Enterprise Risk Management (ERM) – there are many frameworks and standards that provide tremendous guidelines on implementing and improving ERM. As Albert Sica from ALS Group recently pointed out, one of the key components is to find out what the objectives are and then address risks to those objectives. ISO 31000 provides the most comprehensive guide to establishing an effective ERM process, and one of the key mantras is that it all comes back to the risks to objectives.
One of the challenges most organizations face is that ERM is a process, not an event. The use of Excel or other spreadsheet approaches can create more problems than it resolves. Spreadsheets are very helpful for an initial listing of risks and perhaps some assessments, but when the goal is an ongoing process, it soon becomes clear that these tools are not up to the task for the long term.
To start with, many people who need to interact with the data do not do this on a daily basis, and often much less frequently. To expect probably >95% of the people who need to provide data and respond to the information to do so in a spreadsheet is usually asking too much, even if the spreadsheets have protected cells and drop downs. In addition, the need to make changes to these drop downs and cells creates huge problems in an Excel-driven environment. Take, for example, the simple process of making a change to a drop down: it is easy to do in one spreadsheet, but then all users are required to have the same version, or the data gathering will become a mess and the information gathered will be flawed.
Also, consider the need to be able to provide evidence to the wide range of stakeholders as to where the data came from – certainly it is possible to see the most current data, but where did that data come from and how has it changed? In an Excel environment, this soon becomes meaningless and unsustainable. A secure audit trail is critical to support an ERM process, especially as the integration of risk data from just about every part of an organization is becoming the norm, not the exception.
While there are many other factors that make a spreadsheet-supported ERM process impossible to maintain correctly, consider just one other factor: “one source of the truth.” With myriad spreadsheets, key data is often in multiple places, and a change in one component will not be reflected in all the aggregated data until, or if, the relevant spreadsheet is even uploaded into some form of mega spreadsheet. How will the user of this data have any hope of knowing this data is current and accurate if using many spreadsheets? Spreadsheets only lead to a false sense of knowledge and accuracy, and inevitably result in poor decisions based on faulty data.