Spreadsheet Risk Management: A Guide for the Perplexed
July 10, 2008
Spreadsheets are everywhere, in every corner of the enterprise, from human resources to treasury. They're the conduit for just about any finance process you can think of, from billing to budgeting. And they're a growing concern for many organizations because "they continue to proliferate, and to do so in areas that are highly judgmental and highly non-routine -- which is really why people use a spreadsheet for them in the first place," says Edward Hill, managing director with global consulting and internal audit firm Protiviti.
"You'd be amazed at the different things they're used for, like calculation of legal reserves and calculation of almost any of your big reserve balances," Hill adds. "If you look at the impact that could have on financial reporting, it's pretty straight and pretty direct."
If you're daunted by the sheer scope of the spreadsheet risk management challenge, you're not alone. Despite increasing awareness of the exposures and mounting pressure from regulators, few organizations really understand the problem or what they need to do about it, according to a new report from Protiviti. The study, in the form of fifty or so "frequently asked questions," aims to dispel some of the confusion.
The first step in confronting spreadsheet risk is to identify your complex and business-critical spreadsheets, according to Hill. Software can help here. Automated scanning tools can inspect all of the spreadsheets on your servers -- which may number in the millions in a typical search -- and flag potentially high-risk files. But Hill recommends instead simply meeting with process owners and department heads in critical areas of the business, especially in the functions that are most dependent on spreadsheets and those that have had spreadsheet-related problems in the past.
Next, you have to address specific risks such as high levels of complexity in formulas, high volume of linkages to other systems, or design elements that could increase the likelihood of errors (for example, hard-coding of numbers or assumptions into formulas). "You need to have some sort of process whereby the spreadsheet is initially OK'd for use," says Hill. "If it's supposed to calculate value at risk, does it do that? You have to evaluate the current integrity of the spreadsheet."
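The indicators named above (formula complexity, links to other files, hard-coded numbers) can be checked mechanically. The following is an added example, not code from the article or the Protiviti report; it runs over constructed formula strings, and its regexes, nesting threshold and function names are assumptions.

```python
import re

# Constructed sample (cell -> formula); not taken from the article or the report.
SAMPLE = {
    "B2": "=SUM(B3:B40)",
    "C5": "=B5*1.0825",
    "D9": "=IF(A9>0,IF(B9>0,IF(C9>0,B9*C9,0),0),0)",
    "E1": "='[fx_rates.xlsx]Daily'!$B$4*E2",
}

STRING = re.compile(r'"[^"]*"')
EXTERNAL = re.compile(r"\[[^\]]+\.xl[a-z]{1,2}\]", re.I)  # [workbook.xlsx]
QUOTED_SHEET = re.compile(r"'[^']*'!")
CELL_REF = re.compile(r"\$?[A-Z]{1,3}\$?\d+")
NUMBER = re.compile(r"(?<![\w.$:])\d+(?:\.\d+)?(?![\w.(!:])")
IGNORED = {"0", "1"}   # assumption: 0 and 1 are rarely business assumptions
MAX_DEPTH = 2          # assumption: deeper nesting counts as "complex"


def nesting_depth(text):
    depth = deepest = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        deepest = max(deepest, depth)
    return deepest


def assess(formula):
    """Return the risk indicators found in one formula string."""
    body = STRING.sub("", formula)            # text literals are not numbers
    findings = {}
    if EXTERNAL.search(body):
        findings["external_link"] = True
    stripped = CELL_REF.sub("", QUOTED_SHEET.sub("", body))
    constants = [n for n in NUMBER.findall(stripped) if n not in IGNORED]
    if constants:
        findings["hard_coded"] = constants
    depth = nesting_depth(body)
    if depth > MAX_DEPTH:
        findings["nesting_depth"] = depth
    return findings


def triage(cells):
    # Cells with at least one indicator, most indicators first, then by cell name.
    flagged = {c: assess(f) for c, f in cells.items()}
    flagged = {c: r for c, r in flagged.items() if r}
    return sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

A flagged cell is a prompt for review by the spreadsheet's owner, not proof of an error; structured table references and function names containing digits would need extra handling.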
The next step is to validate the process that you use every month or quarter to update the data. You may also need to set up a change control process so that the organization knows when an alteration is made and who made it. And you may need to consider security, backup, and recovery.
Of course, not every spreadsheet will need the full treatment. "Generally what you do is create gradients," says Hill. "You have your ad-hoc spreadsheets that everybody uses just for daily decision-making, and you probably have some general rules about those. Then you have your lowest level of criticality; you use them, but in a low-risk area. Those need to be on an access-restricted server so at least they're backed up." Spreadsheets ranked at a medium level of criticality will need more controls and security, and "at the very highest level you have to decide how are you going to address all of the issues," he says.
Software tools can help in many of these decisions, but in some cases they can run to six figures, according to Hill. So how many critical spreadsheets do you have to have in order to justify the purchase? That depends on the answer to another question: What spreadsheets do you have at risk and how much are you willing to spend to protect them? "In certain industries the answer is -- a lot," says Hill.
View the complete Protiviti report, "Spreadsheet Risk Management: Frequently Asked Questions Guide" here.
For an introduction to spreadsheet management software, see Robert D. Kugel's "New Tools to Enhance Excel" in our April 2007 issue.