Organisations are opening themselves up to serious operational risk, including extensive financial and reputational damage, due to their failure to take control of end-user computing (EUC) tools such as spreadsheets and databases.
According to a recent poll of risk professionals*, 53% of firms don’t have a robust policy governing the use of EUC applications, that is, software, usually spreadsheets, built by non-programmers on a user’s desktop. This is a worrying figure, especially given that more than 47% of respondents said their organisation used more than 1,000 spreadsheets for day-to-day functioning, and 30% admitted that more than 25% of the spreadsheets used were critical to the running of their organisation.
Alarmingly, the poll found that only 33% of those questioned actually have an EUC policy, with 14% not knowing whether their company has one or not. Additionally, 23% said they didn’t know what percentage of spreadsheets used in their organisation are critical to the running of the business.
Spreadsheets are an asset and a poisoned chalice
This confirmation that spreadsheets form an integral part of many organisations only emphasises the need to use them correctly. A raft of large organisations, including JP Morgan, Societe Generale and more recently Canopy Growth, have already suffered substantial losses, both to their finances and reputations, at the hands of their spreadsheets. The flexibility they offer is both an asset and a poisoned chalice when it comes to financial reporting, and failing to take proper control is, we believe, tantamount to riding a bicycle without a helmet.
So, what should companies do to avoid falling into the trap of spreadsheet mismanagement?
The key is to implement an effective end-user computing framework. Such a framework not only helps ensure regulatory compliance, but also reduces or prevents fraud, accidental errors and mis-reporting. It also demonstrates best-practice risk management and ultimately provides evidence to the company’s board that the issue is being taken seriously.
An effective EUC framework helps ensure regulatory compliance
For corporates, large and small, spreadsheet risk management is primarily an exercise to ensure the financials are correct. However, for financial services firms, the implementation and preservation of appropriate end-user computing controls is referenced in a raft of relevant regulation, including Sarbanes-Oxley, MiFID II and Solvency II. It is this threat of non-compliance, and the ensuing fines, damage to reputation and inability to conduct business correctly, that has brought end-user computing to the fore for these firms. In addition, the Senior Managers and Certification Regime (SMCR) in the UK and the Banking Executive Accountability Regime (BEAR) in Australia are making senior managers pay attention, as the responsibility for compliance ultimately lies with them.
However, organisations need to do more than just be aware of the issue. Firms need to develop a formal certification/attestation policy and then robustly implement the framework, policy and appropriate software system to ensure ongoing compliance. This is particularly important given the increased cost pressures and competition facing businesses today. Staying ahead of the game and on top of all regulatory and reporting requirements has never been more important.
Helping drive better business
One such framework and attestation policy is EUCplus, a new customisable, cloud-based application developed by our digital arm, Brickendon Digital. EUCplus reduces operational and business risk by registering, scanning and securing all business-critical data in one simple process. It:
- provides visibility and control over all your business-critical data,
- identifies irregular data and allows it to be removed or corrected,
- prevents further opportunities for accidental changes,
- provides an accurate and impenetrable log for compliance purposes, and
- fully encrypts your business-sensitive data.
As well as using the latest technology, including algorithms and big-data processing, to take control of your spreadsheets, EUCplus also drives better business, IT and architectural decisions. It provides automated reporting from the customisable data model that enables the implementation of robotic process automation (RPA) and business-process outsourcing.
By focusing on this critical area in an efficient and cost-effective way, you are future-proofing your business by providing a clear framework that can be used as a benchmark for future development. It demonstrates that you understand the importance of taking control of your business-sensitive information and preventing mis-management issues.
After all, who wants to end up in the headlines for understating losses by CA$103 million (£58 million), as happened to Canada’s Canopy Growth (1) in February 2019, or to lose US$6 billion (JP Morgan) (2) or €4.9 billion (Societe Generale) (3) as a result of spreadsheet errors that could have been avoided if the right framework had been in place?
*The poll was commissioned by EUCplus and conducted at the Cefpro new generation risk conference in London on 13th March. The respondents were all senior operational risk professionals at director level or above.