Unless you were trapped on a desert island over the last few months, it’s unlikely that you missed the Société Générale scandal and the resulting teeth-gnashing about the need for stricter controls and oversight in the financial services industry. While I’m all for better access and process controls leading to improved segregation of duties, I wonder if a larger point was missed. No matter how carefully we design our processes, events will happen which fall outside preconceived boundaries. Sometimes these exceptions will be the result of malicious behavior (rogue traders), but more often they are caused by human fallibility (simple errors).
Instead of just trying to control systems, high-performing organizations should consider a priori what they will do if these unexpected outcomes occur. This is enterprise risk management at its heart. Long before risks occur, organizations should plan for their eventuality by documenting the organization’s appetite for individual risks and establishing multiple resolution strategies should any of them pass an agreed-upon acceptable threshold. Coupled with proactive monitoring of risk inside business processes, this lets organizations respond quickly to exceptional situations and limit the potential impact.
Enterprise risk management systems have been used to track financial, operational, and even environmental risks with much success. However, in “On SocGen and spreadsheets: the similarities”, Dennis encourages us to consider the risk of basing enterprise processes on spreadsheets. In these days of trying to make enterprise software sexier by targeting self-reliant business users, the common spreadsheet seems like nirvana: little to no IT involvement, freedom to publish and update data on the fly, and ultimate portability. But with this increased individual freedom comes increased risk to the larger organization.
What should we do about this? Unlike Dennis, I doubt that a change in attitudes will hasten the decline of spreadsheets in the enterprise. Despite working for the world’s leading provider of business software, spreadsheets abound in my daily work life. And while I’m encouraged by our own move to retain the familiar spreadsheet user experience while injecting business process flows and accountability, I think that the world has a long way to go.
Rather than throwing up my hands in despair, I’ve been thinking about a certification process for data. The further it travels from its verified system of record, the more it might be judged as unreliable. This “reliability index” would allow the receiver of the data to judge his/her own risk threshold. Payroll data would need high reliability while planning data might have a looser threshold.
Imagine a company reporting its financials using this mechanism. Next to quarterly revenue would appear a reliability score which could be independently certified. As a personal investor, I would have a lot more confidence in my decisions.
I know that this scenario is a bit pie-in-the-sky but I can’t help wondering if spreadsheets helped Nick Leeson bring down Barings Bank in 1995.