Businesses unaware of operational risk caused by spreadsheets
Businesses are facing serious operational risk, including extensive financial and reputational loss, due to a lack of control over their spreadsheets, or end-user computing (EUC) tools.
A recent poll of risk professionals* conducted by EUCplus, a customisable, cloud-based application powered by the transformational consultancy Brickendon, revealed that 53% of businesses admitted to not having a comprehensive policy governing the use of EUC applications, ultimately opening them up to significant risk. EUCs are software, usually spreadsheets, built by non-programmers. This figure is worrying, especially as more than 47% of respondents said their organisation used more than 1,000 spreadsheets for day-to-day functioning, and 30% admitted that more than 25% of the spreadsheets used were critical to the running of their organisation.
Alarmingly, the poll found that only 33% of those questioned have an EUC policy, with a worrying 14% unaware whether their company even has one. Across the risk professionals sampled, 23% didn’t know what percentage of spreadsheets used in their organisation are critical to the running of the business.
A clear lack of knowledge is prominent in the sector, and businesses must do more to futureproof their operations to avoid significant fines and reputational losses.
Spreadsheets - an asset or a poisoned chalice?
This confirmation that spreadsheets form an integral part of many organisations highlights the urgent need to use them correctly. Large organisations like JP Morgan, Societe Generale and more recently Canopy Growth, have already suffered substantial losses, both to their finances and reputations, because of their lack of accountability. The flexibility and functionality offered by spreadsheets can be an opportunity when utilised properly, but also a profound risk when it comes to financial reporting. Failing to take proper control of them is like riding a bicycle without a helmet.
So, what should companies do to avoid falling into the trap of spreadsheet mismanagement?
The key is to implement an effective end-user computing framework. This will not only help in ensuring regulatory compliance but will also assist in reducing or preventing fraud, accidental errors or mis-reporting. It also demonstrates best practice in risk management and ultimately provides evidence to the company’s board that the issue is being taken seriously.
EUC structure paves way for regulatory compliance
For corporates both large and small, spreadsheet risk management is primarily a process which ensures that the financials are correct and there are no discrepancies. However, for financial services firms, the implementation and preservation of appropriate end-user computing controls is referenced across many regulatory legislations including Sarbanes Oxley, MiFID II and Solvency II.
The potential threat of non-compliance, and consequently damage to reputation and the inability to conduct business correctly, has brought end-user computing to the fore for these firms. Additionally, the Senior Managers and Certification Regime (SMCR) in the UK and the Banking Executive Accountability Regime (BEAR) in Australia are making senior managers pay attention, as the responsibility for compliance ultimately lies with them.
However, organisations need to take stock and raise awareness of the issue more holistically. Ideally firms need to develop a formal certification/attestation policy and then robustly implement the framework, policy and appropriate software system to ensure they stay compliant. This is particularly important given the increased cost pressures and competition businesses face. Staying ahead of the game and on top of all regulatory and reporting requirements has never been more important.
Frameworks guiding businesses
Whilst a great deal of work remains to be done on the educational front, technology has paved the way for new digital product launches which can mitigate the risk and protect businesses. At Brickendon we’ve recently developed EUCplus, a customisable, cloud-based application which reduces operational and business risk by registering, scanning and securing all business-critical data in one simple process.
In addition to using the latest technology, including algorithms and big-data processing, to take control of the spreadsheets, EUCplus also paves the way for better business, IT and operational decisions. It provides automated reporting from the customisable data model that enables the implementation of robotic process automation (RPA) and business-process outsourcing. By focusing on this critical area in an efficient and cost-effective way, organisations can future-proof their businesses by providing a clear framework that can be used as a benchmark for development. It demonstrates that businesses understand the importance of taking control of their business-sensitive information and preventing mis-management issues.
After all, who wants to end up in the headlines for understating losses by CA$103 million (£58 million), as happened to Canada’s Canopy Growth in February 2019, or to lose US$6 billion (JP Morgan) or €4.9 billion (Societe Generale) as a result of spreadsheet errors that could have been avoided if the right framework had been in place?
*The poll was commissioned by EUCplus and conducted at the Cefpro new generation risk conference in London on 13th March. The 52 respondents were all senior operational risk professionals at director level or above.