Research: Do Spreadsheets Undermine Risk Management? -

Despite having a governance, risk and compliance solution in place, nearly half of organizations rely on spreadsheets as their go-to IT risk management tool, a new study found.

More than half completely shun using a GRC solution to manage their IT risk, despite advances in risk management technologies and the involvement of senior management, MetricStream said in its new IT Risk and Compliance Survey. Nearly 70 percent of organizations do not quantitatively manage their IT risk, the San Jose, California-based governance, risk and compliance specialist said.

Here are five key findings from the study:

1. On risks/threats.

Organizations rated denial-of-service attacks as their top risk/threat during the past two years, followed by compliance violations/regulatory actions and social media spoofing.

2. On C-suite visibility.

70%: Senior management and leadership help establish the strategic direction of the IT risk management program.

29%: IT risk program involves the chief information security officer (CISO).

3. On IT risk program maturity.

69%: Organizations are not quantitatively managing their IT risk program.

31%: Conduct IT risk assessment reviews quarterly.

15% : Conduct monthly reviews.

4. On IT risk management tools.

45%: Use spreadsheets even if they have an IT GRC solution in place.

54%: Don’t use any IT GRC solution to manage IT risks.

5. On 2021 top priorities:

38%: Plan to increase IT risk management spend.

Investment priorities: IT security solution, compliance with federal and government regulations, IT security data aggregation and reporting.

“Despite breakthrough advancements in artificial intelligence, machine learning and other advanced risk management technologies, the weakest links, spreadsheets, underpin a majority of enterprise risk management programs,” said Gaurav Kapoor, MetricStream chief operating officer.