Blog

Spreadsheets vs. Systems for Risk Management – a layman’s guide.  

There is no doubt that spreadsheets have proliferated every area of the organization today.  And no wonder why.  How much simpler can it be to click an icon and in a few minutes perfectly formed calculations, grids, tables are used to convey a view or result of information.  Or is it?

The system most used for risk management today is Microsoft Excel.  It’s a great tool to create basic risk registers and with macros and calculations can be extended to provide some additional validation and functionality. However, spreadsheets fall short in a number of areas:

As spreadsheets are used and enhanced over time, the inherent flexibility disappears.  Consistency and standardization are harder to manage.  A good system manages the frameworks and methodologies, supporting extensions, rework, and relationships in a consistent manner.

1. Development. As risk is inculcated into the organization, it requires that more people add data, more consolidation needs to occur and more permutations need to be accounted for.  Templates, best practices, security and confidentiality become compromised. User documentation, online help take time to create and manage resulting in ongoing overhead, direct cost of resources and time becoming a greater burden.  And not to mention having to rework or extend a predecessor’s set of macro’s and multiple sheet formulas.  On the other hand a system for managing risk is developed once and shared across a large user base.  It has documentation, training, best practice frameworks and takes care of security integrated with the organization policies.
2. Standardization.  Each department/division will deploy its own version of a spreadsheet if allowed.  How does one consolidate this?  A system will support either one methodology or in the case of sophisticated systems, like Cura, will allow multiple methodologies to be used and provide normalization and consolidation functionality. Standardization also extends to version control, deployment, as well as integration and interoperability with other systems.
3. Auditability and data consistency are hard or impossible to achieve in spreadsheets.  On the other hand, effective systems will have audit trails and data validation built in to ensure that there is consistency and truth in the information at any point in time.  Accountability for data in a system is based on permissions granted to staff.
4. Data Changes.  How does one compare old information to new information in spreadsheets.  Trending is almost an impossible function over a period of time.  On the other hand risk systems maintain accurate history of all data.  For instance, a risk recorded in a previous period and deleted in the current  period in spreadsheets is discarded.  In a system, this information is retained so that one can analyze decisions taken and trends based on external factors.
5. Actions and Notifications.  How does a spreadsheet convey tasks remind users of the requirements to update information? How does it escalate information that has not been acted upon?  A system will manage the tasks, workflows and notifications related to data and will pre-emptively e-mail/communicate reminders and even escalate.
6. Libraries.  For spreadsheets to manage libraries of risk or controls becomes a complex task of either creating and integrating into a database source, or build complex macros that update central spreadsheets.  And when libraries need to change, how do those changes ripple through the spreadsheets floating about in the organization and force users to re-asses the changed items.  An effective system on the other hand will manage library items consistently, manage additions and changes to libraries, propagate changes and trigger e-mail and other notifications to relevant users.
7. Reports.  Spreadsheets provide some nice graphical information and the text tables/registers can be formatted to represent information neatly.  However, drilling down to core data is cumbersome and the reporting is highly reliant on cell selection being correct.  Systems, today, are supplied with report writers, predefined and best practice reporting built in with exporting to multiple formats (even Excel!).  Reports are consistent as they deal with fixed table structures, and integrity can be assured.

In summary, for the above reasons and more, moving to a system based approach can greatly enhance the efficiency of staff, reduce distractions and help achieve a more reliable and consistent approach to recording and managing risk information throughout the organization.