Spreadsheets and Risk Management

Spreadsheets are no longer fit for the purpose of Risk Management.

One of the most popular computer applications used in the workplace is Excel. Its growth in popularity over the last 30 years has made it an indispensable application for most businesses. It is used in many scenarios, from simple lists of tasks to do in a project to complex financial models on which many business decisions are made. It is useful for collecting data, quickly turning that data into graphical images and distributing the information to a wide audience.

But its proliferation has also given rise to the expression “spreadsheet risk”. Indeed, many regulators around the world have expressed concern about the reliance on data that stems from spreadsheets because of the “manual process” involved and the ease with which data can be simply incorrect or fraudulently entered. One of the more high-profile examples of this was an enforcement action (fine) issued by the CBI on an insurance company in December 2018. In its report, the CBI stated:

The Central Bank’s investigation found that a large number of manually maintained spreadsheets were used in the financial reporting process which increased the risk of errors, omissions and manipulation of figures being reported by the Finance function.

The Problems with Spreadsheets

While spreadsheets have enabled many processes and the construction of many models, there are several issues that one needs to be cognizant of when using them:

Errors: There may be errors in the formulae, there may be errors in the data itself. Who can see?

Consistency: One spreadsheet sent to 10 people can quickly become 10 different spreadsheets.

Control: The ability to limit who can modify what cells (data) is inadequate in spreadsheets.

Integrity: What is the latest version? Where is it stored? Is it backed up?

Confidentiality: With multiple versions of spreadsheets stored in multiple locations, it’s difficult to maintain confidentiality of the information therein.

Process: Involving more than one person in the completion of data input into a form can become cumbersome and difficult to control.

Accountability: Lack of ability to see who completed / changed what data makes it impossible to enforce accountability.

Relationships: Spreadsheets are not relational databases, so it becomes extremely burdensome to link related information in a logical fashion, often requiring repeated entry of the same information.

Spreadsheets and Risk Management

One of the popular uses of spreadsheets is in the management of risk. Assessment forms can be created and formulas entered to calculate the level of risk. Sending these forms out to the “users” and getting them to fill in the answers/details serves to collect much data on the risks and controls that are present in each department. Advocates of spreadsheets for risk management will quote the low cost of the application and the ubiquity of skills in using them. However, to ignore the time required to construct the forms, formulas and reports, gather the information and aggregate it into one single data repository is to underestimate a significant (time) cost in the spreadsheet-based risk management process.

The Solution for Risk Management

Managing risk in an organisation is everybody’s responsibility. Everybody engaged in an activity that requires decisions is assessing and managing risk on a continuous basis, often subconsciously. When an organisation has a desire or obligation to formally manage the risks that threaten the achievement of its objectives, it is important that the complete picture of all risks is captured and available to the Senior Management Team. To facilitate this holistic approach, an application that can support the collection, collation and reporting of all risks in all areas is highly desirable.

Specifically, the use of a database-driven solution will ensure that the problems associated with spreadsheets can be mitigated:

Errors: Formulae are hard-wired and have been subjected to a rigorous verification process. Data entered is validated at the point of entry and rejected if out of bounds.

Consistency: Forms and data fields are embedded in the application; users cannot change these.

Control: Database-driven applications have in-built access control functionality that enables access rights to be tailored to the needs of individuals.

Integrity: Risk Management applications that are installed on controlled servers are subject to the same stringent controls as, say, an email server. Data can only be changed through the application by duly authorised individuals.

Confidentiality: The risk management application and associated data are stored in a single location and protected by firewalls and access controls (username & password), thereby restricting who has access to what.

Process: Applications are designed for multiple-user use and through a combination of access rights and user roles the ability to add or modify records is strictly controlled. In addition, automated actions can be programmed to happen when certain conditions are met. This semi-automation of processes greatly simplifies the process and reduces human intervention.

Accountability: In database-driven applications, the access to records can be controlled as well as the ownership defined. Changes to records can be tracked and associated with individuals.

Relationships: A key advantage of a (relational) database is the ability to enter information once and link it to many other records. For example, a Risk Owner may be linked to many records, but the Risk Owner’s details are only in the system once. Several tasks may be associated with a risk (the Risk Mitigation Plan); in database terms, the risk is linked to “many” tasks. Those tasks in turn could be linked to different individuals. Results of ongoing control verification/effectiveness audits and compliance monitoring can be linked to individual risks. Risks can be linked to objectives, processes, departments, etc. What all of these relational links mean is that, when it comes to reporting, it is easier to “dice and slice” the data to create different views/insights into the state of risk management in the organisation.
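
The Errors, Accountability and Relationships points above can be shown in a small schema. This is an added example, not CalQRisk's code: it uses Python with SQLite, and every table name, column name and sample record is a constructed assumption. Out-of-range scores and links to non-existent owners are rejected by the database itself, and each accepted change is written to an audit table by a trigger.

```python
import sqlite3

# Hypothetical schema for illustration; table and column names are assumptions.
SCHEMA = """
CREATE TABLE owner (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE risk (
    id INTEGER PRIMARY KEY,
    title TEXT NOT NULL,
    owner_id INTEGER NOT NULL REFERENCES owner(id),  -- owner details stored once
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
    impact INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5),
    updated_by TEXT NOT NULL  -- set by the application from the logged-in user
);
CREATE TABLE task (
    id INTEGER PRIMARY KEY,
    risk_id INTEGER NOT NULL REFERENCES risk(id),  -- one risk, many tasks
    assignee_id INTEGER NOT NULL REFERENCES owner(id),
    description TEXT NOT NULL
);
CREATE TABLE audit_log (
    risk_id INTEGER, changed_by TEXT, old_score INTEGER, new_score INTEGER,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER risk_audit AFTER UPDATE ON risk BEGIN
    INSERT INTO audit_log (risk_id, changed_by, old_score, new_score)
    VALUES (OLD.id, NEW.updated_by,
            OLD.likelihood * OLD.impact, NEW.likelihood * NEW.impact);
END;
"""

def build_demo():
    """Create an in-memory database holding constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite leaves FK checks off by default
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO owner VALUES (1, 'A. Murphy'), (2, 'B. Kelly')")
    conn.execute("INSERT INTO risk VALUES (1, 'Ledger not reconciled', 1, 3, 4, 'A. Murphy')")
    conn.execute("INSERT INTO task VALUES (1, 1, 2, 'Monthly reconciliation')")
    conn.commit()
    return conn

def apply_change(conn, sql, params=()):
    """Run one write; return False if a database constraint rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False

def audit_trail(conn):
    return conn.execute(
        "SELECT risk_id, changed_by, old_score, new_score FROM audit_log").fetchall()
```

The audit row is only as trustworthy as `updated_by`, so the application must fill it from the authenticated session rather than from user input, and ordinary accounts should have no write access to `audit_log`.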

Conclusion

You can manage risks using a spreadsheet, but with significant risks to the whole process. Using a database-driven solution will be more efficient and more acceptable to the Board, Auditors and the Regulator.

For details on how CalQRisk can benefit your organisation, contact us today.
