Risk Identification and Assessment

Q & A: Controlling Spreadsheet Risk

Today, spreadsheets are a fixture in the operations of many companies.  They often play highly critical roles in areas like financial reporting and budget creation.  On the upside, spreadsheets offer end-users a customizable, readily available, user-friendly solution for achieving any number of business objectives.  On the downside, the same features that make spreadsheets useful can also generate substantial risk.  In a recent Protiviti publication, the firm presents more than fifty frequently asked questions and answers about spreadsheet risk and ways to effectively manage it.

How do spreadsheets create risk?

The underlying problem with spreadsheets is that end-users often develop and utilize their spreadsheets outside the watch of an organization’s normal IT development and risk oversight functions.  This creates the potential for a situation in which a poorly designed spreadsheet is being used to process critical business information.  The spreadsheet’s bad output is then fed back into the organization’s important processes and documents (e.g., annual budget, transaction analysis, SEC Form 10-K).  Protiviti provides several real-life examples of how spreadsheets create risk.

Why manage spreadsheet risk?

Protiviti mentions several reasons why spreadsheet risk should be managed.  Ultimately, mismanaged spreadsheets can create costly mistakes, primarily in terms of dollars and reputation.  Additionally, external auditors and regulators are mindful of spreadsheet risk.  A lack of control over spreadsheet risk can even be viewed as a significant deficiency in an organization’s system of internal control.

Guidance on managing spreadsheet risk

Much of this publication from Protiviti Inc. focuses on ways to evaluate and manage spreadsheet risk.  The following bullets are some of the key points Protiviti makes about handling spreadsheet risk:

  • Spreadsheet risk management should be championed by the very top of the organization.  Executive managers and others charged with governing the organization should understand spreadsheet risk and be able to communicate risk management policies downward through the rest of the organization.
  • One important feature of effective risk management is having clearly defined roles for managing spreadsheet risk.  Someone must “own” the risk associated with each spreadsheet.  Oftentimes, spreadsheet risk ownership is shared between an operational group or individual and the organization’s IT department.
  • Protiviti explains an approach to assessing spreadsheet risk that focuses on each spreadsheet’s “criticality” to the organization.  Criticality is mainly a function of the information input into the spreadsheet, the complexity of the spreadsheet’s design, and the eventual use of the spreadsheet’s output.
  • After identifying the most critical spreadsheets, organizations should implement a system for evaluating the control system in place for managing spreadsheet risk.  Protiviti suggests that existing, widely accepted IT control frameworks are often a good starting point for managing spreadsheet risks.

Conclusion

Spreadsheet risk contributes significantly to a company’s overall risk exposure.  With that in mind, spreadsheet risk management should ultimately be a part of an organization’s broader risk management approach.  The guidance provided by Protiviti Inc. in this publication can help organizations to more safely harness the power of spreadsheets in their operations while also improving enterprise risk management.

Original Source: “Spreadsheet Risk Management FAQs”, Protiviti, 2010