Creating a Successful ERM Program: Why Ditching Spreadsheets Isn’t Enough

Technology is often the first thing risk managers turn to when seeking to enhance enterprise risk management (ERM) programs. The appeal of leaving behind a jumble of spreadsheets and manual processes for a single, dedicated ERM workhorse is undeniable. Yet, without the right context to shape the selection process, a new technology solution may not help at all. In fact, it could even make matters worse.

The curse of the spreadsheet

As we have covered in previous posts, managing risk management functions via a patchwork of complicated spreadsheets is a recipe for disaster. Mirek Pijanowski states in Six reasons to avoid spreadsheets in GRC, “Excel and other spreadsheet software are excellent for handling certain data, calculations and organizing information, but constructing critical business processes based on such limited tools is a sure way of wasting your business’ resources.”

Those still chained to spreadsheets are familiar with the limitations. Inconsistent data structures, multiple ‘versions of the truth,’ limited security control, and lack of integration with other systems are just a few of the drawbacks. Two functions especially critical to ERM that are difficult manage through spreadsheets are aggregating data across business units and generating trend reporting. Without integrated communication tools, pushing out the insights and actionable intelligence buried in complex spreadsheets becomes time-consuming and inefficient.

Moving beyond spreadsheets

It is little wonder, then, that the Excel skills once prized by CFOs have rapidly fallen out of favor. According to the recent Accounting Today article Excel on the way out?, “Two years ago, 78 percent of CFOs rated Excel proficiency as the most important skill within their finance team, and that percentage has dropped starkly to 5 percent this year, according to surveys conducted by Adaptive Insights.”

ERM technology is the next logical step for organizations trying to create a successful program. “Manual methods and spreadsheet solutions have become the high-risk option for managing risks and are no longer up to the job. Only a true enterprise risk management solution will capture consistent data, provide a single version of the truth, allow access to real-time, trustworthy information and provide the reports required to proactively manage risk and opportunities,” states SC Media magazine.

Why ditching spreadsheets is not enough

While it is clear that spreadsheet-based manual processes ultimately place a hard cap on how successful any ERM program can be, technology itself may not be the cure-all many are seeking. In our interview with Michael Yip, Vice President, Risk Management DFW International Airport, he makes it clear that before looking at frameworks or technology one should first start looking inward. “Everything begins with the current state assessment,” he says.

Yip argues that without understanding how each stakeholder is pursuing their own specific objectives, and then aligning the ERM program to help reach those goals, no amount of technology will make the program viable and sustainable in the long term. As he puts it, you should be able to confidently state to stakeholders that this transition is “going to provide a system that will holistically gather the data for us, and then we are going to all speak the same terminology, all work towards the same material thresholds, and all go after the organization’s objectives.”

Without this context, understanding how ERM will add value to each stakeholder’s day-to-day activities, automation and technology won’t matter. A bad process paired with automation technology only yields a fully-automated bad process. New technology can even make matters worse by raising expectations. Budget increases, technology rollouts, and procedural changes made to accommodate a new system all focus the spotlight on ERM. If the organization doesn’t see the value returned from this new investment, not only is the entire ERM program at risk, but the value of risk management, in general, can be seriously undermined.

A better way to look at ERM technology

Yip notes that successful ERM programs start with an exclusive focus on stakeholders and organizational objectives. Some key questions to ask are:

  • Who are those most affected?
  • Which organizational priorities are most easily impacted by the ERM program?
  • What is the type of information that can lead directly to actionable decisions?
  • How can all this be measured and reported?

Armed with that context, the selection of technology becomes a far more focused process. The ERM platform needs to support providing actionable information to stakeholders. Risk registers and heat maps are not the end goals. It only matters if those things move the organization towards its objectives in a measurable way. As far as stakeholders are concerned, ERM technology is essentially a vehicle for producing intelligence that shapes decisions.

Flexibility, the real silver bullet for successful ERM

When moving beyond a manual, spreadsheet-based process, automation often becomes the driving goal. However, what gets automated should be an equal concern. With a long list of stakeholders, each with their own objectives and communications preferences, one-size-fits-all approaches are likely to miss the mark. Flexible automation, which can be tailored for each stakeholder, is a far stronger solution.

Some stakeholders will want dashboards for real-time monitoring of KPIs, while others may prefer event-driven alerts or periodic reports. Additionally, as we covered in a previous post, automated PowerPoint generation can be highly effective when dealing with executive reports. When evaluating what technology will best support your ERM program, look for flexibility in how you automate communication with your stakeholders. Can it be tailored to balance individual preferences with the need to streamline the overall process?

Similarly, system flexibility is also tied to the long-term viability of the ERM program. If you are delivering actionable intelligence and genuinely helping units within the organization make better decisions, the requests for providing even more types of information are inevitable. Having a system that accommodates these requests means that the ERM program stays relevant and pivots as organizational needs change. Whether this means adding risk factors not on today’s radar, such as AI or IoT, or changing the organizational structure through merger or acquisition, your ERM program tomorrow may look significantly different than it does today. Without the flexibility to adjust to these types of changes in real-time, the system can become stale and non-responsive.

Putting it all together

Technology choices are a critical component when considering how to build a successful ERM program. However, relying on technology alone, without first considering exactly the results your organization needs to achieve, is likely to lead to increased scrutiny and unmet expectations.

Instead, evaluating how a successful RMIS platform supports the goal of helping stakeholders reach their goals allows you to focus on the aspects that lead directly to the viability and sustainability of the ERM program.

  • Will the system help gain buy-in and engage stakeholders?
  • Can it measure success in these efforts?
  • How responsive will it be when tailoring information flows?

Identifying a solution that answers these questions can be the difference between an ERM program embraced by the organization as a value-add and one merely seen as an academic exercise.

Long term, the flexibility of the system is directly related to how well it adjusts to the unexpected changes of tomorrow. From the adoption of different ERM frameworks, to changes in departmental objectives or personnel, to major shifts in the organizational structure, absorbing these types of events is far easier with a flexible system than a rigid one.

This perspective prioritizes solutions that will provide the added value stakeholders demand in a faster, easier, and more consistent manner. The right technology can put your ERM program on the path to success, but only if viewed as a part of the solution and not the end goal itself.


Get in touch with us to learn more

Contact us to find out more about moving from spreadsheets to an ERM program.