This post first appeared on Risk Management Magazine.
Alongside corporate IT systems, companies and employees often make extensive use of spreadsheets to implement, augment and enhance business processes. While the vast majority of these spreadsheets are only valuable to the specific user, others contain critical data, such as pricing information, foreign exchange information, technical specifications, and business and financial models that are central to the business. However, the lack of effective management and change controls over these spreadsheets means that user errors, stale data or flawed results can pose concrete risks to the business.
Recent cases illustrate the very real risk posed by improper spreadsheet management. This year, for example, Citibank settled charges with the SEC and paid a $5.75 million fine for unauthorized trading. The problem stemmed from a trader using spreadsheets to engage in unauthorized transactions and manage his trading book, rather than using a tightly controlled corporate IT application.
This is not an isolated incident. Earlier this year, U.K.-based Conviviality, owner of the off-license Bargain Booze chain, collapsed after an error in a manually updated spreadsheet reported weaker-than-expected earnings, causing the company to lose 60% of its stock market value in a week. Carillion Plc, a 20,000-employee, multi-million-dollar business, also went bust when, in the absence of adequate IT systems, multiple versions of spreadsheets were used simultaneously by various offices to manage its subcontractor and employee workload, compromising management’s ability to run the business effectively.
In 2016, major U.K. retailer Marks & Spencer inadvertently issued inaccurate company results due to a “double-counting” error in a spreadsheet that led them to report sales had risen by 1.3% in a three-month period, when they had actually fallen by 0.4%. A similar spreadsheet error led Goldman Sachs, which was advising Vista Equity Partners on the acquisition of Tibco Software, to inadvertently value the latter at 18 times the company’s adjusted earnings before interest, taxes, depreciation and amortization (EBITDA) when it should have been 17.6 times EBITDA. The discrepancy may sound minor, but it equated to $100 million.
The common thread in all these events is the combination of human error and a lack of effective spreadsheet management and control. With widespread spreadsheet use for all manner of critical business processes, it is not hard to see why such problems occur. The utility and flexibility of spreadsheets mean people will continue to use them, but the lack of control means that doing so can sometimes undermine the operational, commercial and reputational position of the business.
Overcoming Regulatory Compliance Challenges
Effective spreadsheet risk management can also help companies overcome regulatory compliance challenges like the upcoming Current Expected Credit Loss (CECL) framework for banks or Sarbanes-Oxley (SOX), as the need to control non-standard policies becomes more apparent. With banks and CECL, the challenge is aligning multiple data sources, models, calculations and reports to provide accurate, timely and cost-effective expected credit loss reports to management, shareholders and regulators alike.
Whether a spreadsheet is used as a data source, model or report, banks need to be able to control, audit and report on the accuracy and quality of data in their key CECL spreadsheets. Therefore, a spreadsheet risk management framework is essential, both to successfully implement CECL and to allow the business to make use of the information with the confidence that the data is both accurate and up-to-date.
There has also been a steady uptick in the effort, resource and cost of SOX compliance in recent years. This is partly thanks to a renewed focus on spreadsheets in the SOX process as management, auditors and the Public Company Accounting Oversight Board (PCAOB) fully grasp the scale and significance of the pervasive use of spreadsheets for key business applications and processes.
While spreadsheet risk might be a new focus of SOX, its key principles remain unchanged. The quarterly and annual results reported by U.S.-based companies must be a fair reflection of the underlying business, and senior management must be willing to attest to that. This means that the same level of management control, transparency and auditability needs to be applied to the spreadsheet environment as is applied to the corporate IT structure that underpins other SOX compliance requirements.
Managing Spreadsheet Risk
The risks posed by the spreadsheets and other end-user computing (EUC) solutions that power business-critical processes require a robust management policy, supported by appropriate technology. To that end, companies should:
Go slowly. Do not try to solve all of the organization’s spreadsheet-related challenges at once. Focus on the high-value models first and look to build technology safeguards for them. Then, go down the pecking order based on value of the applications and business priorities.
Locate the data. Spreadsheets fall within the remit of unstructured data, and typically sit outside of enterprise systems. Understand where the business-critical, high-value spreadsheets reside. Aside from being good practice in EUC management, this is also essential to ensure the confidentiality of the data.
Identify the significant spreadsheets. Focus on criticality to identify the most significant spreadsheet models and applications based on the business processes involved. The more business-critical the process, the higher the criticality of the spreadsheet. Also, define significance: Does the spreadsheet carry reputational, financial or operational value? For example, if a particular spreadsheet found on a stolen laptop is published, could it cause reputation damage?
Implement training and awareness programs. Do not underestimate the value of educating employees about the business rationale for EUC policies. Offer computer-based training and use the marketing team to roll out an effective awareness campaign—the more visible the issue, the more effective EUC management will be.
Oversee the effectiveness of policy. Given how quickly new spreadsheets are created, a manual attempt at ensuring compliance with the EUC usage policy is not only impractical, but impossible. Use technology to facilitate control of EUC and spreadsheet management processes.
Redefine policy ownership. Organizations often make the mistake of giving the IT manager the responsibility for the governance of business-critical spreadsheets. This almost never works as these key files sit within the business units and the IT manager is not empowered to drive the activities and governance defined within the policy. Relevant business/department managers are best suited to own EUC usage and management policy.
Self-attestation of controls. Ensure that the organization’s EUC management policy requires employees to self-attest, for the most critical, high-value spreadsheets, that they are implementing the controls outlined in the company’s spreadsheet management policy. This will ensure that they take responsibility for the accuracy and integrity of those spreadsheets.
Integrated approach to risk. Integrate spreadsheet risk-related processes into the business’s wider risk management strategy. This will provide transparency around spreadsheet management and ensure that wider governance structures are appropriately incorporated into EUC processes as well.