Yes. It's worked for organizations I know. I'm not certain a spreadsheet is necessary, because although there may be a number of issues which come from the SWOT, it's going to be pretty obvious which ones need a plan to be worked on. The tracking etc I'd have thought could be achieved through the management review process. All the posts I've seen where risk registers and such like are mentioned, sounds to me as if the whole thing is being approached from the point of view of a risk management professional (aka ISO 31000) which can help make a mountain from small creature hills.