Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.



411 University St, Seattle, USA

+1 -800-456-478-23

Third-Party Risk Management
Spreadsheets Anonymous

Problems with using Spreadsheets to Measure Vendor Risk

Vendor Risk Management Accuracy is all that Matters!

Many organizations utilize spreadsheets to measure their internal security posture and vendor risk.  We get it – spreadsheets are simple, convenient, and it comes with the office suite that you have on your computer.  Unfortunately, it does not scale and gets out of hand quickly.

Let’s look at the internal side first.  Many people have exported security frameworks and regulations to Excel and other spreadsheet applications.  You can easily add a column to state whether or not your organization has a control in place.  Once your organization starts using the document more, things start falling apart. 

Measuring vendor risk with spreadsheet questionnaires is not any better. 

Here are the top five issues:

  1. Point in Time Review – It’s tough to show improvements over time with the spreadsheet unless you get very creative.  Generally, the spreadsheet shows the security posture at only a single point in time.
  2. Updates – When the frameworks, regulations, or vendor questionnaires change, a new spreadsheet must be developed and the work redone.
  3. Multiple Users – Sharing the file amongst multiple people may be difficult with concerns over individuals making changes at the same time, version control, and storage of the file.
  4. Macros – Many of the complex spreadsheets use macros which can lead to security issues as malware often utilize macros to execute.
  5. Scale – The spreadsheets may work well for keeping track of a few risk items, but not your entire security posture or all of your vendors.  It quickly becomes difficult to manage, annoying to share, upkeep is tedious, and it cannot show trends and improvements.

We’ve all been through the pains of using spreadsheets to measure vendor risk and that is one of the reasons why we built Velocity (https://www.velocitysec.com).  To highlight these spreadsheet inefficiencies, we also created a “Spreadsheet Anonymous” support group video.  Everyone that has been in this spreadsheet nightmare will enjoy this humorous video :-).

For a look at how Velocity helps companies manage their security posture and vendor risk:

Book a Demo of Velocity to Learn about Vendor Risk Management Accuracy


Jon Sternstein