Spreadsheet Risk Triggers £5 Million Fine for UK Bank
The UK’s banking regulator, the Prudential Regulatory Authority (PRA), recently announced that it had fined a UK bank over £5m (over $7m) because of problems caused by uncontrolled spreadsheets in crucial business processes.
It comes as regulators worldwide enhance their efforts to encourage their chartered banks to ensure that their focus on the robustness of their operational processes and the accuracy of their reporting matches their focus on managing their capital.
The PRA’s ruling highlights a range of technical, operational, and commercial issues financial institutions face and how often spreadsheet-based, ad-hoc business processes fill the gaps these issues help create.
Current challenges facing banks
The challenges facing banks are well known. They face intense competition from existing institutions and new entrants, there are significant cost pressures, they need to innovate, and there is the unrelenting pace of technological disruption, to name a few.
These issues are well known, but other important issues receive less attention.
One problem is that institutions struggle to find qualified and experienced back-office staff at a rate a bank can justify. This can mean that the quality and robustness of business processes can suffer, as new or temporary staff may lack operational experience or familiarity with the core systems a business uses.
Another issue is that the investment needed for back-office IT projects often suffers at the expense of the investment given to higher-profile front-office systems. Funding may be insufficient, or timeframes may constantly slip as competing projects receive the green light.
Turning to improvised solutions
The compromises that arise from this constantly shifting environment often force middle and junior management to find ways to square the circle, using their expertise and resourcefulness.
In response, many managers and staff bridge the gaps that result with improvised solutions that will – hopefully – be replaced by corporate IT applications. For example, Excel spreadsheets are a popular choice for staff to use as a temporary fix, while the IT function develops a long-term solution to the problem.
While fixing the short-term problem, the prized power and flexibility of spreadsheets pose a significant operational risk.
Firstly, spreadsheets lack the controls found in corporate IT applications, so auditability and transparency are lacking. It can be unclear who made changes to a spreadsheet and who reviewed and approved it. It is also difficult to enforce any workflows needed to review and approve changes to spreadsheets.
There is little visibility of missing data or errors in spreadsheets that can lead to operational issues. Users can also easily fall into the bad habit of hard-coding information into cells, again with no transparency, leading to data quality issues and errors. Finding and updating these hard coded cells is time-consuming and error-prone.
In an ideal world, banks would replace these spreadsheets with corporate IT applications, but as we’ve seen, this is impractical. Instead, institutions need to accept that spreadsheets, and the risks involved, will feature in many core business processes, in one way or another, for the foreseeable future.
So, what can banks do to bring the management of key spreadsheets in line with corporate IT applications, reduce the risks involved, and address regulators’ concerns?
How to mitigate spreadsheet risk
The first step is creating a spreadsheet inventory.
This provides a foundation for centralizing the management, review, and visibility of the critical spreadsheet estate used in the business. It also provides a repository for the documentation essential for defining and controlling the core spreadsheets used in a company.
The next phase is the proactive monitoring of the critical spreadsheets.
This is done to ensure that changes are transparent to all and minimizes issues related to missing data, flawed calculations and formulas, or stale data.
The last phase – Discovery – is where companies find mission-critical spreadsheets they need to manage that are not included in the inventory.
The key here is to find the most significant spreadsheets used, defined by a range of parameters, including who uses a file, how often it is changed, what other applications and data sources it is linked to, and other relevant criteria. User input can be included here to refine the search criteria.
While fixing the short-term problem, the prized power and flexibility of spreadsheets pose a significant operational risk.
Mitratech offers a powerful and proven spreadsheet risk management solution that helps mitigate their spreadsheet risk. Learn more here.
Manage your Shadow IT spreadsheets
With ClusterSeven, take control of the End User Computing assets hidden across your enterprise that can create hidden risk.