Time and again, the legitimacy and value of the spreadsheet to business, and in particular to the finance department is questioned, given the numerous times spreadsheet errors have caused significant issue for organisations. But the reality is that for all its shortcomings, this humble tool remains essential for core business processes and remains pervasive in many businesses.
It’s not hard to see why.
Spreadsheets offer businesses the flexibility and agility to adapt and enhance vital business processes, whether it is to manage complex projects, budgets and forecasts, develop business and financial models to support their strategic decision making, or to produce management and stakeholder reports. They often remain the preferred option for business management, planning and reporting – even for those businesses who already make use of a variety of enterprise-level IT systems to run the organisation.
The key to the value of spreadsheets to many organisations is their ability to align business and IT. They enable the business to leverage the scale and security of their corporate IT systems, while providing users a fast and flexible option that helps them respond quickly to the changing needs of a dynamic business.
The challenge of spreadsheet risk
While offering significant value to users, the uncontrolled nature of spreadsheets, and the absence of change control means that spreadsheet risk – the potential for business issues caused by errors and omissions in spreadsheets – becomes a real issue for finance departments and organisations in general.
The lack of effective controls, and the issues this can create means that organisations can potentially lose visibility of their key data and business-critical files, resulting in a poor understanding of which files are being used for critical financial reports. Furthermore, with no checks on the data sources or which spreadsheets are being used, as users create or copy spreadsheets for new applications or reports, the likelihood of the using the wrong data feeds, and/or the use of stale and inaccurate data increases exponentially.
If these potentially flawed results are fed into a business’ financial system or used for part of their ‘final mile’ reporting, it can skew the outcomes, and cause misreporting.
The fallout of these errors can be dire for organisations, as we have seen recently. Earlier this year, Conviviality, a £500m business, collapsed. As reported, the company had been using a manually updated spreadsheet to keep track of incomings and outgoings; and a user forgot to enter nearly £30m of alcohol duty. This triggered its collapse.
Similarly, Carillion Plc, a 20,000 employee, multi-million-pound turnover business; has gone bust. In the absence of adequate IT systems, multiple versions of multiple spreadsheets were used simultaneously by multiple offices to manage its subcontractor and employee workload, resulting in poor and unprofitable workforce management.
Regulators recognise the value of spreadsheets alongside their risk
The significance of spreadsheet risk has reached the point where financial services regulators in the UK – The Bank of England, The Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) – have noted the importance of the issue of how spreadsheet risk can undermine business services.
They are exploring how resilience can be designed-in from the beginning, so that risks are mitigated upfront. While this applies to those financial institutions regulated by these three bodies, it also covers outsourcing partners, and their supply chain, potentially forcing companies outside financial services to enhance their own spreadsheet risk management.
Spreadsheet risk features on regulators globally with firms facing enhanced scrutiny. For example, firms operating in the US find spreadsheet risk as part of Sarbanes-Oxley (SOX), CCAR/DFAST, IFRS9, SR 11-7 and other regimes.
Making spreadsheets safe for use
The issue is not so much the use of spreadsheets – but rather the lack of understanding of the dependency an organisation has on these spreadsheets. The solution lies in making spreadsheets safe for use. This can be done by adopting a best practice, technology-led approach to spreadsheet usage and management.
This approach leverages automation to continuously monitor and audit the use of spreadsheets across their lifecycle – from their creation, through changes and updates, all the way through to migrating the processes they support into corporate IT systems. It helps establish data controls and spreadsheet change management processes to ensure complete visibility and transparency across the spreadsheet landscape, fully supported by an audit trail.
These types of solutions can be deployed as ‘on premises’ solutions, where businesses have a reference for maintaining full control over their spreadsheet risk management environment. Cloud-based options are also available, for institutions if they prefer to implement a solution without the need to invest in their own environment.
These approaches enable organisation to utilise capabilities that allow teams to maintain an inventory of critical spreadsheets, supported by an audit trail, to help them understand the complexity of spreadsheets and to identify where there might be potential for errors that can compromise the quality, accuracy and integrity of data within them, for example for financial reports and reconciliations.
This kind of attitude to spreadsheet risk allows organisations to square the circle, so they can continue to leverage the significant value of spreadsheets, while still retaining the same level of visibility, control and auditability that they expect from their core IT applications.