There’s no getting away from it. Spreadsheets have burrowed their way into just about every corner of financial markets. From in-house monitoring of trading conditions to the annual reporting of financial results, banks have repeatedly eschewed more suitable alternatives in favor of the cozy familiarity of manual data entry.
According to research from Chartis, as much as $12.1 billion within the world’s 50 largest financial institutions could be at risk from improper use of end-user computing (EUC) tools such as spreadsheets.
Recent history is peppered with examples of losses running into the hundreds of millions of dollars that have been caused by user error: the $6 billion trading loss a U.S. bank was hit with in 2012 due to a copy-and-paste error, the $1.35 billion of worthless U.S. bank contracts that a U.K.-based bank had to buy in 2008 due to a formatting error or erroneous transfers.
Such incidents should serve as a wake-up call for banks to take some form of remedial action. The problem is that the pervasiveness of spreadsheets across organizations makes it fiendishly difficult to move away from them.
But there are some things that firms can do to lessen this pain.
Finding the right strategy
The key to being successful in any major organizational change is finding the strategy that fits best. One of the difficulties is that, in many cases, the scale of the task ahead is so vast that it can seem quite daunting just to get started.
To be successful, firms need to be able to see the results of all their hard work paying off quickly.
This does not mean radically overhauling every single piece of offending technology at a single stroke. But it does mean giving careful thought to which parts of the business need to be changed first.
Here are the key stages that firms need to go through when establishing their own remediation framework.
- Develop a coherent governance and oversight framework to ensure that tools being deployed across the organization are used consistently. Senior management buy-in is vital to ensure smooth adoption of the framework throughout the enterprise.
- From there, a system for accurate record-keeping must be established and maintained in line with record-retention requirements, so that documents can be retrieved whenever they are needed.
- An inventory of EUCs that are actively in use across the different business units must be established. After all, it’s difficult to instigate change without a good understanding of precisely what needs to be changed. Assets need to be defined, grouped in a centralized location, and relevant details recorded using a common taxonomy.
- Once this is done, it is important to understand where the risks and shortfalls in the current approach lie, as well as what new dangers could be introduced by shifting everything over to a different platform.
- This risk assessment can then feed into the prioritization of those EUC assets that should be dealt with first, according to those that are considered most critical to the organization.
- It is important to establish a robust security framework so only authorized individuals can run and/or modify EUCs.
- Only once the above steps are completed should the firm start migrating the existing EUC systems over to new low-code or no-code platforms. These should be remediated according to the priorities and strategy developed previously.
- Data validation is important at this stage, with any data field not meeting the set validation requirements flagged in the documentation.
- A change control methodology is essential for governance, with each modification including the specific details of the change, exactly who made the change and the name of the person who authorized the change.
- The final stage is to enact a sustainable framework for maintaining and supporting the day-to-day operations of the firm-wide EUC ecosystem. This includes ongoing production and development support, testing and release management and continued user training.
Any organizational upheaval carries with it some risk, and it is vital that firms stay on top of this. After all, the main reason for embarking upon EUC remediation in the first place is to limit the dangers of costly mistakes further down the road. There is no point in reducing that risk only to introduce new risk elsewhere.
The classic “people, process, technology” approach is as relevant here as for any major company restructuring:
- People. Key stakeholders in the organization need to be identified and provided with appropriate training about the changes taking place.
- Processes. Easy-to-follow procedures should be developed to assess and monitor EUC risk, support development and guarantee sustainability of the daily operations of the EUC ecosystem.
- Technology. System requirements must be clearly defined to reduce reliance on manual processes and mitigate risk. A robust support strategy needs to be introduced to ensure the long-term viability of these changes.
Some thought must also be given to future-proofing EUC development across the entire organization. This means making sure that the new framework is scalable: developing a consistent set of standards and best practices, ensuring that future releases are properly documented and putting in place ongoing management training so that everyone is on board with the new way of doing things.
There are certain to be other fat-finger errors that will become known this year. Those organizations that wish to avert a similar disaster would do well to get their EUC remediation strategy in order sooner rather than later.