Why Spreadsheets Are Killing Your GRC Practice

Risk Management Spreadsheets

I once ran a poll on the SimpleRisk website that asked what platforms people were using for risk management. It ran for over a year and had thousands of responses. Granted, these users were on our website for a reason, so I'll admit bias in my polling, but the results closely reflected what we see and hear with real-world prospects every day. Approximately 48% of organizations are using spreadsheets for their risk management, with an additional 30% doing nothing at all. In fact, we frequently half-heartedly joke on calls that Excel is our biggest competitor. Perhaps you're in that boat as well, which is what brought you here.

I want to assure you that there's nothing to be ashamed of. When I ran the Information Security Program at National Instruments, I tried to pitch a GRC tool to my VP for my fledgling risk management practice, and she laughed at me when she saw the price tag (spoiler alert: it was over $500k!). She told me, "Your budget is zero dollars, go figure it out." So what does someone do with a risk management mandate and no budget? They look to repurpose tools they already own, of course. That's when I turned to spreadsheet-based risk management, and I'd venture to guess that's why you're using them too. But like the "Notorious B.I.G." said, "mo spreadsheets, mo problems." At least, I'm pretty sure that's the line from that song.

Don't get me wrong, I've seen some pretty creative approaches to spreadsheet-based risk management over the years. I've seen massive tables listing out mappings of hundreds of risks, vulnerabilities, threats and controls. I've even seen a handful of spreadsheets that create impressive dashboards summarizing their risk data. But this approach eventually falls down for a number of reasons.

First, spreadsheets don't scale. A spreadsheet with a dozen risks for a single team may be manageable, but one with hundreds or thousands of risks across multiple teams becomes unwieldy. Having multiple people editing the same spreadsheet at the same time is a recipe for disaster. Worse yet, how do you maintain an enterprise-wide view of risk while ensuring that one team can't see another team's risks?

Second, a spreadsheet isn't a database. Sure, you can do pivot tables in Excel and use some fancy formulas, but joining data from distinct tables is difficult, if not impossible. In SimpleRisk, a single database query can span a dozen or more tables and still return in a fraction of a second. There is simply no substitute for the efficiency and scale of a database where joining multiple distinct sets of data is concerned.
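To make the "spreadsheet isn't a database" point concrete, here is an added example (not SimpleRisk's code or schema) that models a small relational risk register in SQLite: teams, risks, controls, and a many-to-many risk-to-control mapping. One query joins all four tables to produce a per-risk report with an inherent score, a residual score and a control count, and an optional team filter shows how the same data can be scoped so one team only sees its own risks. The table layout, the sample rows and the residual scoring rule (inherent score minus the summed mitigation of mapped controls) are all constructed for illustration.

```python
import sqlite3

# Constructed schema for the example; it is not SimpleRisk's data model.
SCHEMA = """
CREATE TABLE teams (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE risks (
    id         INTEGER PRIMARY KEY,
    team_id    INTEGER NOT NULL REFERENCES teams(id),
    subject    TEXT    NOT NULL,
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact     INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5)
);
CREATE TABLE controls (
    id         INTEGER PRIMARY KEY,
    name       TEXT    NOT NULL,
    mitigation INTEGER NOT NULL   -- points subtracted from the inherent score
);
-- Many-to-many mapping: a risk can have several controls and vice versa.
CREATE TABLE risk_controls (
    risk_id    INTEGER NOT NULL REFERENCES risks(id),
    control_id INTEGER NOT NULL REFERENCES controls(id),
    PRIMARY KEY (risk_id, control_id)
);
"""

# Constructed sample rows (two teams, three risks, three controls).
SAMPLE = [
    ("INSERT INTO teams VALUES (?, ?)", [(1, "Platform"), (2, "Finance IT")]),
    ("INSERT INTO risks VALUES (?, ?, ?, ?, ?)", [
        (1, 1, "Unpatched public web server", 4, 5),
        (2, 1, "Shared admin credentials", 3, 4),
        (3, 2, "Unencrypted backup tapes", 2, 5),
    ]),
    ("INSERT INTO controls VALUES (?, ?, ?)", [
        (1, "Monthly patch cycle", 2),
        (2, "WAF in front of web tier", 1),
        (3, "Per-user admin accounts with MFA", 2),
    ]),
    ("INSERT INTO risk_controls VALUES (?, ?)", [(1, 1), (1, 2), (2, 3)]),
]

# One query across four tables: the join a spreadsheet would need several
# VLOOKUP columns and a manual roll-up to approximate.
REPORT_SQL = """
SELECT r.id, t.name AS team, r.subject,
       r.likelihood * r.impact AS inherent,
       r.likelihood * r.impact - COALESCE(SUM(c.mitigation), 0) AS residual,
       COUNT(c.id) AS control_count
FROM risks r
JOIN teams t ON t.id = r.team_id
LEFT JOIN risk_controls rc ON rc.risk_id = r.id
LEFT JOIN controls c ON c.id = rc.control_id
WHERE (? IS NULL OR r.team_id = ?)
GROUP BY r.id, t.name, r.subject, r.likelihood, r.impact
ORDER BY residual DESC, r.id
"""


def build_register():
    """Create an in-memory register populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


def risk_report(conn, team_id=None):
    """Return per-risk rows as dicts; team_id=None is the enterprise-wide view,
    a specific team_id scopes the report to that team's risks only."""
    rows = conn.execute(REPORT_SQL, (team_id, team_id)).fetchall()
    return [dict(row) for row in rows]


if __name__ == "__main__":
    conn = build_register()
    print("Enterprise view:")
    for row in risk_report(conn):
        print(f"  [{row['team']}] {row['subject']}: inherent={row['inherent']} "
              f"residual={row['residual']} controls={row['control_count']}")
    print("Finance IT only:")
    for row in risk_report(conn, team_id=2):
        print(f"  {row['subject']}: residual={row['residual']}")
```

The team filter lives in the query rather than in a copy of the data, which is the part a per-team spreadsheet cannot offer: every team reads from the same register, and adding a control or remapping it to a different risk changes the residual score in every report without anyone editing a formula.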

Third, spreadsheets require considerable maintenance. Those who fall into the spreadsheet approach to risk management typically spend just as much time tweaking their spreadsheet and messing with their formulas as they do actually managing risk. Each new report requires a substantial investment of time to create. It ends up being a waste of resources that are far better utilized elsewhere in the organization.

It was for these reasons that, eventually, I gave up on my risk management spreadsheet. I dabbled in a home-grown Lotus Notes risk management database for about a year, but building and maintaining a GRC tool really wasn't on the priority list for our Lotus Notes administrators, and it quickly fell into disrepair. I was truly stuck between a rock and a hard place. I couldn't afford a real GRC platform and Excel couldn't cut it, so I ended up writing something.

I wrote the first version of SimpleRisk for myself, as a solution to all of the issues outlined above. It was simple, intuitive and efficient. I could modify the source code to meet my needs. Eventually, I figured that if it was useful to me, perhaps others could benefit from it as well. That's why, back in March of 2013, I decided to release it free and open source to the world. It turns out, you and I aren't alone here. There were thousands of people out there, just like us, who were using spreadsheets because they couldn't afford a GRC platform, and we were all searching for a better way. SimpleRisk finally gave them the GRC functionality that they needed, in a simple and intuitive package, that wouldn't break the bank.

SimpleRisk has evolved a lot since it was first released. Back then, it was essentially three web pages for submitting and managing risks. Today, we are a fully featured GRC platform that is frequently replacing the 800-lb gorillas in the space due to our mantra of being simple, effective and affordable. Our open source "SimpleRisk Core" is freely available for download from our website and contains all of the basic Governance, Risk Management and Compliance capabilities that will immediately replace your spreadsheets. And for those organizations that need even more features and functionality, we offer a variety of plug-and-play modules, called "Extras", that are still a fraction of the price of the other GRC tools on the market. Not to mention our rapid provisioning, top-notch Support team and expertise that will help you move the needle from zero to GRC in minutes. We'd love for you to give SimpleRisk a try today, so we can show you how to make those pesky spreadsheets a thing of the past.