Still Using Spreadsheets for Managing Risks? – Switch to Risk Management Software

March 10th, 2021 by dayat No comments »

Managing risk is essential in every organization to accomplish its key objectives effectively. Risk management not only requires a reliable process to capture risks, but also needs a mechanism to document and administer the organization’s response.

An appropriate risk management tool always helps the risk managers to identify, assess, and prioritize the risks which can be prevented. Here, we will discuss about spreadsheets – commonly used risk management tools and their true costs. We will also know about the best tool to replace spreadsheets for effective risk management.

Spreadsheets are commonly used management tools because they are
• Convenient to use: Many people believe that spreadsheets are convenient to collect, code, sort and analyze data. Yes, they are better than paper based management systems, but they are risky.

• Flexible to enter data: With some basic encoding, spreadsheets offer flexible arrangements of rows and columns to enter data. They allow the user to configure and enter information in a way that suits his unique needs. But risk management involves analysis of various factors and a spreadsheet may not be helpful.

• Low cost or free option: Spreadsheets are either available as freeware or at low-cost. That is why organizations use them extensively. But they fail to understand the fact that the true cost of a tool should be defined by the operational costs that affect the business on long-run; not by the initial cost of the tool.

Are they really beneficial?
Many business owners and risk managers today are using spreadsheets as risk management tools unaware of the risks involved (however some are aware). Here are the risks involved:

• Inability to process huge amounts of data: Although spreadsheets are a good solution for small volumes of data, the processing and calculation will become complicated with the continual growth.

• Time consuming: Risk management requires collecting great deal of information, which often results in huge number of spreadsheets interlinked to each other. A little change to the data structure becomes a great task. This makes risk managers spend countless hours validating data, double checking formulas, and updating values, which is as a time-consuming process.

• Complex to find mistakes: It is quite difficult to find mistakes in a spreadsheet with lot of data. It is often time consuming process to find where exactly the mistakes have occurred.

• Limits the depth of risk analysis: With each change made to a spreadsheet, links between the information are lost making it difficult to analyze relationships over time. Without these links, it becomes tough to link risks and their controls. Also they offer limited access to past and current data making it difficult to compare data overtime.

• Intensive labor: The process of risk management involves continuous updating of data and it increases day by day. Updating data and using spreadsheets effectively requires lot of time and effort. So intensive labor with good knowledge of using the shortcuts and formulas is compulsory.

• Lacks security: A user can accidentally or intentionally delete vast amounts of critical information. Spreadsheets are highly vulnerable to virus attacks, hard disk crashes, and other unexpected disasters.

Underlying costs of using spreadsheets
In general, people think that spreadsheets are free, but they never calculate the underlying costs that can impact the business. Following are the true costs of using them.

• Labor costs: As discussed earlier, it takes lot of effort to create, maintain, organize, and report using spreadsheets. However, the fact that these things require labor, which in turn results in huge costs to the company, is often ignored.

• Opportunity costs: Spreadsheets consume lot of your time and effort, which you can productively use for adding value to the organization. Many business owners, in fact, lose many opportunities hanging around with spreadsheets.

• Risk and non-compliance costs: Spreadsheets lack in company wide visibility, accountability, security and control which results in increased costs in terms of failed audits, unforeseen events, increased insurance costs and so on.

• Scalability costs: A small company can manage and use one spreadsheet to track all records. But as the business grows, the effort of maintaining and consolidating these records increases exponentially. At one point this process fails and negatively impacts the business.

• Human error costs: Spreadsheets are vulnerable to manipulation, which can dramatically impact the company. Moreover, with the increasing chances of human errors, it is difficult to consider that the data is valid and reliable. These human errors can cost a lot to the company.

Effective tool to replace spreadsheet – Risk Management Software
After seeing all the risks and costs involved with spreadsheets, one would certainly ask for a better tool to manage risks and here is the solution – the Risk Management Software. It can effectively replace spreadsheets in the risk management process. Following are the benefits of using risk management software.

• Effective control over GRC processes: Risk management software helps in the effective control over the GRC (governance, risk management, and compliance) processes with proper documentation and work flow. They also help managers in risk assessment and analysis, visualization and reporting.

• Data security: User can limit the availability of data by creating passwords. He can also give full access to all the data to a particular group of people within the organization. This feature eliminates the risk of manipulation of data.

• Real time recording: Recording and updating information regarding risks is easy using this software. You need not spend hours to update the data.

• Reliable audits: This software offers full protection to all the data in the system with fully automated backups. This allows auditors to extract robust and reliable audit trails without unnecessary effort and thus it helps them in identification of risks, and creation of risk management strategies.

• Automated risk reporting: It provides the user with clear information on their objectives and risks associated. It also informs about the required actions and scheduled dates to implement them to prevent risks.

• Clear and consistent reports: A unique feature of this software is that it provides clear and consistent reports making it easy for managers to view the risks in real-time.

How to choose effective risk management software
With growing demand of the risk management software, many companies offering this software evolved in the market. Therefore it is important to choose the effective one to reap the maximum benefits. Following are some tips to choose a good one.

• Reputed vendor: A well established and experienced vendor definitely offers standard products as he fully understands risk management standards.

• Maximum features: Before buying the product, make sure that it has all features to help you in managing the risks properly.

• Customer service and tech support: As this product is new for the organization, it is important to choose a company that offers 24/7 tech support and timely customer service. Moreover, as risk environment demands a constant change of compliance, make sure that the vendor is offering regular product updates and maintenance releases.

An upgrade in the existing technology never says that the existing product is of no use, instead offers the user with more useful features. Upgrading to latest tools like risk management software enhances the organization’s capabilities in managing risk.

Risk Management on Projects

March 10th, 2021 by dayat No comments »

Project Risk Management

How does project risk management differ from any other type of risk management? Well in most regards it doesn’t. However, as this is a project focused activity it helps simplify the overall focus by looking only at the core project fundamentals of scope – which are cost, quality and time. Remember that, I may test you later!

There are a number of good training videos available on YouTube that cover this principal. I’ve added a couple below to help bring home the point of this article. I find watching a presentation often easier to take in than reading some else’s thoughts.

Project Risk Management

So what is project Risk Management is all about? In an earlier article I talk about what risk and risk management are about. If you are still confused about what risks are and what risk management is about then read this article, it should bring you into the picture. On projects we talk about risk as any event that could cause an unplanned change to the projects scope – i.e. impact the project costs, timeline or quality of the deliverables, or any combination of the three.

What isn’t always obvious when talking about project risk management is that we also need to consider the positive impact a risk may have on a project – i.e. reduce costs, decrease the time line or increase the quality of deliverables. In reality it’s not very often that project risks present positive opportunities. Never the less, as project managers we have a responsibility to recognize and act on these risks positive or negative. That’s Project Risk Management.

David Hinde wrote a good article back in 2009 about using the Prince 2 Risk Management technique. Without getting imbedded in any particular methodology, the general approach to project risk management should follow a similar framework and this is as good as any for the purpose of this article:

David talks through a Seven Step process,

Step 1: Having a Risk Management Strategy

This means setting up a process and procedure and getting full buy-in from stake holders in how the organization will manage risk management for the project.

Step 2: Risk Management Identification Techniques

Where do you start in the identification of risks around a project? There are many risk management techniques and David suggests a few which are excellent. However, I like to take a step back and make a list of all the critical elements of a project on the basis of “if this task doesn’t happen will it be a show stopper?”. This helps be build a prioritized list of critical tasks against which I can then consider the risks – what could go wrong to impact this task.

Here’s my thought process on risk identification outlined:

List out critical deliverables
List out, against each deliverable, dependent tasks
List out against all dependent tasks and critical deliverables “any” potential event that could delay or stop the delivery to plan.
Grab a template risk analysis matrix and complete the first pass of assessment – probability v impact for each risk.
Take it to a project meeting and use it as the baseline for brainstorming.
Step 3: Risk Management Early Warning Indicators

Don’t rely on basic performance of the project as an indicator that everything is going well. Status reports showing a steady completion of tasks could be hiding a potential risk.

In risk management a number of other factors need to be on the project managers radar on daily basis. Things that I always look for are delivery dates from vendors – how confirmed are they, is there a movement in delivery dates (you’ll only see this if you regularly ask for confirmation updates from the vendor), resource issues – key individuals taking sick leave or personal leave more often than normal.

Delays in getting certain approvals signed-off by the steering committee or other governance bodies – will this impact orders going out or decisions being made on critical tasks? Getting qualified people in for inspections and certification (new buildings for example require a lot of local regulatory inspections). These are just a few of the daily challenges a Project Manager will face and all can be indicators of trouble to come.

As you gain more experience in risk management you start to instinctively recognize the early warning signs and challenge the culprits earlier in the process. You’ll also finds the a good project manager will build-in mitigation for the common project ailments at the very start, sometimes seeing the tell-tale signs when selecting vendors or suppliers will be enough to select better alternatives and this is what I call dynamic risk management at work.

Also keep an eye on the world around you – economic or geological events elsewhere can have a dramatic impact on local suppliers and supplies of key project materials. For example, flooding in Thailand has impacted the delivery of various computer components that are manufactured there, causing impact in both supply lines and pricing. (Yes, I work in Asia so see this type of impact first hand..)

Step 4: Assessing the Overall Risk Exposure in Risk Management

Taken directly from David’s article as he says this quite clearly – “PRINCE2 2009 gives an approach to show the overall risk situation of a project. Each risk is given a likelihood in percentage terms and an impact should it occur in monetary terms. By multiplying one by the other an expected value can be calculated. Totaling the expected values of all the risks gives a monetary figure that easily shows the exposure of the whole project to risk.”

There are many similar ways I’ve seen risk calculated in organizations variations on risk management. Â As long as there is a common approach for showing all risks, prioritization and impact on a project then risk management will work and add value in protecting the investment in the project. Each project and each organization will have their own requirements in terms of how they want to see risks analysed and presented. By and large it doesn’t matter how this is done, as long as it IS doesn’t and it makes sense in the context of the project and organization. There are risk management tools to help organise and manage this.

In another article I’ll talk more about the Risk Management matrix and show a few examples. In my mind the only wrong way to do this is to not do it at all.

Step 5: Considering the Effect of Time on a Risk and Risk Management

The effect of time when analyzing risks is that the more imminent a risk the higher priority it may take. I say “may” as it may be that a very low priority risk with low impact may be about to happen where as a higher priority risk may be weeks or months away. How do you manage this?

Common sense (of which there is no such thing) would suggest that if the higher priority risks are still a long time away then the imminent lower priority risks should be dealt with first, as a higher priority..? Perhaps?

You’ll have to take a pragmatic view on this, every situation needs to be taken on its merits and in risk management, not being an exact science, you’ll be expected to make judgment calls and discuss options with your client and project board or steering committee. After all, the governance board of a project has a responsibility to steer such decisions so the role of a good project manager should be to collate the facts and present the data with recommendations. Let the higher paid guys make the big decisions.

Step 6: Giving a Clearer Approach to Help Define Risks in Risk Management

David gives an example in his article which I’m struggling to relate to the world of projects as I know them. I think essentially what this focuses on is the “mechanics” of the risks in such a way as to help us understand and look at the cause and effect of scenarios that could lead to the risk happening.

In this way we can focus on the lowest common denominator(s) that will generate the risk and mitigate those items. Is that a little confusing? The principal is, I believe to nip the problem in the bud by recognizing what or where the bud is. Don’t get hung up on this, I would say this is something you’d tend to do naturally as you gain experience in reviewing risks and dealing with risk mitigation (prevention).

Step 7: Focus on Opportunities in Risk Management

Finally – and last but not least, where can we make or recognize risks as opportunities. An example David talks about suggests that, for example, a new release of a software product that would offer major benefits if included in the project would be a possible “positive” risk.

This I can relate to more, with the experience of being asked to change the specification on a traders dealing system half way through a major project because the manufacturer had released a major systems improvement, a completely new model, that the bank saw as a strategic advantage.

The analysis of this risk covered the obvious change in costs, the new system was more expensive, the implementation was zero impact compared to the older system however there was a large element of re-training the trading staff and proving the system for the bank before go live. This became the biggest challenge once the cost differential had been signed-off by the project board.

The additional training time required was squeezed into evenings and weekends so the final project delivery schedule was not impacted – but getting vendor and project resources to support the additional work and making sure the system was fully functional and supported operationally when the new facility went live, added cost and stress that hadn’t been anticipated. This is where risk management and change management overlap – a topic for another article.

The client was happy with the result and additional investment made. Simple risk management gets the job done.

Project Risk Management
Here are those Risk Management Training videos I mentioned at the start. Enjoy!

Risk Management Fundamentals