Spreadsheets should be banned from the Risk Management process – Keith Ricketts, Marketing Director at Sword Active Risk explains why.

Spreadsheets are universally loved. Why, because they give everyone their own version of the truth, with complete autonomy to update and amend them as often as they like, without interference from anyone else. However, while spreadsheets might be great tool at an individual level they are completely un-scalable, and therefore totally unsuitable for compiling and analysing information enterprise-wide, or even for individual projects.

When applied to a risk management scenario, the potential horrors magnify. Who knows what risks are lurking in a spreadsheet so far undiscovered, with all around thinking that they have ‘ticked the box’ and that risk is managed.  Using spreadsheets and emails to manage risk, is a very risky approach.

Here are the main reasons that the spreadsheet approach doesn’t work:

Lack of Integrity – Spreadsheets are easily manipulated. Anyone could make changes to data to help present a better picture. This could be to cover up a situation once it has happened, to help move blame or mitigate responsibility, or to present a situation or opportunity in a better light.

No Audit Trail – you can’t easily check who changed what when.  You have no guarantee of the provenance of data supplied, and you can’t see how it may have changed over time.

Deadlines missed – Spreadsheets don’t have any workflows or processes built into them. So while someone may request a review, some information or an audit, if there is no response, there is no mechanism to highlight missed deadlines.

No Consistency – With no formal structure, each time a new spreadsheet is set up the formatting will be different.

Difficult to Compile Information – Risk management information could be held within hundreds of spreadsheets across the organisation.  Compiling them is a very long and arduous task.

 Risk Management is too important to leave to a Spreadsheet

It is well documented that a mature approach to enterprise and project risk management pays dividends. Whether it’s increased profitability, on-time delivery, more accurate forecasting or better strategic planning, effective risk management provides a competitive differentiator and drives top and bottom line results.

Increasingly risk management is no longer a standalone function. Taking a proactive approach to risk management is becoming ever more critical to success and can deliver major benefits including:

• Improved EBITDA – up to three times, according to the Ernst & Young study in 2012
• Improved Visibility  – Enhanced visibility and accountability builds confidence in the risk management process
• Actionable information – supports more effective strategic planning and decision making
• Better resource allocation – across the enterprise leads to better asset utilisation
• Achieve Goals – Increased ability to deliver capital projects on time and on budget
• Better relationships with insurance providers, regulators and stakeholders

 Comparing Spreadsheets with Enterprise Risk Management Software

Modern risk management for both project and the enterprise has evolved way beyond what spreadsheets and emails are capable of handling. Organisations need access to risk data seven days a week, 24 hours a day.  Information must be easily accessible, understandable and actionable. Risk management necessarily involves every department and asset within the business, which amounts to a lot of data that needs to be collected with an easy to use tool. The software can then calculate the risks, the likely impacts on the business and communicate that information to those that need to know.

With the sheer scale of the data involved, the geographic spread of many organisations, risk management can only by managed effectively using purpose built software. Unlike spreadsheets enterprise and project risk management solutions can bring the risk management process to life. They can help to identify emerging risks that may otherwise go unnoticed, enable best practice for mitigating risk, and highlight opportunities that can help organisations to reach goals, win more business and increase revenue/profitability.

A web-based ERM software approach	A spreadsheet approach to risk management
Consistent capture of data – validated at input	Little or no data entry validation – ‘garbage in’ will get magnified as it progresses up through the business
Sophisticated simulations and probability assessments can be applied to the data	Easy to corrupt formulas and calculations
Data is always up to date and available 24 hours a day	Data is not real time and cannot be guaranteed to be current
Processes become robust and secure	Open to fraud and mis-representation. Data on laptops, tablets and USB sticks can be easily lost or stolen.
Full audit trail provides transparency and certainty	Lack of audit trail and difficult to share information across an organization
Standardized metrics and automated reports streamline the review and handling of risks at all levels of management	The “beautification” of information to manually create presentations for management and the board can introduce errors, costs money and takes time and resources
A single system provides the ‘true picture’ of risks and opportunities across the business	Information is fragmented and spread throughout the organization with the possibility of multiple versions of documents which can become out of synch.
Risks can be linked to related information such as controls, mitigation plans and losses	It is difficult to see the full, integrated process and overall picture
Aids compliance with the growing range of standards such as ISO 31000, COSO, AS/NZS 4360, SOX and PmBok	Makes compliance to standards difficult to achieve and to demonstrate

Making a difference to the bottom line

Manual methods and spreadsheet solutions have become the high-risk option for managing risks and are no longer up to the job. Only a true enterprise risk management solution will capture consistent data, provide a single version of the truth, allow access to real-time, trustworthy information and provide the reports required to proactively manage risk and opportunities. ERM can move risk management from a cost to the business to a value-adding process which can make a difference to the bottom line of any organization or project.