When spreadsheets are enough for risk management


Third-party vendors are crucial to a company’s success, but they inherently create risk and require monitoring to ensure their vulnerabilities don’t develop into a bigger problem like a data breach. Responsible companies monitor their third-party risk, and many do it with a combination of manually-updated spreadsheets.

Are spreadsheets enough to manage vendor risk?

Smaller operations may be able to get by with a basic, homegrown system. Risk managers are often familiar with their industry's regulatory landscape and can monitor their vendors in a way that works for them. They don't have to conform to a specific set of rules or force their risk management into rigid GRC software. The spreadsheet's very simplicity means they can make the process completely their own.

Many factors can be easily tracked in a spreadsheet. Risk managers know not to classify a SaaS provider with access to sensitive data in the same grouping as the vendor hired to clean its offices, and will often review a vendor’s internal policies and procedures before ever signing a contract. It’s also easy to track certifications in a spreadsheet, identifying which vendors have external audit certifications such as SOC1 or SOC2.

However, when medium- and large-sized companies rely on spreadsheets, they can find themselves unable to assess their full landscape of vendor risk across the whole company. When multiple departments each keep their own spreadsheets to manage their third-party relationships, it becomes difficult to consolidate the fragmented risk data, and information silos result. The resulting system becomes overwhelmingly complex, filled with excessive redundancies in some areas and scarily little oversight in others. Ultimately, large companies (or any company with multiple departments working with third-party vendors) set themselves up for failure with a spreadsheet-based system.

Small and large companies alike also leave themselves open to human error when developing a spreadsheet-based system from the ground up. Various studies show 88 percent of all spreadsheets have significant errors, leading to lost company revenue, increased probability of a data breach and, in many cases, the termination of the employee who was responsible for maintaining the spreadsheet. After all, one small typo in the spreadsheet of a large company can cost billions, and can create losses for smaller companies from which they may never be able to fully recover.

It’s time to get rid of the spreadsheet

No matter the size of a company’s vendor landscape, it needs more than an accident-prone spreadsheet-based system that prevents the sharing of information between departments. Especially when departments are potentially dealing with the same sensitive data in different applications or use cases, they need a holistic view of how that information is being shared with all vendors, not just the vendors for which they are responsible.

A centralized vendor risk management system is a must-have for enterprise-level organizations. The bird's-eye view provided by a centralized system removes information silos and unnecessary redundancies, allowing each individual within the system to address issues or comments directly related to their area of responsibility. As a result, a business can be more compliant, having a better overview of its entire vendor risk landscape than would be possible with a spreadsheet-based system.

The Benefits of a Centralized Risk Management System

With a centralized system in place, a company will find itself far more capable of communicating with its vendors in a meaningful way. Anyone in the business with access to the vendor risk management system can take a snapshot of its entire risk landscape and better understand how to communicate with specific vendors in the context of risk management. Clarity into vendor processes leads to better decision-making. By implementing holistic risk management practices, companies will better track their vendor relationships and develop safer, more effective operations.

Good risk management systems allow users to not only track vendor activities, policies, and interactions, but also enable the company to use automated risk scoring as a way to predict how a vendor relationship might result in a vulnerability. By placing quantifiable, accurate scoring on vendor policies and operations, a centralized risk management system will allow a business to stay steps ahead of vulnerabilities, enabling them to close gaps before they ever develop into larger problems.

Regardless of industry, regulatory landscapes are rapidly changing. Unlike a spreadsheet-based system, a centralized application can easily adjust when regulations change and vendor relationships need new variables considered. To stay in compliance at all times, a well-built, flexible system will provide much-needed consistency in industries surrounded by regulatory uncertainty.

For certain smaller companies, a spreadsheet might be enough to track vendor risk. All companies, however, can better track their vendor risk with a system built to provide clear insights, allow safe information sharing and adjust to changing regulations. Even if a spreadsheet is good enough, it’s never the best option. By abandoning the spreadsheet and implementing a centralized vendor risk management system, organizations will save time and safeguard resources.

About Jon

Jon is the Co-Founder and Chief Product Officer of LogicGate.
