Thomson Reuters Press Release and BIPB
Spreadsheets: dangerous and ubiquitous?
Spreadsheets and other user-defined applications are still widely employed as risk management and control tools despite the inherent operational risks they pose to financial institutions and their vulnerability to fraud.
The Basel Committee on Banking Supervision said in its January 2013 paper “Principles for effective risk data aggregation and risk reporting” that financial institutions should deploy mitigants and controls around manual processes and desktop applications to protect against errors and fraud. Despite that advice, however, and plenty of evidence of the risk posed by spreadsheets, financial institutions have been slow to curtail their use and to replace them with enterprise risk systems or more automated processes.
“The BCBS has pointed to the fact that banks should not rely on what they call UDAs — user-defined applications. They were telling banks they shouldn’t use spreadsheets or, if they do, they should have an effective mitigant. But these are only snippets of regulation. There is no edict saying firms shouldn’t use spreadsheets, but there is plenty of evidence that the middle office in particular is too spreadsheet-centric. There are plenty of places where the regulator can find issue,” Neil Vernon, product development director at Gresham Computing, told Compliance Complete.
Spreadsheets remain ubiquitous, however, because they are relatively inexpensive, flexible and easy to use, whereas often the software designed to replace them for risk management and trading tasks is not. That means that even when new systems are introduced, the end users tend to revert to spreadsheets.
Are spreadsheets really dangerous?
User-defined applications such as spreadsheets are acknowledged to exacerbate risk on the trading desk, especially when it comes to internal trades. When a trade is made, many controls are executed over that transaction. Although many of those controls exist in spreadsheets, spreadsheets can easily be altered, lack auditability, harbour trading mistakes and are a weak spot that fraudsters can exploit.
“Controls are not in proper enterprise solutions. They’re in spreadsheets and they’re in databases. They’re in little gizmos someone has knocked up in 10 minutes to solve a particular point problem. The problem is those things break, because someone goes on leave, or they leave the firm or they just stop working. Even if they didn’t break, the reality is you don’t have the right level of audit and control in a spreadsheet,” Vernon said.
Problems with using spreadsheets can manifest themselves in a number of ways. One of these is that when errors occur on the trade date they are not picked up until the settlement date. This means that in some cases, for example with equities where settlement occurs three days after the trade, errors can remain unnoticed in the system for some time, giving rise to losses.
Most trades will go through a confirmation venue which provides a control environment as well as a certain amount of transparency, but internal trades, where trading desks within a firm are trading with each other, are often entered in a ledger or sub-ledger, making mistakes and fraud difficult to detect. That was one of the lessons learnt from the rogue trading incidents at Société Générale and UBS. In those instances fraudulent trades were buried in internal transactions that were not subject to the same kind of risk management and controls as external ones. The fact that spreadsheets are still used as risk management tools on the trading desk means that a lack of control around internal trading remains a weak spot for firms’ risk management practices.
Vernon said that this could lead to significant risks for firms as staff might be tempted to act fraudulently. “Where you’ve got an environment where you know an error won’t be picked up for days and days and you’ve got any inclination to commit fraud, you probably know the control environment is not sufficient to pick up that fraud for some time. Certainly the well-known frauds were out there a long time as a consequence of not having a proper control environment in place,” Vernon said.
Difficult to end use of spreadsheets
Spreadsheets are unlikely to go away despite attempts by regulators and management teams of trading firms to minimise the operational risk and the inaccuracy of categorising enterprise, market and credit risk. The reality is that although spreadsheets can meet most needs they are difficult to audit and operate outside a control environment.
“The authorities want to minimise those risks and want to minimise the use of spreadsheets. However, the other side of the coin is [that] the spreadsheet is simply too easy a tool to use for sketching out concepts and prototypes. It’s a user-centric computational tool that can be used in a lot of cases where software doesn’t do what you want it to do. Particularly at smaller firms where the IT staff is minimal or non-existent, end users need to rely on what they have,” Paul Rowady, senior analyst at the TABB Group, said.
In some instances the software systems introduced simply do not provide the end user with the kind of flexibility and ease of use offered by spreadsheets. The result is that despite good intentions, some of the replacement solutions have had low adoption rates. Some firms have spent a lot on new systems, which then gather dust as end users return to spreadsheets.
“We believe in self-service and end users having the flexibility and freedom to do what they want to do. Of course in an enterprise environment that does require governance, so how do you marry up those two concepts? Now there are ways of implementing some auditability and controls around the spreadsheets and then that leaves the business intelligence and analytics to pick up where the spreadsheets just can’t cope with the numbers anymore,” Charles Radclyffe, chief executive of BIPB, a data and analytics consultancy, said.
More controls, more automation
Spreadsheets give the illusion that there is a real control in place, whereas in fact there is none. What is more, running spreadsheets is a manual exercise requiring a lot of work on a task that these days can be easily automated. Using an enterprise risk system or placing more controls around spreadsheet use means risks or errors can be identified, escalated and addressed quickly.
“There are new tools that take user-defined spreadsheets and put an auditable wrapper around them to try and deal with the operational risk inherent in spreadsheets. The battle is being fought from the top and the bottom trying to minimise the use of spreadsheets and migrate to other solutions. For those use cases where the use of spreadsheets cannot be eliminated, firms should try to build better controls around them,” Rowady said.