We admit, here at RM Studio, when we started our risk management process towards ISO 27001 certification in 2002, we used a very popular spreadsheet application. Through trial and many errors, we quickly realized that establishing formulas, double-checking cell links and formatting, and confidently believing that human error was not a factor in our audit preparation was a risk in and of itself. The frustrating results became our inspiration to develop an efficient and simpler means of managing information security risk. Risk Management Studio (originally OutGuard) was created to offer a holistic solution to the risk management process and streamline our efforts, ensuring sustainable success in risk mitigation and asset protection.
The use of spreadsheet programs for risk management
Spreadsheet programs are an essential part of most businesses and are used for a wide variety of tasks. Their adaptability often leads to their use without consideration of other solutions, and this is frequently the case when they are used for risk management. Spreadsheet programs offer features that are genuinely useful to risk managers, but they come with major limitations.
Positive attributes of spreadsheet programs
The positive attributes and appropriate times for the use of spreadsheet programs include:
One-time risk assessment for smaller organizations: When a small organization with limited operations needs to complete a single risk assessment, a spreadsheet program may be perfectly adequate. However, if the assessment needs to be repeated, or the number of assets, threats and controls grows, the task soon becomes tedious and users end up managing the spreadsheet rather than the risks.
No additional purchase if a spreadsheet program is already owned: Most organizations have already licensed a spreadsheet program or use an open source one.
Documents are easily shared and transferable between computers: Risk assessment workbooks can be emailed or placed on collaboration software for sharing throughout the organization.
Customizable format: Risk managers using spreadsheet programs have the option of customizing all aspects of the risk assessments, from calculations to aesthetics.
Limitations of spreadsheet programs
The limitations of spreadsheet programs can increase the cost, time and resources needed to complete risk assessment projects. These limitations include:
Sharing and unprotected documents: When sharing risk assessment documents, you run the risk of edits being made without the document owner's consent. A spreadsheet keeps no reliable record of who changed which cell and when, so an unapproved version can make its way to publication with no audit trail. Further, unauthorized users may gain access to the documents if proper access controls are not applied when sharing them on file servers or via email.
Calculation creation: When using spreadsheets for risk assessments, users must create or research the risk calculations to implement. This can be a daunting and time-consuming task. Further, once formulas are implemented, the risk increases that they are not applied consistently across the whole scope of the assessment, for example when a row is copied and its formula silently points at a different cell or uses a different scale.
Formula errors, human error and cell linking: Whether completing financial budgets or risk assessments, the danger of formula errors is always present in a spreadsheet. Simple mistakes such as putting a decimal point in the wrong place, typing 25 where 2 or 5 was intended, or referencing the wrong cell can produce an erroneous report, and nothing in the spreadsheet will flag the value as out of range.
Starting with a blank document: Users usually need to create every aspect of the risk assessment and analysis themselves. From naming tabs to formatting columns, this is a time-consuming task, again resulting in users managing the spreadsheet and not the risks.
Reports and formatting: Risk managers must create their own reports based on the data contained in the spreadsheet. This makes it easy to omit the correct, relevant information needed by auditors, and producing the documents in an easy-to-read, understandable format takes time.
Repeatability: Risk assessments are generally completed multiple times a year, for auditing purposes (certification renewal) and for continuous improvement. Spreadsheet-based risk assessments are rarely set up to be easily repeatable. If the risk manager who created the assessment leaves the organization, the process and methodology used may not be clear without proper documentation, and if that documentation is not kept with the assessment, a new assessment may need to be created from scratch.
Multiple worksheets/workbooks: The risk assessment process and documentation can quickly become overwhelming if contained in multiple worksheets and workbooks.
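As an added example (this is not RM Studio's code, nor a method the post prescribes), the following Python script shows what the calculation and input problems listed above look like once the logic leaves the spreadsheet: one formula is applied to every row, every cell is validated strictly so a mistyped value is rejected with its row number instead of silently inflating a score, and a per-asset overview of the current risk position is produced. The 1 to 5 scale, the formula (asset value x likelihood x impact), the acceptance threshold and the CSV rows are all constructed for illustration.

```python
"""
Added example (not RM Studio's code): a small risk register that applies one
validated risk formula to every row of a spreadsheet-style CSV export.
The 1-5 scale, the formula and the acceptance threshold are assumptions
chosen for illustration, not a prescribed methodology.
"""
import csv
import io
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5        # assumed ordinal scale shared by all criteria
ACCEPTANCE_THRESHOLD = 40          # assumed: risk above this requires treatment

# Constructed sample export. The last row carries the classic typo
# (likelihood 25 where 2 or 5 was intended); a spreadsheet would happily
# multiply it through and report a huge risk value.
SAMPLE_CSV = """asset,threat,asset_value,likelihood,impact
Customer database,SQL injection,5,3,5
Customer database,Ransomware,5,2,4
Public website,Defacement,2,4,2
Laptop fleet,Theft,3,25,3
"""


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: int
    likelihood: int
    impact: int


class RiskInputError(ValueError):
    """Raised for a cell that is not an integer on the agreed scale."""


def parse_scale(name, raw, row_no):
    """Parse one cell strictly: integers only, within SCALE_MIN..SCALE_MAX."""
    try:
        value = int(raw.strip())
    except ValueError:
        raise RiskInputError(f"row {row_no}: {name}={raw!r} is not an integer") from None
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise RiskInputError(
            f"row {row_no}: {name}={value} outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def load_register(text, strict=True):
    """Turn a CSV export into RiskEntry objects.

    strict=True aborts on the first bad cell; strict=False skips bad rows and
    returns their error messages so the assessor sees exactly what was excluded.
    """
    entries, rejected = [], []
    # start=2: row 1 of the file is the header, so the first data row is row 2
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            entries.append(RiskEntry(
                asset=row["asset"],
                threat=row["threat"],
                asset_value=parse_scale("asset_value", row["asset_value"], row_no),
                likelihood=parse_scale("likelihood", row["likelihood"], row_no),
                impact=parse_scale("impact", row["impact"], row_no),
            ))
        except RiskInputError as exc:
            if strict:
                raise
            rejected.append(str(exc))
    return entries, rejected


def risk_value(entry):
    """The one formula used for every entry, so no row can drift to a different calculation."""
    return entry.asset_value * entry.likelihood * entry.impact


def assess(entries):
    """Score every entry; return (scored, needs_treatment), highest risk first."""
    scored = sorted(((e, risk_value(e)) for e in entries),
                    key=lambda pair: pair[1], reverse=True)
    needs_treatment = [e for e, r in scored if r > ACCEPTANCE_THRESHOLD]
    return scored, needs_treatment


def worst_risk_per_asset(scored):
    """Highest risk value per asset: the overview of the current risk position."""
    worst = {}
    for e, r in scored:
        worst[e.asset] = max(worst.get(e.asset, 0), r)
    return worst


if __name__ == "__main__":
    entries, rejected = load_register(SAMPLE_CSV, strict=False)
    for msg in rejected:
        print("rejected:", msg)
    scored, treat = assess(entries)
    for e, r in scored:
        flag = "TREAT" if r > ACCEPTANCE_THRESHOLD else "accept"
        print(f"{r:3d} {flag:6} {e.asset} / {e.threat}")
    print("worst per asset:", worst_risk_per_asset(scored))
```

Run with strict=True (the default) the load fails on the bad laptop row before any score is produced, which is the behaviour you want when the register feeds an audit report; strict=False is for the triage pass where you want to see every rejected cell at once.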
Risk Management Software
In discussing risk management software, it would be easy for us to simply focus on RM Studio. However, we do not intend to use this post as a promotional tool. As such, we will focus on general benefits of risk management software. There are many platforms to choose from, so when looking at risk management solutions, make sure you clearly define your needs and find the solution that meets your needs.
Risk Management Software’s Main Benefits
Risk management software offers an all-in-one solution that assists in managing and addressing risks, controls, and risk treatment objectives in intuitive, simple and easily managed procedures. Risk management software generally provides an overview of the entire risk assessment process, allowing users to quickly see the current risk status. The main benefits of using risk management software are:
Embedded information such as asset categories and a threat library: Mature risk management solutions come with information compiled by experts, which reduces guesswork for the user. Examples include a predefined asset category (asset type) library, embedded controls and a predefined threat library, which are interconnected so that users can identify important and derivative threats. Well-developed solutions automatically link this information within the tool.
Risk calculations: The risk calculations in risk management software are in most cases developed by experts and in some cases aligned with published standard methodologies. The risk calculation can usually be scaled by the user with little effort when necessary. Built-in evaluation criteria are used to calculate the risk value automatically, simplifying the process for users.
Integrated reporting and exporting options: Risk management software often comes equipped with preformatted reports, available at the click of the button for users to quickly generate and communicate all necessary information.
Easily repeatable processes and embedded evaluation/risk calculation templates: Risk management software comes equipped with ready-to-use evaluation and risk calculation templates that are generally based on industry best practice and can be deployed at the click of a button, simplifying the risk assessment process. Users can also adjust the evaluation criteria to current needs, allowing a dynamic response to a changing environment.
The risk management process can be a complicated task without the right tools in place. Organizations must actively identify and mitigate risks before they materialize to ensure reliable service and protect the organization's reputation. Many organizations unfortunately still rely on manual methods in spreadsheet programs to complete the risk management process. While spreadsheet programs offer their own advantages, the limitations far outweigh the benefits. Without an automated, centralized tool, organizations fail to connect and properly assess the risk variables at hand and to determine the organization's overarching risk position; in the end, they spend more time managing the spreadsheet than managing risk.
RM Studio has assisted organizations of all types and sizes around the world to establish a competent risk management strategy and comply with the ISO 27001, ISO 9001 and PCI DSS standards. RM Studio comes complete with a gap analysis module, a risk assessment and risk treatment module, a business continuity management module, and the standards themselves, ready to deploy and use immediately after installation.