• Home
  • About
  • Blog

Automating ISO 27001 Risk Scoring in Python: From Risk Register to Ranked Strategy.

GRC, Risk management

Spreadsheets are powerful. But they are also fragile. When I first worked on an ISO 27001-aligned risk register, it looked structured and complete. Assets were listed. Threats were documented. Likelihood and impact were scored. Controls were mapped to Annex A. Everything seemed organised. But something important was missing: consistency. That's when I decided to automate the scoring model using Python. Not to replace governance, but to strengthen it.

The Problem With Manual Risk Scoring

Risk registers often rely on manual scoring: Even with good intentions, this introduces: Governance works best when it is defensible and repeatable. Automation helps achieve that.

The Model: How the Risk Scoring Worked

The goal was simple: take a structured ISO 27001 risk register and build a consistent, automated scoring engine. The Python-based model: Instead of manually scanning rows, the model produced a prioritised risk list instantly. What changed was not just speed; it was clarity.

Why Impact Was Calculated Using the Worst-Case CIA Value

In ISO 27001 risk assessments, impact is often linked to Confidentiality, Integrity, and Availability. Rather than averaging these values, I calculated impact using the maximum CIA score. Why? Because a severe impact in any one dimension can materially affect the business. For example: Using the maximum value aligns better with real-world risk severity. This small design decision makes the model more conservative and more realistic.

From Risk Score to Risk Category

After calculating RiskScore, the model categorised risks: This step matters. Leadership rarely responds to raw numbers. They respond to thresholds and priorities. By defining consistent scoring bands, the model ensures: Automation removes ambiguity from categorisation.

What the Ranked Output Revealed

Once automated and sorted, patterns became clearer. Assets such as: scored among the highest risks. These are common enterprise risk drivers. The automation did not create new risks. It revealed them clearly. That clarity supports strategic decisions:
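The scoring model the post describes, written out as an added example; this is not the author's code, which the post does not reproduce. It assumes a 1 to 5 ordinal scale for likelihood and for each CIA value, RiskScore = Likelihood x worst-case Impact (so 1 to 25), the category bands in BANDS, and the CSV column names used in the constructed sample register; the post states none of these specifics, so adjust them to your own policy. averaged_impact is included only to show what the averaging approach the post rejects would return for the same row.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Assumed 1..5 ordinal scale for likelihood and for each CIA impact value.
SCALE = range(1, 6)

# Assumed category bands on the resulting 1..25 score; each tuple is
# (lowest score in the band, label), checked from the highest band down.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))

# Constructed sample register (hypothetical assets and values, not real data).
SAMPLE_REGISTER_CSV = """\
RiskID,Asset,Threat,Likelihood,C,I,A,AnnexA
R-01,Customer database,Credential theft via phishing,4,5,3,2,A.5.17;A.8.5
R-02,Public website,Volumetric DDoS,3,1,2,5,A.8.6;A.8.16
R-03,Laptop fleet,Lost or stolen device,4,3,1,2,A.7.9;A.8.1
R-04,Office printer,Consumables run out,5,1,1,1,A.7.10
"""


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int
    confidentiality: int
    integrity: int
    availability: int
    controls: str  # Annex A references exactly as entered in the register

    def __post_init__(self) -> None:
        # Reject out-of-scale values up front: an unchecked 0 or 7 in one
        # cell is exactly the inconsistency a spreadsheet lets through.
        for name in ("likelihood", "confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(
                    f"{self.risk_id}: {name}={value} is outside {SCALE.start}..{SCALE.stop - 1}"
                )


def impact(risk: Risk) -> int:
    """Worst-case CIA value: a 5 on any single dimension makes the impact 5."""
    return max(risk.confidentiality, risk.integrity, risk.availability)


def averaged_impact(risk: Risk) -> float:
    """The alternative the post rejects, kept only to show how it understates risk."""
    return (risk.confidentiality + risk.integrity + risk.availability) / 3


def risk_score(risk: Risk) -> int:
    """Assumed formula: Likelihood x worst-case Impact, giving 1..25."""
    return risk.likelihood * impact(risk)


def categorise(score: int) -> str:
    """Map a score onto a band so every reviewer gets the same label for the same number."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def load_register(csv_text: str) -> list[Risk]:
    """Parse a register export; the column names are the ones in the sample above."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Risk(
            risk_id=row["RiskID"],
            asset=row["Asset"],
            threat=row["Threat"],
            likelihood=int(row["Likelihood"]),
            confidentiality=int(row["C"]),
            integrity=int(row["I"]),
            availability=int(row["A"]),
            controls=row["AnnexA"],
        )
        for row in rows
    ]


def rank(risks: list[Risk]) -> list[dict]:
    """Score every entry and return the register sorted highest risk first.

    Ties on score fall back to impact, then to RiskID, so the order is the
    same on every run instead of depending on spreadsheet row order.
    """
    scored = [
        {
            "risk_id": r.risk_id,
            "asset": r.asset,
            "impact": impact(r),
            "score": risk_score(r),
            "category": categorise(risk_score(r)),
            "controls": r.controls,
        }
        for r in risks
    ]
    scored.sort(key=lambda row: (-row["score"], -row["impact"], row["risk_id"]))
    return scored


if __name__ == "__main__":
    for row in rank(load_register(SAMPLE_REGISTER_CSV)):
        print(f"{row['risk_id']}  {row['score']:>2}  {row['category']:<8} {row['asset']} [{row['controls']}]")
```

Run as a script it prints the ranked register. The sample row R-02 is the worst-case-versus-average point in numbers: its CIA values are 1, 2, 5, so the worst-case impact is 5 and the score is 15 (High), whereas averaging the three would give an impact of about 2.7 and a score of 8 (Medium) for an asset whose availability loss is severe. The validation in Risk.__post_init__ is what makes the model "defensible and repeatable": a value outside the agreed scale stops the run rather than quietly skewing the ranking.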

February 19, 2026

From Spreadsheet to Strategy: How Risk Assessments Support Business Decisions

GRC, Risk management

Amara stared at the spreadsheet longer than she expected. Rows of risks. Columns for likelihood, impact, controls, ownership. Numbers that looked simple at first glance. But the more she worked through it, the more she realised something important: this wasn't just documentation. It was a map of how a business could fail. And more importantly, how it could decide what to protect first.

A Risk Assessment Is Not a Compliance Exercise

Many people see risk assessments as: But when done properly, a risk assessment forces one hard question: What could hurt this business the most, and are we prepared? That question shifts everything. Because risk is not technical first. It is business first. A vulnerability only becomes a risk when it threatens: That's where strategy begins.

When Numbers Turn Into Priorities

In the spreadsheet, each risk had: On paper, it looked structured and calm. In reality, those numbers determine: This is where risk assessment becomes strategic. Because leadership does not act on fear. They act on prioritisation. A well-built risk assessment translates technical concerns into business language.

The Power of Risk Ownership

One column stood out to Amara more than the others: Risk Owner. This is where risk stops being abstract. When ownership is clear: Without ownership, risks sit in spreadsheets. With ownership, they enter conversations. And conversations drive strategy.

Risk Appetite: The Silent Decision-Maker

Another realisation came while scoring risks. Not all high risks are treated the same. Some are mitigated immediately. Some are monitored. Some are accepted. Why? Because every business has a risk appetite. A startup might accept more risk to move faster. A regulated company may tolerate far less. Risk assessment is not about eliminating all risk. It is about making conscious trade-offs. That's strategy.

Controls Are Investments

Each risk in the spreadsheet required a decision: Controls cost time and money. So every mitigation choice is an investment decision. When risk assessments are done well, they help leadership answer: This is how GRC supports business objectives.

Why This Matters in Tech Companies

Tech companies move fast. New features. New integrations. New markets. Without structured risk visibility, growth creates blind spots. A risk assessment: It allows companies to scale without guessing. That's not bureaucracy. That's operational intelligence.

From Spreadsheet to Strategy

At first glance, a risk assessment looks like rows and formulas. But underneath, it represents: The spreadsheet is only the container. The real value is the thinking behind it. Risk assessments are not about filling templates. They are about helping organisations decide clearly and confidently what matters most. And that is where governance becomes strategy.

February 18, 2026


© 2025 TechTakeoff. All rights reserved.
