An analysis of the latest Dear CEO letter highlighting spreadsheet and EUC risks
The trend continues. Regulators globally are placing increased pressure on companies to more effectively manage their spreadsheet and end user computing (EUC) risk programs.
The most recent example of this is the Prudential Regulation Authority (PRA) Dear CEO letter. The letter focuses on spreadsheets and other EUC applications utilized as part of the regulatory reporting process. The PRA’s message is clear; ensure you have the proper regulatory reporting governance program in place with clear ownership and controls. Also, be prepared to make the appropriate investment into the initiative.
In this blog post, you’ll learn about the key points of the letter with actionable steps you can take.
Section 1: Governance & Ownership
Issue 1: This is a senior management issue. Program ownership should not be pushed too far down in the organization nor should it be distributed across many stakeholders.
- Companies with fragmented, complex processes often had the biggest gaps
- Responsibility should not be shared by too many people or teams
Issue 2: Many companies faced poor governance around key regulatory interpretations.
- Companies had limited documentation, review, & sign-offs
- Limited flexibility when companies need to update interpretations and judgments, given these are often hard-coded into systems
How you can address governance & ownership
Any effective program begins with defining a governance model and building a policy with senior management ownership. Clearly defining roles and responsibilities are critical to address PRA concerns, as is implementing flexible systems to enable the policy. As with all policy and governance programs, you must ensure senior management takes responsibility and endorses the program and its importance. This goes a long way to also ensure stakeholder accountability.
Section 2: Controls
Issue 1: Lack of controls around models, spreadsheets, and other EUC applications.
- Given the reliance on models and EUC applications, particularly those built using spreadsheets, the PRA has found that controls are deficient
- When controls are in place, they are often ineffective – model changes & spreadsheet reviews were explicitly mentioned
Issue 2: Limited program visibility into controls effectiveness & inventory documentation.
- Lack of documentation was highlighted at every step of the process
- EUC file inventories were inaccurate
- Controls were not documented
- Limited documentation led to a lack of understanding of controls and their effectiveness
How you can address controls
It is impossible to control a critical model or EUC file if you do not know where it is. Therefore, building a comprehensive and accurate inventory of all EUC files & models involved in the regulatory reporting process is critical. Software solutions are used across financial services, and other industries, to ensure critical files are programmatically discovered and inventoried.
This same technology is then used to apply the necessary controls with special attention given to spreadsheets. This ensures controls not only remain effective, but also that companies can report against their controls’ effectiveness (without heavy, manual intervention).
Section 3: Data & Investment
Issue 1: Limited investment into the regulatory reporting processes has led to reliance on manual processes & controls.
- Companies often rely on manual intervention to bridge the gap between their system and data issues
- No strategic investment has been made into this area
Issue 2: Targeted investment into data.
- Investments into data quality leads to less data errors
- Less downstream impacts and manual ‘fixes’ are required
How you can address data and manual processes
While simple, taking the PRA’s advice here is the correct course of action. Investing into flexible systems and quality data can help companies greatly improve in this area. While the exact technologies will differ, the overall goal is to reduce the reliance on manual processes in regulatory reporting. Companies will realize significant ROI by reducing manhours spent on activities that ‘bridge the gap.’
The PRA’s letter follows a global trend. In short, regulators are strongly recommending companies to understand and control the inherent risks of models and EUC applications. Wherever you are in your EUC application & model governance lifecycle, we’re here to help.
If you need a good place to start, take a look at our sample EUC policy.