Are your Risk Registers too risky?


August 20, 2020

Approximately twenty years ago, during a pitch meeting to sell a very early enterprise risk software application, a senior banker told me they used spreadsheets for most of their risk management processes. He concluded this meeting with the statement "the city runs on spreadsheets, and that won't change soon".

As I look around me today, my iPhone has replaced my much-loved Palm Pilot and Nokia 3310. Connecting to the internet is seamless and no longer accomplished by the once-familiar sound of a dial-up modem. And rather than starting my day running across the city, going from meeting to meeting, I am productively Zooming and Teaming from home, overlooking the green and sunny Hampshire countryside.

But as I get off another Teams meeting, with another capital markets firm discussing their approach to enterprise risk management, including their widespread use of spreadsheets, I realise one thing.

Despite all the technology change around me, one thing has not changed: spreadsheets are still the most widely used risk management technology today.

Surprisingly, boards and executive teams continue to accept the widespread use of spreadsheets as the underlying technology of many vital risk management processes. Perhaps they don't realise it's happening?

This is particularly pertinent when you consider the long history and numerous examples of significant errors in decision-making which resulted from errors in spreadsheets.

Additionally, various research reports have found that large spreadsheets (typically those with more than 10,000 cells) contain material errors. The European Spreadsheet Risks Interest Group has found that more than 90% of spreadsheets contain errors. They also found that 50% of spreadsheet models used operationally in large firms contain material defects.

In a previous blog, I talked about the concept of grey rhino risks.

Grey Rhino entered the risk management lexicon via Michele Wucker and her book, The Gray Rhino: How to Recognise and Act on the Obvious Dangers We Ignore.

Wucker characterised a Gray Rhino as a highly probable, high impact yet neglected threat.

Based on this definition, the long history of poor decision-making based on error-prone spreadsheets and the research cited above, I will conclude with two points:

1) The use of spreadsheets to support enterprise risk management processes is a Gray Rhino risk. Should this risk crystallise, it could be very damaging from a financial, operational and reputational perspective.

2) Using spreadsheets to manage your risk register, other risk processes and risk data is paradoxically very risky.

It is time to act. Boards and executive teams should grasp the nettle and challenge their teams to eliminate spreadsheets in risk management and tame this particular Gray Rhino.