From Chaos to Control: How a GRC Platform Centralizes Your Security Efforts


Yes, a spreadsheet seems more accessible and familiar. Yes, a project management system gives you plenty of cool animations. Both could get you into a world of trouble you might not be ready for.

Risk management is not a checklist. No matter how many checklists a control regimen or compliance framework may provide you with, the temptation to try to mosaic all these lists together like tiles on a floor of a Roman bath, is dangerous. If you’re serious about reducing risk in your organization, you should avoid creating a risk center that itself becomes a center of risk.

A spreadsheet approach to risk management

Perhaps you’ve seen, or even downloaded, one of those free risk management or risk register templates for Excel. Soon after you opened it, it may have looked something like this. It seems friendly enough. It does have some conditional formatting built-in, and appears to have a column for everything you’d imagine yourself thinking about when getting into the daily grind of risk assessment. Maybe you’re not certain yet what distinguishes a “9” from a “7” with respect to “Severity level,” but it’s just a 10-point scale, you think to yourself, and you’ll figure it out along the way. As you enter several more risks ranked an “8” or “9” along with plenty of others that are just “2” or “3”, soon the average ends up right around a “5,” and you feel reasonably comforted.

The beauty of a spreadsheet (let’s face it, there is a beauty to the thing) is that it responds instantly to each function you add to it. You build value into its results incrementally, step by step, in a controlled and deliberate fashion. Suppose each row in a spreadsheet represents one risk to your organization. The cells that share a row may represent the parameters of that risk. To calculate the assessment values in a risk analysis, you use formulas as simple as risk = likelihood × impact. Applying a formula this simple to every row in sequence produces a tangible result, which to the spreadsheet is just a grand total but to the user may as well be a statistical risk gauge. Its cell should be colored yellow, and it’ll probably never become greenish, but as long as it doesn’t get reddish, you’re fine.

The typical argument you read from the publisher of one of these do-it-yourself templates is that basic risk management should be a “no-brainer.” You do the actions called for by the controls, you check them off by typing “X” in their designated cells, and if there are values attached to these actions, your risk score pops up automatically. Sure, there are more detailed and involved risk management platforms out there, the argument goes on. But if you already know how to use a spreadsheet, where’s the risk in that compared to having to learn an entirely new software system?

If managing risk were as simple as typing “X” into cell I3, then typing “X” into cell I4, and then I5 but not yet I6 because you haven’t finished with the control in row 6 yet, then there would be no GRC software platform industry. There wouldn’t have to be.

Model risk

Maybe you see the risk factor here already. History is replete with examples of what can happen whenever perfectly good spreadsheet software is trusted as the sole system of accounts for a business. In the record of human events, it’s usually the catastrophes that seem to linger.

There is an equally impactful threat to the organization when a spreadsheet, or any insufficiently secured software, is used as a principal security tool. This danger has become very clear to practitioners of the emerging art of model risk management (MRM). It’s the science of how an organization’s business model is structured, either intentionally or organically, through the systems people employ to help them manage it. You model your business, either with intent or by default, through the systems and software you use to conduct and record transactions. If your business relies upon spreadsheets, then those files constitute the business model. Anything that threatens their integrity or even existence, threatens the business as a whole.

A recent report from the UK’s Institute of Risk Management [PDF] frames the entire endeavor of risk assessment in the context of protecting the business model. Writes IRM:

A risk assessment of the components of the business model will enable any organisation to evaluate the robustness of the existing business model and identify the events that could impact the efficient and effective delivery of the customer offering.

To the extent that the software upon which a business’ activities are based is incomplete, susceptible to human error, or otherwise inappropriate to the task, the business itself is jeopardized. This is the conclusion the US Dept. of Treasury reached in its August 2021 report from the Office of the Comptroller of the Currency on MRM [PDF]. That report did concentrate on the banking industry, but its warnings apply everywhere, including the following:

Model use can affect risk in all eight categories of risk [strategic, operational, reputational, compliance, credit, liquidity, interest rate, and price]. The use of models can increase or decrease risk in each risk category depending on the models’ purpose, use, and the effectiveness of any relevant model risk management. Conceptually, model risk is a distinct risk that can influence aggregate risk across all risk categories. Model risk can increase due to interactions and dependencies among models, such as reliance on common assumptions, inputs, data, or methodologies.

Suppose you heed these institutions’ advice and consider model risk as a quantifiable, applicable risk to your organization. Even if you’re using one of those downloadable Excel templates, at some point you’ll need to create at least one entry that quantifies model risk. At that time, the question will arise: Which risks to the organization must be accounted for with respect to the continued use of that very template to assess risk? Are you as confident of the resilience of your spreadsheet as the poor fellow whose Excel rounding error blew up his entire financial institution?

The system of record

A huge part of the job of governance (the “G” in GRC) is to ensure that all records critical to the proper and regular function of a business are managed through a single, secure, uncontestably authoritative source. Both the NIST CSF 2.0 and ISO 27001 frameworks define controls for the management of an authoritative data system, all of which meet the criteria for what both accounting and cybersecurity professionals consider a system of record (SoR).

A GRC platform is necessary for any organization that manages risk and that oversees governance and compliance operations, because the act of managing security itself requires maximum security. Bringing risk under control within an organization by using a GRC platform such as SimpleRisk reduces risk. Exposing risk to undue or outside influence or manipulation by using any software not designed to treat GRC as a security procedure introduces risk. The reason there are controls in a cybersecurity framework is to protect information systems whose integrity would be compromised by the very class of software that promises to make GRC easier for you without a platform.

In the fields of computer science and data management, an SoR is the master of the information in its domain. Unlike a spreadsheet or a database or even a project management SaaS service, an SoR does the following:

  • Serves as a single source of truth for all data related to risk management, governance, and compliance activities
  • Provides full auditability against multiple data sources to ensure accuracy and enable errors to be easily spotted and corrected
  • Safeguards access to data to authorized parties only, by facilitating strong authentication measures and role-based access control (RBAC), providing secure and compliant accessibility without resorting to data silos and compartmentalization
  • Enforces its own data standards for itself, particularly with regard to personally identifiable information (PII) and other protected information related to the business or its clients
  • Enables change management, giving an organization the tools it needs to implement new and improved methods without having to rewrite and recompile existing data
  • Dedicates itself to the sole task of safeguarding data in its domain, which is a virtue for a risk management platform that isn’t simultaneously serving as a to-do list, a budgeting system, a project manager for a marketing campaign, and a recipe book
  • Meets all the requirements of cybersecurity frameworks for data integrity, non-repudiability, and authoritativeness, which should be a baseline requirement for any risk management system to begin with
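To make the contrast concrete, here is an added illustration (not SimpleRisk’s code, and not from the original post) of a minimal risk register that behaves like a system of record rather than a spreadsheet: the likelihood × impact score from the section above is derived from an append-only, hash-chained audit trail instead of being typed into a cell, writes are gated by role, and any in-place edit is detectable. The role names and risk identifiers are assumptions for the example.

```python
# Added illustration of system-of-record properties for a risk register.
# Hypothetical design: role names and risk ids are assumptions, not from the post.
import hashlib
import json

ROLES_THAT_MAY_WRITE = {"risk_owner", "ciso"}   # assumed RBAC policy


class RiskRegister:
    def __init__(self):
        self._log = []           # append-only audit trail; never edited in place
        self._prev = "0" * 64    # genesis link for the hash chain

    def record(self, actor, role, risk_id, likelihood, impact):
        """Append one assessment; refuses unauthorized roles and out-of-scale values."""
        if role not in ROLES_THAT_MAY_WRITE:
            raise PermissionError(f"{actor} ({role}) may not write to the register")
        if not (1 <= likelihood <= 10 and 1 <= impact <= 10):
            raise ValueError("likelihood and impact must be on the 1-10 scale")
        entry = {"seq": len(self._log), "actor": actor, "risk_id": risk_id,
                 "likelihood": likelihood, "impact": impact, "prev": self._prev}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest          # each entry commits to its predecessor
        self._log.append(entry)
        self._prev = digest
        return digest

    def current(self):
        """Latest likelihood x impact per risk, replayed from the log (single source of truth)."""
        state = {}
        for e in self._log:
            state[e["risk_id"]] = e["likelihood"] * e["impact"]
        return state

    def summary(self):
        """Report the worst score alongside the mean; an average alone hides the 9s."""
        scores = list(self.current().values())
        return {"max": max(scores), "mean": sum(scores) / len(scores)}

    def verify(self):
        """Recompute the chain; a spreadsheet-style in-place edit breaks it."""
        prev = "0" * 64
        for e in self._log:
            body = {k: v for k, v in e.items() if k != "hash"}
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or recomputed != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Re-scoring a risk adds a new entry rather than overwriting the old one, so the history of who changed what, and when, survives alongside the current value.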

You may have recently seen some popular SaaS-based project management software platforms such as Monday.com and Asana advertise themselves as risk management or GRC tools — even as “systems of record” — just by downloading a few free templates. They offer colorful graphics, automatic charts, and instantaneous dashboards with bouncy and swingy animations. Yes, project management apps are better adapted to their tasks than spreadsheets. They do offer password-based access control. And their service providers may have been ISO 27001-certified. What they are not, and cannot be, are systems of record.

No SaaS platform is immune from cyberattack, and project management platforms are no exception. This fact doesn’t mean they’re not perfectly suitable for project management tasks, given a reasonable degree of oversight from customers’ cybersecurity teams. There are standalone tools and platforms that purport to conduct “SaaS security audits” for organizations that use SaaS platforms, including for project management. As these very tools may make you aware, the use of SaaS to host critical business data carries risk. When risk becomes an issue of contention, is trust something you can reliably outsource to your SaaS provider?

The SimpleRisk commitment

SimpleRisk is trusted because it serves as organizations’ risk management systems of record without introducing any more difficulty than the act of adopting cybersecurity frameworks already entails. It’s straightforward, giving you not just the clarity you need to understand what you’re doing, but the guidance to make it all make better sense — guidance that neither Excel nor Asana can provide.

You’re not implementing governance, risk management, and compliance processes in your organization just to be ticking boxes and filling in forms. You’re doing it to bring some sanity and sensibility to your cybersecurity activities. You won’t find authority, sensibility, practicality, or for that matter, even security in a free downloadable template for an all-purpose productivity app.

SimpleRisk can serve as your risk management system of record. When it comes time to assess and record the risk involved with using risk management software, you won’t need a cell that lights up green to feel confident.
