Spreadsheets vs Risk Management Software

As organisations increasingly recognised the need to proactively manage risk, questions arose about the most effective approach to actually doing it. The majority of organisations understood the need for a mechanism or process capable of capturing risk information from across the organisation, and the requirement to document and distil captured information in order to facilitate an effective response.

For most organisations, this saw the emergence of a paper based risk management system, combining an extensive set of meetings, forms, and written reports to capture risk from across the organisation, escalate it, and allow the organisation to coordinate its risk management response.

With the rise of personal computing, spreadsheets increasingly came into play, eventually becoming the key tool for recording and analysing risks data. Risk management spreadsheets, combined with some basic coding evolved to do more and more, including neat little features like changing cell colours in response to risk scores to produce a Red, Amber, Green (RAG) status. They also allowed risk data to be filtered and analysed. However this step forward, didn’t resolve the broader challenges of risk management.

Where an emerging risk was identified, the paper based approach normally required a form to be filled out and sent to or e-mailed to the risk manager (or member of management). Often, a meeting would take place to discuss the risk and determine its validity and what response should take place. This may then include further meetings to escalate a risk. The spreadsheet approach held similar challenges. The organisation’s risk spreadsheet usually needed to be carefully guarded by an owner, as any incorrectly input data could cause data corruption, or worse, the loss of all risk data. Therefore capturing risks onto the spreadsheet could rarely be collaborative. Personnel from across the organisation couldn’t directly input risk data into the spreadsheet, instead the process typically required a process such as e-mailing the risk to the risk manager, or combining a paper based system for reporting and then manually loading the risk data onto the spreadsheet. Both approaches left the organisation unresponsive, and unable to meet the challenge of emerging risks in real time.

Risk Management increasingly gained the reputation of being a labour intensive, bureaucratic activity, which cast its benefits into doubt. Personnel increasingly viewed risk management as a burden rather than a vital means by which to improve the organisation’s resilience, overcome organisational challenges, and exploit opportunities.

Post 2000, spreadsheets took a major step forward with the introduction of Microsoft SharePoint. Risk managers were now able to place a risk management spreadsheet onto a centralised data storage point allowing broader access for the organisation’s personnel. This meant that users from across the organisation could now directly access the risk management data. However, users were still faced with opening and working with an often intimidating looking spreadsheet. SharePoint enabled greater user access; however, owing to the nature and layout of spreadsheets SharePoint could not prevent major errors occurring that could jeopardise the risk data (such as a user accidentally deleting vast amounts of critical information or accidentally saving over information on the spreadsheet). Whilst SharePoint offered roll back capabilities, the weakness was not with SharePoint, but the fact that most risk spreadsheets tended to lay out the organisations entire collection of risk data in a single workbook. This made it too easy for users to create input errors or deletions in the wrong parts of the spreadsheet – impacting the work of other users.

Still, this was a real step forward for risk management, and proved to be a further improvement over the early paper based approaches. For large number of risk management programmes across the globe, this is still about as far as they have evolved.

There were always going to be organisations that invested heavily in developing bespoke spreadsheet programmes or their own databases, bringing in software developers to help improve the capabilities of their approach. However, the cost and complexity of doing this often placed this out of reach of the vast majority of organisation. For most organisations, the best they could afford to realise was an evolved spreadsheet approach, where the risk manager (or another individual with advanced spreadsheet skills) customised and improved functional beyond that of a basic spreadsheet. For most organisations this is still largely accepted as the approach to managing risk and storing risk data, with the organisation simply accepting its limitations and constraints.

In parallel to the rise of spreadsheets and SharePoint came the early evolutions of risk management software. Various risk management software programmes came onto the market, with most evolving out of a focus on a specific area of expertise, such as health and safety risk, operational risk, or project risk. The early systems offered some big steps forward, but few were really capable of driving tangible improvements in enterprise risk management. Many of these were expensive, unproven, and required adopting an inflexible process developed for another organisation. Further, buying in a suitable risk management software solution could be more cost effective than developing your own, so long as it met your need.

Things have come a long way over the last decade. Today there are only a few true enterprise risk management software solutions on the market. Some are still very expensive whilst others are very cost effective and will actually reduce the costs of your risk management programme. A big price tag in no way relates to the capability or benefits the particular solution offers, and is more a reflection of the vendors need to cover their operating costs. Some risk professionals are slower than others to examine the solutions on the market, but just as word processors replaced typewriters, risk management is migrating away from the spreadsheet.

So how does the spreadsheet approach compare to the best of risk management software and is it worth the money?

In 2004, a new enterprise risk management software solution called ‘Risk Network’ was launched in the UK. This risk management software solution had been developed by leading risk managers (drawn from both the public and private sector) with full enterprise risk management experience, working with software development experts. Their aims were to deliver a risk management software solution that would enable organisations to optimise risk, enable personnel to participate in the risk management process, and make the whole process more responsive and more effective, simplifying where possible. This saw the first release of a risk management software solution where the process was defined by risk managers yet the interfaces were shaped by experts enabling them to be simplified, made more intuitive, and more user friendly. Risk Network grew quietly over the next 6 years, building up an extensive client base across the UK simply by word of mouth recommendation. Combined with extensive client feedback, Risk Network was improved year on year, with major new functions added. Today, Risk Network is the UK’s number 1 ranked risk management software.

Compared to the most evolved spreadsheet approach, Risk Network can do the following and yet cost a fraction of the comparative license cost of a spreadsheet such as Microsoft Excel:

Structured: Risk Network captures the organisations structure – creating a virtual model of the organisation.

Clarity: Capture all of the organisation’s objectives, from key strategic objectives right down to ground floor tier operating objectives, so that you can see where these objectives sat in the organisation.

Strategic Alignment: Align organisational activities, so strategic objectives are translated down through the organisation, supporting their realisation.

Simplify: Provide an easy to use on screen process to capture risk information, with the flexibility to capture information in a concise form or in extensive detail depending on the approach that best suited the organisation.

Real Time: Do this in real time, recording risk information and updating risk information as it happens, with this information becoming available to the organisation immediately.

Collaboration: Engage in collaborative risk management, with risk data being shared, risk owners identified, and other personnel associated to the risk in order to define the personnel engaged in responding to the risk.

Risk Management Actions: Define actions required to respond to a risk, who is taking them, when, and what the anticipated impact will be – all of which is captured, with alerts and reminders for participants.

Robust Platform: Allowing users to see their data, input data, protect all of the data in the system with full automatic back-ups, full change tracking, and the ability to roll back data if required.

Permissions Based: Users require passwords to access and use the system, with some given full access to all data, others limited to viewing data at the level of their seniority within the organisation or below, or within vertical/departmental boundaries, or simply as a read only user (able to view data but not amend data). Meaning that information is made available in a manner that suits the organisation’s needs, factors in requirements for confidentiality on some sensitive issues, and understands that not every person within the organisation needs to input risk data, but may only need to view risk data to remain informed.

Comprehensive Risk: No matter what the risk data, or the source (Strategic, Operational, Project, etc) Risk Network captures it, places it within the context of the organisation, so you can see where it sits and what it impacts.

Reporting: An onscreen dashboard provides each user with clearly and professionally laid out top line information on their objectives, risks associated to them, or risks within their area of responsibility. It informs users of their required actions and scheduled dates for those actions. For risk professionals or senior managers, Risk Network offers a highly effective overview of the organisation, being able to view organisational risk from top to bottom in real time. Risk reporting is fully automated, so professional looking reports can be pulled together simply by selecting the key data you want to show. These reports can then be saved in template format, so an updated version of the same report can then be produced at the click of a button.

Cost: A user licence for Risk Network costs a fraction of the cost of a license for Microsoft Excel.

A large number of major organisations in the UK still use spreadsheets for managing their risk. If your organisation is still using a paper based, or spreadsheet based system for managing risk, you are probably generating additional costs through the administration of the programme – yet without realising anything like the same level of capability and benefits. Whether we like it or not, risk management has evolved from paper to spreadsheets, and now into risk management software. Risk professionals are increasingly adopting the tools and technology required to upgrade the capabilities of their organisation’s approach to risk management.