Spreadsheets: The Good, The Bad & The Risky
Spreadsheet Risk has become a worldwide epidemic. The central issue of Spreadsheet Risk is the danger posed by the prolific use of unregulated spreadsheets in mission-critical applications throughout industries, including medical, banking and government sectors.
Risk Integrated recently participated in the seventh annual conference of the European Spreadsheet Risk Interest Group (EuSpRIG) on July 5 - 7, 2006. Discussions at this conference held at the University of Cambridge, UK, showcased the impact spreadsheet risk assessment can have across industries, and brought notice to the severity of this issue.
Some key findings presented at the conference included serious weaknesses were found in publicly available clinical spreadsheets. Poor practice, error-prone construction, lack of documentation, lack of evidence of testing, and few controls on data and structural integrity were encountered in the spreadsheets examined.
The problems are not confined to financial applications. Clinicians and Medical establishments who continue to use untested or badly engineered spreadsheets in a clinical situation are placing themselves and their patients potentially at risk. Such mistakes are not only expensive, but could be life threatening.
Alongside the possibility of such severe mistakes, spreadsheets are also costly to operations as they strand some of the institutions most vital data out onto ‘islands’ of spreadsheets.
This often means they are unreachable by the central IT infrastructure, the consequences of which leads to re-keyed, delayed reporting, and simply a lack of knowledge as to what is really going on in the business.
By their nature, spreadsheets are very easy to create, without any specialist programming knowledge. This is the core of the problem. Spreadsheets written by non-programmers (and even by non-specialists) are used across industries.
Until recently, banking regulators and IT departments simply passed the buck. They took the view that spreadsheets were merely temporary prototypes dreamt up by the business units and useful for analysts to play with, that held no place in the enterprise computing infrastructure.
It was viewed as a system that would be discarded as soon as the "proper system" was rolled out. However, there is a danger of the "proper system" never coming to be.
For understandable reasons, there is a creeping increase in the use of spreadsheets for enterprise-level applications in financial and other institutions, with no defined parallel plan to build a "proper system".
Another common problem is that the plan to replace spreadsheets often involves a long difficult translation into another language. For example, the new Basel II regulatory framework encourages banks to build complex internal credit risk models in order to reduce their regulatory capital requirements, and hence improve their bottom-line.
These models are complex, detailed, deal-specific, and require specialist business knowledge from seasoned practitioners devising complex structures for commercial real estate and project finance deals.
Hence, the models are invariably written in spreadsheets, and cannot be transcribed to systems such as C++ without a near-complete loss of flexibility and business agility. Once the models are transcribed, it is often a difficult process for the original creator of the analytics to make any amendments or enhancements.
The good news is that software technology firms are responding to the needs of the spreadsheet users. Risk Integrated’s Enterprise Spreadsheet Platform (ESP), for example provides a server-based framework for managing and running spreadsheets in a fully-controlled and robust environment.
Other firms provide auditing, tracking, and testing tools, designed for mitigating various aspects of the risk of using spreadsheets. These approaches are finally allowing spreadsheets to be used as the basis of solid enterprise-level applications.
Now with appropriate management and infrastructure, spreadsheets are here to stay…and that is a good thing.
Yusuf Jafry, Risk Integrated, Founder & Chief Technical Officer
Entry Filed under: SUPPLIER AND TECHNOFIN®, Risk Management
Trackback this post