This article is the second in a five-part series exploring spreadsheet risk, the challenges it presents, and ways to protect your company’s resources and reputation from the risk inherent in spreadsheets.
As established in the first blog of this series, many companies rely on spreadsheets to make critical business decisions. Unfortunately, inaccurate data found within those spreadsheets can cause serious damage to a company’s success. Surprisingly, companies are doing little to control this threat. Spreadsheet risk must be addressed at the board level in order to prevent potentially disastrous consequences.
Businesses that cannot guarantee the accuracy of their data – especially their financial data – can often trace the issue to their ungoverned use of spreadsheets. Ungoverned spreadsheets pose a threat to a business’s compliance with government laws, customer retention, preservation of public trust, competitive advantages and revenue. In fact, companies can face substantial government penalties if their financial data is incorrect. Larger financial institutions must pass the Comprehensive Capital Analysis and Review and Dodd-Frank Act Stress Test, which can be tricky without strong spreadsheet discipline.
This discipline can be near impossible to maintain; it is common practice to use a complex naming convention to save spreadsheets as different versions in different locations. Such a haphazard practice makes it easy for businesses to confuse and misplace vital information.
Given this potential risk, it would be prudent for boards of directors to advise that spreadsheet management be addressed as part of their information security and finance transformation initiatives. Unfortunately, it is often discounted or overlooked by many. The question is, why?
In a recent Forrester Consulting study we commissioned on spreadsheet risk, entitled “Think Spreadsheet Risk Isn’t a Threat? Think Again,” researchers discovered just how prominent spreadsheets are in completing the fundamental tasks of running a business.
About a third of businesses rely on spreadsheets for many of their financial responsibilities, including payroll (32%), department budgeting and forecasting (37%), and financial disclosures and SEC filing (31%). And spreadsheets play a greater role in the risk and compliance process than one may think. Despite easy manipulation and lack of inherent controls, nearly 50% of companies still rely on spreadsheets alone to do their auditing and controls – a process necessary for risk assessment and compliance management. With such a large percentage of businesses relying solely on spreadsheets for so many critical tasks, many businesses are putting their revenue and reputation at high risk of financial and ethical ruin.
Risking revenue and reputation – a board-level issue
A company’s board has a fiduciary responsibility for protecting both the company’s reputation and its shareholder value from potential risks that could damage them. As mentioned before, spreadsheets, although widely used across companies with extremely versatile uses, are a major opening for these risks if they are not properly regulated.
To better understand the impact of spreadsheets on everyday business life, the Forrester study took a poll of how often spreadsheets alone were used for various tasks. The results were staggering: 44% use them for comparative analysis, 36% use them for revenue recognition and sales compensation, and 31% use them for financial planning and analysis. Spreadsheets used for data analysis frequently contain account and customer information that is considered personal or confidential. In fact, the study reveals 36% of companies use spreadsheets for customer-specific data analysis, and 39% use them for procurement spend analysis.
The absence of a risk governance framework leads to unintentional and deliberate data breaches. For example, accidental data breaches may occur by inadvertently emailing an unencrypted spreadsheet to the wrong customer or accidentally posting it online. Malicious attacks meant to cause harm to an organization may originate from internal or external entities. Indeed, revenue losses as a result of fines for noncompliance with federal regulations are substantial. In 2019, the total average cost of a data breach in the United States was $8.19 million, a 130% increase from 2006.
Further, reputational losses as a result of data breaches have certainly impacted a number of financial institutions. In July 2019, Capital One announced a hacker accessed the personal information of individuals and businesses that applied for a credit account between 2005 and 2019. The reputational damage resulted in an eight percent drop of Capital One shares. In 2014, Sony Pictures also fell victim to a data breach. A hacker gained access to a spreadsheet holding the names, titles and salaries of over 6,000 employees, as well as another spreadsheet with the birth dates and social security numbers of 3,803 employees. Reputational losses are not limited to customers; employees will also lose confidence in their employer when their personal information is compromised.
The effects of ignorance
Being proactive, not reactive, is key. Even though it is likely that a data breach will motivate a business to finally take precautionary measures against spreadsheet risk, it could very well be too little too late. Once customers lose confidence in a company to protect their personal information, their trust – and business – is gone. That damage is nearly irreversible. Customers will quickly move to a competitor that they believe will protect their personal information from accidental exposure or deliberate attacks. They won’t give a second thought to the company that failed to protect confidentiality.
Now, because of one data breach, that business has forfeited customers, revenue and its trustworthy reputation. Spreadsheet risk may be a low priority for businesses that have never suffered the consequences of a data breach. However, spreadsheets quickly change from low priority to the cause of a company’s near destruction if a hacker accesses just one of the many spreadsheets a company uses for its vital tasks.
Persistent security threats are why an effective spreadsheet risk mitigation protocol must be an integral part of a company’s information security and risk management strategies. Implementing controls that define proper storage procedures, restrict access to authorized users, and track or prevent changes is only part of a comprehensive security solution.
Spreadsheet management software is specifically designed to address these risks.
Despite the heavy use of spreadsheets, the risks may not be calculated in broader risk management and information security strategies. The Forrester study confirms that the risks are real and addressing spreadsheet risk should be a board-level imperative. The study reveals the majority of businesses simply do not know how to approach spreadsheet risk in order to properly eradicate it. Utilizing the assistance of a modern, automated solution may be their answer.
To learn more about how you can begin to mitigate spreadsheet risk, download the Forrester research report.