Don’t wait until the horse has bolted
Overuse of spreadsheets is creating an inaccurate picture of a firm’s credit, market, liquidity and compliance risk. We can only see the tip of the iceberg…
The sudden collapse of Conviviality is a wakeup call for all C-suite members responsible for risk management. It should prompt searching questions about (a) their firm’s vulnerability to overuse of spreadsheets and (b) the limitations of naïve ROI assessments often used to determine Risk IT investments. Investors and other stakeholders should be asking the same questions.
Whilst the full facts around the Conviviality collapse remain unknown, the Company has already revealed that an “arithmetic error” led to a £5 million misstatement of estimated profits in its wholesale division. According to press reports (The Times, 9th April 2018), this was caused by someone erroneously entering a line in a spreadsheet months ago. £500 million was wiped off the company value and, whilst it would be absurd to suggest that the profit misstatement was the sole cause, spreadsheet risk was clearly a contributor.
This is a risk manager’s nightmare scenario. But, sadly, one that is not as rare as some senior executives would like to believe. Conviviality’s collapse is but the tip of the iceberg, having echoes of other recent incidents where “error prone” spreadsheets have played a role. One of the most famous is JP Morgan’s 2012 London Whale scandal, which cost the bank $5.8 billion in trading losses, $900 million in fines, regulatory censure and a lot of egg on its face. Again, the scale of these losses points to something more fundamentally broken but buried away in amongst all the contributing factors was the all-pervasive spreadsheet.
Below the water’s surface, and away from the glare of publicity, spreadsheet risk is a very real problem for most, if not all trading firms. Armies of operations, finance and risk personnel routinely experience small to moderate losses due to “operational risk”. Cumulatively these take their toll on profitability and spreadsheets play their part. Arguably, an even more important issue is larger “near misses” that are not captured or reported consistently (if at all), ironically because of the overuse of spreadsheets! Undoubtedly, risk executives at some firms are not seeing the full picture.
The problem with spreadsheets, as every risk manager will lament, is not restricted to the amplification of basic human input error. Overuse of spreadsheets makes it extremely difficult or outright impossible to perform basic risk aggregation, control and early warning tasks. In other words, risks just disappear into the swamp of manual processing, never to appear…until the horse has bolted and the stable doors are left flapping.
Why do some firms consistently lead the field in risk management investment and best practice, whilst others fail to invest, sometimes until it is too late? There is no simple answer to this and a myriad of factors such as culture, leadership and historical experience all play their part. Another factor is a rational response to the problem of too many projects chasing too little CAPEX budget; a Return on Investment (ROI) beauty parade.
Poor decisions are made when the ROI approach fails to recognise the inherent bias towards projects that can show regular projected revenue benefits or cost savings with little need to consider tail probabilities. On the other hand, a typical Risk IT project will struggle to make a compelling ROI based on cost savings alone. It becomes necessary to layer in assumptions about the size and probability associated with losses (and fines and reputation risk) that are avoided through better risk management. Forward-thinking firms take such an approach and are realistic in their assumptions, whereas others ignore this or are persuaded by the lack of recent loss experience (e.g. benign credit environment) and assign size and probability assumptions close to zero.
All that said, we need to be realistic that a world without spreadsheets is a fantasy. However, when it comes to risk management they absolutely must be used in a proportionate and controlled manner. Firms should seek cost effective and quick to implement risk management solutions, which include the capability to feed data contained on those infamous spreadsheets. This needs to be achieved via a standard interface with strong data controls, coupled with a common risk data warehouse across credit, market, liquidity and compliance risk to enable a true enterprise view.
Global warming won’t melt this iceberg. Act now before the horse has bolted and you are left having to answer serious questions about why human error and spreadsheets overuse are leaving your firm more exposed than you realise.