What Is Spreadsheet Risk and How Do Best-in-Class Firms Manage It?
7 MIN. READ
You may have heard of the infamous spreadsheet risk. However, it can be difficult to mitigate without knowing what it means or how it can affect your business. Consider this scenario for a glimpse into just how real spreadsheet risk can be:
Maria is staring at her laptop at 9:27 PM on a Friday. The markets cratered this afternoon, and she needs to evaluate the required capital on a number of reinsurance blocks of business. A hedge fund sank along with the markets, and its counterparties are holding a good amount of the firm’s capital overnight. Overall, their liquidity is uncertain in the short term.
With a few more updates to her model, Maria can call it a night. She updates the market data and adds a number of columns to track scenarios of estimated capital calls. Thankfully, her analysis shows there is still adequate capital in the firm to meet its obligations, even in the event of a short-term credit crunch.
The markets are on edge throughout the following week. On Wednesday, Maria notices a misalignment between what she reported to the CFO Friday night and the current cash position. Risk-based capital levels may not be reached, and the quarter is closing in a few days. She engages her team to confirm her findings, and unfortunately, they agree with her numbers. They quickly dig into the issue. Maria is concerned she made a mistake late in the evening. However, tracing through her spreadsheet, she determines her updates were all correct.
Later that afternoon, one of her analysts discovers an error in a linked Excel file, which overstated the reserves in a key account. This error was not obvious, as it was two files removed from Maria’s analysis, nor was it out of the ordinary, as it aligned with the prior version of the spreadsheet. It was a simple mistake – an intern failed to properly update the day’s transactions. But now, Maria and the CFO are scrambling to determine how to raise the appropriate capital before the quarter ends.
Spreadsheet risk is inherent in all finance organizations
Microsoft Excel is the most transformative business tool that has ever existed. It allows analysts to perform in minutes what would have taken months prior to the invention of the computer. Its flexibility is limitless, and Microsoft keeps adding features to make it more powerful. However, the same power and flexibility that are Excel’s biggest strengths create the conditions for its inherent weakness: the spreadsheet risk that lies behind each complex analysis within an organization.
The fictionalized account of Maria’s capital problem due to a spreadsheet error is repeated in businesses around the world each day. Excel allows accountants and analysts to solve the most complicated financial problems of the modern world, but it also allows a simple typo to spiral into a colossal misstatement, which has the potential to impact business decisions, capital positions and regulatory filings. Perhaps even worse, it has the potential to expose customer information to nefarious digital criminals. There is a wide range of risks in the spreadsheets that run the financial engines of our economy.
In fact, a report from Deloitte found that no fewer than fifteen different types of spreadsheet risk exist within organizations.
We’ve summarized these findings into three high-level concepts to define what spreadsheet risk involves:
- Data integrity.
- Workflow efficiency.
- Lack of controls and identification.
Our initial story highlights the predominant problem in spreadsheets. The flexibility of Excel allows users to manipulate, model and analyze data on the fly, which is great for the purposes of rapidly generating information based on changing conditions. However, it may come at the cost of data integrity.
Input errors, mislinked cells, and inserted rows and columns can all lead to degraded data integrity. Rows and columns hidden within spreadsheets can cause confusion to users who did not create the original file. Anyone can create, edit and publish a spreadsheet using data from any source they can get their hands on, or any figures they can fabricate in their minds. The information being published can appear credible, but without knowing how it was produced, there is no way to validate it. The ad-hoc nature of spreadsheets allows models to be built in minutes, but very few of these models are tested rigorously. Also, backtesting Excel models is expensive if done manually.
Data is often dumped into spreadsheets for modeling purposes, but the data often contains sensitive customer information, such as account or social security numbers, so analysts can link files together. This exposes information that would have otherwise been hidden in a more formal and secure system. Worse yet, it can cause an unwitting employee to improperly distribute sensitive information.
These risks are present each time an update is made to any spreadsheet linked throughout a critical process. One mistake can cascade throughout a system of spreadsheets within an organization. If a company relies on this corrupted data for decision-making or regulatory reporting, the repercussions can be severe.
Spreadsheet risk also contributes to the cost of inefficiencies within your organization. Manual and repetitive processes can exist in dozens of spreadsheets across the firm without an inventory of where information exists. Teams can duplicate efforts trying to solve the same or similar problems. Multiple versions of the same document can frustrate teams trying to make simultaneous updates. All of this adds dollars to the wrong section of your profit and loss statement.
Excel models the modern business environment. Due to the ever-increasing complexity of today’s organizations, spreadsheets are likewise becoming increasingly complex. A single spreadsheet may be based on tens or hundreds of thousands of data points. Most Fortune 500 companies have a significant number of spreadsheets linked together across business units and functional areas. Some spreadsheet processes do not have anyone in the organization who understands the data flow end-to-end. How can a process be efficiently designed if no one understands it?
The relationship between spreadsheets is a risk in itself. An analyst can adjust a document to suit that day’s needs without considering the downstream and long-term impacts. Likewise, there is no system that automatically traces dependencies and downstream workflows when a spreadsheet is altered, so the user making the change is likely unaware of the impact.
Lack of controls and identification
The beauty of spreadsheets is that they allow the end-user to construct complicated financial analyses without engaging with IT developers. However, that comes at the price of an informal process when spreadsheets are under development. What starts as a single analysis becomes the bedrock of an ongoing financial process, without any formal governance or broad understanding. This can leave a small group of people (or even just a single person) as the only employees who understand how the system is built.
Computer code generated from an IT project details the business requirements and the purpose of important lines of code. Spreadsheet processes often have no documentation related to how they are constructed. Typically, a process is only documented when it needs to be transitioned upon an employee’s promotion or termination. This creates a key person dependency within your organization to ensure business continuity.
Moreover, most firms do not even know where all of their spreadsheets are located. They can be saved to individual laptops, on servers, in emails and in the cloud. Finding the correct file may be impossible without an automated solution that monitors a network to find where critical spreadsheets exist.
In aggregate, these issues expose organizations to a host of risks and errors that can damage their brand, reputation and, most importantly, their customers’ well-being. An appropriate control environment must be established, spreadsheet risk must be identified, workflows need to operate efficiently and you need to know financial data can be relied upon by removing concerns about spreadsheet risk from your company.
Best-in-class firms prioritize mitigating spreadsheet risk
Organizations that prioritize mitigating spreadsheet risk are better positioned to protect customers, revenue, and reputation. Fortunately, modern technology solutions are available to support these businesses as they start to prioritize spreadsheet risk management.
While other spreadsheet management solutions are manual, expensive, and overly complex, Incisive’s solution provides a modern, automated approach to gaining greater accuracy, control, and insight into an organization’s most complex, sensitive, and critical spreadsheets, providing accurate and consistent data you can trust.
Incisive’s spreadsheet management solution opens the door to more accurate decision-making, reduced overhead and greater risk prevention. For more information about why companies that prioritize spreadsheet risk are better positioned to protect their client base, preserve top-line revenues and fortify their reputation, download our Forrester Opportunity Snapshot study.