Enterprise risk management (ERM)
programs are hard to implement in any business, and our understanding
of the scope, complexity, and interrelationships between an organization's
critical risks is continuously evolving. However, our ability to
advance our understanding and our ERM evolution to "higher" forms
of ERM success can be limited by the tools we use.
Business Management Consultant
Just like our distant ancestors were perfectly happy with a sharpened
rock for hunting and protection for thousands of years, it wasn't
until someone invented metals to go on spears and arrows that our
ability to expand our ability of self-preservation and calorie collection
So what's our modern-day ERM metal-covered rock? The spreadsheet—that
wonderful, two dimensional, rows and cells, everybody in the world
knows how to use it, comfortable "Swiss army knife" of data manipulation
and analysis. The spreadsheet changed the business world forever!
It empowered us, much like the ancient metal-dipped sharpened rock,
to expand our understanding of the business world and our impact
on it; it democratized business by extending into the masses a multipurpose
tool of business planning, analysis, what-if scenarios, along with
a world of fonts, colors, lines, boxes, and shadings to make the
ugliest profit and loss statement look beautiful.
Spreadsheets remind me of the famous line from Saturday Night
Live character, Fernando (Billy Crystal), "Darling, and you know
who you are, it's more important to look good than to feel good."
Spreadsheets are indeed "absolutely marvelous," but it's not the
right tool for increasingly complex ERM needs! One major risk facing
all businesses today is we are almost exclusively dependent on the
spreadsheet, and dare I say, the ever-present sound bite driven
PowerPoint "deck," as the basis of most management decision-making.
Okay, so we have two sharpened rocks …
Before you think that I'm a business technology Luddite, I use
both spreadsheets and PowerPoint every day. Can't get by without
either of them, and if you take away my Blackberry, the third god
of the unholy business technology trinity, my productivity comes
to a screeching halt, and I start sucking my thumb as withdrawal
But when it comes to something serious like identifying the critical
risks of the modern organization across functions, business lines,
geographies—both quantifiable and subjective—establishing the relationship
and interactions between these risks,1
tracking how these risks change and evolve over time, keeping up
with the ever-evolving mitigation efforts, plans, documentations
and analyses for these critical risks (and who's on point and responsible
for them), all the while trying to communicate a synthesized version
of this to senior management and your board to improve decision-making,
you quickly find using a spreadsheet is like using a rock in a gun
fight. You might bruise the other guy a bit, but you'll truly understand
your need for more firepower in a real and personal way!
I tell business students to not get too enamored with spreadsheets,
that in fact they are a risk in and of themselves. Here are my top
10 reasons why spreadsheets are a risk to add to your ERM inventory:
These are discussed in more detail below.
Can you audit a spreadsheet? One of the key issues in Sarbanes-Oxley
Act 404 audit of internal financial controls is a business's reliance
on spreadsheets for critical inputs and analysis that produce results
that are embedded and material to the financial statements. Here's
the problem: Spreadsheets grow to become complex and huge. Over
time, they become rambling ranch houses with multiple rooms added
on, increasingly harder to understand how the rooms are connected,
and how the variables and assumptions interact. They are subject
to innocent errors that fundamentally change the outcome, sometimes
A robust ERM technology platform must allow for every single
change in a critical risk to be documented and tracked as changes
are made to this risk, who made it, and why. Otherwise, it must
not be a critical risk! It will make both your internal and external
auditors very happy if you have an auditable system for your risks
and risk actions.
Spreadsheets are cheap; already paid for sitting right there
on your PC. Why not leverage this useful "Swiss army knife"? It's
the hidden costs that kill you. Yes, you can start with a simple
ERM risk inventory in a spreadsheet, but as your risks grow, and
the desire to understand them in more detail, monitor, measure,
mitigate and communicate them, you have to duplicate more and more
spreadsheet work into other programs (like PowerPoint, access, statistical
modeling, project management, etc.) to accomplish the outcomes you
need to drive your ERM efforts. Not to mention keeping track of
versions of spreadsheets you have to send around to get even some
"online" collaboration going. All of these are hidden costs of productivity
and forgone effectiveness. Starting out with the right tool for
the job saves you a lot of re-work down the road.
"A picture speaks a thousand words." The Emperor of the Xia Dynasty
in China got it right about 4,000 years ago. Being able to communicate
risks and the interrelationships between them is one of the key
tenants of ERM. It's not only important to understand the risks
to the organization, but to be able to communicate the interrelationships
of risks, and their cumulative impacts that may destroy the organization.
You hit a wall with pivot tables in spreadsheets versus very easy-to-understand
dynamic visualizations of risk through color-coded risk profiles
and heat maps.
Is there more sensitive information in or around your organization
than board-level information around risk identification and management
of that risk? It is very difficult to prevent unauthorized changes
in a spreadsheet and almost impossible to eliminate version control
issues and concerns over passing spreadsheets back and forth—oftentimes
through unsecure e-mail systems. Human nature tells us to protect
our own stuff, yet we have overcome this innate emotion with our
money. We don't hear of too many educated executives who keep their
net worth in cash under their mattress or buried in the backyard
with an "X" marking the spot.
It may be difficult to cross that hurdle of letting someone else
secure the organization's data, but I am convinced a good software
as a service model (SaaS) cannot only better protect your data and
provide the best security for your information, but can also provide
cost savings and efficiencies among employees who can access information
and files from anywhere. The model can also better serve customers
in terms of web-enabled capabilities, access, and mobile capabilities.
All animals communicate with each other in some form or another,
and we humans have developed the highest form of it (although I'm
having a hard time explaining the usefulness of "Twitter"). We have
all experienced the challenge of communicating with someone who
speaks a different language. Simple things can be communicated,
but it doesn't take long before you have no idea what the other
is saying or needing.
Data management also requires agreement on a common nomenclature
and taxonomy. We work in an interconnected world. You can set definitions
for your organization. They may hold together within one unit or
group, but it is very difficult in a spreadsheet environment when
you are emailing hundreds or thousands of spreadsheets across a
large global organization to standardize, agree, and enforce a common
risk language. A central repository for risk is the solution to
this challenge and significantly reduces the risk of the risk of
I can create a spreadsheet in minutes. Give me a few more minutes,
and it will have intricate pivot tables, colored frames, and all
kinds of formulas. I love my spreadsheets, which may skew my thinking
that what I've created must be true (which is a risk in and of itself).
I am as comfortable with a spreadsheet as I am breathing—it's second
nature. But technology changes, and we change with it—for good reason.
When the Blackberry came to market, I was convinced not to stick
with a cell phone with no text messaging, no e-mail, no voicemail,
no contact records, and no synchronization because it yielded a
better productivity outcome. While we are all so comfortable with
our spreadsheets, new technology for identifying, assessing, and
managing risks should be easy to use as well. Yes, there is a learning
curve, but progress only happens when the creative tension of the
need to expand our understanding crashes into the brick walls of
our set ways and routine.
I discovered how to work differently, and expand my understanding
of business and the world around me, and my productivity soared
when I went from graph paper to Lotus 1-2-3, from the landline phone
to the pager, from the pager to the cell, and the cell to the Blackberry
(and other PDAs). If the technology you are considering for managing
your risks does not evolve over time, you may be looking at the
wrong solution and missing the opportunity to become more productive
and gain more insights into your risks.
Do your research. Check references of vendors to make sure your
selection can grow your risk intelligence
and is easy to implement and
easy to use.
Accountability is one of the major keys to attaining desired
results. Lack of clarity around a project, responsibilities, or
goals often leads to inadequate communication, inefficient results,
and unmet goals. Accountability involves assigning clear responsibilities
and ownership around all parts of a project or risk, not just at
the senior executive level, but also pushed down through the business
unit, the business process or the function, to the risk owner. This
level of granularity is difficult to see, understand, and manage
within the confines of spreadsheets.
When employees can clearly see the project, the tasks involved,
and what responsibilities are owned by each, they gain a more complete
understanding of the expected results and how they will be measured.
ERM technology should facilitate this process by enabling participation,
gaining buy-in from employees, and measuring results through inherent
risk levels, historical risk levels, target risk levels, and other
measures to help all involved move forward to the next benchmarks
Any risk management technology platform should fundamentally
do two things:
Spreadsheets don't create a community of risk intelligence to
be shared, and spreadsheets don't draw others into the process.
For example, one of the examples of effective use of risk technology
systems to communicate and transfer knowledge is the ability to
have online and near instantaneous feedback from across the organization
via surveys. One Fortune 100 company I know well has a risk inventory
of several hundred key risks, and uses an online survey to track
the movements of these risks as perceived by its top 300 managers.
These folks are on the frontline and really know what's going on.
The same survey "watches" the top 60-80 risks every quarter and
rotates in the rest of the risks twice a year, along with providing
an opportunity for these managers to introduce new ones to consider.
This data is fed back to the managers in its composite form across
the organization, by line of business and by geography. This virtuous
circle of input, review, and output communicates to the core leadership
the top risks in the company and what is to be done about them.
That's powerful, actionable information. You're not going to get
that easily with a spreadsheet.
Risk culture is certainly a significant part of an effective
ERM process and program, and a very difficult thing to define and
understand. Yet, we can all agree on things that would certainly
hurt an effort to spread the appropriate risk culture throughout
the organization and things that would positively affect your risk
culture. It's pretty clear. Technology should help you involve the
people within the organization.
Chrysler involved people at all levels of its organization as
it entered a final peak period years ago. According to one report:
In 4 years, Chrysler solicited 4,600 ideas from
suppliers; 60 percent were used, saving over $235
million. Customers were also called in during "virtually
every stage" of the development of new models to
provide suggestions (rather than just ratings of
what they liked).
Spreadsheets don't have the capacity to deal with input from
the people. ERM technology should. To spread the desired risk culture,
you should also involve people in setting goals and in setting objectives.
Spreadsheets have no capacity for dealing with numerous users, their
level of input, views, and ideas. Again, ERM technology should.
To help spread the desired risk culture, you should involve the
people within the organization in learning from successes and mistakes
and changes that need to be made. Spreadsheets don't even come close.
ERM technology should certainly allow for risk levels, goals, and
tracking of mitigation activities and efforts that had both a positive
and negative impact.
Effective ERM technology delivers dashboards of risks that matter
to each executive, as well as summary level rollups to the C-Suite
and board. It provides tracking and movement of risk profiles over
time. Are risks increasing or decreasing? Is our response improving
likely outcomes? Are we losing ground?
It provides drill-down capabilities to look at underlying risks
and relationships between them. It shows what risk owners have in
their area of responsibility and if they are tracking to completion
of mitigation and control activities. At best, spreadsheets can
deliver suboptimal snapshots of most of the above, but only after
tremendous investment of time and effort, which must be reinvested
time and time again.
Fortunately, the ERM technology industry continues to evolve,
with various players delivering new advances to the market almost
on a monthly basis. Cutting-edge technology providing the ability
to visualize risks and risk relationships is increasingly common
in the marketplace, as newcomers force entrenched technology companies
to respond. The advent of "cloud computing" is bringing the SaaS
model to the forefront of technology delivery, changing the cost
model of application development and services to the industry. Companies
are moving beyond simple heat maps and into risk relationships,
and mitigation tracking.
The lines between risk management information systems, ERM, business
continuity planning/crisis response are blurring as companies increasingly
realize that these management areas, while perhaps specialized in
their own right, are fundamentally connected to the companies' ability
to survive and thrive. Spreadsheets won't get there—a great sharpened
rock if a rock is all you need, but if you want to use spreadsheets
beyond that, the shortcomings become a risk in and of themselves.
feel comfortable communicating deadly drug interactions across thousands
of pills without the complex interactions well known and mapped?
Of course not!
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.
Please use the print button on the IRMI toolbar to print/preview this page.
© 2000-2014 International Risk Management Institute, Inc. (IRMI). All rights reserved.