Risk Management And Spreadsheets
Risk management is a key discipline for any business, as senior managers develop execute and evolve their business strategy. It is an area that is under increasing scrutiny from shareholders, auditors and regulators alike. Risk management can only be as good as the data it relies on. The corporate IT function is well versed in providing information that informs risk management. However, where organizations make extensive use of spreadsheets in their key business processes, to help drive the flexibility and dynamism that companies value, their lack of change controls means that spreadsheet risk has the potential to compromise any risk management regime.
This spreadsheet risk has the capacity to undermine regulatory compliance – for example SOX, Solvency II, stress testing – by compromising the quality of the data and the accuracy of the results. Regulators are increasingly examining how spreadsheets are used, managed and audited in the business processes they regulate, and expect the same level of transparency as featured in corporate IT applications.
Companies need to expend time, energy and resource to assure themselves, and their regulators, that the business processes underpinned by spreadsheets meet the standards necessary. Shortcomings can lead to regulatory, legal and reputational damage.
Spreadsheet risk also presents a challenge for the audit function as well. Compromised information from the spreadsheet estate can undermine preparations for the scrutiny of external auditors, potentially leading to audit points that need to be addressed. External auditors are being directed to ‘look under the hood’ much more with business critical spreadsheets, as companies rely so much on them, and increasingly need transparency in how results were calculated and how the spreadsheets are managed. Equally where the audit function is used to identify operational risks for the business, accurate information is essential to identify business issues early.