Spreadsheet Risk Management
|
|
|
It has become apparent that businesses are relying increasingly
on spreadsheets, and Excel in particular, to make business decisions.
The glut of information and the existence of a multitude of options,
types of financing and complex financing arrangements has meant
that businesses have needed to analyze more scenarios to reach a
decision. To make matters worse this needs to be done in less time
than ever before. |
|
The advent of personal computers and spreadsheets has catered
for this need and has meant that various complex scenarios can be
analyzed within minutes.
It may be fair to say that some spreadsheet models are more important
to the business than the systems that effectively only record the
results of the decisions previously made. The research
results and War Stories indicate that
there are significant issues and it would appear that the risks
surrounding the use of spreadsheets have been ignored.
The aim of spreadsheet risk management is to improve the quality
of the spreadsheets used and thereby reduce the risks. Now some
people might ask, and many suggest, that spreadsheet use should be
limited or banned from the business world.
|
|
|
Theoretically this
is correct. However practically the flexibility and value for money
that spreadsheets provide means that in one form or other spreadsheets
will always exist. By understanding where your risks are and providing
practical solutions you can mitigate your risk to a more acceptable
level.
Willingly or not, the business world places extensive reliance
on spreadsheets and excel in particular to help make there decisions
and provide management information. When considering the risks of spreadsheet problems you should consider
2 aspects. The primary question is the impact an error will have
on your organisation should it occur. The other aspect is the probability
of an error occurring in your organisation. A diagrammatic representation
is available here explaining these two
aspects.
The key to risk management is first and foremost to know where
the risks are. You therefore need an inventory of where spreadsheets
are used. Much of the work done during the Y2K assessments would
have focused on where IT systems exist and with luck they would
have documented where spreadsheets play an important part. From
our point of view the high risk areas are often in divisions or
departments where the revenue stream is ad hoc and there are limited
formal IT systems that can help. Departments that are full of professional
or ‘expensive’ staff (Chartered Accountants, CPA, CFA,
engineers, actuaries etc) are often prone to significant Excel use.
Why? If businesses could develop IT systems to perform the work
they would not need all these expensive staff members. So look in
your corporate finance departments, new business developments departments
etc.
You need to also consider the nature of the spreadsheets. Where
decisions are being made, the model is often the only source of
numbers. There is seldom anything to check against. And inevitably
the big decisions are made here. Departments that are responsible
for reporting can also have a big effect on an organisation. Look
at some of the spreadsheet error stories
to see what can happen when your information is wrong.
Some spreadsheets sit at the very heart of an operation, often
as a link between mainline systems. You can spend millions on fancy
accounting and ERP systems. If a spreadsheet is involved in handling
data the huge expense on internal IT controls will go out the window.
The spreadsheet error stories show some cases
of fraud that have resulted due to this issue.
You should also look at the current controls in place to address
spreadsheet risks. I estimate that at least 90% of businesses have
not formally considered this. All businesses should have policies
and procedures in place to control spreadsheet use. However, having
only this is not good enough. You cannot place the responsibility
solely on your employees. They need to be given the tools to be
able to achieve this. Just paying for your Excel license is not
enough. Empower your people to reduce the risks by providing the
excel training to use spreadsheets properly,
and giving them Spreadsheet Professional
to be more effective in finding errors.
Depending on the nature of your organisation it may be useful to
have the necessary expert skills. Financial institutions that live
off spreadsheets for the most part should have a whole department
dedicated to this skill set. Incorporate them into you Internal
Audit or IT audit departments.
The way to address this issue includes incorporating the risks
into policies and procedures of the business and making sure ALL
staff are trained on using Excel and in particular the inbuilt error
checking tools. Make this training available online, all the time
by using computer based training on your intranet. Make Spreadsheet
Professional available to everyone who has Excel on their computer.
Where necessary redesign critical spreadsheets or move them onto
a formal software language if possible. Set up departments to address
this risk particularly.
Contact
for more information.
|
