Spreadsheets are indispensable for many functions. They are the main component in end-user computing (EUC), which is software built by non-programmers usually on a users’ desktop. They are the ideal choice for financial reporting, ad-hoc analyses, personal data tracking, numerical data recording and many other data-related activities. They are flexible, easily manipulated and can do many things for many people. And therein lies the problem.
Spreadsheet errors can cost companies millions
Flexibility is a positive when it works well, but also an opportunity for problems when it doesn’t. In recent history – as recent as last month in the case of Canadian cannabis producer Canopy Growth – has shown, this flexibility can cost organisations substantial amounts of money. Canopy Growth was forced to refile its financial results with the Canadian Securities Administration after a formula error in a spreadsheet caused the company to understate its financial loss by CA$103m. (1) Meanwhile, the collapse of construction and facilities management firm Carillion, rendering 43,000 global staff redundant, is still being investigated, but it has been suggested that spreadsheet mis-management may be partly to blame. One news report said that in the absence of adequate IT systems, multiple versions of spreadsheets were used simultaneously by multiple offices to manage Carillion’s subcontractors and employee workload, resulting in poor and unprofitable workforce management. (2)
Add these recent issues to the already widely-reported cases of JP Morgan losing US$6bn and being fined US$1bn (3) and Societe Generale losing EU4.9bn (4), both due to spreadsheet errors – the latter due to malicious activity by one of its staff – and there is no doubt that controlling end-user computing (EUC), and in most cases spreadsheets, is a big issue.
“Operational risk, and in particular risk associated with spreadsheets, is a very real concern for businesses,” said Chris Burke, CEO of EUCplus, a newly launched application that removes operational risk by registering, scanning and securing business-critical spreadsheets.
Speaking after addressing the audience at Cefpro’s new generation operational risk conference in London this week, Burke said that failing to address the issue of end-user computing is tantamount to riding a motor cycle without a helmet.
Many companies don’t have a robust EUC policy
According to a short survey of conference attendees, more than 50% of the respondents admitted that their organisation did not have a robust EUC policy. Over 25% of respondents said their organisation uses as many as 10,000 spreadsheets for day-to-day functioning, while almost 50% admitted that up to a quarter of the spreadsheets used were critical to the running of their organisation.
“No one is immune,” said Burke. “EUC management is an issue that affects all businesses.”
This is backed up by a study carried out by Ventana Research, which found that 35 per cent of organisations routinely find errors in data and 26 per cent find formula errors in the most important spreadsheets they use. (5)
Good EUC management is important for regulatory compliance
So, while the concept of spreadsheet errors is nothing new, it is something that is becoming much more widely-reported. The implementation and preservation of appropriate end-user computing controls for financial services firms is referenced in a raft of financial regulation, including Sarbanes Oxley, MiFID II, Solvency II, SMCR and many more, and it is this threat of fines, damage to reputation and the inability to conduct business correctly, that has brought end-user computing to the fore.
The key, according to Burke, is to develop an effective end-user computing framework and attestation policy. Such a framework not only helps ensure regulatory compliance, but also reduces or prevents fraud, accidental errors or mis-reporting and demonstrates best practice spreadsheet risk management. Ultimately it also provides assurance to the board that the issue is being taken seriously. The Senior Managers and Certification Regime (SMCR) in the UK places much more regulatory responsibility on the shoulders of the senior executives when it comes to financial reporting and risk management. As a result, senior stakeholders are starting to take things more seriously. Having a policy is not enough. Firms need to robustly implement the policy and ensure ongoing compliance.
One such framework and attestation policy is EUCplus, a customisable, cloud-based tool that reduces operational and business risk by registering, scanning and securing all business-critical data in one simple process. It provides:
- visibility and control over all your business-critical data,
- identifies irregular data and allows it to be removed or corrected,
- prevents further opportunities for accidental changes,
- provides an accurate and impenetrable log for compliance purposes, and
- fully encrypts the business-sensitive data.
Taking control of your EUCs also drives better business
As well as using the latest technology, including algorithms and big-data processing to take control of your spreadsheets, EUCplus also drives better business, IT and architectural decisions. It provides automated reporting from the customisable data model and enables robotic process automation and business-process outsourcing.
“By focusing on this one critical area of your business, you are doing more than just ensuring regulatory and financial compliance,” said Burke. “You are future-proofing your business by providing a clear attestation framework that can be used as a benchmark for future developments and helping maintain a top-class reputation.”
Contact us to find out how EUCplus can help you reduce your operational risk and maintain your high-class reputation: email: [email protected] or call +44 203 693 2605