The Workaround IS the Workflow Finding Risk in Post-it Notes and Unofficial Spreadsheets

Published on: Sat Jun 28 2025 by Ivar Strand

The Workaround IS the Workflow: Finding Risk in Post-it Notes and Unofficial Spreadsheets

There is a fundamental truth in any organization: when the official, approved process is more cumbersome than it is useful, staff will invariably invent their own informal methods to get their work done.

For an auditor or an independent monitor, these informal workarounds are not minor deviations from policy. They are a critical signal that the de facto workflow—the way things are actually done—has diverged from the formal de jure process. In many cases, we find that the workaround has become the real workflow, and it is here that unmanaged risks accumulate.

Workarounds as Organisational “Desire Paths”

In landscape architecture, the term “desire path” refers to the worn-down tracks of earth that appear across a grassy field, marking the most direct route that people take despite the existence of paved, right-angled walkways. These paths are empirical evidence of the gap between the official design and actual human behavior.

Unofficial spreadsheets, shared password lists on Post-it notes, and financial approvals conducted via WhatsApp are the “desire paths” of an organization. They are not typically born of malicious intent. They are rational adaptations created by staff to compensate for a formal process or a technology platform that is inefficient, poorly designed, or ill-suited to the practical demands of their work.

The Unmanaged Risks of “Shadow IT”

While often created to improve local efficiency, these informal systems constitute a form of “Shadow IT” that operates entirely outside the organization’s formal control environment. This creates significant vulnerabilities.

• Data managed in unofficial spreadsheets is not subject to the security, access control, and backup protocols of a corporate system.
• Shared passwords, often used to bypass restrictive or clumsy permission structures, destroy the principle of individual accountability.
• Approvals and key decisions made over informal messaging channels leave no auditable trail, making forensic reconstruction impossible.

The controls documented in the official manual become irrelevant if the real work is happening in a parallel, uncontrolled ecosystem.

How to Identify the Signs of Systemic Workarounds

An experienced monitor does not just audit the formal system; they look for the tell-tale signs of these desire paths. The existence of a systemic workaround is often a more important finding than a minor deviation within the official process, as it points to a more fundamental design failure.

Here are some common indicators we look for:

1. The Proliferation of “Tracker” Spreadsheets. When teams maintain their own complex spreadsheets to track the status of procurements, payments, or approvals—items that are supposedly managed by the official enterprise system—it is a clear sign that the formal system is not providing them with the timely or accessible information they need.

2. Physical Evidence of Shared Credentials. A Post-it note with a password, or a list of logins taped to a desk, is direct evidence that the official process for accessing systems is too cumbersome. It often indicates that staff are sharing credentials to cover for colleagues or to bypass a restrictive permissions model.

3. Heavy Reliance on Informal Communication for Approvals. If managers are regularly being asked to provide approvals via email or a messaging app, it indicates that the formal notification and approval queues within the main system are inefficient, unreliable, or not trusted by the staff.

4. Routine Data Exports for Manual Manipulation. A clear sign of a failing system is a business process that starts with “First, I export the data to Excel…” If staff must regularly extract data for manual cleaning, reformatting, and analysis, it means the system’s own reporting capabilities are not fit for purpose. The real analytical work is happening in the workaround.

Conclusion

Workarounds should not be seen merely as a compliance issue on the part of staff. They should be seen as a critical source of intelligence about the failures and friction points of the official, de jure process.

Effective independent monitoring must be attuned to these signals. The discovery of a systemic workaround is a finding of the highest order. It provides a clear mandate not just to correct a deviation, but to address the root cause and redesign a formal process that is not only compliant, but also practical for the people who must use it every day.