The PRA & Regulatory Reporting: Spreadsheet Risk Management
Here is another development demonstrating why implementation of spreadsheet risk management is an urgent concern for financial services organizations.
The UK’s prime banking regulator – the Prudential Regulatory Authority (PRA) – recently contacted the CEOs of UK banks and building societies, highlighting their disappointment in finding issues around the quality of the systems and processes used to prepare regulatory reports submitted by many financial institutions.
In its “Thematic Findings on the Reliability of Regulatory Returns,” one concern the PRA raised was that firms did not always apply the same effort and diligence to their regulatory reporting as they did with the financial reports they provided to their shareholders and counterparties.
Instead of an efficient, streamlined process with clear lines of responsibility and proper ownership, the PRA found that the regulatory reporting process for many institutions is fragmented, manual, and potentially error-prone. The process often lay with small teams who were unaccountable to the PRA and often lacked outside scrutiny and proper management oversight.
A particular area of concern for the PRA was how spreadsheets featured heavily in many regulatory reporting processes and workflows, as this reflects the ad hoc nature of regulatory reporting uncovered by the PRA’s research.
The PRA has highlighted spreadsheet risk as a significant weakness for many institutions and has tasked many to draw up plans to address the issue. They will be looking for evidence of grip and progress in short order.
So, what do you need to do as best practices in an effective spreadsheet risk management program?
How to lower your spreadsheet risk
Here, as with MRM and Reconciliation, your first step is to build an inventory of the key spreadsheets. This is your foundation for building a spreadsheet risk management capability that gives you the appropriate level of control over your EUC estate to satisfy regulators.
An inventory offers you multiple capabilities. It provides a one-stop-shop to see at-a-glance your most sensitive regulatory reporting spreadsheets, regardless of where they are located – on PCs, on file shares, on SharePoint sites, or in cloud computing environments.
It also provides a platform for document management so that the EUCs in use can have their structure, purpose, ownership, and change history (for example, shared with others for review). It provides a change control capability so that changes made to spreadsheets can be monitored and registered by user and approver for review later. A spreadsheet inventory brings enterprise levels of control to a fluid and dynamic application environment, and is essential to spreadsheet risk management.
With a centralised inventory in place, the firms need to proactively monitor the key reporting spreadsheets so that changes can be monitored, and issues identified quickly before they can have a material impact on the business. Automated reports can capture this information, so that changes, issues and enhancements to the critical spreadsheets can be recorded, ready for use by management, regulators, and others.
The final phase is discovery, where you ensure the completeness of your inventory of critical spreadsheets that are core to the reporting process, whether a data store, calculator, model, or as part of the reconciliation process. A search across the entire estate is needed to find all the key spreadsheets in the reporting process. A less-than-complete search can mean that key spreadsheets are overlooked and fail to satisfy the regulator.
Searches need to be carried out regularly so that new, relevant spreadsheets added to the estate can be identified and monitored quickly.
How to best mitigate this risk? With leading technology…
Mitratech offers a market-leading, proven, and scalable spreadsheet risk management platform that provides enterprise-strength control and management levels. In use with some of the most demanding financial institutions in the world,