Add Spreadsheets to Your Risk Inventory
by Chris Duncan, Business Management Consultant
July 2009
Enterprise risk management (ERM) programs are hard to implement in
any business, and our understanding of the scope, complexity, and
interrelationships between an organization's critical risks is
continuously evolving. However, our ability to advance our understanding
and our ERM evolution to "higher" forms of ERM success can be limited
by the tools we use.
Just as our distant ancestors were perfectly happy with a sharpened
rock for hunting and protection for thousands of years, it wasn't
until someone put metal on spears and arrows that our capacity for
self-preservation and calorie collection gained momentum.
So what's our modern-day ERM metal-covered rock? The spreadsheet—that
wonderful, two-dimensional, rows-and-cells, everybody-in-the-world-knows-how-to-use-it,
comfortable "Swiss army knife" of data manipulation
and analysis. The spreadsheet changed the business world forever!
It empowered us, much like the ancient metal-dipped sharpened rock,
to expand our understanding of the business world and our impact
on it; it democratized business by extending into the masses a multipurpose
tool of business planning, analysis, what-if scenarios, along with
a world of fonts, colors, lines, boxes, and shadings to make the
ugliest profit and loss statement look beautiful.
Spreadsheets remind me of the famous line from Saturday Night
Live character, Fernando (Billy Crystal), "Darling, and you know
who you are, it's more important to look good than to feel good."
Spreadsheets are indeed "absolutely marvelous," but they are not the
right tool for increasingly complex ERM needs! One major risk facing
all businesses today is that we are almost exclusively dependent on the
spreadsheet, and dare I say, the ever-present sound-bite-driven
PowerPoint "deck," as the basis of most management decision-making.
Okay, so we have two sharpened rocks …
Before you think that I'm a business technology Luddite, I use
both spreadsheets and PowerPoint every day. Can't get by without
either of them, and if you take away my Blackberry, the third god
of the unholy business technology trinity, my productivity comes
to a screeching halt, and I start sucking my thumb as withdrawal
symptoms ensue.
But when it comes to something serious like identifying the critical
risks of the modern organization across functions, business lines, and
geographies—both quantifiable and subjective—establishing the relationships
and interactions between these risks,
tracking how these risks change and evolve over time, keeping up
with the ever-evolving mitigation efforts, plans, documentation,
and analyses for these critical risks (and who's on point and responsible
for them), all the while trying to communicate a synthesized version
of this to senior management and your board to improve decision-making,
you quickly find that using a spreadsheet is like using a rock in a
gunfight. You might bruise the other guy a bit, but you'll truly understand
your need for more firepower in a real and personal way!
What Risks Do Spreadsheets Pose?
I tell business students to not get too enamored with spreadsheets,
that in fact they are a risk in and of themselves. Here are my top
10 reasons why spreadsheets are a risk to add to your ERM inventory:
- Lack of Auditability
- Sometimes Low Cost Leads to Higher Cost
- No Visualization of Critical Risk Relationships
- Lack of Data Security
- Lack of Consistent Data Management
- Ease of Use
- Limited Accountability
- Difficult Knowledge Collection and Knowledge Transfer
- No Help Growing Your Risk Culture
- Doesn't Optimize Communications with Leadership
These are discussed in more detail below.
1. Lack of Auditability
Can you audit a spreadsheet? One of the key issues in a Sarbanes-Oxley
Act Section 404 audit of internal financial controls is a business's
reliance on spreadsheets for critical inputs and analysis that produce
results that are embedded in, and material to, the financial statements.
Here's the problem: spreadsheets grow to become complex and huge. Over
time, they become rambling ranch houses with multiple rooms added
on, making it increasingly hard to understand how the rooms are connected
and how the variables and assumptions interact. They are subject
to innocent errors that fundamentally change the outcome, sometimes
materially.
A robust ERM technology platform must document and track every single
change to a critical risk: what changed, who made the change, and why.
Otherwise, it must not be a critical risk! Both your internal and
external auditors will be very happy if you have an auditable system
for your risks and risk actions.
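As an added illustration of the auditability requirement just described (example code, not from the article or any ERM product), the following Python sketch keeps an append-only, hash-chained change log for a risk-register entry: each record stores what changed, who changed it and why, and a later silent edit to any stored value, the spreadsheet equivalent of retyping a cell, is detectable. The risk ids, user names and reasons are constructed for illustration.

```python
# Added example (not from the article): tamper-evident change log for a
# risk-register entry, recording what changed, who made it, and why.
# Risk ids, user names and reasons are constructed for illustration.
import hashlib
import json

GENESIS = "0" * 64  # chain link used by the first record


def _hash_record(record: dict) -> str:
    # Canonical JSON over every field except the hash itself.
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RiskChangeLog:
    """Append-only log; each record carries the previous record's hash."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def record_change(self, risk_id: str, field: str, old: str, new: str,
                      who: str, why: str) -> dict:
        prev = self.records[-1]["entry_hash"] if self.records else GENESIS
        rec = {"risk_id": risk_id, "field": field, "old": old, "new": new,
               "changed_by": who, "reason": why, "prev_hash": prev}
        rec["entry_hash"] = _hash_record(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        # True only if every record hash and every chain link still hold.
        prev = GENESIS
        for rec in self.records:
            if rec["prev_hash"] != prev or _hash_record(rec) != rec["entry_hash"]:
                return False
            prev = rec["entry_hash"]
        return True


def demo() -> tuple[bool, bool]:
    """Build a two-change history, then tamper with it as a cell edit would."""
    log = RiskChangeLog()
    log.record_change("R-001", "likelihood", "Medium", "High", "j.doe",
                      "Q2 manager survey flagged supplier concentration")
    log.record_change("R-001", "owner", "ops-lead", "cfo", "a.smith",
                      "Reassigned at the risk committee")
    intact = log.verify()
    log.records[0]["new"] = "Low"  # silent edit: no who, no why, no record
    return intact, log.verify()  # (True, False)
```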
2. Sometimes Low Cost Leads to Higher Costs
Spreadsheets are cheap; they're already paid for and sitting right there
on your PC. Why not leverage this useful "Swiss army knife"? It's
the hidden costs that kill you. Yes, you can start with a simple
ERM risk inventory in a spreadsheet, but as your risks grow, along with
the desire to understand them in more detail, monitor, measure,
mitigate, and communicate them, you have to duplicate more and more
spreadsheet work into other programs (like PowerPoint, Access, statistical
modeling, project management, etc.) to accomplish the outcomes you
need to drive your ERM efforts. Not to mention keeping track of the
versions of spreadsheets you have to send around to get even some
"online" collaboration going. All of these are hidden costs of productivity
and forgone effectiveness. Starting out with the right tool for
the job saves you a lot of rework down the road.
3. No Visualization of Critical Risk Relationships
"A picture speaks a thousand words." The Emperor of the Xia Dynasty
in China got it right about 4,000 years ago. Being able to communicate
risks and the interrelationships between them is one of the key
tenets of ERM. It's not only important to understand the risks
to the organization, but to be able to communicate the interrelationships
of risks and their cumulative impacts that may destroy the organization.
You hit a wall with pivot tables in spreadsheets versus very easy-to-understand
dynamic visualizations of risk through color-coded risk profiles
and heat maps.
4. Lack of Security
Is there more sensitive information in or around your organization
than board-level information about risk identification and the management
of that risk? It is very difficult to prevent unauthorized changes
in a spreadsheet and almost impossible to eliminate version control
issues and concerns over passing spreadsheets back and forth—oftentimes
through insecure e-mail systems. Human nature tells us to protect
our own stuff, yet we have overcome this innate emotion with our
money. We don't hear of too many educated executives who keep their
net worth in cash under their mattress or buried in the backyard
with an "X" marking the spot.
It may be difficult to cross that hurdle of letting someone else
secure the organization's data, but I am convinced a good software
as a service (SaaS) model can not only better protect your data and
provide the best security for your information, but can also provide
cost savings and efficiencies among employees who can access information
and files from anywhere. The model can also better serve customers
in terms of web-enabled capabilities, access, and mobile capabilities.
5. Lack of Consistent Data Management and Communication
All animals communicate with each other in some form or another,
and we humans have developed the highest form of it (although I'm
having a hard time explaining the usefulness of "Twitter"). We have
all experienced the challenge of communicating with someone who
speaks a different language. Simple things can be communicated,
but it doesn't take long before you have no idea what the other
is saying or needing.
Data management also requires agreement on a common nomenclature
and taxonomy. We work in an interconnected world. You can set definitions
for your organization. They may hold together within one unit or
group, but it is very difficult in a spreadsheet environment, when
you are emailing hundreds or thousands of spreadsheets across a
large global organization, to standardize, agree on, and enforce a common
risk language. A central repository for risk is the solution to
this challenge and significantly reduces the risk of
spreadsheet misunderstandings.
6. Ease of Familiarity Constrains Progress
I can create a spreadsheet in minutes. Give me a few more minutes,
and it will have intricate pivot tables, colored frames, and all
kinds of formulas. I love my spreadsheets, which may skew my thinking
that what I've created must be true (which is a risk in and of itself).
I am as comfortable with a spreadsheet as I am breathing—it's second
nature. But technology changes, and we change with it—for good reason.
When the Blackberry came to market, I was convinced to give up a cell
phone with no text messaging, no e-mail, no voicemail, no contact
records, and no synchronization because the Blackberry yielded a
better productivity outcome. While we are all so comfortable with
our spreadsheets, new technology for identifying, assessing, and
managing risks should be easy to use as well. Yes, there is a learning
curve, but progress only happens when the creative tension of the
need to expand our understanding crashes into the brick walls of
our set ways and routine.
I discovered how to work differently, and expand my understanding
of business and the world around me, and my productivity soared
when I went from graph paper to Lotus 1-2-3, from the landline phone
to the pager, from the pager to the cell, and the cell to the Blackberry
(and other PDAs). If the technology you are considering for managing
your risks does not evolve over time, you may be looking at the
wrong solution and missing the opportunity to become more productive
and gain more insights into your risks.
Do your research. Check references of vendors to make sure your
selection can grow your risk intelligence and is easy to implement
and easy to use.
7. Lack of Accountability
Accountability is one of the major keys to attaining desired
results. Lack of clarity around a project, responsibilities, or
goals often leads to inadequate communication, inefficient results,
and unmet goals. Accountability involves assigning clear responsibilities
and ownership around all parts of a project or risk, not just at
the senior executive level, but also pushed down through the business
unit, the business process or the function, to the risk owner. This
level of granularity is difficult to see, understand, and manage
within the confines of spreadsheets.
When employees can clearly see the project, the tasks involved,
and what responsibilities are owned by each, they gain a more complete
understanding of the expected results and how they will be measured.
ERM technology should facilitate this process by enabling participation,
gaining buy-in from employees, and measuring results through inherent
risk levels, historical risk levels, target risk levels, and other
measures to help all involved move forward to the next benchmarks
and milestones.
8. Difficult Knowledge Collection and Difficult Knowledge Transfer
Any risk management technology platform should fundamentally
do two things:
- Radiate enhanced risk understanding, or risk
intelligence, outward to others in the organization
that will use this information for better "risk
adjusted" decision-making, and
- Draw these same influencers and subject matter
experts into the process of identifying, prioritizing,
and responding to risks.
Spreadsheets don't create a community of risk intelligence to
be shared, and spreadsheets don't draw others into the process.
One example of effective use of risk technology systems to communicate
and transfer knowledge is the ability to gather online and near-instantaneous
feedback from across the organization
via surveys. One Fortune 100 company I know well has a risk inventory
of several hundred key risks, and uses an online survey to track
the movements of these risks as perceived by its top 300 managers.
These folks are on the frontline and really know what's going on.
The same survey "watches" the top 60-80 risks every quarter and
rotates in the rest of the risks twice a year, along with providing
an opportunity for these managers to introduce new ones to consider.
This data is fed back to the managers in its composite form across
the organization, by line of business and by geography. This virtuous
circle of input, review, and output communicates to the core leadership
the top risks in the company and what is to be done about them.
That's powerful, actionable information. You're not going to get
that easily with a spreadsheet.
9. No Help Garnering Your Risk Culture throughout the Organization
Risk culture is certainly a significant part of an effective
ERM process and program, and a very difficult thing to define and
understand. Yet, we can all agree on things that would certainly
hurt an effort to spread the appropriate risk culture throughout
the organization and things that would positively affect your risk
culture. It's pretty clear. Technology should help you involve the
people within the organization.
Chrysler involved people at all levels of its organization as
it entered a final peak period years ago. According to one report:
In 4 years, Chrysler solicited 4,600 ideas from
suppliers; 60 percent were used, saving over $235
million. Customers were also called in during "virtually
every stage" of the development of new models to
provide suggestions (rather than just ratings of
what they liked).
Spreadsheets don't have the capacity to deal with input from
the people. ERM technology should. To spread the desired risk culture,
you should also involve people in setting goals and in setting objectives.
Spreadsheets have no capacity for dealing with numerous users, their
level of input, views, and ideas. Again, ERM technology should.
To help spread the desired risk culture, you should involve the
people within the organization in learning from successes and mistakes
and changes that need to be made. Spreadsheets don't even come close.
ERM technology should certainly allow for risk levels, goals, and
tracking of mitigation activities and efforts that had both a positive
and negative impact.
10. Doesn't Enhance Communication with Leadership
Effective ERM technology delivers dashboards of risks that matter
to each executive, as well as summary level rollups to the C-Suite
and board. It provides tracking and movement of risk profiles over
time. Are risks increasing or decreasing? Is our response improving
likely outcomes? Are we losing ground?
It provides drill-down capabilities to look at underlying risks
and relationships between them. It shows what risk owners have in
their area of responsibility and if they are tracking to completion
of mitigation and control activities. At best, spreadsheets can
deliver suboptimal snapshots of most of the above, but only after
tremendous investment of time and effort, which must be reinvested
time and time again.
Conclusion
Fortunately, the ERM technology industry continues to evolve,
with various players delivering new advances to the market almost
on a monthly basis. Cutting-edge technology providing the ability
to visualize risks and risk relationships is increasingly common
in the marketplace, as newcomers force entrenched technology companies
to respond. The advent of "cloud computing" is bringing the SaaS
model to the forefront of technology delivery, changing the cost
model of application development and services to the industry. Companies
are moving beyond simple heat maps and into risk relationships,
and mitigation tracking.
The lines between risk management information systems, ERM, and business
continuity planning/crisis response are blurring as companies increasingly
realize that these management areas, while perhaps specialized in
their own right, are fundamentally connected to the company's ability
to survive and thrive. Spreadsheets won't get there—a great sharpened
rock if a rock is all you need, but if you want to use spreadsheets
beyond that, the shortcomings become a risk in and of themselves.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.