Spreadsheets and Risk Management

Spreadsheets are no longer fit for the purpose of Risk Management.

For an updated version of this article, click here.

One of the most popular computer applications used in the workplace is Microsoft Excel. Its growth in popularity over the last 30 years has made in an indispensable application for many businesses. It is used in many scenarios from simple lists of tasks to do in a project, to complex financial models on which many business decisions are made. It is useful for collecting data, quickly turning that data into graphical images and distributing the information to a wide audience.

But, its proliferation has also given rise to the expression “spreadsheet risk”. Indeed, many regulators around the world have expressed concern about the reliance on data that stems from spreadsheets because of the “manual process” involved and the ease with which data can be simply incorrect or fraudulently manipulated.

Some Examples of the disadvantages of spreadsheets:

An input error in a spreadsheet led to 10,000 tickets being oversold for a swimming event at the London Olympics in 2012. A member of staff made the simple keystroke mistake and entered 20,000 tickets instead of 10,000 remaining tickets. The error was only discovered when the Organising Committee began reconciling the number of tickets sold against the final layouts for venues.

One of the more high-profile examples of this was a finding in a JPMorgan Chase Task Force report Jan 2013 where they found that “specifically, after subtracting the old rate from the new rate, the spreadsheet divided by their sum instead of their average, as the modeler had intended. This error likely had the effect of muting volatility by a factor of two and of lowering the VaR”.

The Problems with Spreadsheets

While spreadsheets have enabled / enhanced many processes and the construction of many models, there are many issues that one needs to be cognisant of when using them:

Errors: There may be errors in the formulae, there may be errors in the data itself. Who can see?

Consistency: One spreadsheet sent to 10 people can quickly become 10 different spreadsheets.

Control: The ability to limit who can modify what cells (data) is inadequate in spreadsheets.

Integrity: What is the latest version? Where is it stored? Is it backed up?

Confidentiality: With multiple versions of spreadsheets stored in multiple locations, it’s difficult to maintain confidentiality of the information therein.

Process: Involving more than one person in the completion of data input into a form can become cumbersome and difficult to control.

Accountability: Lack of ability to see who completed / changed what data makes it impossible to enforce accountability.

Relationships: Spreadsheets are not relational-databases and so it becomes extremely burdensome to link all relative information, often requiring repeated entry of the same information.

Spreadsheets and Risk Management

One of the popular uses of spreadsheets is in the management of risk. Assessment forms can be created and formulas entered to calculate the level of risk. Sending these forms out to the “users” and getting to fill in the answers / details serves to collect much data on the risks and controls that are present in each department. Advocates of spreadsheets for risk management will quote the inexpensive cost of the application and the ubiquity of skills in using them. However, to ignore the time required to construct the forms, formulas, reports and gather the information and aggregate the collected information into one single data repository is to underestimate a significant (time) cost in the risk management process.

Specifically, the use of a database-driven solution will ensure that the problems associated with spreadsheets can be eliminated:

Errors: Formulae are hard-wired and have been subjected to a rigorous verification process. Data entered is validated at the point of entry and rejected if out of bounds.

Consistency: Forms and data fields are embedded in the application; users cannot change these.

Control: Database-driven applications have in-built access control rights functionality that can enable the tailoring of access rights with the needs of individuals.

Integrity: Risk Management applications that are installed on controlled servers are subject to the same stringent controls as, say, an email server. Data can only be changed through the application by duly authorised individuals.

Confidentiality: The risk management application and associated data is stored in a single location and protected by the firewalls and access controls that protect all other IT assets.

Process: Applications are designed for multiple-user use and through a combination of access rights and user roles, the ability to add or modify records is strictly controlled. In addition, automated actions can be programmed to happen when certain conditions are met. This semi-automation of processes greatly simplifies the activity and reduces time and inaccuracies from human intervention.

Accountability: In database-driven applications the access to records can be controlled as well as the ownership defined. Changes to records can be tracked and associated with individuals.

Relationships: A key advantage of a (relational) database is the ability to enter information once and be able to link it to many other records. E.g. a Risk Owner may be linked to many records, the Risk Owner’s details are only in the system once. Several tasks may be associated with a risk (risk Mitigation Plan), in database terms the risk is linked to “many” tasks. Those tasks in turn could be linked to different individuals. Risks can be linked to objectives, processes, departments, etc. What all of this relational linkages means is that when it comes to reporting it is easier to “dice and slice” the data to create different views / insights into the state of risk management in the organisation.

Recent News

Volunteer Succession Planning – ‘Tomorrow’ has arrived.

Strong succession planning is critical for the viability of all businesses but can be particularly challenging for volunteer-led ...
Read More

What is CSRD?

The Corporate Sustainability Reporting Directive (CSRD) is a framework for non-financial reporting which is mandatory for large companies ...
Read More

CalQRisk Triumphs at the 2024 FS Awards, Winning Compliance and RegTech Award

At a distinguished ceremony held at the iconic Mansion House, CalQRisk emerged as the proud recipient of the ...
Read More

NoFrixion Selects CalQRisk for its DORA Compliance Efforts

NoFrixion, the Embedded Banking company based in Dublin, Ireland, has announced its partnership with CalQRisk to ensure compliance ...
Read More

CalQRisk is a finalist in the FS Awards

CalQRisk has been named as a finalist in the competitive and prestigious FS Awards for the Compliance and ...
Read More

CalQRisk Customer Support Manager wins Rising Star at Irish Early Career Awards 2024

Congratulations to our Customer Support Manager, Eimear Farrell, who was named as a Rising Star in the Fintech ...
Read More

CalQRisk wins Pitch Competition at ESCO Cyber Solution Days Event, Kilkenny, September 2024

The Cyber Ireland (CI) CISO Forum and ESCO Cyber Solution Days event took place in the Lyrath Hotel, ...
Read More
Table Tennis Ireland Logo

Table Tennis Ireland Chooses CalQRisk to Optimise their Governance Strategy

Table Tennis Ireland have onboarded the CalQRisk solution to better their approach to board and committee meetings. Table ...
Read More

CalQRisk Shortlisted as Best in RiskTech at the 2024 CIR Risk Management Awards

CalQRisk has been shortlisted for the RiskTech category in the CIR Risk Management Awards in 2024. The Risk ...
Read More
business meeting

Reviewing Risk – A Framework Idea 

The Institute of Risk Management describes Enterprise Risk Management (ERM) as “the overall philosophy that consolidates the management ...
Read More