Skip to main content

Mitigating operational risk from spreadsheets: Businesses must take control

(Image credit: Image Credit: Pexels / Pixabay)

What do accountants, risk professionals and finance modellers have in common? Their perpetual love for spreadsheets. If you ever speak with them about using spreadsheets, it may closely resemble talking with children about their favourite superhero or barbie doll. They will happily talk to you about the incredible speed at which they can manipulate data, prepare financial models and reports. They will also talk about the flexibility spreadsheets provide and how they themselves have customised their own spreadsheets to make their lives easier and their companies more efficient.

There is no doubt that spreadsheets form a core part of any business and whether it’s for tracking expenses or managing complex and highly sensitive financial data sets, they are a universally essential business tool.

So, given their obvious benefits, why would an organisation as respected as Forbes magazine (opens in new tab)describe Excel as ‘the most dangerous software on the planet’?  Is it the addictive feeling of running the perfect formula? Or that some users just may not be able to handle the pure numerical truth of your bar graph?

No, it is simply because just one badly managed spreadsheet can open a business to risks that have the potential to singlehandedly cause colossal financial and reputational loss.

Risks unseen and unheard

Having spent decades as an Excel and financial risk specialist, I’ve learned that there are many ways in which spreadsheets and databases can go wrong. From small firms with just a few employees and spreadsheets to global firms with hundreds of thousands of spreadsheets, the risk remains the same. One spreadsheet can cause catastrophic harm. Regardless of who or what is to blame, the most alarming thing is that most business leaders are unaware of the potential damage spreadsheets and other end-user tools can cause. Businesses need to take note now and not only recognise the risks but also learn how to mitigate them. 

We recently polled a room of risk management professionals at an industry conference and alarmingly, only 33 per cent of people we asked said they had any kind of policy for managing everyday tools like spreadsheets (opens in new tab).

Nearly half of the people we polled (47 per cent) claimed their organisations use more than 1,000 spreadsheets for day-to-day work, and what’s more, according to research from the University of Hawaii, 20 per cent to 40 per cent of spreadsheets are thought to contain errors.

The cost of complacency

For an idea of the financial cost of spreadsheet errors, let’s cast our minds back to 2008 when Lehman Brothers went bankrupt and Barclays bought some of the company’s assets. It was reported that this included the unintentional purchase of 179 contracts which had been hidden rather than deleted in a spreadsheet containing nearly 1,000 rows and 24,000 cells.

However, when the spreadsheet was converted into a PDF to be posted to the bankruptcy court’s website, the hidden cells reappeared. Although Barclays Capital filed a legal relief motion, in the end it was reported that they had to swallow the losses for an undisclosed sum.

In another more recent instance in March 2019, less than a week after posting its latest quarterly earnings, Canopy Growth Corporation, the largest cannabis company by market value, had to issue a correction. The Canadian firm said it was restating one metric in its fiscal third-quarter and nine-month earnings release after a formula error in a spreadsheet. The Smiths Falls, Ontario-based company said the nine-month adjusted EBITDA figure should have been a loss of C$155.2 million ($117.8 million) but was incorrectly stated as a loss of C$69.0 million ($52.4 million). Apparently as a result, the organisation’s shares fell by 3.7 per cent pre-market. These cases don’t even go into the world of legal compliance and data regulation, so we’ll save that for another time.

To err-or is human

There are numerous possible points of failure, especially when you consider the quality of spreadsheet output has (up until now) usually been dictated and controlled by just one human working on computers using software with, at best, some manual checks.

Firstly, the challenge of multiple users copying someone’s “good” spreadsheet and making their own amendments without knowing the breadth of formulae and underlying structure should be of concern. With different people doing different things, often using different methods to manage the same or similar set of data, it is easy to see how quickly errors can escalate.

Such situations are very relatable and can happen to any business large or small, with the implications for version control alone leaving any business exposed to risk, especially if there aren’t mandated ways of working, or special document control protocols.

So, one perfectly natural reaction is to restrict people’s access to data, documents or processes, relying on a single expert with ultimate oversight. A typical scenario in smaller companies, where fewer contributors should, theoretically lead to fewer mistakes and more controlled ways of working.

This is great until that one controller then becomes a single point of failure without the back-up of proofing or cross-checking from other teams, let alone potentially overloading work on a single person.

Finally, the hardest to spot errors come in the shape of formulae or code errors themselves and whilst these can be completely beyond anyone’s control, there are some user habits that don’t necessarily help. 

For example, if you repeatedly copy formulas from book to book, or use a single sheet for too long, formulas can fail but go unnoticed due to the trust built up by the users in their long-suffering spreadsheet.

To mitigate is divine

So, how do companies protect themselves against these risks and mistakes regardless of where they come from? For me, the solution is two-fold. Firstly, every business should have an executable compliance policy for managing how all data is handled and allow software to instantly, and cost effectively verify compliance to the policy.

These policies should give guidance to staff on how to manage data, how to use and save spreadsheets in uniform ways and help reduce user errors and boost accuracy.

To back this up, companies should look to the latest technological tools including advances in AI and cloud computing as a means of double-checking, securing and locking down the most important data. This is why my team at Brickendon has built a customisable solution capable of scanning the most complex networks of spreadsheets to automatically detect inconsistencies, mis-performing formulas and/or erroneous trends in version control.

Fast and easy-to-use, EUCplus lets businesses take control of their data and protect their business. It takes away the risk, but still lets organisations carry on with business as usual. It is a simple process to ratify changes to models and calculations, whilst allowing day-to-day data changes to happen as usual.

We named the system EUCplus – or ‘End-User Computing plus’, because we saw the need for a tool that would go well beyond the limits of human error-checking or proofing and perform at great pace. By registering, scanning and securing the data, EUCplus gives businesses the peace of mind they need to get on with their day jobs.

By keeping the flexibility and simultaneously removing the risk from spreadsheets, EUCplus will enable organisations to safely allow spreadsheets to be used by any employee needing to manipulate financial data, rather than limiting access to only ‘love-struck’ accountants and risk analysts. After all, the immense flexibility and multiple functional abilities of spreadsheets do suggest they deserve more credit than they usually get.

Christopher Burke, CEO, Brickendon (opens in new tab)

Christopher Burke, CEO, Brickendon and EUCplus, is an excel and risk management specialist with decades of experience in mitigating such risks.