Stop and think: how much does your firm — and your work group — depend upon electronic spreadsheets to get mission-critical assignments done? How badly could a spreadsheet error damage your company’s reputation? Its financial results? Your own career?
Here’s an example. Advising Tibco Software on its sale to Vista Equity Partners, Goldman Sachs used a spreadsheet that overstated its client’s shares outstanding and, as a result, overvalued the company by $100 million. The Wall Street Journal reported, “It’s not clear who created the spreadsheet. Representatives for Tibco and Goldman declined to comment. Vista couldn’t be reached for comment.” (October 16, 2014.) Nonetheless, it’s safe to assume that the analyst who prepared the spreadsheet was identified, along with his or her manager, and that they both were penalized for the mistake.
Spreadsheets proliferate in financial organizations for good reasons. They offer convenient, flexible, and surprisingly powerful ad hoc solutions to all sorts of analytical problems. But as risk managers we are an impatient lot, and all too often results-oriented people like us turn to spreadsheets even for production applications because we cannot wait for IT resources to become available. We know that the IT department has a hard-and-fast policy of disavowing the business lines’ spreadsheets, but that’s all right, we tell ourselves, because “it’s only temporary.” Then we turn our attention to another problem….
Let’s take it as axiomatic that the firm’s risk management operations should not exacerbate the firm’s exposure to operational risk.
You may already have established some controls to mitigate spreadsheet risk in production applications. For example, key spreadsheets may be encrypted, stored on dedicated, non-networked PCs with password protection, and backed up every night. And it might be said that spreadsheets are self-documenting because the macros and formulas are visible and the functions are vendor-defined. As a practical matter, however, only the analyst who originally developed a spreadsheet fully understands it. When she leaves, and other analysts add enhancements — possibly with new names for existing variables — the spreadsheet becomes much more difficult to troubleshoot.
We recommend taking these steps now:
- Starting in the risk management area, inventory all the spreadsheets in use across the firm’s operations.
- Confirm that every time a spreadsheet enters a workflow it is identified as such. Cross-check the workflow documentation and swim lane diagrams against the spreadsheet inventory and update them where necessary.
- Document every non-trivial spreadsheet, minimally including its purpose, the data sources, and any procedural tips.
- Select the operationally embedded spreadsheets whose failure would be most injurious to departmental objectives and downstream processes, and look for permanent solutions with proper controls.
Whether or not it’s explicitly listed in your performance objectives, you owe it to your firm and yourself to migrate mission-critical spreadsheet applications to a reliable platform with codified controls. Systems development life cycle (SDLC) methodologies impose the discipline that’s needed in all phases of the project, from requirements analysis through deployment and maintenance, to minimize operational risk. This is not a trivial task; transferring the ad hoc functionality you currently have embedded in spreadsheets to a system that is well designed and amply supported takes heart. But the potential consequences of inaction are unacceptable. We strongly encourage you to take the necessary steps before a problem comes to light because a key person leaves the organization, a client spots a costly mistake, or — in the worst case — an operational crisis prevents the firm from meeting its contractual or regulatory obligations. And you lose your job.