Spreadsheets to manage risk is risky business

Richard Wilson June 3, 2019

When organizations choose Excel, Word and/or SharePoint to manage their risk processes, they ultimately lose their ability to manage consistently, at scale, across their real estate. Using Excel for purposes it is ill-suited to puts organizations on a path to constant frustration, failure and potential disaster, and further inhibits their ability to cost-effectively manage enterprise risk. It’s time for organizations to undergo a transformative change that enhances the effectiveness of all their risk management processes.

Despite the availability of modern Risk Management platforms like AuditComply, many organizations still choose to use manual processes to evaluate their risk culture. While spreadsheets do have a number of benefits, when people use them for risk mitigation and operational strategy, they become a risk in their own right. If you are hanging on to spreadsheets thinking they are doing a good job, chances are they aren’t. Here are a few ways spreadsheets may be hurting, instead of helping, your organization.

Spreadsheets are full of errors

Research suggests that nearly 90% of corporate spreadsheets contain errors. Errors can evolve from data misinterpretation, leading to a false sense of knowledge and complete data distrust. Even the most competent employee can make an error when entering data or generating formulas. This issue becomes greater when this misinformation is carried across a network of spreadsheets. Invalid data or an incorrect value from one compliance cycle can easily slip by undetected, leaving a lasting impact, particularly if a decision is based on it.

As we know, risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights. This often results in dozens of spreadsheets and documents, each with multiple versions and revisions. Not only do spreadsheets impede the process of combining this data into a coherent big picture, they also mean any change to a data structure can become a significant undertaking, costing time and resources.

If you search for spreadsheet errors, you’ll find some stories.

- Hiding cells, instead of deleting them, cost Barclays Bank millions during the 2008 meltdown.
- A cut and paste error cost TransAlta $24 million.
- Another cut and paste error cost JPMorgan $6 billion when a Value at Risk model was miscalculated.

Errors are so common that there’s even a 17-year-old spreadsheet risks interest group!

Lack of automation

Risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much-needed evaluation and mitigation. When you’ve got compliance data and evidence being submitted from every possible channel, you will always struggle to manage this manually. The AuditComply team have witnessed countless Audit teams setting aside days, if not weeks, to make sure all the data is inputted correctly and new versions are accurately linked with other risk processes. How much time do you think you’re currently spending just to keep track of documentation during the compliance cycle?  Worse, after all the data gathering efforts, you still need to build out your reporting, which has to be generated manually. So once you’ve sorted through all the submitted evidence, you still have more work to do just to share your compliance status with your colleagues.

In this regard, AuditComply’s customers benefit from live visibility of captured data with real-time detailed reporting. Automated alerts and reminders, emailed to relevant staff instantly if required, ensure tasks are actioned on time. Automatic report generation and built-in analytics let you use data to determine best practice and help streamline risk processes. With live visibility of captured data and real-time detailed reporting, AuditComply can provide vital insight into root-cause and trend analysis.

AuditComply has recently integrated a daily digest email, reminding users with assigned roles what they have to do and when they have to do it, providing full accountability and building a more streamlined communication stack.

Hidden Data Dangers & No Accountability

While you can password protect particular spreadsheet files, organizations lack the ability to assign different users different roles and permissions. How do you differentiate between a CAPA user and an Admin role? How do you track who opened and saved a spreadsheet? How do you know changes have been made and by whom? Innocent mistakes or sabotage can go undetected for some time, and when the problem is finally identified, there is no way to trace who was responsible or when it occurred. There is simply no accountability.

On a larger scale, spreadsheets can be manipulated to cover up compliance issues or risks that can threaten a company’s brand image or operations. Cells are typically merged to make a spreadsheet easier to read and to eliminate clutter. A user may also merge cells to hide irrelevant or sensitive data. One of the most high-profile examples of the dangers associated with spreadsheets is the Lehman Brothers Holdings/Barclays Capital case, the largest bankruptcy case in U.S. history. Contracts that had been marked as “hidden” in the spreadsheet when received by the law firm were added to the purchase offer during the formatting process. Those contracts weren’t supposed to be part of the deal. While this instance was a case of human error, it clearly demonstrates the data risks associated with spreadsheets.

Lack of collaboration with no version control

Risk analysis is not a static process; it’s dynamic and highly strategic. Assessment structure, information, and the people involved evolve over time as management’s requirements and priorities change. Spreadsheets, however, are rigid. With each change to a spreadsheet, links between information are lost, making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization’s strategic goals?

With AuditComply there is no restriction on how many stakeholders you involve in the process. The AuditComply platform addresses the challenges of managing risk data in one giant spreadsheet, where only one person can edit the document at a time. If your data is spread across multiple documents (the more likely scenario), any changes made to one document by one user need to be coordinated with all of the other users and duplicated in all of the other documents. This is a recipe for data loss, errors, important operational and financial decisions being made based on faulty or incomplete data – and being found out of compliance and at risk.

Data Analysis Capabilities Are Very Limited

Due to the inherent limitations of spreadsheets, including the lack of referential integrity and the inability to create relationships between data in different files, gleaning meaningful business and risk management insights from your data is difficult or impossible.

AuditComply gives users actionable intelligence that can be used to improve operational processes, implement strategy and boost performance. Our risk analysis dashboard and reports are designed to provide users with a comprehensive view of their organizational risk profile. Easy-to-consume charts and graphs enable users to track submitted, pending, in-progress and overdue/outstanding assessments, providing stakeholders with key information in real time. Reports can even be exported as a PDF document/CSV file for further analysis and presentation. All charts and images (Evidence) are also exportable. Our comprehensive platform provides enterprises with a complete non-conformance management workflow for suppliers, ensuring issues are actioned and verified in a timely manner. This allows non-conformances to be captured, assigned and tracked to completion within the platform.

If not Excel, what?

Don’t resign yourself to the stress of updating spreadsheets and risk data manually. The AuditComply Risk & Performance platform provides the most intuitive and seamless Audit workflow, providing greater visibility and protection against disruption and potentially catastrophic events. With all your risk data centralized and updated, there will be more trust in the data and greater certainty when reporting to stakeholders.

If we haven’t convinced you to leave those spreadsheets behind, why not talk to some of our current customers? Find out how AuditComply has helped mitigate risk and drive performance.
