Enterprise spreadsheet risk management in 2023

As businesses reconsider their budgets this year, many are already taking extra cuts in 2023. We’ve already seen some layoffs at major banking and financial institutions, and if a recession happens, as firms such as BlackRock and JP Morgan have predicted, this will likely continue.

Restructuring spending is a natural reaction in tougher market conditions, but companies will regret cutting resources for data governance and risk management. Regulators are strengthening enforcement and issuing more fines for compliance errors such as compromised data and spreadsheet failures.

Robert Showers, CRO of Capital Markets and Bank Services for SaaS company Coherent

The last decade has seen regulators issue an increasing number of fines to banks with weak living-will plans involving the use of spreadsheets, fines that have made headlines in all key financial centers in the United States, Europe and Asia. In addition to the financial costs, this news can impact reputation. Among banks, the use of manual spreadsheet calculations and modeling to make business decisions is ever increasing. But to avoid repercussions, they will need to keep governance and tracking in check.

Spreadsheet error: The Achilles heel

Performance speed has often led to spreadsheet errors, and those errors are proving incredibly costly: misplaced data or calculations can make institutions lose billions of dollars and be fined millions more.

While there are numerous benefits to automating and integrating a bank’s spreadsheets, including bringing products to market faster and scaling successful ones more quickly, the most pressing issue this year is complying with regulatory rules for the software tool.

Excel has been an enterprise tool for decades, so why is this issue so critical now? It’s because regulators in the U.S. and the U.K. want financial institutions to take data governance in general — and spreadsheet risk, in particular — more seriously. Specifically, authorities want to see better implementation of BCBS 239, the section of Basel III that addresses spreadsheet risk. 

Since 2019, regulators have sent CEO letters to the industry highlighting failures to implement BCBS, especially around the lack of data automation and proper controls over spreadsheets and the potential risk posed by spreadsheet failures. Now, regulators globally are taking an enforcement-led approach of strengthening regulations, increasing oversight and issuing more fines for banks’ spreadsheet failures to bring more attention to the importance of compliance. 

The U.K.’s PRA is consulting on CP6/22’s “Model risk management principles for banks,” while the U.S. FR Y-14 reporting regulations will be strengthened in 2023 to require more accurate and timely P&L reporting, particularly in a “severely adverse scenario.” Regulators are implementing these new regulations because they believe that firms’ use of spreadsheet models will continue to increase and become more complex. However, previous reviews have found numerous data governance failures, particularly around reporting requirements.

What risks do spreadsheets pose?

Many of the concerns around spreadsheets stem from their ease of use. They can be adjusted with one click, making them vulnerable to overwriting. Often, many employees rely on a spreadsheet for tasks ranging from something as massive as tracking millions of data points to something as benign as quick sums.

But without appropriate documentation of key processes, risk assessments and judgments, spreadsheets are also a compliance landmine, leading to improper management. Regulators are cracking down after discovering that several firms were not formally registering working files as EUCs (end-user computing applications), and others have no program of ongoing reviews of the underlying logic.

Regulators argue that lack of controls makes it difficult to generate accurate returns, particularly at speed during periods of market volatility.

Preparing for heightened banking regulations

Not only will proper compliance save a firm potentially millions (if not billions) of dollars, but it will also create a culture that is more strategic. 

Software add-ons to Excel can be incredibly valuable in assisting employees with compliance tasks. They can create better accounting of spreadsheets so they cannot be overwritten, help manage reports, and flag and manage risks before they become a company’s headache. Regardless of which solution a company takes, it will need some strategy in place to govern increased operational risk exposure. The key will be implementing this strategy before it’s too late.

Robert Showers is CRO of Capital Markets and Bank Services for Coherent, a global SaaS company that converts spreadsheet business logic into enterprise-grade code for financial institutions and insurance companies.