Home / Knowledge Base / Tip of the Month: Stop using Excel to perform your Risk Management

Tip of the Month: Stop using Excel to perform your Risk Management

October 08, 2024

When Excel is useful

  1. For initial (once-off) data take on:
    • When performing risk management manually, risk registers are generally captured in Excel. When implementing an automated system, risk registers can be imported as a once-off exercise from Excel into the system, provided the risk data is structured correctly and is ‘clean’. i.e. It is important that the risks in your Excel sheet/s are referenced and categorised correctly and that associated data such as contributing factors (CFs), controls and action plans are split into separate cells so that the system knows where to import them and how they are linked (e.g. which controls belong to which CFs).
    • Don’t forget ‘garbage in = garbage out’. A typical risk register is structured as follows: Objectives>Risks>Contributing Factors (CFs)>Controls>Action Plans.
  2. Documenting newly identified risks
    • Whilst you can use BarnOwl’s workshop module to capture new risks, Excel can also be an effective tool for documenting newly identified risks provided you use a fit-for-purpose Excel template. This enables you to document the risk and all its associated data correctly before capturing and / or importing it into your ERM system. Don’t forget ‘garbage in = garbage out’.
    • BarnOwl has a workshop module, which guides you through capturing your risk register with the appropriate risk structure (Objectives>Risks>Contributing Factors (CFs)> Action Plans. The data is not committed to the database until the workshop is finalised and updated by the administrator.
  3. Data extracts / basic reporting:
    • Excel is a useful tool to view and analyse data extracted / exported from your system. All BarnOwl registers can be exported directly into Excel.
    • Excel, whilst being a useful tool, is still a poor substitute for customised tabular-type reports in SSRS (SQL Server Reporting Services) or for interactive Power BI dashboards.

When not to use Excel

  1. For maintaining your risk registers
    • Once your risk register/s have been imported into the system, they need to be kept up to date in the system, preferably by the risk owner. Risk registers must not be updated via Excel imports as this defeats the object of having an automated ‘living’ system, introduces erroneous data and makes risk management highly ineffective.
    • Once a risk has been captured / imported into your system, the risk must be maintained and kept up to date in the system. This includes all risk related data such as CFs, controls, action plans, key indicators, loss events etc.
  2. For rating your risks and controls
    • Risk and control ratings to be kept up to date in the system, either directly via the BarnOwl registers or via BarnOwl’s risk and control self-assessment functionality. This ensures data period tracking and audit trails etc.
  3. For updating action plans

    • Action Plans (AP) to be updated in the system by the AP owner via BarnOwl’s free web-based (intranet) portal
  4. For capturing key indicator values
    • Key Indicator (KI) values (based on frequency such as monthly, quarterly, twice per annum, annually etc.) to be captured by the Key Indicator owners via BarnOwl’s free web-based (intranet) portal.
  5. For system-wide end-user reporting and consolidated dashboards
    • Excel, whilst being a useful tool, is a poor substitute for customised end-user reports delivered via SSRS (SQL Server Reporting Services) or interactive Power BI dashboards.

Why Excel doesn’t cut it

  • Multiple ‘versions of the truth’ with little or no version control with 100s of spreadsheets floating around the organisation.
  • Unstructured data (inconsistent columns and naming conventions, free text versus drop-downs etc.) limiting the ability to report on data.  
  • Limited data validation (free text versus drop down boxes).
  • Data is not relational (e.g. Controls are lumped together and not linked to the relevant CFs, APs are lumped together and not linked to the relevant object making them too vague to be effective).
  • The quality and completeness of data is compromised.
  • Information is not consolidated in a single repository.
  • Security / Permissions on data is non-existent in most cases.
  • Excel spreadsheets can’t easily be shared / worked on at the same time. Excel is not designed for collaboration.
  • It’s impossible to perform aggregated reporting without exhaustive manual intervention. It’s almost impossible to generate trend reporting.
  • Complex spreadsheets are ‘lost’ when the creator leaves the organisation and are re-invented again and again by a new person, wasting time, money and effort.

Why Excel defeats the object of an automated system

  • Importing risks from Excel into your system on a periodic basis means that you are not embedding and driving ownership of risk management in your organisation. (i.e. not using RCSAs, APs, KIs effectively). It’s important to remember that the risk function is the facilitator of risk and not the owner of risk.
  • It means that risks and controls are not updated regularly enough and too much time is spent by the risk function gathering information rather than analysing and providing decision-making insight to the business.
  • Excel is silo based and ignores interdependencies of risk across business units and functional areas.
  • It means that your risk reporting is always out of date.
  • It means that risk management will never serve as an early warning system. Excel is a static system with no ability to send out automated email notifications, reminders, escalations etc. based on system triggers (e.g. action plan notifications and escalation, risk re-assessment notifications, key indicator breaches, etc.
  • It’s impossible to pull consolidated reports without exhaustive manual intervention. This means that you are wasting huge amounts of time and effort at great cost to your organisation and not adding value. Work out your hourly rate (taking off leave days, sick leave, public holidays, training days etc.) and ask yourself if you would pay someone Rx per hour to spend their time collating and formatting Excel manually to arrive at outdated (and probably erroneous) reports which add little value.

Conclusion

Don’t forget ‘garbage in = garbage out’. Excel is the perfect enabler for ‘garbage in’ through its ability to support non-structured, free-text data in any format.

The risk management function is there to facilitate risk management and not to administer and own the risks, controls, action plans, key indicators on behalf of the owners.

An automated system enables you to embed risk management in your organisation, create a culture of risk awareness, and assign ownership to where it belongs.

Spending your time doing administrative tasks by collating and formatting Excel manually to arrive at outdated (and probably erroneous) reports is not productive and adds little value at huge cost.

Providing up to date insightful reporting at the click of a button is key to effective risk management.

Useful links

IRMSA presentation

https://barnowl.co.za/knowledge-base/tip-of-the-month/tip-of-the-month-getting-the-basics-right/

Download the BarnOwl Risk Register Template here

Risk & Control Self-assessments (RCSAs)

Key Indicators (KIs)

3 simple steps to get the most out of BarnOwl

Reporting – transform your risk, compliance and audit data into visual information facilitating business decision making

About BarnOwl

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 blue-chip organisations. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see www.barnowl.co.za for more information.

arrow up