Five pitfalls to watch out for when you conduct a risk assessment with Excel

The risk assessment is one of the most important parts of rolling out an information security management system (ISMS). That’s because the risk assessment provides the foundations for treating and managing identified risks.

Get it right and the findings will make a significant difference to your organisation’s information security strategy. Get it wrong and you may find yourself without a job very quickly.

The risk assessment is quite complicated and multi-dimensional. It needs to take into account many elements, such as assets, threats, vulnerabilities and controls, the likelihood and impact values of those risks, as well as reporting and analysis.

But Excel is trusted by millions…

Companies often use Excel when tackling the risk assessment because they see it as a cost-effective and stable tool to help them get the results they need.

What they don’t consider is that Excel was built for accountants, and despite being trusted by business professionals for more than twenty years, it wasn’t designed to deliver a risk assessment.

If you’re still using Excel for risk assessments, let me tell you why I think you should probably reconsider.

For one, the task of setting up a fool-proof risk assessment framework in Excel is a demanding one, and it takes a lot of skill to get it to ask the questions required to get accurate and thorough results.

Here are a few other reasons an Excel-based risk assessment can leave you wanting:

  1. Excel is unyielding

Building a robust risk assessment in Excel will leave you with several hundred rows of data (at least), making risk analysis and reporting difficult and cumbersome.

Moreover, assigning actions to the hundreds of rows of data can leave even the most seasoned risk assessor the worse for wear.

vsRisk’s simple and user-friendly interface, combined with a new dashboard and multiple types of reports, enables you to view the data and the actions required in different formats without being overwhelmed.

  2. Excel does not include databases

Without a prepopulated list of threats and vulnerabilities it is easy to overlook certain severe risks, which can be detrimental to even the best of information security plans.

vsRisk includes several databases that will help you identify threats and vulnerabilities separately or combined as a total risk, enabling you to have greater visibility of all of the potential risks.

  3. Excel is prone to input errors

Anyone who has used Excel will know that it’s easy to make serious errors at the cell level because of the many variables that need to be calculated.

In fact, even experienced Excel users can testify that Excel can go from being elegantly simple to increasingly difficult as data is refreshed, new data is added or changes are made.
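To make the input-error point concrete, here is an added example (not vsRisk code, nor anything from the original post) of a small risk register that enforces pre-configured likelihood and impact scales instead of trusting whatever lands in a cell. The scales, bands and sample rows are constructed for illustration; off-scale values and blank asset fields are reported rather than silently turned into a number.

```python
# Risk register with enforced input rules (added illustration, not vsRisk code).
# Pre-configured criteria (constructed): assessors must use these scales, not free text or numbers.
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_BANDS = [(1, 4, "low"), (5, 9, "medium"), (10, 14, "high"), (15, 25, "critical")]
REQUIRED = ("asset", "threat", "vulnerability")

def parse_row(row: dict) -> dict:
    """Turn one spreadsheet-style row (all strings) into a scored risk, rejecting anything off-scale."""
    for field in REQUIRED:
        if not row.get(field, "").strip():
            raise ValueError(f"missing {field}")
    like = row.get("likelihood", "").strip().lower()
    imp = row.get("impact", "").strip().lower()
    if like not in LIKELIHOOD_SCALE:
        raise ValueError(f"likelihood {row.get('likelihood')!r} is not on the agreed scale")
    if imp not in IMPACT_SCALE:
        raise ValueError(f"impact {row.get('impact')!r} is not on the agreed scale")
    score = LIKELIHOOD_SCALE[like] * IMPACT_SCALE[imp]
    band = next(name for lo, hi, name in RISK_BANDS if lo <= score <= hi)
    return {**{f: row[f].strip() for f in REQUIRED},
            "likelihood": LIKELIHOOD_SCALE[like], "impact": IMPACT_SCALE[imp],
            "score": score, "band": band}

def load_register(rows: list) -> tuple:
    """Return (accepted risks, per-row errors). Bad rows are reported, never silently coerced."""
    risks, errors = [], []
    for n, row in enumerate(rows, start=1):
        try:
            risks.append(parse_row(row))
        except ValueError as exc:
            errors.append(f"row {n}: {exc}")
    return risks, errors

# Constructed sample rows, as different departments might type them into a shared sheet.
SAMPLE_ROWS = [
    {"asset": "HR database", "threat": "ransomware", "vulnerability": "unpatched server",
     "likelihood": "Likely", "impact": "Major"},
    {"asset": "Payroll share", "threat": "insider misuse", "vulnerability": "broad permissions",
     "likelihood": "4", "impact": "severe"},          # numeric shortcut, not the agreed scale
    {"asset": "", "threat": "phishing", "vulnerability": "no MFA",
     "likelihood": "possible", "impact": "moderate"},  # asset column left blank
]

if __name__ == "__main__":
    accepted, problems = load_register(SAMPLE_ROWS)
    for r in accepted:
        print(f"{r['asset']}: score {r['score']} ({r['band']})")
    for p in problems:
        print("rejected", p)
```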

  4. Excel doesn’t deliver one version of the truth

For a risk assessment to be completely representative, it needs input from key individuals across the business. Maintaining one version of the truth with input from multiple departments can be problematic when you’re using Excel.

Even with tools like SharePoint, there is a lot of room for misinterpretation when using spreadsheets.

With vsRisk, the lead risk assessor has administrative rights, enabling full control over the outputs, and the monitoring of changes through an audit trail. The Network and Multi-user versions of vsRisk also provide a robust back-up functionality.

  5. Excel is open to misinterpretation

If you are using the risk assessment for audit purposes, then the results you produce should be consistent, valid, comparable and repeatable, year after year. With Excel, these elements can easily be compromised when the risk assessment changes hands as a result of regular developments such as staff turnover.

With a software solution like vsRisk, the risk assessment results will remain consistent because the risk criteria are pre-configured by the organisation, ensuring that consistent results are produced every year.

Spreadsheet-based assessments take time to complete and analyse, and the risk of getting it wrong is pretty big. It’s probably not worth all that time and effort when it’s so easy to make a mistake.

Free whitepaper download: 5 Critical Steps to Successful Risk Assessments

Get the low-down on how to successfully conduct a risk assessment by downloading this free whitepaper now.
