Ask The Expert: Should I Use A Spreadsheet To Track Risk?

You’ve probably considered using a spreadsheet to track your company’s risk. You may have even done this. You document a list of threats or hazards, like faulty cameras or out-of-date fire extinguishers, or use the spreadsheet as a checklist then you work to keep track of repairs and remediations of your deficiencies.

But if you’ve used a spreadsheet to track risk, you know it can get overly complicated. If you haven’t, you may want to skip the spreadsheet and explore another remediation tool.

This might seem counterintuitive — Excel and similar software are traditionally used to create checklists — but there’s good reason to find an alternative.

The role of spreadsheets in traditional risk assessments

Spreadsheets have traditionally been used to lend structure and to aggregate narrative security assessments.

This is because traditional assessments are unstructured. They are completely based on the assessor’s experience, observations, and belief system. The assessor uses their expertise to tell a story about what they saw during their assessment: they take notes and use the notes to write that story. However, their findings are very subjective, which then creates recommendations that aren't easily actionable.

To reduce subjectivity and to provide a better means to compare one assessment to another, assessors turn to the checklist. A checklist can be created to identify a baseline or be used for a gap analysis, and might provide a better tool to help track deficiencies and track remediations. This has been used to build newer narrative reports. Reports that can be used to understand results in a spreadsheet without having to flip through the whole report.

While this system may work for a company with one location, this style of assessment doesn’t scale well. Mature organizations with tens, hundreds, or thousands of sites need to go beyond a narrative report. They need to make decisions organization-wide, comparing risk and compliance at various sites so they can prioritize mitigations.

Spreadsheets may seem like the answer to this problem—a spreadsheet can list several sites in one document—but we’ve found that there are limitations to this approach.

Why not use a spreadsheet to track remediations?

Excel and similar software is simply not equipped to act as a risk database for your company. While most people understand the basics of Excel, creating an advanced, complex database is quite challenging. Being able to filter and sort complex data is even harder.

Even when spreadsheets are used well, they’re static documents that need to be managed. For example, if your organization is using a spreadsheet to manage remediations, someone needs to track down the people responsible for each remediation, find out what’s been done, and make changes to the spreadsheet.

If an entire organization has access to the spreadsheet, that comes with its own challenges; spreadsheets are vulnerable to errors; colleagues have inadvertently changed formulas and affected the entire organization with a single mistake. The more people who have access to the spreadsheet, the greater the likelihood of a mistake.

Another issue around spreadsheets include versions; what happens if a team member makes another version of the spreadsheet? Which version is correct or do both versions contain their own information? Who will combine multiple versions back into a single document? The logistics around managing the spreadsheet can turn into a nightmare.

What is the alternative to spreadsheets?

You wouldn’t send an important document using a fax machine. Nor would you send an urgent message through the mail. In the same way, it’s time to move on to newer, more effective ways of assessing and tracking risk.

Circadian Risk’s digital platform enables assessors to evaluate your site on a tablet as they walk your facility, taking pictures and notes synced to your site’s floor plan or map. Rather than writing up a report, the assessor’s data is then immediately turned into a checklist for remediation. This checklist is a living document, reflecting remediations as soon as they are made, and it is also the single source of truth — there is just one version, securely stored on the cloud.

By creating a digital tool, we allow our clients to spend the majority of their time on remediation, not on assessment, enabling a more proactive security strategy that should be part of the culture of every organization.

To learn more about creating a proactive risk culture, read the CSO Risk Council’s whitepaper about creating cultural change in your security organization.

About the Author

Daniel Young

Founder & Chief Innovation Officer

Daniel has been a security and risk advisor for more than 10 years, and is passionate about helping companies to better understand their risks to undesirable events on a daily basis. Dan previously served as the Regional Bioterrorism Coordinator for District 1 in Michigan, where he was instrumental in preparing communities for catastrophic incidents. He has also acted as the Private Security Liaison for the City of Lansing’s Critical Infrastructure Team, which identified and documented deficiencies in the city’s critical infrastructure.

He is a Co-Founder of the CSO Risk Council, a think tank of seasoned security professionals and thought leaders with extensive experience in managing the physical security and risks of large enterprises consisting of multiple sites and whose mission is to create a better process to develop and share innovative solutions and pertinent information with organizations to improve safety and security risk by providing a forum to discuss best practices and recommendations for specific risk scenarios and to network with other enterprise security professionals.