The right ERM software is faster to set up, easier to maintain and easier to adapt.
Sounds crazy, right? How can ERM software be less expensive than spreadsheets?
The idea seems counterintuitive. And yet, it is true that in most cases, using the right ERM software will cost less than using spreadsheets. The right ERM software tool will also be faster to set up, easier to maintain, easier to adapt, and will lead to happier stakeholders and better outcomes overall.
These points are discussed in a 3-article series. This first article summarizes why ERM programs often start on spreadsheets and why those spreadsheets end up costing more and being less effective than modern ERM software tools.
A second companion article discusses 12 ways in which ERM software saves money and provides benefits that spreadsheets cannot match. The third article also discusses an ERM startup approach and methodology that is ideal for risk managers seeking to quickly and inexpensively (e.g. for free) build risk registers, create risk bow tie diagrams, experiment with new ERM designs, build an ERM business case for senior management, and more.
These are some of the main reasons that ERM managers share when asked why they started their ERM programs with spreadsheets.
1. No out-of-pocket costs. This one is obvious. There is no immediate cash outlay needed to start a spreadsheet. Once you have a spreadsheet tool, you are good to go.
2. Design flexibility. Spreadsheets are flexible and can be used to model just about anything. This allows risk managers to design ERM programs that are tailored to their organization’s unique needs.
3. Changing / evolving programs. New ERM programs will change and evolve as risk processes and risk cultures mature within an organization. As a result, the standard risk consulting approach is to focus first on people, process, and culture. The idea is to start with flexible spreadsheets and presentation files, and to delay spending any time and money setting up ERM software until later, when the ERM program has stopped evolving so quickly (and perhaps when a business case has been established).
4. No budgets or approvals required. Related to the points above, probably the biggest reason that spreadsheets are used in ERM programs is that risk managers do not need management approval or a budget to get started. A program can be quietly modelled without much attention and then brought forward to management for approval once a working showcase example has been completed. This is a larger factor with new ERM programs, where there may not be a pre-existing budget or clear executive mandate for investment.
Together, these points seem to make a pretty compelling case for spreadsheets. There is, however, another side to the story.
In reality, many of the perceived benefits of spreadsheets end up contributing to their higher costs and lower effectiveness when compared to modern ERM software systems.
Here are some of the main reasons why.
1. Extra manual effort. It takes much more manual effort to set up and maintain an ERM program in spreadsheets than it does in a modern ERM tool that is preconfigured to implement standard risk frameworks (e.g. ISO 31000 and COSO) and that includes automation and productivity features - such as dynamic risk registers, risk libraries, interactive risk bow tie builders, automated workflows (e.g. action plan reminders, risk voting, risk assessments, KRI data collection), automated reporting and analysis, and more.
Even if your goal is to quickly set up a simple risk register, the right ERM software tool will always save time and effort. And we are not just talking about the manual effort of risk managers. The right ERM software tool can be set up in minutes and will save effort for everyone involved in the ERM process. Across the organization, that can quickly amount to many hundreds of hours saved for your valuable staff and executives.
2. Delayed benefits. The right ERM software tool can be configured and launched in minutes and can be a useful catalyst to help model, demonstrate, and evolve an ERM program much faster than is possible with spreadsheets. Organizations who choose to go slower by using spreadsheets pay extra hidden costs in the form of delayed (or missing) ERM benefits and in opportunity costs for those involved. Instead of trying to reinvent the ERM wheel with spreadsheets, what else could risk managers, end users, and executives be doing with their valuable time to help the organization?
3. Deviations from best practice. Speaking of reinventing the wheel, organizations using spreadsheets run a greater risk of building programs that do not conform with best practice standards and frameworks like ISO 31000 and COSO. In contrast, the right ERM software tool will be preconfigured to automatically align with best practices. Users of modern ERM tools do not need to be risk experts - if they follow the system flow, they will be conducting best practice ERM processes, whether they realize it or not.
The cost of deviating from best practices shows up in the form of poor user acceptance, lack of follow through, delayed or completely missed benefits, and program failure and reboot costs (discussed more in the points below).
4. Poor user acceptance. Most ERM managers will tell you that one of their biggest challenges with spreadsheets is maintaining user engagement. Users do not like filling in spreadsheets at the best of times. ERM spreadsheets are typically complicated grids that can be daunting for infrequent users and non-experts. ERM spreadsheets may have initial success, driven by novelty, executive support, and high effort from risk managers, but they often quickly devolve into check-box activities that become a struggle to maintain. The organization pays the price in terms of missed ERM benefits, extra manual effort, program reboot costs, and outright program failure.
5. Stale data, poor follow-through. Related to the previous points, it is very difficult to keep users engaged to update spreadsheets regularly. Spreadsheets also lack automated features for reminders, change tracking, and data collection. All of these tasks tend to fall on the risk manager’s shoulders, as they spend their time sending reminders and chasing updates on risks and action plans. Without clear visibility and accountability, follow-through on action plans becomes weaker. Once again, the organization pays the hidden costs of missed ERM benefits, stalled programs, and the opportunity costs of turning valuable resources into data entry clerks.
6. Centralization & failure to build an effective risk culture. Spreadsheets tend to force tight central control over ERM tasks, undermining risk managers’ attempts to roll out ERM processes into business units and to build a positive risk culture throughout an organization.
Spreadsheets are poor multi-user tools. Unlike ERM software, spreadsheets lack automated controls and change tracking capabilities. When ERM spreadsheets are rolled out to different end user groups, they quickly break down into multiple versions with changes and conflicts. As a result, ERM managers using spreadsheets are forced to spend a large portion of their time manually collating or entering information on their users’ behalf, in an attempt to keep the program current and to manage conflicts between different spreadsheet versions.
This phenomenon can have a profound negative effect on risk culture in an organization. The true power of ERM is realized when business unit leadership takes ownership of ERM and builds it into their planning and management processes. This alignment and embedding of ERM practices contributes to a healthy risk culture, in which risk management is seen as a best practice to help business managers improve decision making and achieve their objectives more consistently. This process is undermined and never achieved when the limitations of spreadsheets force a central risk manager to do all of the updating and maintenance work on behalf of the users. If business users don’t do the work, they won’t own the process. Business users will be more likely to view centralized ERM as merely a compliance and oversight function. When this happens, a healthy risk culture never properly takes hold.
7. Staff turnover. As detailed above, spreadsheets force ERM managers to spend a tremendous amount of time updating data, collating data, managing data conflicts, following up with end users, updating manual reports, attempting manual analysis and more. This high-effort approach can work for a while, but is difficult to maintain over the long term, especially as key staff members change roles. Furthermore, these manual activities are stressful and do not provide rewarding work. Manual data entry activities are a far cry from the value-added advisory services that most ERM managers had hoped to provide. All of this together leads to a higher rate of turnover in ERM staff positions - and a greater chance that ERM processes will stall through the transitions.
8. Unnecessary complexity. Within ERM programs, the 80:20 rule absolutely applies, meaning that most of the benefits of the program will come from a small core set of best practice activities. While it may be tempting to think that every organization needs a highly tailored ERM program, in our experience across hundreds of ERM programs in dozens of sectors, there is an extremely high degree of commonality across best practice ERM programs. Legitimate variations exist within unique reporting requirements, but these are easily handled (and greatly simplified) within modern ERM software tools that provide automated reporting and analysis capabilities.
This is an area where the flexibility of spreadsheets can become a curse. It is common for organizations using spreadsheets to design highly customized ERM frameworks, when such variation is not truly required. This creates additional unneeded complexity, further reducing user engagement and hastening the stagnation that plagues spreadsheet-based ERM programs.
9. Less flexibility. Contrary to popular belief, in practice, spreadsheet-based ERM programs are less flexible than programs supported by modern ERM software. While spreadsheets themselves are flexible, the ERM programs that are built with them are not. Once an ERM spreadsheet has been created and populated with user data, reconfiguring and remodeling the ERM program becomes extremely labor intensive. Many ERM programs quickly become impractical to update, given the manual effort required. And forget about trying to model new “what if” scenarios in a spreadsheet. In contrast, new configurations can be tested in seconds in modern ERM systems, with databases and automated routines handling the data updates, remapping, and new report views.
10. Weak data security. Spreadsheets are very difficult to control, especially when risk managers attempt to roll out risk management processes beyond a centralized risk team. Sensitive risk registers end up getting sent broadly through clear-text emails that can be easily intercepted or misused. Unlike modern ERM software, spreadsheets have minimal user access controls, which prevents role-based access and effective change tracking. This ends up forcing risk managers into creating multiple spreadsheet sub-versions and/or tightly centralizing control over risk data (see earlier points 6 and 7).
11. Lost insights. Because of the manual effort involved, most ERM managers using spreadsheets never progress beyond basic reporting. They miss out on the valuable insights and benefits that can be realized through more advanced data analysis, such as root cause analysis, control analysis, consequence analysis, scenario modeling, bow tie analysis, risk appetite analysis and more. In contrast, modern ERM software will be designed with many automated analysis routines that run automatically and provide useful feedback to users and ERM managers in real-time as they complete their work in the tool. Modern ERM software also provides automated reporting, built-in analysis capabilities, and the ability to export data into third-party analytics platforms such as Power BI, Tableau and more.
12. Failed programs. Finally, as described in many previous points, the ultimate pain of using spreadsheets for ERM comes in the cost of higher rates of program stagnation and ultimate program failure. When done properly, ERM programs can provide important strategic benefits, improving decision making and optimizing the achievement of strategic objectives. The cost of watering down or missing those benefits with a failed ERM program can be enormous.