Andrew Sheen February 10, 2021

Don't Tell Your Regulator... (2)

"We use Excel to oversee our risks"

This blog is one of a series designed to identify common mistakes made by firms. It explains why the mistake is damaging and could lead to regulatory sanctions, a capital add-on and even a skilled persons review (S166). If you are making this mistake then you need to change your practice.


Having experienced significant problems with my Excel spreadsheets in the past, as they grew exponentially and their purpose changed over time, I was interested to hear in October that Excel was being used in England to hold key coronavirus data, and very saddened to learn that an issue had arisen that resulted in data being omitted from crucial reporting. Like me, many people will have thought negatively of this practice, without questioning their own reliance on Excel to hold critical risk data. 

Manage the risk…not the data

While I recognise that many firms use Excel to hold their operational risk data without any problems or concerns, I was reminded of a firm visit several years ago. The firm’s two-man operational risk team was trapped in an endless monthly cycle of:




As this process took roughly four weeks, it was clear the operational risk team was managing the data and not the risk. We discussed the possible benefits from obtaining risk software and in due course the firm purchased and implemented a GRC system. Subsequent visits revealed a significant improvement in the quality of risk management amongst the risk team, risk and control owners, Risk Committee members and the Board.

The risks from Excel

Risk data is critical to any firm and maintaining this information in Excel could:

  • Result in data being omitted or lost as the amount of data being held increases and the purpose of the spreadsheets changes, making end-user computing arrangements critical;
  • Create a cottage industry to manage the data and generate the reports required for risk committees:
      • Often holding data from various tools and sources without the ability to recognise potential linkages and emerging threats;
      • Utilising valuable resources that would have been better directed at managing risk, rather than the data;
  • Fail to keep pace efficiently with the growing number of customers, products and risks.

Investing in risk software

Anyone who, like me, has been involved in replacing a manual Excel process with formal risk software will have felt both liberated and empowered when they began to focus their attention on managing their firm’s key risk exposures. Because most off-the-shelf systems can manage data flows, send alerts to users, draw links across different tools and produce risk reports, much time will be saved and efficiencies generated. The resulting increase in the efficiency and effectiveness of the risk team will prove invaluable as firms struggle to adapt to the demands of a post-coronavirus environment.

While the cost and complexity of some of the systems available, together with the associated implementation costs, will be a barrier to some firms, I have recently seen simpler and cheaper systems that would benefit firms currently using Excel. In any event, these costs must be offset against improvements in efficiency and the quality of risk management.

Sending the right message

The decision to invest in a risk management system will send a strong message to the regulator that risk is taken seriously within a firm and improve the quality of information presented to the firm’s risk committees, internal and external auditors and supervisors. As the quality of risk information and risk management improves, the likelihood of regulatory sanctions decreases.

We hope you find this blog helpful. For a full overview of our approach to framework improvements, please contact us.