Author: Henry Umney, CEO, ClusterSeven
How spreadsheets are used in banks, and why
Banks today deploy a variety of well-supported enterprise IT systems for accounting, risk management, compliance, trading and tax to run the critical processes for business operation. While these systems are undoubtedly the preferred destination for processing financial information and executing processes, there has been an explosion of “shadow IT” in the form of end user computing (EUC) tools, particularly Excel spreadsheets, for performing business-critical activities. Typically, a vast number of spreadsheets surround the core systems and serve as the default tool for new reports, business initiatives and projects. They are used for final mile reporting, financial modelling, audit and compliance, and portfolio management, alongside general business management.
The reason for the adoption of EUC tools is simply that enterprise systems aren’t able to accommodate the evolving needs of the business with the speed and flexibility that is often needed by dynamic financial organisations. Many of these needs are driven by regulatory demands against urgent timescales. Spreadsheets fill this gap, enabling banks to align business with IT. They are also easily accessible and easy to use, and so are used without any formal training or authorisation, and usually without any formal change, testing and version controls.
What is the risk?
The last sentence is where the risk starts. Due to a lack of internal usage policies and change control mechanisms, the use of these tools for critical business processes is unfettered and unmonitored. Spreadsheets feed a number of business processes, but because there is no visibility of the entire spreadsheet landscape and no understanding of data flows across the data environment, the integrity of many business-critical financial, operational and regulatory processes is threatened. It’s impossible to track the deep and interconnected lineages between the various files and EUC models. So a single error in a spreadsheet can invalidate the accuracy of the output of processes and models, putting the business at significant operational risk. All banks will recently have experienced a situation of having to go back to the regulator with restated versions of a regulatory return because somewhere in the chain of spreadsheets and data extracts an error has occurred. To date, IT departments have typically washed their hands of the problem, arguing that the clue is in the title – “End User Computing” – and hence that it is not their responsibility. This argument is wearing thin, as the take-up of spreadsheets across the entire enterprise means end users cannot solve this problem alone.
Spreadsheet usage has regulators’ blessing
Despite the shortcomings, EUCs and spreadsheets remain core to business processes. Financial services regulators also recognise the value of spreadsheets to business and are therefore demanding best practice-led usage of these tools in order to minimise the risk they potentially pose. For instance, spreadsheet risk features prominently as part of Sarbanes-Oxley (SOX), CCAR/DFAST, IFRS9, SR 11-7 and many other regimes. Recently, the Bank of England, the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) have also noted the importance of the issue of how spreadsheet risk can undermine business services. Such
Automated control is the answer
The extent of the problem means manual approaches are no longer viable. Financial institutions need to adopt an automated approach to spreadsheet usage and management. Spreadsheet risk management relies on continuous monitoring of spreadsheet use across the lifecycle – from creation and updates, all the way through to migrating the processes they support into corporate IT systems. It will help financial institutions to establish data controls and spreadsheet change management processes to ensure complete visibility and transparency across the spreadsheet landscape, fully supported by an audit trail. It will entirely eliminate the risk and inefficiency of manual checking, offering fail-safe assurance that the outputs derived from the data in spreadsheets are indeed accurate. Such automation and control techniques give the IT department and business areas in a bank a means to collaborate on solving the problem rather than pointing fingers.
Benefit of attestation management for regulatory compliance
Spreadsheet risk management also provides automated processes for attestation by employees for the most critical spreadsheets, thereby ensuring that changes are made in line with the company directive. Internal staff can be prompted to review and approve documents, transactions and processes, and to ensure they remain compliant, even if no issues have been raised. In today’s era of the Senior Managers and Certification Regime, where the regulators are making senior executives responsible for their business’ activities, spreadsheet risk management provides in-built safeguards for attestation management. The Netherlands-based Rabobank is an example of a financial institution that is using automated spreadsheet risk management to continuously enhance its attestation management capability to meet internal compliance and external regulatory requirements.
Banks will do well to make spreadsheet risk management a 2019 priority. It can help financial institutions reduce financial, regulatory, operational and indeed reputational risk caused by spreadsheet and EUC error.