
Is Excel really fit for purpose to run risk and compliance assessments?

Author: Anthony Quinn, CEO and Founder, Arctic Intelligence

I am often asked by prospective banking and consulting clients to help them justify why they should adopt RegTech and not continue using spreadsheets for managing risk and compliance engagements.

So it got me thinking and here are my top 15 reasons why RegTech beats Excel hands down!

1. Excel has no smart workflow, no audit history of comments or decisions made by reviewers or approvers – is 255 characters per cell enough to defend risk models when the regulators come knocking?

2. Excel formulas break and are prone to error – diagnosing issues is hard and with no automated testing on logical defects in model calculations – can you be sure there are no issues lurking in the logic?

3. Excel does not go through rigorous testing (system, UAT, PVT, regression, etc.) by firms that are ISO27001 compliant

4. Excel does not have live saving – if your model is corrupted, you will lose work – there are no proven backup/recover strategies that are ISO27001 compliant

5. Excel does not have any (let alone granular), field and data level user access controls and permissions based on role or function – do you really want anyone who has access to be able to add/edit/delete fields without any controls?

6. Excel can’t be used to upload documents – evidence supporting risks or control testing has to be stored elsewhere

7. Excel can’t be used for writing reports – information needs to be copied over into Word – inefficient double handling (and higher fees!)

8. Excel has basic analytics – why export data and then build reports in another system – double handling (more time, more fees!)

9. Excel is not easily shared with people – 100+ assessments is common – 100 spreadsheets emailed to 50+ users, updated offline and merged together manually is mind-bogglingly inefficient (think of all the wasted hours on this modern-day paper-chase!)

10. Excel starts blank – there is no content and even if there is, it is passed to clients and not maintained – no updates, no bug fixes, no enhancements, no API integrations

11. Excel can be hard to use for non-Excel wizards – where are the tooltips, in-application guidance, support widgets if you need help, help centres with video tutorials and FAQs? – an “instructions” tab is a lame alternative!

12. Excel is rarely maintained as risks and threats change – models get stale – we regularly see decades-old spreadsheets left with clients that are horribly outdated and rarely/barely understood – they are not updated when risks or obligations change – RegTech can push these changes through instantly

13. Excel does not come with compliance alerts of regulatory changes – after the job is done, consultants will rarely notify clients of new risks and threats, and they won’t give you updates to their new Excel models when they update them (unless you re-engage them!)

14. Excel is bad at delivering cross-divisional, cross-client, cross-industry or cross-country risk and compliance insights – think of all the Excel crunching to get that across a portfolio of clients or assessments – you can do this at the click of a button using RegTech!

15. Excel models are not influenced and improved by a user community of hundreds of engaged users providing quality feedback and suggestions, informing the roadmap of how solutions can be improved, benefiting all.

My view is that if you are a major bank managing risk and compliance assessments in spreadsheets, you are asking for trouble.

And if you are a consultant peddling spreadsheets as your bread and butter, you should really be thinking about whether there is a smarter way to deliver engagements that provide better value and an enriched client experience, resulting in “live” deliverables that can be used by your clients long after the project ends – think ongoing managed services (compliance checkpoints and the like!).

The real question clients should be asking themselves and their consultants is: why, in 2019, is Excel still fit for purpose in managing risk and compliance gap assessments, where the costs of getting things wrong could easily exceed a billion dollars?
