USING SPREADSHEETS FOR RISK ASSESSMENTS – WHY IT IS SUCH A BAD IDEA?

Spreadsheets are user-friendly, inexpensive, and easy to use, which are key attributes. However, they fall short in several key areas when using them to perform Risk Assessments and Security Audits. The temptation for a low-cost quick-fix technology solution using spreadsheets is always there. However, as your business processes mature, requirements become more complex, and the need to scale across multiple users and departments spread around the globe increases, the true cost of using spreadsheets for risk assessments become a significant liability. Here is why…

Spreadsheets Discourage Collaboration And Accountability:

A central requirement of risk assessment is the ability to assign others in your organization to help identify gaps, check and validate safeguards, verify compliance, and manage issue and remediation documentation. Spreadsheets simply are not designed for and do not succeed in supporting multi-user, process-centric distributed environments across the globe. The lack of multi-user capability leads to a proliferation of spreadsheets for each user group, for different purpose in different regions and countries. Collaboration with spreadsheets is a manual task with multiple iterations. Especially when you are trying to conduct organization-wide risk assessments across the globe. They are even worse in encouraging accountability. Most assessments require evidence in form of photographs, videos, documents, etc. while reporting gaps or compliance. Spreadsheets simply are not equipped to handle attachments thus depriving the assessor of one of the most powerful tool “evidence”.

Spreadsheets Are Inherently Unreliable And Lack Security:

Most of the processes in the rows-and-columns grid are overly complex, duplicative and fragmented. With hundreds of rows of questions spread across multiple worksheets they not only become error prone but catching errors is even more difficult. Version control, change management, lack of transparency and integrity are all well-known to most of the managers. Close to 90% of spreadsheet documents contain errors, a 2008 analysis of multiple studies suggests. “Spreadsheets, even after careful development, contain errors in 1% or more of all formula cells,” writes Ray Panko, a professor of IT management at the University of Hawaii and an authority on bad spreadsheet practices. “In large spreadsheets with thousands of formulas, there will be dozens of undetected errors.”.

Spreadsheets Are Not Designed for Organizational Performance Measurement And Lack Transparency:

Spreadsheets are not well suited to monitor system performance or to help improve process improvement. Spreadsheets are capable of documenting and reporting simple relationships, but they are not designed or intended to integrate with other systems, to serve as dashboards or to identify and support organization-wide improvements. Performance measurement analysis and improvement requires organization level consolidation, transparency and the ability to identify and track trends and opportunities. Spreadsheets are unable to support consistent methodologies, consistent consolidation of data or intelligent business analysis. The information they contain, and any user interactions with them, are not always transparent to the rest of the organization.

Spreadsheets Lack Auditing Ability and Compliance Record Retention:

A pervasive standard of compliance programs is strict control over records retention. While the flexible nature of spreadsheets allows users to quickly create and modify data and structure, this flexibility does not lend itself well to compliance records retention. Lack of an audit trail and ability to track changes over a period of time can have serious consequences for the security managers.

Spreadsheet Costs Are Huge – But Hidden:

Using spreadsheets for risk assessments appears to be a very inexpensive option on the surface. Most companies already have enterprise level licenses and they can download templates for little or nothing. The savings is deceptive. That “little spreadsheet model that someone in your department threw together in a few days” will eventually cost you dearly. First, because few companies track the full range of cost including the time consumed by internal staff, the cost of any external consultants in building spreadsheet based risk models. Second, the time wasted in tracking changes and exchanging information across the organization. Third, after companies address ongoing compliance costs – such as the requirements to report on material changes in the security environment, provide updates on progress resolving significant deficiencies and material weaknesses, and quarterly reports on new significant deficiencies and material weaknesses – the real costs and deficiencies of using spreadsheets for documentation begin to emerge.

Risk Assessment Software: A Better Alternative

An alternative to using spreadsheets for risk assessments is to use a purpose- built software with a data base that supports multiple locations, different facility types and variety of threat environments. Leading Risk Assessment solutions provide functionality for organizational wide collaboration, consistent risk models, guidance on how to perform risk assessments, global data base of assets, threats and vulnerabilities, library of safeguards, an organizational wide perspective of compliance and security, ability to drill down and conduct detailed analysis of high-risk locations, management scorecards, mitigation management and risk management. Compared to spreadsheets, these solutions provide greater efficiency, improved collaboration, better transparency, full visibility, and reduce the time and resource costs associated with performing risk and security assessments. In addition, a well-integrated solution provides a common set of functionality for each security process with shared functionality for common activities such as Corporate Security, Physical security, Cyber Security, IP protection, Business continuity, Emergency Management, Crisis Management, Disaster Preparedness and Regulatory Compliance. Leveraging a shared data model, a well architected solution enables the consistent sharing of definitions and terms, organizational reporting structures, and relationships between controls and the associated audit results. Eliminating the redundant efforts saves money by minimizing data entry, improving accuracy and enhancing collaboration, efficiency and consistency.

Conclusion

For a complex growing multi-national organization use of spreadsheets for risk assessments is no longer a viable option and the true costs of spreadsheets become a significant liability. Similar to the evolution of general ledger, accounts payable, and budgeting and planning business processes, Risk management has now reached the maturity stage where investment in purpose-built technology is considered a best practice with a proven ROI.