Should the CEO Care about Spreadsheet Risk? Yes! Three Current Headlines Reveal Why.
If you are wondering why you, a senior executive with strategic responsibilities, should even remotely think about something so seemingly tactical as spreadsheet risk, read on. This article discusses a series of recent cases that illustrate how a spreadsheet error can quickly evolve into a material - and public - business crisis.
Case Study: Material Spreadsheet Error Drives Public Scrutiny
When a spreadsheet, or other end-user controlled application (EUC), is used in a critical business process, you can be personally at risk. The impact can be significant. Here is the timeline of events of Conviviality Plc (LON:CVR), which includes the CEO resigning just 13 days after her CFO became aware of a material error in a spreadsheet:
- March 8th: The public profit warning, £2 million error in a forecast spreadsheet, share price falls by over 50%
- March 14th: Another mistake, failed to account for £30 million tax liability, trading suspended
- March 19th: CEO steps down
- March 21st: Updated profit warning (downward)
- March 29th: Conviviality reveals a plan to appoint administrators
Was the outcome of this unfortunate series of events attributable solely to spreadsheet error? No, of course not. But that error was material. More importantly, it was the catalyst for increased scrutiny that frightened away lenders and investors - and ultimately put the company in a cash crunch.
The two takeaways are:
- Material weaknesses in controls can cost you your job
- Spreadsheets & other end-user controlled applications typically have weak, if any, controls
What is the Root Cause of Spreadsheet Risk?
The short answer is weak, ineffective controls:
- In March 2018, VBS Bank was put under curatorship (i.e. the board and executive management were removed) by the South African Reserve Bank due to large financial losses. These losses were alleged to involve fraudulent manipulation of spreadsheets used in critical business processes.
- In April 2018, Samsung Securities lost over $300 million of market capitalization and one of their largest customers, the National Pension Service. A simple human mistake exposed the weakness of their controls – a $120 billion data entry error became public knowledge.
- In the case of Conviviality, a series of acquisitions necessitated the use of spreadsheets to help tie operations together while the standard, enterprise financial systems were integrated. In their hard-charging, performance-oriented culture, it’s fair to assume that controls on those spreadsheets were minimal, if any.
In the end, humans are fallible and operational errors (or fraud) can take many forms. Effective controls are your primary line of defense.
How does Spreadsheet Risk Manifest Itself?
Spreadsheets and other end-user computing applications are not managed by IT. They lack many of the controls applied to corporate accounting and other enterprise data systems. Employees in the line of business rely on spreadsheets because the speed & agility of using them are key to innovation and sustained competitive advantage. Given that spreadsheets are ubiquitous and there may have been no problems in your company so far, what is the likelihood of a material spreadsheet error? CIMCON’s empirical data suggests that 99% of your spreadsheets can have errors and it probably won’t matter. But when those files are part of a critical business process, and a financial report or forecast model is dependent on them, your corporate - and personal - risk skyrockets. Every business has spreadsheets embedded in critical processes. Some more than others, but no business is immune. The critical question is not “do I have this risk?” but “where is this risk?”
What can be done to improve your controls?
Step #1 is to take spreadsheet risk seriously and question your direct reports. We see many firms that have written policies or standards that gather dust because no one is truly accountable. Recognize that having such policy documents can provide a false sense of security. It can probably defend you against a regulator or auditor and it can buy time needed to address their identified concerns. But it won’t protect you when there is a material error. As the Conviviality saga illustrates, material events spiral out of control very quickly.
Your line of business owns spreadsheet risk. Your Operational Risk staff owns the credible challenge to the line of business's risk management efforts. Make sure they all aren't just ticking the box.
Step #2 is simply to identify where these risks lie and who owns them. What are the critical processes that are dependent on a spreadsheet or an end-user (non-IT) controlled file? Most senior executives do not have a clue as to this dependency - nor should they. But someone in their organization should.
It’s a common practice to have numbers extracted from a corporate database, transformed through Excel and then fed into some forecasting model. That is a potential weak link. If there aren’t effective controls, you are vulnerable even though the data appears to be coming from the proverbial “one source of truth.”
Given the sheer number of spreadsheets in an organization, this identification task can seem daunting. However, there are many tried and true processes (e.g., technology or consulting services) to easily accomplish the task. Knowing where this risk is and who is accountable is well over half the battle. To paraphrase Peter Drucker, you’ll get what you measure.
It isn’t your job to think through how this gets done, or how the risks will be identified and mitigated. But if something goes wrong - a single keystroke error in a single file - recognize that it can be material. The impact will typically be immediate, and then you, personally, can be affected.
Historically the value proposition for better spreadsheet and end user computing controls was oriented around regulatory compliance. That’s a red herring. Companies often have multiple years to correct regulatory deficiencies. It’s usually errors that can bring you down - errors in critical calculations, data feeds, forecast models, etc.
And last, the remedy usually isn’t about eliminating all critical spreadsheets. The answer is better controls. Replacing a complex, functioning spreadsheet application can take months and cost hundreds of thousands of dollars. After all of that expense, the business process likely won’t improve; in fact, your agility and independence may disappear.
So, in summary, the answer is better controls. That is far and away the highest return on your spreadsheet risk mitigation investment.