By Diane Robinette, CEO of Incisive Software
Today’s corporations expose themselves to financial and reputational risk by overlooking spreadsheet vulnerabilities, according to a custom study conducted by Forrester Consulting and commissioned by Incisive Software. The Forrester Opportunity Snapshot study reveals that spreadsheet risk carries real implications not only for organizations, but for customers and shareholders as well. Most frontline workers recognize the risks but ignore them, since risk mitigation isn’t in their purview. Meanwhile, C-level executives make decisions based on data that is assumed to be accurate but can contain errors.
The study also confirmed that spreadsheets remain the dominant medium for business-critical tasks. Almost a third of respondents noted that their organizations use more than 10,000 spreadsheets on a regular basis. Eighty-eight percent reported using more than 100 complex and customized spreadsheets to support their critical business processes. And while there is a very high level of concern with the inherent risk associated with spreadsheets, fewer than 20 percent feel empowered or ready to tackle the problem. For banking and financial institutions where spreadsheets are widely used, this is concerning news. (If it isn’t, it should be.)
The power of Excel
Successful banking and financial institutions are built on a foundation of accurate data. Confidence in the results they generate from complex models is key to making shrewd business decisions, like determining the value of a potential acquisition or investment, budgeting and forecasting, analyzing profitability, and determining risk. More often than not, these critical business decisions rely on data embedded in complex and highly specialized spreadsheets.
Spreadsheets are frequently used for analyzing and providing evidentiary support for key business decisions. For complex calculations where data is continuously changing, and those that require the use of cell functions, Excel is often the go-to tool to get the job done. There is no waiting for IT to make changes to systems, no workarounds necessary and no compromises.
Excel is a powerful and invaluable tool. However, spreadsheets alone are not perfect. By themselves, they provide little-to-no protection against data corruption and no way to validate numbers or check for errors, nor do they offer the transparency financial institutions require in today’s complex regulatory environment.
As noted in the Forrester study, hidden within every spreadsheet is inherent risk. Risk that formulas are not repopulating correctly, risk that coworkers are using different versions of a saved spreadsheet, and risk that information is hidden behind formatting. Despite being flexible and convenient, spreadsheet-enabled processes are manually driven and prone to errors—accidental or intentional.
While the challenges of working within spreadsheets are well known, many do not know how to mitigate risk, so they turn a blind eye. With heightened scrutiny on the banking industry, simply ignoring spreadsheet risk will no longer cut it.
Reining in risk
Regulations such as the Sarbanes-Oxley Act, Basel III, Solvency II, Dodd-Frank Act Stress Testing (DFAST), etc. have forced banks and financial institutions to address spreadsheet risk. However, too often the controls put in place by risk management teams are limited to design review and a loose set of input/output, access and retention controls. They also lack the ability to perform independent reviews that challenge spreadsheet data beyond manual validation processes. While Microsoft Excel has a tool to assist with validation, it is difficult to use and its capabilities are limited. For example, because the Excel tool lacks interactive components (i.e., the ability to click on a particular finding and then be directed to the corresponding cell), users must manually go through each cell to see why formulas are not calculating correctly or working as expected.
A single Excel worksheet can have over one million rows and more than 16,000 columns. Manual validation can take days. Similarly, the sheer volume of spreadsheets, which are not limited to finance departments, makes it impossible to manage each spreadsheet with a high level of scrutiny. This is particularly true for large global banks and financial institutions with multiple subsidiaries.
Without the proper controls in place, spreadsheet data will continue to be used to make strategic business decisions under the assumption that data is accurate, putting customers, revenue and brand at risk. Fortunately, advances in technology enable organizations to overcome many of the aforementioned spreadsheet issues. Automated risk and analysis solutions provide the much-needed insight into potential risk and errors that may be hiding in spreadsheets. However, most banks and financial institutions don’t utilize spreadsheet management solutions simply because they are unaware this technology exists.
Modernizing spreadsheet risk management
Financial institutions must be agile to remain competitive. Business decisions need to be made quickly and must be informed by accurate, timely and consistent information. A requirement for success is to put controls and technology in place to ensure that the data from which executives base their analysis is accurate and complete.
Given the sheer volume of spreadsheets within financial organizations, it is impossible to manage each one with any level of scrutiny. High-risk spreadsheets should be given a heavier focus and reviewed more frequently than those with lower risk profiles. This requires the identification of spreadsheets that are most critical to the institution (i.e., those used for external reporting and high-level business decisions). To speed the process, employ technology that locates all feeder spreadsheets, regardless of where they reside on a network, and risk ranks them. Next, a policy should be put in place, supported by technology, to ensure a consistent model risk review.
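As an added illustration of the risk-ranking step (example code written for this page, not taken from the Forrester study or from any Incisive Software product), the sketch below reads the raw parts of an .xlsx/.xlsm file with the Python standard library and scores it on hidden sheets, cached error cells, formula count, external links and macros. The function names, the score weights and the tiny sample workbooks are assumptions made for the example; locating the files on the network is out of scope.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

def profile_workbook(data: bytes) -> dict:
    """Collect risk indicators from the raw parts of an .xlsx/.xlsm file."""
    # Files are assumed to come from internal shares; for untrusted input,
    # cap decompressed sizes and use a hardened XML parser.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        hidden = [s.get("name") for s in wb.iterfind("m:sheets/m:sheet", NS)
                  if s.get("state") in ("hidden", "veryHidden")]
        formulas = errors = 0
        for n in names:
            if n.startswith("xl/worksheets/") and n.endswith(".xml"):
                for c in ET.fromstring(z.read(n)).iter(f"{{{M}}}c"):
                    formulas += c.find("m:f", NS) is not None
                    errors += c.get("t") == "e"  # cached value is #REF!, #DIV/0!, ...
    return {"hidden_sheets": hidden, "formulas": formulas, "error_cells": errors,
            "external_links": sum(n.startswith("xl/externalLinks/external") for n in names),
            "macros": "xl/vbaProject.bin" in names}

def risk_score(p: dict) -> int:
    """Illustrative weights (an assumption, tune to local policy)."""
    return (p["formulas"] + 5 * p["error_cells"] + 10 * len(p["hidden_sheets"])
            + 20 * p["external_links"] + 20 * p["macros"])

def rank(workbooks: dict) -> list:
    """Return (name, score) pairs, highest risk first."""
    scored = [(name, risk_score(profile_workbook(b))) for name, b in workbooks.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def make_sample(risky: bool) -> bytes:
    """Constructed minimal workbook parts for the demo, not a real file."""
    state = ' state="hidden"' if risky else ""
    cell = '<c r="A1" t="e"><f>B1/0</f><v>#DIV/0!</v></c>' if risky else '<c r="A1"><v>1</v></c>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{M}"><sheets>'
                   f'<sheet name="Feed" sheetId="1"{state}/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{M}"><sheetData>'
                   f'<row r="1">{cell}</row></sheetData></worksheet>')
    return buf.getvalue()

if __name__ == "__main__":
    print(rank({"clean.xlsx": make_sample(False), "feeder.xlsx": make_sample(True)}))
```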
Spreadsheet risk management systems provide the necessary visibility into who is working on the files, how many people are working on them, when something changes, what changed, and who made those changes. Monitoring and tracking this (workflow) information over a period of time provides valuable insight into whether policy compliance is being met. At the same time, it’s significantly easier to identify potential risk. Documenting this information enables financial institutions to demonstrate they are complying with policies and procedures, and that they have the right checks and balances in place.
Automation capabilities that test for accuracy in both formulas and calculations reduce time-consuming, error-prone manual processes. Interactive capabilities provide an easy way to drill down into cells to see why formulas are not calculating correctly or working as expected. Spreadsheet management technology also identifies a lack of audit controls, access authority and other critical oversight mechanisms so changes can be made to repair those gaps. The result is consistent risk management oversight across all spreadsheets.
Maintaining the integrity of spreadsheet data is an arduous task. While many organizations believe they are doing enough to manage data integrity and spreadsheet risk, the Forrester study reveals otherwise. Visibility and transparency into spreadsheets aren’t simply nice to have; they are absolutely necessary. Implementing controls to manage risk associated with business-critical spreadsheets will help prevent more companies from becoming the subject of embarrassing or devastating headlines.
Read the Forrester Opportunity Snapshot to learn how to begin mitigating spreadsheet risk.