This series of articles will give you an overview of how to manage spreadsheet risk. These articles are written by Myles Arnott from Excel Audit.
- Part 1: An Introduction to managing spreadsheet risk
- Part 2: How companies can manage their spreadsheet risk
- Part 3: Excel’s auditing functions
- Part 4: Using external software packages to manage your spreadsheet risk
In the first article in this series we highlighted the risks that poorly managed spreadsheet solutions can introduce to a business. In this article we will demonstrate how companies can manage this risk.
A formal governance framework
The first, and arguably most important, step is to ensure that the senior management team buys into the need for a robust spreadsheet risk management framework, and that they define and effectively communicate their spreadsheet risk management policy.
Spreadsheets identified and catalogued
It is impossible to know the level of spreadsheet risk in an organization without first identifying and then risk assessing all of the spreadsheets. It is therefore necessary to create a catalog of all of the spreadsheets and then to gather the key information about each spreadsheet to enable a risk assessment to be carried out.
The two key factors for determining the spreadsheet risk are the probability of there being an error and the impact that that error could have.
Risk = Probability of an error × Impact if an error were to occur
The probability of error is related to the complexity of the spreadsheet. Complexity attributes differ across companies but include:
- Spreadsheet size (MB)
- Spreadsheet design (hard coded numbers in formulae, poor model structuring etc)
- The number of users
- The use of complex formulae (particularly array formulae, nested formulae etc)
- The number of cells populated
- The number of internal and external links
- The use of VBA
The impact of the error is related to how critical the spreadsheet is within the business. Each company will have a slightly different definition of the impact levels of spreadsheets, but generally:
- A spreadsheet is low impact if it is not used as part of a critical business process and an error would not have a material impact on the business.
- A spreadsheet is medium impact if it contains confidential information and an error could have a material impact on the business.
- A spreadsheet is high impact if it contains highly confidential information and an error would have a significant impact on the business. Spreadsheets used within processes that fall under external regulation (such as Sarbanes-Oxley and Solvency II) are deemed to be of high impact.
Finally, the spreadsheets should be placed in order of risk. Those identified as business critical and high risk should be prioritized for detailed review and placed under control.
This is clearly an on-going process. As new spreadsheets are developed they will need to pass through the risk assessment process as defined by the company’s spreadsheet risk management policy. A periodic review should also be carried out to ensure that all spreadsheets have been correctly categorized.
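As an added example (not from the original article or Excel Audit), the Python below gathers several of the complexity attributes listed above directly from .xlsx/.xlsm packages and ranks a catalogue by probability × impact. The 1-5 probability scale, the 1-3 impact scale, the function names and the sample file names are assumptions; the two workbooks are constructed inline.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
IMPACT = {"low": 1, "medium": 2, "high": 3}  # assumed scale, set by company policy
# Heuristic: a number that is not part of a cell reference such as A10 or $B$2.
LITERAL = re.compile(r"(?<![A-Za-z$\d.])\d+(?:\.\d+)?")

def complexity_attributes(data):
    """Read complexity attributes from an .xlsx/.xlsm package (a ZIP of XML parts)."""
    a = {"size_bytes": len(data), "cells": 0, "formulas": 0, "array_formulas": 0, "hard_coded": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                root = ET.fromstring(z.read(name))  # use defusedxml for untrusted files
                a["cells"] += sum(1 for _ in root.iter(NS + "c"))
                for f in root.iter(NS + "f"):
                    a["formulas"] += 1
                    a["array_formulas"] += f.get("t") == "array"
                    a["hard_coded"] += bool(LITERAL.search(f.text or ""))
    a["external_links"] = sum(n.startswith("xl/externalLinks/externalLink") for n in names)
    a["has_vba"] = "xl/vbaProject.bin" in names
    return a

def probability_score(a):
    """Assumed 1-5 scale: base 1 plus one point per complexity attribute present."""
    return 1 + sum(bool(a[k]) for k in ("hard_coded", "array_formulas", "external_links", "has_vba"))

def rank(catalogue):
    """catalogue: (name, file bytes, impact level). Returns (name, risk), highest risk first."""
    scored = [(n, probability_score(complexity_attributes(d)) * IMPACT[i]) for n, d, i in catalogue]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

def sample(cells, extra_parts=()):
    """Constructed minimal package holding only the parts this scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS[1:-1]}">'
                   f"<sheetData><row>{cells}</row></sheetData></worksheet>")
        for part in extra_parts:
            z.writestr(part, b"")
    return buf.getvalue()

BUDGET = sample('<c r="A1"><v>100</v></c><c r="A2"><f>A1*1.2</f></c>'
                '<c r="A3"><f t="array" ref="A3">SUM(A1:A2)</f></c>',
                ["xl/vbaProject.bin", "xl/externalLinks/externalLink1.xml"])
LUNCH = sample('<c r="A1"><v>5</v></c><c r="A2"><f>A1+A1</f></c>')
CATALOGUE = [("lunch_rota.xlsx", LUNCH, "low"), ("budget_model.xlsm", BUDGET, "high")]
```

Calling `rank(CATALOGUE)` puts the constructed budget model first; the impact level is still assigned by a person, since criticality and confidentiality cannot be read from the file.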
A best practice standard
The company should define its own best practice spreadsheet development standard that is applied to spreadsheets deemed to be medium or high impact. The standard should clearly outline the standards and conventions to which a spreadsheet should be built. New developments can then be reviewed to ensure that they adhere to the standard.
We advocate the use of the Excel Best Practice Standard from the Spreadsheet Standards Review Board (‘SSRB’).
We also recommend that tailored schedules are added to the standard to reflect your specific design standards. For example this could be a specific color scheme, use of logo or the use of specific text within the header or footer (e.g. document security levels).
Testing
A fundamental, but often overlooked, step in the Excel model development cycle is testing. All spreadsheets (but especially business critical spreadsheets) need to be first peer reviewed and then rigorously tested.
It helps to consider the steps that an IT department would take to ensure that something they deliver is correct. It will pass through stages of unit and system testing prior to quality assurance and finally user acceptance testing. So why should a spreadsheet being used for a critical process be any different?
The fact is that no matter how hard we try, humans make errors. The purpose of testing is to identify them and get them resolved before the model goes into the live environment.
Remember that in the first article we highlighted the fact that 94% of spreadsheets and 5% of all formulae within spreadsheets contain errors.
Training
All staff should be trained so that they have sufficient Excel knowledge for their role and to use the spreadsheets that they are responsible for. As part of the induction process all staff should also be taught the company’s best practice standard.
Whilst this sounds obvious, research has shown that few companies prioritize investment in spreadsheet training.
Documentation
A key risk with spreadsheets is that they are often built and used by one individual within a team (often referred to as a “key man dependency”). If this person is ill or leaves unexpectedly the other members are totally reliant on the documentation left behind. From experience this rarely exists.
Each spreadsheet that is used within a process should as a bare minimum have documentation stating:
- the purpose of the spreadsheet;
- how the spreadsheet fits within the process;
- the source of all inputs for the spreadsheet;
- all key assumptions and drivers;
- key calculations;
- distribution list for outputs.
Spreadsheets that are part of a critical business process should have detailed documentation. This should include a technical specification and user notes.
Security
All business critical and confidential spreadsheets should be subject to access control. Security controls can be implemented across three levels:
- Directory level: Only specific individuals have access to key directories
- File level: Confidential and critical spreadsheets should be password protected to restrict access
- Cell level: Non-input cells should be password protected
Change control, backups and archives
To minimize the risk of losing the current version of a spreadsheet and to ensure that the correct version is being used at all times, all business critical spreadsheets should be backed up, archived and subject to change control procedures.
So, in summary...
The characteristics of a well-managed environment are:
- a formal governance framework, sponsored by the senior management team, is in place for all spreadsheet development;
- a catalog of spreadsheets is maintained and prioritized by risk profile;
- a best practice standard is applied to the development of all new spreadsheets;
- all new spreadsheets pass through a formal risk assessment, are peer reviewed and formally tested;
- staff are provided with sufficient training to carry out their roles;
- all spreadsheets and their associated processes are well documented;
- access to critical spreadsheets is subject to security controls;
- spreadsheets are subject to change control and are regularly backed up and archived.
What next?
In the next article we will look at the built in Excel functions that can help you to manage spreadsheet risk.
What about you?
How do you (or your company) manage spreadsheet risk? What best practices and guidelines do you follow? Please share using comments.
Thank you Myles
Many thanks to Myles for writing this series. Your experience in this area is invaluable. If you enjoy this series, drop a note of thanks to Myles through comments. You can also reach him at Excel Audit or his LinkedIn profile.
24 Responses to “Free Excel Risk Map Template”
Why didn't you include the mitigation or risk IDs in the chart?
You can easily add such detail by modifying the TEXTJOIN function. Another way to use them is to add a slicer to highlight all risks that have a specific mitigation strategy or team member assigned to them. I left out those bits to keep the article short.
I tried adding a slicer filter for the mitigation step but the TEXTJOIN is not affected by it. I added a helper column called "Visible" using the AGGREGATE function but I am unable to think of a method to pass that on to the map.
Could you please help, Chandoo?
Thanks
Never mind. I got it working. 🙂
Apologies, I didn't thank you for the file to begin with.
Great concept. thanks!
Awesome.. good to hear that Rajesh and of course you are welcome 🙂
Hello everyone,
Another amazing tutorial, great content and tips! My question is about slicers. How do you add slicers to this matrix? I've added 2 columns in my workbook table (Work Stream and Project Name) and I want to be able to filter (slice) the matrix on Project Name, but having some trouble with this. The slicer works fine in the data table, but how do I connect it to the risk matrix, so that only risk titles show up for the selected project?
Many thanks in advance for your guidance,
MyvJ
Can you create a sheet in live stock market data price change with profit and loss graph with time. which could indicate live profit and loss in each time frame 5minute, 10 minute, 15 minute, 30minute, hourly with some modifications
Hi
I've tried to get your formula to work, but likelihood / impact 1/1 does not seem to work.
Hi Chandoo
Awesome instructions! Thank you so much, this really helped me.
I was wondering if it would be possible to list the Risk ID number along with the Risk Title with a dash in between, rather than a bullet point? I have had a try at this but I keep getting a #VALUE error. I can see it's wrong but can't figure out what it should be instead. If you have time do you mind letting me know what I'm doing wrong?
{=" - " & TEXTJOIN(CHAR(10)&" - ",TRUE,
IF(RiskRegister[Likelihood]=$A17,IF(RiskRegister[Consequence]=F$3,CONCAT(RiskRegister[ID],RiskRegister[Risk Title]),""),""))}
Thank you!
Sally
Hey Sally, You are welcome.
I think the CONCAT inside TEXTJOIN is the culprit. Try this and hopefully you should see the ID too.
{=" - " & TEXTJOIN(CHAR(10)&" - ",TRUE,
IF(RiskRegister[Likelihood]=$A17,IF(RiskRegister[Consequence]=F$3,RiskRegister[ID]&RiskRegister[Risk Title],""),""))}
Hi Chandoo
You're a legend! Thank you so much! I had to make a minor tweak but otherwise it worked perfectly. Here is the tweaked version in case it helps anyone else:
=TEXTJOIN(CHAR(10),TRUE,
IF(RiskRegister[Likelihood]=$A8,IF(RiskRegister[Consequence]=C$3,RiskRegister[ID]&" - "&RiskRegister[Risk Title],""),""))
Thank you again!
Hi, I'm not able to change the formula when trying to add the Risk ID instead of the bullet point.
trying this: ="• "&TEXTJOIN(CHAR(10)&"• ";TRUE;IF(risks[Probability of Occurance *]=$C5;IF(risks[Severity of potential Impact *]=H$8;risks[Risk ID]&". "[Title *];"");""))
Can't see any solution to this.
Thankful for help.
Hi Chandoo,
This is perfect - One quick question, How can I add a hyperlink to the risks - So that I can click on the particular risk and it takes me to the actual row of that item.
Many thanks in advance.
Hi Chandoo,
Is there a way to only display filtered items? Once the list gets big, it's hard to see all the risks.
Kind regards,
SinYen
Hi Chandoo,
Quick question
1) Is there a way to remove duplicates within each risk block?
2) Is there a way to have the results in the chart update based on a filter or slicer?
Thanks a lot
Hi Chandoo,
The risk map is a brilliant tool, and I wanted the risk map to only show Open risks. How can I do that?
Just found this today as I am making a risk matrix as well. I got the formula to work with this, where a risk score is above 30. Risk score = probability*impact*modifier.
So this works flawlessly, ="- "&TEXTJOIN(CHAR(10)&"- ",TRUE,IF('Risk tracker'!G4:G27>=30,IF(Table1[Urgency]="Now",'Risk tracker'!A4:A27,""),""))
I am trying to find a range now. Risk score in between 21-29. I tried using the AND function, but I couldn't get it to work. Is there any way to get this formula to work with a range as mentioned above?
Thanks Eric.
You can't use AND() as it is not able to return arrays. You can try below formula.
="- "&TEXTJOIN(CHAR(10)&"- ",TRUE,IF(('Risk tracker'!G4:G27>=21)*('Risk tracker'!G4:G27<=29),IF(Table1[Urgency]="Now",'Risk tracker'!A4:A27,""),""))
Hello, this template is nice, thank you, but I'm facing a problem when I need to find a range of impact. I can't figure out how.
My actual form is "="• "&TEXTJOIN(CHAR(10)&"• ";TRUE;IF(Table1[Impact]=A8;Table1[Title];"");"")"
Where A8 is number "1" so this formula finds everything with impact 1 and shows the titles.
What I need to get is a range so,
A8 is "1" and A9 is "2" and I need the formula to find all titles which impact is between 1 and 2.
I tried the AND function and so on, nothing worked..
Can you help me please?
I tried everything in your video; in the end I only get the bullet... please guide me through.
Sorted it... I was flash filling the other cells and it took other columns...
I do have another question though... how can I use slicers to filter the content of the matrix, so that it'll show only the departments I select?
The slicer is working fine with the table, but the matrix still shows all the results.
Just want to thank you for this.
It is awesome.
Hello everyone,
I think I accidentally nested my question in another thread. Apologies!
This is another amazing Excel tutorial, with great content and tips! My question is about slicers. How do you add slicers to this matrix? I've added 2 columns in my workbook table (Work Stream and Project Name) and I want to be able to filter (slice) the matrix on Project Name, but having some trouble with this. The slicer works fine for the data table, but how do I connect it to the risk matrix, so that only risk titles show up for the selected project?
Many thanks in advance for your guidance,
MyvJ
This is another amazing Excel tutorial! My question is about slicers. How do you add slicers to this matrix? Please advise