, and therefore totally unsuitable for compiling and analysing information enterprise-wide, or even for individual projects.

When applied to a risk management scenario, the potential horrors magnify. Who knows what risks are lurking in a spreadsheet so far undiscovered, with all around thinking that they have ‘ticked the box’ and that risk is managed.  Using spreadsheets and emails to manage risk, is a very risky approach.

Here are the main reasons that the spreadsheet approach doesn’t work:

Lack of integrity – spreadsheets are easily manipulated. Anyone could make changes to data to help present a better picture. This could be to cover up a situation once it has happened, to help move blame or mitigate responsibility, or to present a situation or opportunity in a better light.

No audit trail – you can’t easily check who changed what when.  You have no guarantee of the provenance of data supplied, and you can’t see how it may have changed over time.

Deadlines missed – spreadsheets don’t have any workflows or processes built into them. So while someone may request a review, some information or an audit, if there is no response, there is no mechanism to highlight missed deadlines.

No consistency – with no formal structure, each time a new spreadsheet is set up the formatting will be different.

Difficult to compile information – risk management information could be held within hundreds of spreadsheets across the organization.  Compiling them is a very long and arduous task.

Risk management is too important to leave to a spreadsheet!

It is well documented that a mature approach to enterprise and project risk management pays dividends. Whether it’s increased profitability, on-time delivery, more accurate forecasting or better strategic planning, effective risk management provides a competitive differentiator and drives top and bottom line results.

Increasingly risk management is no longer a standalone function. Taking a proactive approach to risk management is becoming ever more critical to success and can deliver major benefits including:

  • Improved EBITDA: up to three times, according to an Ernst & Young study in 2012;
  • Improved visibility: enhanced visibility and accountability builds confidence in the risk management process;
  • Actionable information: supports more effective strategic planning and decision making;
  • Better resource allocation across the enterprise leads to better asset utilisation;
  • Achieve goals: increased ability to deliver capital projects on time and on budget;
  • Better relationships with insurance providers, regulators and stakeholders.

Comparing spreadsheets with enterprise risk management software

Modern risk management for both project and the enterprise has evolved way beyond what spreadsheets and emails are capable of handling. Organizations need access to risk data seven days a week, 24 hours a day.  Information must be easily accessible, understandable and actionable. Risk management necessarily involves every department and asset within the business, which amounts to a lot of data that needs to be collected with an easy to use tool. The software can then calculate the risks, the likely impacts on the business and communicate that information to those that need to know.

With the sheer scale of the data involved, the geographic spread of many organizations, risk management can only by managed effectively using purpose built software. Unlike spreadsheets enterprise and project risk management solutions can bring the risk management process to life. They can help to identify emerging risks that may otherwise go unnoticed, enable best practice for mitigating risk, and highlight opportunities that can help organizations to reach goals, win more business and increase revenue/profitability.

A web-based ERM software approach

A spreadsheet approach to risk management

Consistent capture of data – validated at input

Little or no data entry validation – ‘garbage in’ will get magnified as it progresses up through the business

Sophisticated simulations and probability assessments can be applied to the data

Easy to corrupt formulas and calculations

Data is always up to date and available 24 hours a day

Data is not real time and cannot be guaranteed to be current

Processes become robust and secure 

Open to fraud and mis-representation. Data on laptops, tablets and USB sticks can be easily lost or stolen.

Full audit trail provides transparency and certainty

Lack of audit trail and difficult to share information across an organization

Standardized metrics and automated reports streamline the review and handling of risks at all levels of management

The 'beautification' of information to manually create presentations for management and the board can introduce errors, costs money and takes time and resources

A single system provides the ‘true picture’ of risks and opportunities across the business

Information is fragmented and spread throughout the organization with the possibility of multiple versions of documents which can become out of synch.

Risks can be linked to related information such as controls, mitigation plans and losses

It is difficult to see the full, integrated process and overall picture

Aids compliance with the growing range of standards such as ISO 31000, COSO, AS/NZS 4360, SOX and PmBok

Makes compliance to standards difficult to achieve and to demonstrate

Making a difference to the bottom line

Manual methods and spreadsheet solutions have become the high-risk option for managing risks and are no longer up to the job. Only a true enterprise risk management solution will capture consistent data, provide a single version of the truth, allow access to real-time, trustworthy information and provide the reports required to proactively manage risk and opportunities. ERM can move risk management from a cost to the business to a value-adding process which can make a difference to the bottom line of any organization or project.

The author

Keith Ricketts is marketing director at Sword Active Risk.

•Date: 12th February 2014 • UK/World •Type: Article • Topic: Enterprise risk management

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here