Businesses aren't prepared for spreadsheet risk
More than half of organisations don’t have a robust policy governing the use of spreadsheets, or end-user computing (EUC) tools, and are therefore opening their business up to serious operational risk.
According to a recent poll of risk professionals commissioned by EUCplus, 53% of firms are failing to take control of their EUC applications: that is, software, usually spreadsheets, built by non-programmers on a user's desktop rather than by the IT function.
This is an alarming figure, especially given that more than 47% of respondents said their organisation relied on more than 1,000 spreadsheets for day-to-day operations, and 30% admitted that more than a quarter of the spreadsheets in use were critical to the running of the business.
In the poll, 53% of respondents said their company did not have a robust EUC policy, and a further 14% did not know whether their firm had one. The poll also found that 23% of those questioned could not say what proportion of the spreadsheets used in their organisation were critical to the running of the business, which means they cannot know which ones need controls.
While there is no doubt that spreadsheets are indispensable for many functions, these figures highlight the lack of structure and governance around their use. Spreadsheets are often chosen for financial reporting, ad-hoc analyses, personal data tracking, numerical data recording and many other data-related activities. Because they are flexible, they can be developed quickly and manipulated easily – and therein lies the problem.
Flexibility is a positive when it works well, but also an opportunity for problems when it doesn’t. A raft of large organisations, including JP Morgan, Societe Generale and more recently Canopy Growth and Carillion, have suffered substantial losses, both to their finances and their reputations, at the hands of their spreadsheets. Failing to take control of your spreadsheets and the data within them is, we believe, tantamount to riding a motorcycle without a helmet.
So, what should companies do to avoid falling into the trap of spreadsheet mismanagement? The key is to implement an effective end-user computing framework, a formal certification/attestation policy, and software that can inventory and control the spreadsheets themselves. Such a framework not only helps ensure regulatory compliance but also reduces or prevents fraud, accidental errors and misreporting. It also demonstrates best-practice risk management and ultimately provides evidence to the company's board that the issue is being taken seriously.
For corporates, large and small, spreadsheet risk management is primarily an exercise in ensuring the financials are correct. For financial services firms, however, the implementation and preservation of appropriate end-user computing controls is referenced in a range of relevant regulation, including Sarbanes-Oxley, MiFID II, Solvency II and the Senior Managers and Certification Regime (SMCR). It is the threat of non-compliance, with the ensuing fines, damage to reputation and inability to conduct business correctly, that has brought end-user computing to the fore for these firms. SMCR in particular is making senior managers pay attention, as the responsibility for compliance ultimately lies with them personally.
Still, being aware of the issue alone is not enough. Firms need to develop a formal certification/attestation policy and then robustly implement the framework and policy to ensure ongoing compliance. This is particularly important given the increased cost pressures and competition at the moment. Staying ahead of the game and on top of all regulatory and reporting requirements has never been more important.
By focusing on this critical area in an efficient and cost-effective way, you are future-proofing your business by providing a clear framework that can be used as a benchmark for future development. It demonstrates that you understand the importance of taking control of your business-sensitive information and preventing mismanagement issues.
After all, who wants to end up in the headlines for understating losses by CA$103m (£58m), as happened to Canada's Canopy Growth in late February 2019, or to lose US$6bn (JP Morgan) or €4.9bn (Societe Generale) as a result of spreadsheet errors that could have been avoided had the right framework been in place?
The poll was commissioned by EUCplus and conducted at the Cefpro New Generation Risk conference in London on 13 March. The respondents were all senior operational risk professionals at director level or above.