While spreadsheets are still an excellent tool for data manipulation and one-dimensional analysis, they fall significantly short of delivering the capabilities a risk manager really needs to analyze trends and see the relationships the job entails.
The limitations of spreadsheets verses ERM software are systemic and largely stem from the way they manage data, their inability to easily show relationships, and their general inaccessibility.
Risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights. This often results in dozens of spreadsheets and documents each with multiple versions and revisions.
Not only does this impede the process of combining data into a coherent big picture, it also means any changes to data structure becomes a great undertaking. Dependent on spreadsheets, risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much needed evaluation and mitigation.
Risk analysis is not a static process; it's dynamic and highly strategic. Assessment structure, information, and the people involved evolves over time as management's requirements and priorities change.
Spreadsheets, however, are ridged. With each change to a spreadsheet, links between information are lost making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization's strategic goals?
What's worse, spreadsheets can actually limit the depth of risk analysis. You can only analyze the relationships your risk tools can uncover. Spreadsheets offer limited access to past and current data, you cannot easily aggregate and dissect information, and they require a high level of technical knowledge to compare data over time.
Simply put, spreadsheets prevent an understanding of the dependencies and consequences between departments, processes, and strategic goals. Without these connections it's impossible to see how multiple risk can come together to create a disaster like the BP oil spill or the Japanese nuclear crisis.
Risk management isn't something that can be done in isolation. The information risk managers collect and analyze needs to be accessible to the rest of the organization. Spreadsheets, however, aren't accessible to business intelligence software, to management, or to other support functions that could benefit from that data.
The result is a risk management function without support from management and an organization with an abundance of duplicate tests, controls, and information. Risk managers need to be able to aggregate and access information across business silos and multiple levels in order to engage the right people with the right information.
Risk management requires dynamic tools that can organize and link data automatically, analyze dependencies and consequences enterprise-wide, and be accessed by decision makers and other silos.
The solution is a robust software platform that can organize risk-information all in one place, link the relationships between data, and be accessible to the rest of the organization. Identify duplicate tests and controls, uncover the complex relationships between risks, and make that information accessible to decision-makers with one shared risk management platform.