Digitising Risk Management – Time to ditch the spreadsheet

It is a recognised issue in the industry that the most widely-used operational risk software tool is actually provided by Microsoft – and it’s called Excel. And it’s only a partial solution – at best.

While tier one financial institutions have been early adopters of large, complex risk management software solutions, due to both sophistication and to regulatory pressures, operational risk managers in smaller organisations have been cobbling together home-grown solutions to manage risk for years.

Using a mix of manual processes, spreadsheets and emails has a certain charm. People like spreadsheets because they are easy to set up, can be chopped and changed, and expanded over time. And therein lies the problem. They are completely unscalable, and very difficult to amalgamate for meaningful analysis, even on a departmental level, never mind enterprise wide.

When applied to risk management, the weaknesses of using spreadsheets as a solution are magnified. One of the biggest dangers of all is that risk owners and senior management think that risks have been managed because the box has been ticked – when in fact the risks are lurking undetected somewhere in the depths of a spreadsheet.

The digitisation of qualitative data enables management to see their full risk profile for the first time. By ignoring risk management’s soft data, a big slice of the firm’s risk information is overlooked. And soft data contains management’s view of the risks most likely to impact the firm in the future. Using just numerical data to evaluate the firm’s future expected losses is clearly sub-optimal and may easily lead to the wrong conclusions and decisions.

Spreadsheets Increase Risk Exposure

Every organisation faces increasing risk and the related cost and business impact. To manage risk cost effectively, organisations need a solution that reduces manual processes and automates aspects of the GRC processes to ensure that risk management can be delivered at an acceptable cost.

The main reasons that spreadsheets are unsuitable for risk management are:

  • Lack of integrity – Spreadsheets are easily manipulated to present facts in the best light. This could be to make an opportunity look more appealing, cover up a situation after the event, shift blame, mitigate responsibility or simply make it much easier to commit fraud.
  • No Audit trail – Linked to lack of integrity, spreadsheets do not provide an audit trail. Once changes have been made, there is no way to see who has changed what and how situations have developed over time.
  • Deadlines missed – With no workflow or processes built in, deadlines without alerts are easily missed.
  • No Consistency – Everyone has their own version of the truth. With no set structure, each time a spreadsheet is set up the formatting will be different.
  • Difficult to compile and analyse information – Because the formatting is different for each one, it is extremely difficult to combine spreadsheets, especially as risk information can be held across dozens or even hundreds of spreadsheets. Compiling analysis from multiple spreadsheets is also prone to error.

Operational Risk Management is the new differentiator

The major analyst firms agree that Operational Risk Management is a highly significant discipline in the financial services sector, and one which, while relatively new, can be a huge differentiator. Operational risk is the risk of doing business, and as such, risks are incredibly diverse, from employee conduct, third parties, data, business processes, to environment, social and governance (ESG) risk, to technology, cyber risk and operational resilience.

If operational risk is to provide true business benefit, rather than simply aiming to tick the boxes for the regulators, firms need to be able to link events to causes, controls and risks. Firms need to be able to preserve that information and learn from mistakes, and ensure that learning lives on long after the original incident has been forgotten. Risk owners must be part of the process so that risk managers can focus on providing support and resource to the areas of the business that need it, and the salient points of the business’s risk position must be distilled for consumption by senior management.

Operational risk needs to move from simply reporting and advising on controls for risks, to providing expertise to the business on how to manage risk and opportunity. Indeed, two of the ‘Chartis Big Bets 2022’ are the increased requirements for Conduct Risk and Controls, recommending a more diversified approach, and the need to integrate Cyber Risk with other risk and compliance disciplines. [1]

The digital transformation of risk will not only see a transition from monitoring and responding, to a situation where the business can respond immediately to emerging threats, near misses and threats to operational resilience, but it will also enable qualitative GRC information to be quantified.

In its Market Insight, Spotlight on GRC+, Chartis [2] states: “Perhaps the most prevalent trend across all aspects of GRC is the rise of GRC quantification and analytics-based frameworks. In response to this trend, Chartis will treat GRC analytics as a separate sub-section of GRC in future. Analysis of GRC analytics focuses on the spectrum of tools and techniques becoming available as novel analytical methodologies permeate the various sub-sections of GRC. One thing to note as we move forward is the variance in implementation rates across GRC sub-sections and techniques. Thanks to the rapid increase in digitalization, previously qualitative GRC information can now be quantified, pushing advanced analytics to the forefront of the GRC discipline.”

None of this is possible when using spreadsheets to manage operational risk, and yet many firms still tackle the complexities of modern Operational Risk Management with manual and disjointed systems.

Digitising Operational Risk Management

A designed-for-purpose Operational Risk Management solution provides the basis on which to build a strong risk aware culture and will enable organisations to plan for the future. It is also key to delivering an effective risk management function at an affordable price for the business. So, what does an operational risk management system provide? Here are some compelling business benefits:

A complete view of the true risk profile – It has always been possible to digitise quantitative data. As noted by Chartis above, with the newest and best ORM software it is now possible to digitise qualitative data and combine that with the previously digitised numerical data. Using innovative approaches to this combined data, management can have a complete and clear view of its actual risk profile, which was previously unavailable.

One version of the Truth – All risk related information is kept in one platform. Risk practitioners, risk owners and management see the same information, and how risks are interrelated.

Audit trail, History and Organisational Learning – Intelligence is accumulated within the system. Details of investigations, analysis and remediation are associated with incidents. Every change documented can be time and date stamped to the individual user, giving a full audit trail of who did what, when.

Nothing slips through the gaps – With all risk information held in a single system, including incidents, events, with allocated actions documenting responsibility, delivery, deadlines and progress reporting, it is easier to see where there might be gaps. Workflows and alerts ensure deadlines are not missed.

Total Risk Position and Dashboards – The most effective tool for communicating risk to senior management is a dashboard, accompanied by a short, concise report providing additional details or recommendations. With one solution for managing operational risk, risks can be rolled up into an overall summary of risk position, and senior managers can drill down into the detail as required.

Meaningful Assessments – Control of risk is documented and based on empirical evidence and key indicators, rather than a best guess. This can serve as an early warning of control problems arising, which can be invaluable in preventing losses.

Adoption of Risk Culture – Risk and control information is collected automatically from the risk owners within the business. This gives risk owners a responsibility to get it right, fostering a spread of risk and control culture. Regular email alerts with updates when thresholds are breached, for example, ensure that action is taken when required and raise risk-awareness throughout the organisation.

Security – User management involves role based security, ensuring that people only see information for which they have the correct authorisation and privilege.

Meeting Regulatory Requirements – As a regulated industry, financial services is subject to ever more stringent regulatory requirements, and punitive punishments for failure. A central system not only enables firms to meet those requirements more easily and more cost effectively, but also serves to prove that they have done so.

Aligning Risk Position with Risk Appetite – There is value to the business in being able to monetise qualitative data which is based on management’s own view of their own risk profile. This enables the actual current risk appetite to be revealed and enables management (for the first time) to take action to bring their risk profile into line with management’s own expectations.

Operational risk is now more complex than ever, involving hundreds of diverse risk types which require oversight and transparency across most business processes.

Operational risks have expanded into new specialisms such as third party risk, monitoring sales practices, misconduct, product development risk, cyber risk, operational resilience and ESG (environment, social and governance). If the risk department is ever to become a true partner to the business, providing quantifiable value, it needs to manage risk with greater efficiency and support truly integrated business decision making. The first decision should be to ban those spreadsheets – and replace them with a built-for-purpose solution capable of digitising all risk data!

RiskLogix Solutions Limited

RiskLogix has worked with financial services firms around the globe, providing innovative software solutions, training and consultancy services. We provide tangible, actionable advice and guidance to help organisations achieve their strategic goals and deliver true business value.

Global HQ

Eagle House
167 City Road
+44 207 377 2250


[1] Chartis Big Bets 2022. https://www.chartis-research.com/chartis-insights/7933561/chartis-big-bets-2022
[2] Market Insight. Spotlight on GRC+: The Chartis view of GRC. https://www.chartis-research.com/grc-and-operational-risk/7945486/spotlight-on-grc-the-chartis-view-of-grc
