Add Spreadsheets to Your Risk Inventory

Lack of Auditability

Can you audit a spreadsheet? One of the key issues in Sarbanes-Oxley Act 404 audit of internal financial controls is a business's reliance on spreadsheets for critical inputs and analysis that produce results that are embedded and material to the financial statements. Here's the problem: Spreadsheets grow to become complex and huge. Over time, they become rambling ranch houses with multiple rooms added on, increasingly harder to understand how the rooms are connected, and how the variables and assumptions interact. They are subject to innocent errors that fundamentally change the outcome, sometimes materially.

A robust ERM technology platform must allow for every single change in a critical risk to be documented and tracked as changes are made to this risk, who made it, and why. Otherwise, it must not be a critical risk! It will make both your internal and external auditors very happy if you have an auditable system for your risks and risk actions.

Sometimes Low Cost Leads to Higher Costs

Spreadsheets are cheap; already paid for sitting right there on your PC. Why not leverage this useful "Swiss army knife"? It's the hidden costs that kill you. Yes, you can start with a simple ERM risk inventory in a spreadsheet, but as your risks grow, and the desire to understand them in more detail, monitor, measure, mitigate and communicate them, you have to duplicate more and more spreadsheet work into other programs (like PowerPoint, access, statistical modeling, project management, etc.) to accomplish the outcomes you need to drive your ERM efforts. Not to mention keeping track of versions of spreadsheets you have to send around to get even some "online" collaboration going. All of these are hidden costs of productivity and forgone effectiveness. Starting out with the right tool for the job saves you a lot of re-work down the road.

No Visualization of Critical Risk Relationships

"A picture speaks a thousand words." The Emperor of the Xia Dynasty in China got it right about 4,000 years ago. Being able to communicate risks and the interrelationships between them is one of the key tenants of ERM. It's not only important to understand the risks to the organization, but to be able to communicate the interrelationships of risks, and their cumulative impacts that may destroy the organization. You hit a wall with pivot tables in spreadsheets versus very easy-to-understand dynamic visualizations of risk through color-coded risk profiles and heat maps.

Lack of Security

Is there more sensitive information in or around your organization than board-level information around risk identification and management of that risk? It is very difficult to prevent unauthorized changes in a spreadsheet and almost impossible to eliminate version control issues and concerns over passing spreadsheets back and forth—oftentimes through unsecure email systems. Human nature tells us to protect our own stuff, yet we have overcome this innate emotion with our money. We don't hear of too many educated executives who keep their net worth in cash under their mattress or buried in the backyard with an "X" marking the spot.

It may be difficult to cross that hurdle of letting someone else secure the organization's data, but I am convinced a good software as a service model (SaaS) cannot only better protect your data and provide the best security for your information, but can also provide cost savings and efficiencies among employees who can access information and files from anywhere. The model can also better serve customers in terms of web-enabled capabilities, access, and mobile capabilities.

Lack of Consistent Data Management and Communication

All animals communicate with each other in some form or another, and we humans have developed the highest form of it (although I'm having a hard time explaining the usefulness of "Twitter"). We have all experienced the challenge of communicating with someone who speaks a different language. Simple things can be communicated, but it doesn't take long before you have no idea what the other is saying or needing.

Data management also requires agreement on a common nomenclature and taxonomy. We work in an interconnected world. You can set definitions for your organization. They may hold together within one unit or group, but it is very difficult in a spreadsheet environment when you are emailing hundreds or thousands of spreadsheets across a large global organization to standardize, agree, and enforce a common risk language. A central repository for risk is the solution to this challenge and significantly reduces the risk of the risk of spreadsheet misunderstandings.

Ease of Familiarity Constrains Progress

I can create a spreadsheet in minutes. Give me a few more minutes, and it will have intricate pivot tables, colored frames, and all kinds of formulas. I love my spreadsheets, which may skew my thinking that what I've created must be true (which is a risk in and of itself). I am as comfortable with a spreadsheet as I am breathing—it's second nature. But technology changes, and we change with it—for good reason.

When the Blackberry came to market, I was convinced not to stick with a cell phone with no text messaging, no email, no voicemail, no contact records, and no synchronization because it yielded a better productivity outcome. While we are all so comfortable with our spreadsheets, new technology for identifying, assessing, and managing risks should be easy to use as well. Yes, there is a learning curve, but progress only happens when the creative tension of the need to expand our understanding crashes into the brick walls of our set ways and routine.

I discovered how to work differently, and expand my understanding of business and the world around me, and my productivity soared when I went from graph paper to Lotus 1-2-3, from the landline phone to the pager, from the pager to the cell, and the cell to the Blackberry (and other PDAs). If the technology you are considering for managing your risks does not evolve over time, you may be looking at the wrong solution and missing the opportunity to become more productive and gain more insights into your risks.

Do your research. Check references of vendors to make sure your selection can grow your risk intelligence and is easy to implement and easy to use.

Lack of Accountability

Accountability is one of the major keys to attaining desired results. Lack of clarity around a project, responsibilities, or goals often leads to inadequate communication, inefficient results, and unmet goals. Accountability involves assigning clear responsibilities and ownership around all parts of a project or risk, not just at the senior executive level, but also pushed down through the business unit, the business process or the function, to the risk owner. This level of granularity is difficult to see, understand, and manage within the confines of spreadsheets.

When employees can clearly see the project, the tasks involved, and what responsibilities are owned by each, they gain a more complete understanding of the expected results and how they will be measured. ERM technology should facilitate this process by enabling participation, gaining buy-in from employees, and measuring results through inherent risk levels, historical risk levels, target risk levels, and other measures to help all involved move forward to the next benchmarks and milestones.

Difficult Knowledge Collection and Difficult Knowledge Transfer

Any risk management technology platform should fundamentally do two things:

1. Radiate enhanced risk understanding, or risk intelligence, outward to others in the organization that will use this information for better "risk adjusted" decision-making, and
2. Draw these same influencers and subject matter experts into the process of identifying, prioritizing, and responding to risks.

Spreadsheets don't create a community of risk intelligence to be shared, and spreadsheets don't draw others into the process.

For example, one of the examples of effective use of risk technology systems to communicate and transfer knowledge is the ability to have online and near instantaneous feedback from across the organization via surveys. One Fortune 100 company I know well has a risk inventory of several hundred key risks, and uses an online survey to track the movements of these risks as perceived by its top 300 managers. These folks are on the frontline and really know what's going on. The same survey "watches" the top 60-80 risks every quarter and rotates in the rest of the risks twice a year, along with providing an opportunity for these managers to introduce new ones to consider.

This data is fed back to the managers in its composite form across the organization, by line of business and by geography. This virtuous circle of input, review, and output communicates to the core leadership the top risks in the company and what is to be done about them. That's powerful, actionable information. You're not going to get that easily with a spreadsheet.

No Help Garnering Your Risk Culture throughout the Organization

Risk culture is certainly a significant part of an effective ERM process and program, and a very difficult thing to define and understand. Yet, we can all agree on things that would certainly hurt an effort to spread the appropriate risk culture throughout the organization and things that would positively affect your risk culture. It's pretty clear. Technology should help you involve the people within the organization.

Chrysler involved people at all levels of its organization as it entered a final peak period years ago. According to one report:

In 4 years, Chrysler solicited 4,600 ideas from suppliers; 60 percent were used, saving over $235 million. Customers were also called in during "virtually every stage" of the development of new models to provide suggestions (rather than just ratings of what they liked).

Spreadsheets don't have the capacity to deal with input from the people. ERM technology should. To spread the desired risk culture, you should also involve people in setting goals and in setting objectives. Spreadsheets have no capacity for dealing with numerous users, their level of input, views, and ideas. Again, ERM technology should.

To help spread the desired risk culture, you should involve the people within the organization in learning from successes and mistakes and changes that need to be made. Spreadsheets don't even come close. ERM technology should certainly allow for risk levels, goals, and tracking of mitigation activities and efforts that had both a positive and negative impact.

Doesn't Enhance Communication with Leadership

Effective ERM technology delivers dashboards of risks that matter to each executive, as well as summary level rollups to the C-Suite and board. It provides tracking and movement of risk profiles over time. Are risks increasing or decreasing? Is our response improving likely outcomes? Are we losing ground?

It provides drill-down capabilities to look at underlying risks and relationships between them. It shows what risk owners have in their area of responsibility and if they are tracking to completion of mitigation and control activities. At best, spreadsheets can deliver suboptimal snapshots of most of the above, but only after tremendous investment of time and effort, which must be reinvested time and time again.