PRMIA Intelligent Risk - June, 2018

Page 58

spreadsheet risk case studies. why should the CRO care?

by Craig Hattabaugh If you are wondering why a CRO with strategic responsibilities should even think about something so seemingly tactical as spreadsheet risk, then read further. Recent (March 2018) events at Conviviality Plc (LON: CVR), shows a timeline with the CEO resigning just 13 days after her CFO became aware of a material error in a forecast spreadsheet. Soon after that, the company filed for protection. This unfortunate series of events was not attributable solely to that spreadsheet error. But it was material, and it was the catalyst for increased scrutiny that discouraged existing lenders and potential investors. The two takeaways are:

1. Material weaknesses in controls can cost you your job. If the CEO job is not safe, then neither is yours. 2. Spreadsheets (and other end-user controlled computing applications) typically have weak (if any) controls. People caused the error, but risk technology could have minimized the likelihood.

what is the core issue amplifying EUC risk? The short answer is weak, ineffective controls for end-user computing applications. In March 2018, VBS Bank was put under curatorship by the South African Reserve Bank due to large financial losses. These were alleged to involve fraudulent manipulation of spreadsheets in critical financial processes. In April 2018, Samsung Securities lost over $300 million of market capitalization and one of their largest pension customers. A human error exposed the weakness of their controls as the potential $120 Billion (yes, billion) impact became public. At Conviviality, a series of acquisitions necessitated the short-term use of spreadsheets to facilitate financial reporting. In their high growth culture, its fair to assume the controls on those spreadsheets were minimal, if any. In the end, humans are fallible. Operational error and fraud can take many forms and have different causes. But through it all, effective controls are your primary defense and risk technology can help you apply and enforce them.

how does spreadsheet risk manifest itself? Spreadsheets and other end-user computing applications are not managed by IT. They are unstructured and lack many of the controls applied to accounting and other enterprise systems. The line of business relies on them as the speed/agility of using such tools are key to innovation and competitive advantage. Given that Excel is ubiquitous and assuming there have not been any problems in your company, what is the likelihood of a material error?


Intelligent Risk - June 2018