Why Spreadsheets Don’t Work for Managing Risk Assessments

Microsoft Excel, Google Sheets, and their equivalent software programs are indispensable, and for good reason. These essential spreadsheet applications usually come preinstalled on your computer or are available online for free or at a low cost. They are magical cell edifices that accomplish countless tasks from calculating averages to plotting maps, from writing algorithms to building complex financial models on which critical business decisions are based. Who doesn’t respect the sheer uncanny genius of the Spreadsheet?

But let’s be upfront. Spreadsheets weren’t designed for everything. One thing we’d be better off not using spreadsheets for is risk analysis.

Spreadsheets do provide some nice features that can be beneficial to risk management. But we’ll put it this way: Using spreadsheets as a risk assessment template is a risk in and of itself. It has even been given an official name in the risk management dialect: “spreadsheet risk”.

OK. We said it. Is anybody listening?

Isn’t it surprising that businesses continue to use and rely on spreadsheet risk management? With affordable, agile software and SaaS solutions on the market, why are people still choosing risky spreadsheets as risk assessment tools?

The reality is that just because your spreadsheets are virtually free and so simple to operate doesn’t mean that they don’t come at a very steep cost. Spreadsheets are notorious for errors, which can wreak havoc on critical business processes across an organization, in both the financial and operational realms.

The true cost of risk assessment resources has to be considered in the long term to determine the cost-effectiveness of the solution vs. sticking with spreadsheet programs and their infamous errors. 

Why are Spreadsheets So Error-Prone?

First of all, spreadsheets involve a process of manual input for both raw data and its relevant processing functions. Needless to say, manual operations are very fertile ground for data inconsistencies.

Secondly, spreadsheets mix data and calculation functions in a dangerous concoction. Anybody with even a minimal background in spreadsheet functions knows from experience how easy it is to overwrite a function and replace it with a numeric value. Typing one word in a cell can erase a complex formula that may have taken hours to write.

With a database system, on the other hand, raw data and the execution of functions are two separate areas. As a matter of fact, end users are never allowed to directly touch the database, making it highly unlikely for data to be corrupted. The functions are pre-programmed and executed by the application, so there is no risk of human error being introduced unknowingly.

Common Spreadsheet Errors

Most spreadsheet errors fall into these categories:

  • Mechanical errors

Mechanical errors result from typos, cut-and-paste glitches, or other manual mistakes. At first glance, mechanical errors may seem insignificant. But in truth, bad data input can affect the integrity of an entire system. As the system grows, the errors that are contained within it increase in volume and severity. In the best-case scenario, an error message is generated, and the error is averted.

  • Logic Errors

Logic errors occur when an invalid algorithm is chosen. The resulting flawed calculations affect the entire system as well. These errors are usually not caught by the spreadsheet program because there is nothing inherently wrong with the equation. The error is in the flawed logical calculation you based your formula on. Often, such errors are spotted by an alert user who identifies a result that seems way off the expected result.

  • Omission Errors

Possibly the most common type, omission errors are very hard to spot. In a large project, it is highly likely that a critical data cell will simply not be filled in, and its absence will go unnoticed, skewing the calculation.

In 2020, the UK’s Public Health England (PHE) mistakenly omitted 16,000 positive coronavirus test results due to row limits in Excel. 16,000 people were blissfully ignorant that they had tested positive and continued to expose others to the virus as hospital admissions were increasing sharply. 

Professor Jon Crowcroft from the University of Cambridge commented at the time, “Excel was always meant for people mucking around with a bunch of data for their small company to see what it looked like. And then when you need to do something more serious, you build something bespoke that works – there’s dozens of other things you could do.”

“But you wouldn’t use XLS. Nobody would start with that.”

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Start automating your risk management

Spreadsheet Woes

And How They Compare to Risk Management Software


On spreadsheets, risk managers spend hours and days validating data, writing algorithms, and painstakingly updating values.

With software or cloud-based solutions that were built for risk management and assessment, collected data is captured, mapped to leading security standards, and rendered into real-time reports and conclusions. These platforms also provide actionable insight into security gaps and risk posture.

Security and Accountability

In Excel, errors are hard to trace back to their source, and fraudulent changes that go unnoticed for a long time can be impossible to track, making forensics problematic in case of a cyber incident. With spreadsheets, it’s difficult to know who caused which error, or why.

In risk assessment software solutions, by contrast, access is given to authorized users only. A clear audit trail tracks changes and stores all activity in a log.
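
The separation of raw data from formulas and the audit trail described above, as an added example (not code from Centraleyes or any risk management product). The schema, table names, and the `set_field` and `rejected` helpers are assumptions made for illustration, built on SQLite from Python's standard library.

```python
import sqlite3

# Schema and names are constructed for this example.
SCHEMA = """
CREATE TABLE risk (
    id         INTEGER PRIMARY KEY,
    name       TEXT    NOT NULL,
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact     INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5)
);
-- The formula is a view, so there is no cell a user can type over.
CREATE VIEW risk_score AS
    SELECT id, name, likelihood * impact AS score FROM risk;
CREATE TABLE audit (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    actor TEXT NOT NULL, risk_id INTEGER NOT NULL,
    field TEXT NOT NULL, old_value, new_value
);
-- Append-only: existing audit rows cannot be edited or removed.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""

def open_register():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def set_field(conn, actor, risk_id, field, value):
    """Change one input and record who changed it, in a single transaction."""
    if field not in ("likelihood", "impact"):  # allow-list: safe to interpolate
        raise ValueError(f"{field!r} is not an editable input")
    with conn:  # commits on success, rolls back both statements on error
        row = conn.execute(f"SELECT {field} FROM risk WHERE id = ?", (risk_id,)).fetchone()
        if row is None:
            raise KeyError(risk_id)
        conn.execute(f"UPDATE risk SET {field} = ? WHERE id = ?", (value, risk_id))
        conn.execute("INSERT INTO audit (actor, risk_id, field, old_value, new_value)"
                     " VALUES (?, ?, ?, ?, ?)", (actor, risk_id, field, row[0], value))

def rejected(conn, sql, params=()):
    """True if the database refuses the statement (constraint, view, or trigger)."""
    try:
        with conn:
            conn.execute(sql, params)
    except sqlite3.Error:
        return True
    return False
```

A blank or mistyped input is refused at write time instead of silently skewing the score, and a change that fails validation leaves no audit row behind because both statements share one transaction.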


Spreadsheets do not allow for scalability. They are limited in size and become more cumbersome as they grow. Sometimes, as a spreadsheet grows large, it can literally take minutes to add data because the entire spreadsheet is recalculated with each new data byte. 

Risk Management software solutions are usually built with databases that can be indexed, making queries of thousands of records exceedingly quick. 

Risk Visibility

Spreadsheets are not relationship-based, and linking relevant information to logically similar cells in a different spreadsheet is nearly impossible. This results in redundant entries of the same information over and over again.

In addition, risk management involves connecting the dots across a business landscape for a clear view of risk. That’s a tall order for a spreadsheet.

In a database risk management solution, relationships can be built in during development. This reduces silos and redundant data entry. All data is compiled and analyzed so you can view your risks individually and understand the cumulative risk they pose to your organization.

Migrate From a Spreadsheet to a GRC Integrated Solution 

Excel may have been a great solution for you when your business was just starting. Isn’t it time for a replacement to address and support growing data analytics and business decisions? Centraleyes’ next-gen solution with its centralized database can elevate your risk assessment procedures at all levels of your company.

Learn more about what Centraleyes can do for you.
