By Ralph Baxter, CEO of ClusterSeven
One of the unwritten truths of the modern financial world is the fundamental reliance on spreadsheets for managing business critical data and information. It is unsurprising to find financial institutions such as retail banks, pension funds and insurance firms running hundreds of thousands, millions even, of active spreadsheets – usually Excel – and why? Because they are flexible, easy to use and practical.
However, the ubiquitous nature of spreadsheets means errors creep into data systems all too easily: ‘fat finger’ syndrome, outdated assumptions, poor cut ‘n’ pasting, miscalculations, fraud, corrupted files, erroneous formulae – all these blunders and others mean that data held in spreadsheets can be far from correct.
These significant risks are, unsurprisingly, now being discussed at the very highest levels by key financial regulators such as the Federal Reserve in the US and the Basel Committee on Banking Supervision in Switzerland, among others.In January, for instance, the Basel Committee released the report Principles for Effective Risk Data Aggregation and Risk Reporting – the first time that spreadsheet management has ever been specifically mandated at such a high level.
ClusterSeven has understood this reliance on spreadsheets since the firm was set up back in 2003 specifically to help financial services institutions manage their vast estates of spreadsheets and similar databases. In February of this year, the firm conducted major research on C-level executives and senior managers working in financial services in the UK and found that, despite a profound use of spreadsheets, many people still have poor attitudes to business critical data managed in spreadsheets and similar databases.
Half (51%) of C-level executives said there are either no usage controls at all or poorly applied manual processes over the use of spreadsheets at the firms. Nine in ten (89%) admitted they rely on manual oversight to maintain data integrity, with only one in 10 (11%) saying there was an automated control policy that allows them to fully understand changes between different versions of spreadsheets and see a clear audit trail for data.
Spreadsheet risk rated ‘very serious’
The findings are surprising given that 55% of C-level executives rate spreadsheet risk – the risk of serious financial/reputational loss from poor management of corporate spreadsheets and databases – as either ‘very serious’ or ‘serious’. Moreover, around one in seven (15%) admitted their firm has suffered a ‘significant’ data breach due to poor management of data held in spreadsheets.
In an indication of the significant role spreadsheets play in the modern financial services industry, one in five (19%) C-level executives said that they use spreadsheets to manage values of over £1bn, with the average from all respondents at £350m. Over nine out of 10 (93%) use spreadsheets as much as, or more than any other applications for managing financial data with over half (53%) saying that they either only use spreadsheets or use them more than other applications for managing financial data.
The research by ClusterSeven confirms two things: firstly, that financial services firms, and the senior managers and executives that run them, rely heavily on spreadsheets for much of their business critical processes; and secondly, that spreadsheets remain highly susceptible to errors.
The study also comes in the wake of recent, high-profile losses announced by financial services firms attributed to poor spreadsheet management.These losses are tangible, real-life indications of the dangers and risks firms are exposed to, and it is not surprising that regulators and supervisors such as the Basel Committee are now focusing on spreadsheets as a fundamental carrier of corporate data.Indeed, the research reveals that over half (51%) of C-level executives think that regulators will become more focused on spreadsheets over the next 12 months.
Spreadsheet risk rated ‘very serious’
The good news is that many financial services firms are making steps to better manage their spreadsheets risks.
ClusterSeven, for instance,has developed a range of market-leading software products that provide oversight and transparency of a firm’s databases and spreadsheets, now has a third of the world’s top 30 banks as clients as well as a number of leadings insurers and asset managers, and the firm has noted a clear shift in sentiment. Internal audit and other key functions are beginning to better assess the effectiveness and efficiency of the internal control, risk management and governance systems and provide assurance on these systems.
Nevertheless, many people will be astonished just how reliant firms still are on spreadsheets and similar databases for their day-to-day processes given how many billions of dollars have been invested in standard financial applications, such as ERP and Business Intelligence.
Another key aspect of this debate is time. Senior managers, including C-level executives, are also spending significant amounts of time on spreadsheets and managing spreadsheet risks. Where this manual activity is part of routine processes much of this effort can be easily replaced by automated checks using spreadsheet management technology.
The automation of all the manual checks that employees would otherwise conduct not only saves the time of expensive employees, it can be done far more regularly/consistently. Some checks require no input from the business (e.g. alerting the appearance of cell errors). Other checks require more attention (e.g. that static data has not been changed and that dynamic data – such as foreign exchange values – have changed).
How firms find, control and deal with data errors forms a key part of the focus by regulators on managing business critical risks. While in the past many financial institutions and firms have simply waited until an major event happens before looking more closely at their systems, looking ahead a defence of misunderstanding, ignorance or denial will no longer be deemed acceptable.