Enterprise risk management (ERM) programs are hard to implement in any business, and our understanding of the scope, complexity, and interrelationships between an organization's critical risks is continuously evolving. However, our ability to advance that understanding and to evolve our ERM toward "higher" forms of ERM success can be limited by the tools we use.
Just as our distant ancestors were perfectly happy with a sharpened rock for hunting and protection for thousands of years, it wasn't until someone invented metal points for spears and arrows that our capacity for self-preservation and calorie collection gained momentum.
So what's our modern-day ERM metal-covered rock? The spreadsheet—that wonderful, two-dimensional, rows-and-cells, everybody-in-the-world-knows-how-to-use-it, comfortable "Swiss army knife" of data manipulation and analysis. The spreadsheet changed the business world forever! It empowered us, much like the ancient metal-tipped sharpened rock, to expand our understanding of the business world and our impact on it; it democratized business by extending to the masses a multipurpose tool for business planning, analysis, and what-if scenarios, along with a world of fonts, colors, lines, boxes, and shadings to make the ugliest profit and loss statement look beautiful.
Spreadsheets remind me of the famous line from the Saturday Night Live character Fernando (Billy Crystal): "Darling, and you know who you are, it's more important to look good than to feel good." Spreadsheets are indeed "absolutely marvelous," but they are not the right tool for increasingly complex ERM needs! One major risk facing all businesses today is that we are almost exclusively dependent on the spreadsheet, and dare I say, the ever-present sound-bite-driven PowerPoint "deck," as the basis of most management decision-making. Okay, so we have two sharpened rocks …
Before you think that I'm a business technology Luddite, I use both spreadsheets and PowerPoint every day. I can't get by without either of them, and if you take away my Blackberry, the third god of the unholy business technology trinity, my productivity comes to a screeching halt, and I start sucking my thumb as withdrawal symptoms ensue.
But when it comes to something serious like identifying the critical risks of the modern organization across functions, business lines, and geographies—both quantifiable and subjective—establishing the relationships and interactions between these risks,[1] tracking how these risks change and evolve over time, keeping up with the ever-evolving mitigation efforts, plans, documentation, and analyses for these critical risks (and who's on point and responsible for them), all the while trying to communicate a synthesized version of this to senior management and your board to improve decision-making, you quickly find that using a spreadsheet is like using a rock in a gun fight. You might bruise the other guy a bit, but you'll truly understand your need for more firepower in a real and personal way!
What Risks Do Spreadsheets Pose?
I tell business students not to get too enamored with spreadsheets; in fact, spreadsheets are a risk in and of themselves. Here are my top 10 reasons why spreadsheets are a risk to add to your ERM inventory:
Lack of Auditability
Sometimes Low Cost Leads to Higher Costs
No Visualization of Critical Risk Relationships
Lack of Data Security
Lack of Consistent Data Management and Communication
Ease of Familiarity Constrains Progress
Lack of Accountability
Difficult Knowledge Collection and Difficult Knowledge Transfer
No Help Growing Your Risk Culture throughout the Organization
Doesn't Enhance Communication with Leadership
These are discussed in more detail below.
Lack of Auditability
Can you audit a spreadsheet? One of the key issues in a Sarbanes-Oxley Act Section 404 audit of internal financial controls is a business's reliance on spreadsheets for critical inputs and analysis that produce results that are embedded in, and material to, the financial statements. Here's the problem: spreadsheets grow to become complex and huge. Over time, they become rambling ranch houses with multiple rooms added on, and it becomes increasingly hard to understand how the rooms are connected and how the variables and assumptions interact. They are subject to innocent errors that fundamentally change the outcome, sometimes materially.
A robust ERM technology platform must document and track every single change to a critical risk as it is made: what changed, who made it, and why. Otherwise, it must not be a critical risk! It will make both your internal and external auditors very happy if you have an auditable system for your risks and risk actions.
Sometimes Low Cost Leads to Higher Costs
Spreadsheets are cheap; they're already paid for and sitting right there on your PC. Why not leverage this useful "Swiss army knife"? It's the hidden costs that kill you. Yes, you can start with a simple ERM risk inventory in a spreadsheet, but as your risks grow, along with the desire to understand them in more detail and to monitor, measure, mitigate, and communicate them, you have to duplicate more and more spreadsheet work into other programs (like PowerPoint, Access, statistical modeling, project management, etc.) to accomplish the outcomes you need to drive your ERM efforts. Not to mention keeping track of the versions of spreadsheets you have to send around to get even some "online" collaboration going. All of these are hidden costs of productivity and forgone effectiveness. Starting out with the right tool for the job saves you a lot of rework down the road.
No Visualization of Critical Risk Relationships
"A picture speaks a thousand words." The Emperor of the Xia Dynasty in China got it right about 4,000 years ago. Being able to communicate risks and the interrelationships between them is one of the key tenets of ERM. It's not only important to understand the risks to the organization, but also to be able to communicate the interrelationships of risks and their cumulative impacts that may destroy the organization. You hit a wall with pivot tables in spreadsheets, versus very easy-to-understand dynamic visualizations of risk through color-coded risk profiles and heat maps.
Lack of Data Security
Is there more sensitive information in or around your organization than board-level information about risk identification and the management of that risk? It is very difficult to prevent unauthorized changes in a spreadsheet and almost impossible to eliminate version control issues and the concerns over passing spreadsheets back and forth—oftentimes through insecure email systems. Human nature tells us to protect our own stuff, yet we have overcome this innate emotion with our money. We don't hear of too many educated executives who keep their net worth in cash under their mattress or buried in the backyard with an "X" marking the spot.
It may be difficult to cross that hurdle of letting someone else secure the organization's data, but I am convinced a good software-as-a-service (SaaS) model can not only better protect your data and provide the best security for your information, but can also provide cost savings and efficiencies among employees who can access information and files from anywhere. The model can also better serve customers in terms of web-enabled capabilities, access, and mobile capabilities.
Lack of Consistent Data Management and Communication
All animals communicate with each other in some form or another, and we humans have developed the highest form of it (although I'm having a hard time explaining the usefulness of "Twitter"). We have all experienced the challenge of communicating with someone who speaks a different language. Simple things can be communicated, but it doesn't take long before you have no idea what the other is saying or needing.
Data management also requires agreement on a common nomenclature and taxonomy. We work in an interconnected world. You can set definitions for your organization. They may hold together within one unit or group, but in a spreadsheet environment, where you are emailing hundreds or thousands of spreadsheets across a large global organization, it is very difficult to standardize, agree on, and enforce a common risk language. A central repository for risk is the solution to this challenge and significantly reduces the risk of spreadsheet misunderstandings.
Ease of Familiarity Constrains Progress
I can create a spreadsheet in minutes. Give me a few more minutes, and it will have intricate pivot tables, colored frames, and all kinds of formulas. I love my spreadsheets, which may skew my thinking that what I've created must be true (which is a risk in and of itself). I am as comfortable with a spreadsheet as I am breathing—it's second nature. But technology changes, and we change with it—for good reason.
When the Blackberry came to market, I was convinced not to stick with a cell phone that had no text messaging, no email, no voicemail, no contact records, and no synchronization, because the Blackberry yielded a better productivity outcome. While we are all so comfortable with our spreadsheets, new technology for identifying, assessing, and managing risks should be easy to use as well. Yes, there is a learning curve, but progress only happens when the creative tension of the need to expand our understanding crashes into the brick walls of our set ways and routine.
I discovered how to work differently and expand my understanding of business and the world around me, and my productivity soared, when I went from graph paper to Lotus 1-2-3, from the landline phone to the pager, from the pager to the cell phone, and from the cell phone to the Blackberry (and other PDAs). If the technology you are considering for managing your risks does not evolve over time, you may be looking at the wrong solution and missing the opportunity to become more productive and gain more insight into your risks.
Do your research. Check references of vendors to make sure your selection can grow your risk intelligence and is easy to implement and easy to use.
Lack of Accountability
Accountability is one of the major keys to attaining desired results. Lack of clarity around a project, responsibilities, or goals often leads to inadequate communication, inefficient results, and unmet goals. Accountability involves assigning clear responsibilities and ownership around all parts of a project or risk, not just at the senior executive level, but also pushed down through the business unit, the business process, or the function, to the risk owner. This level of granularity is difficult to see, understand, and manage within the confines of spreadsheets.
When employees can clearly see the project, the tasks involved, and what responsibilities are owned by each, they gain a more complete understanding of the expected results and how they will be measured. ERM technology should facilitate this process by enabling participation, gaining buy-in from employees, and measuring results through inherent risk levels, historical risk levels, target risk levels, and other measures to help all involved move forward to the next benchmarks and milestones.
Difficult Knowledge Collection and Difficult Knowledge Transfer
Any risk management technology platform should fundamentally do two things:
Radiate enhanced risk understanding, or risk intelligence, outward to others in the organization who will use this information for better "risk-adjusted" decision-making, and
Draw these same influencers and subject matter experts into the process of identifying, prioritizing, and responding to risks.
Spreadsheets don't create a community of risk intelligence to be shared, and spreadsheets don't draw others into the process.
One example of the effective use of risk technology systems to communicate and transfer knowledge is the ability to get online and near-instantaneous feedback from across the organization via surveys. One Fortune 100 company I know well has a risk inventory of several hundred key risks and uses an online survey to track the movements of these risks as perceived by its top 300 managers. These folks are on the front line and really know what's going on. The same survey "watches" the top 60-80 risks every quarter and rotates in the rest of the risks twice a year, while also providing an opportunity for these managers to introduce new ones to consider.
This data is fed back to the managers in its composite form across the organization, by line of business and by geography. This virtuous circle of input, review, and output communicates to the core leadership the top risks in the company and what is to be done about them. That's powerful, actionable information. You're not going to get that easily with a spreadsheet.
No Help Growing Your Risk Culture throughout the Organization
Risk culture is certainly a significant part of an effective ERM process and program, and a very difficult thing to define and understand. Yet, we can all agree on things that would certainly hurt an effort to spread the appropriate risk culture throughout the organization and things that would positively affect your risk culture. It's pretty clear. Technology should help you involve the people within the organization.
Chrysler involved people at all levels of its organization as it entered a final peak period years ago. According to one report:
In 4 years, Chrysler solicited 4,600 ideas from suppliers; 60 percent were used, saving over $235 million. Customers were also called in during "virtually every stage" of the development of new models to provide suggestions (rather than just ratings of what they liked).
Spreadsheets don't have the capacity to deal with input from the people. ERM technology should. To spread the desired risk culture, you should also involve people in setting goals and in setting objectives. Spreadsheets have no capacity for dealing with numerous users, their level of input, views, and ideas. Again, ERM technology should.
To help spread the desired risk culture, you should involve the people within the organization in learning from successes and mistakes and the changes that need to be made. Spreadsheets don't even come close. ERM technology should certainly allow for risk levels, goals, and tracking of mitigation activities and efforts that had both a positive and a negative impact.
Doesn't Enhance Communication with Leadership
Effective ERM technology delivers dashboards of the risks that matter to each executive, as well as summary-level rollups to the C-suite and board. It provides tracking and movement of risk profiles over time. Are risks increasing or decreasing? Is our response improving likely outcomes? Are we losing ground?
It provides drill-down capabilities to look at underlying risks and the relationships between them. It shows what risk owners have in their area of responsibility and whether they are tracking to completion of mitigation and control activities. At best, spreadsheets can deliver suboptimal snapshots of most of the above, but only after a tremendous investment of time and effort, which must be reinvested time and time again.
Conclusion
Fortunately, the ERM technology industry continues to evolve, with various players delivering new advances to the market almost on a monthly basis. Cutting-edge technology providing the ability to visualize risks and risk relationships is increasingly common in the marketplace, as newcomers force entrenched technology companies to respond. The advent of "cloud computing" is bringing the SaaS model to the forefront of technology delivery, changing the cost model of application development and services to the industry. Companies are moving beyond simple heat maps and into risk relationships and mitigation tracking.
The lines between risk management information systems, ERM, and business continuity planning/crisis response are blurring as companies increasingly realize that these management areas, while perhaps specialized in their own right, are fundamentally connected to the company's ability to survive and thrive. Spreadsheets won't get there—a great sharpened rock if a rock is all you need, but if you want to use spreadsheets beyond that, the shortcomings become a risk in and of themselves.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes
[1] Would you feel comfortable communicating deadly drug interactions across thousands of pills without the complex interactions well known and mapped? Of course not!