Spreadsheet Risk Issues

It is interesting to note that the riskiness of operational spreadsheets are overlooked even by companies with high standards of risk management. Only when errors amount to actual losses do they realize that these risks have been staring them in the face all along.

Common spreadsheet risk issues

Susceptibility to trivial manual errors

Due to the fundamental structure of spreadsheets, a slight change in the formula or value in any of their inhabited cells may already affect their overall output. An

  • accidental copy-paste,
  • omission of a negative sign,
  • erroneous range selection,
  • incorrect data input or
  • unintentional deletion of a character,cell, range, column, or row

are just some of the simple errors spreadsheet users frequently encounter. Rarely are there any counter-checking controls in place in a spreadsheet-based activity and manual errors therefore easily go undetected.

Possibility of the user working on the wrong version

How do you store spreadsheet files?

Since the most common reports are usually generated on a monthly basis, users tend to store them using variations of these two configurations:

spreadsheet storage

If you notice, a user can accidentally work on the wrong version with any of these structures.

Prone to inconsistent company-wide reporting

This happens when a summary or ?final? spreadsheet is fed information by different departments coming from their own spreadsheets. Even if most of the data in their spreadsheets come from one source (the company-wide database), erroneous copy-pasting and linking, or even different interpretations of the same data can result to contradicting information in the end.

Often defenceless against unauthorised access

Some spreadsheets contain information needed by various individuals or department units in an organisation. Hence, they are often shared via email or through shared folders in a network. Now, because spreadsheets don’t normally use any access control, any user can easily open a spreadsheet file and view or modify the contents as he wishes.

Highly vulnerable to fraud

A complex spreadsheet system with zero or very minimal controls provides the perfect setting for would-be fraudsters. Hidden cells with malicious formulas and links to bogus information can go unnoticed for a long time especially if the final figures don’t deviate much from expected values.

Spreadsheet risk mitigation solutions may not suffice

Inherent complexity makes testing and logic inspection very time consuming

Deep testing can uncover possible errors hidden in spreadsheet cells and consequently mitigate risks. But spreadsheets used to support financial reporting are normally large, complex, highly-personalised and, without ample supporting documentation, understandably hard to follow.

No clear ownership of risk management responsibilities

There?s always a dilemma when an organisation starts assigning risk management responsibilities for spreadsheets. IT personnel believe users in the business side of the organisation should be responsible since they are the ones who create, edit, store, duplicate, and share the spreadsheet files. On the other hand, users believe IT should be responsible since they have always been in-charge of managing IT infrastructure, applications, and files.

To get rid of spreadsheet risks, you’ll have to get rid of spreadsheets altogether

One remedy is to have a risk management activity that involves both IT personnel and spreadsheet users. But wouldn’t you want to get rid of the complexity of having to distribute the responsibilities between the two parties instead of just one?

Learn more about Denizon’s server application solutions and how you can get rid of spreadsheet risk issues.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

Malware

In the past, viruses were created with the sole purpose of wreaking havoc on the infected systems. A large fraction of today’s malware, on the other hand, are designed to generate revenues for the creator. Spyware, botnets, and keyloggers steal information from your system or control it so that someone else can profit. In other words, the motivation for making them is now more attractive than before.

Keyloggers can reveal your usernames, passwords, PIN numbers, and other authentication information to their creators by recording your key strokes. This information can then be used for breaking into various accounts: credit cards, payment programs (like PayPal), online banks, and others. You’re right, keyloggers are among the favourite tools of individuals involved in identity theft.

Much like the viruses of old, most present day malware drain the resources, such as memory and hard disk space, of contaminated systems; sometimes forcing them to crash. They can also degrade network performance and in extreme cases, may even cause a total collapse.

If that’s not daunting enough, imagine an outbreak in your entire organisation. The damage could easily cost your organisation thousands of euros to repair. That’s not even counting yet the value of missed opportunities.

Entry points for malware range from optical disks, flash drives, and of course, the Internet. That means, your doors could be wide open to these attacks at this very moment.

Now, we’re not here to promise total invulnerability, as only an unplugged computer locked up in a vault will ever be totally safe from malware. Instead, this is what we’ll do:

  • Perform an assessment of your computer usage practices and security policies. Software and hardware alone won’t do the trick.
  • Identify weak points as well as poor practices and propose changes wherever necessary. Weak points and poor practices range from the use of perennial passwords and keeping old, unused accounts to poorly configured firewalls.
  • Install malware scanners and firewalls and configure them for maximal protection with minimal effect on network and system performance.
  • Implement regular security patches.
  • Conduct a regular inspection on security policy compliance as well as a review of the policies to see if they are up to date with the latest threats.
  • Keep an audit trail for future use in forensic activities.
  • Establish a risk management system.
  • Apply data encryption where necessary.
  • Implement a backup system to make sure that, in a worst case scenario, archived data is safe.
  • Propose data replication so as to mitigate the after effects of data loss and to ensure your company can proceed with ‘business as usual’.

Once we’ve worked with you to make all these happen, you’ll be able to sleep better.

Other defences we’re capable of putting up include:

Data Leakage Prevention – Protecting Sensitive Information

When DuPont lost $400 million in intellectual property, it wasn’t because a hacker from the other side of the world infiltrated their system. The information was simply stolen by a former employee. Alarmingly, data loss incidents are not always caused by deliberate actions.

A file containing personal information accidentally attached to an email and sent to multiple recipients; financial data stored in a USB pen drive, accidentally left in a restaurant; or bank account data of colleagues, inadvertently posted on a company website – these are also some of the everyday causes of data loss.

A report done by research company Infowatch regarding global data leaks in 2010 showed that there were actually more accidental data leaks in that year compared to intentional ones. Accidental leaks comprised 53%, while intentional leaks comprised 42% (the rest were unidentified).

But even if they ?only? happened accidentally, breach incidents like these can still be very costly. The tens of thousands of dollars that you could sometimes end up paying in civil penalties (as in the case when you lose other people?s personal information) can just be the beginning. More costly than this is the loss of customer and investor confidence. Once you lose those, you could consequently lose a considerable portion of your business.

Confidential information that may already be leaking out right under your nose

With all the data you collect, process, exchange, and store electronically every day, your IT system has surely now become a storehouse of sensitive information. Some of them, you may be even taking for granted.

But imagine what would happen if any of the following trade secrets fell into the wrong hands: marketing plans, confidential customer information, pricing data, product development strategies, business plans, supplier information, source codes, and employee salaries.

These are not the only kind of data that you should be worried about. You could also get into trouble if your sloppy IT security fails to protect employee or client personal information such as their names; social security numbers; drivers license numbers; or bank account numbers and credit/debit card numbers along with their corresponding PINs.

In some countries, you could face onerous data breach notification requirements and heavy fines when these kind of data are involved.

There are now more holes to plug

It’s not just the different varieties of sensitive electronic information that you have to worry about. Because these data can take on different forms, i.e. data-at-rest, data-in-motion, and data-at-the-endpoints, you also need to take aim at different areas in your IT system.

Sensitive information can be found ?at rest? in each of your employees? hard disks, in your servers, storage disks, and in off-site backup disks. They can also be found ?in motion? in email, instant messaging, social networking messaging, P2P file sharing, ftp, http, and so on.

That’s not all. Your highly mobile workforce may have already introduced yet another high-risk area into your system: data-at-the-endpoints. This includes USB flash-disks, laptops, portable hard disks, CDs, and even smartphones.

The main challenge of data leak prevention

Having been made aware of the various aspects of data leakage, have you already come to grips with the extent of the task at hand?

There are two major things you need to do here to prevent data leakage.

One, you need to identify what data you have that can be considered as sensitive/confidential information. Of course you have financial information and employee salaries in your files. But do you also store personally identifiable information? Do you have trade secrets that are stored in electronic form?

Two, you need to pinpoint their locations. Are they only on your hard disks and laptops? Or have they made their way to flash drives, CDs/DVDs, or portable HDDs? Are they being transmitted through email or any other file transfer media?

The reason why you need to know what your sensitive data are as well as where they are is because you would like all efforts of securing them to be as efficient and unobtrusive as possible.

Let’s say, as a way of protecting your data, you decide to implement encryption. Since encryption can consume a lot of storage space and significantly reduce performance, it may be impractical to encrypt your entire database or all your files. For the same reason, you wouldn’t want to encrypt every single email that you send.

Thus, the best way would be to encrypt only the data that really need encryption. But again, you need to know what data needs to be encrypted and where those data can be found. That alone is no simple task.

Not only will you need to deal with the data you already have, you will also have to worry about the data that will go through your systems during the course of your day-to-day transactions.

Identifying sensitive data as it enters or leaves your system, goes through your network, or gets stored in your file system or database, and then applying the necessary security actions should be done automatically and intelligently. Otherwise, you could end up spending on a lot of man-hours or, worse, wasting them on a lot of false positives and negatives.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Implementing Large-Scale Complex Business Change

Sometimes, driving your people to work harder is not enough for your organisation to withstand the pressures laying siege to it. With uncertain economic conditions, unpredictable fresh competition, and looming threats from the environment or even pandemic-grade diseases, empowering your people to not only ‘think’ but also to ‘step’ out of the box is currently the name of the game.

However, such initiatives typically require sweeping changes throughout your entire organisation … and to think even the slightest change is often met with hard resistance.

Whether you’re about to undergo an M&A, relocate due to a major catastrophe, scale down to a skeletal workforce, or implement a brand-new company-wide strategy, our systematic approach to large-scale complex business change can help you make the transition as seamless as possible.

We understand the importance of the human aspect in change management. That is why we’ll focus on making your people appreciate the benefits of having to learn new skills, perform new tasks, employ modern technologies, and go through new processes in order to tone down the resistance level.

Our entire process spans from top to bottom, wherein we’ll start with your sponsors, down to your managers, and then to other stakeholders in making them appreciative of the needed changes and in order to achieve alignment with your organisation’s goals. Our top to bottom approach is also aimed at casting a positive “shadow of the leader” on people down the line, enabling them with an optimistic view despite the gruelling tasks before them.

We invite you to have a look at the steps we take in implementing large-scale complex business change to win over a strong and lasting commitment to it.

Evaluating the Required Change

Large-scale complex business change initiatives can be implemented expeditiously and economically if you’ve clearly defined the scope of the change as well as the forces that shape your organisation. You’ll want to know which areas yield easily and which are hard to change to determine where and how you’re going to focus more of your efforts on.

To arrive at a sound and systematic plan, we first gather as much information as needed and analyse them. We determine whether your departments have the required capabilities and how we can arrive at a clear organisational alignment. That way, we don’t waste time, effort and resources when the moment comes to carry out the plan.

These are some of the diagnostic procedures we perform in evaluating the required change.

  • Change complexity analysis. We’ll assess the contribution of people and task factors to the overall complexity of the change project. This will help us determine how to approach the problem efficiently.
  • Causal analysis. By establishing cause and effect relationships, we can identify root or circular causes. This will allow us to pinpoint problem areas and prevent a repetition of past mistakes.
  • Structural analysis. Any company is propped up by a number of structures: organisational, process, motivational, social, and physical, among others. Understanding the structures that drive, motivate, hamper, connect, and influence your people’s behaviours can provide insights as to how or where structural change can best be executed.
  • Context analysis. We’ll look into market forces as well as political, economic, social, technological, legal, and environmental factors enveloping your business. We’ll also analyse your driving objectives, organisational alignment, and organizational capabilities. By analysing the internal and external environment in which your business currently operates, we can formulate a customised strategic and effective plan of action.

Managing Stakeholders

Change initiatives won’t prosper without total commitment from all stakeholders. Stakeholders refer to people in your organisation who either have interests in the change project or can be affected by it.

We deal with your stakeholders starting from the top because if we can’t gain full commitment from those already in the best position to spur the diverse entities in your company into active cooperation, striving to secure commitment from other areas will be futile.

That is, if you don’t have the full support of your key and principal sponsors, i.e. the people who have the biggest say and have greatest control over resources in your organisation, you can’t hope to sustain the change endeavour, let alone provide the much needed spark to get it started.

Here’s how we carry out our stakeholder management actions.

  • Conduct research to identify all stakeholders: the sponsors, your internal and external partners, the main targets of the change, and all interested parties. That way you can “switch on” implementors of each change action in the proper sequence.
  • Not everyone will offer resistance to your change endeavours. We’ll help you identify those stakeholders and sponsors who are willing to offer support, evaluate the level of support they are willing to give, harness all available supports and utilise them extensively to benefit the change.
  • Gain a deeper understanding as to why certain stakeholders are willing to lend support. In doing so, we can implement the right strategies that will encourage them to continue supporting you.
  • Assemble a leadership team that will champion your change initiatives. We’ll facilitate effective collaboration among its team members, transforming them into a cohesive force designed to carry out plans and motivate everyone else down the line.
  • Upon realisation of the change project, we’ll see to it that all stakeholders get a taste of the carrot at the end of the stick. This will encourage them to continue active cooperation in future change initiatives.

Planning for the Change

Anyone who has experienced having their car stuck in the mud knows that stepping on the accelerator will only get the vehicle trapped even deeper. Without the aid of a towing truck, getting the car out will require careful planning since different combinations of pulling, pushing, lifting, rocking to-and-fro, and stepping on the accelerator may be needed.

Of course, some combinations are just better than others. The same principle holds when effecting change.

Our approach to change management typically varies depending upon the information we obtain from the different analyses performed earlier. For instance, since not all organisations are suitable for a collaborative approach, we will employ either collaborative, consultative, directive, or coercive change management strategies wherever applicable.

A well-planned change will result in a smoother, less costly, and less disruptive transition. Here’s how we’ll help you plan your change initiatives.

  • When put in a predicament similar to the car-in-the-mud, the basic strategy entails identifying the current resisting forces and predicting what other resisting forces may be encountered along the way. After researching and pointing out your organisation’s resistance forces, we’ll lay out the most appropriate facilitation, education, and negotiation techniques.
  • To bring down wastage to the lowest possible levels, we’ll engineer a change delivery plan that involves the most cost-effective sequence of driver, process, technology, organisational, and people alignment.
  • To win and maintain a high level of trust, confidence and commitment from all sponsors and stakeholders, we’ll present a clear road map of the change process as well as landmarks that will prove how far we will have gone. These landmarks will then be brought to each sponsor’s and stakeholder’s attention each time they are arrived at in order to build up assurance and continued commitment.
  • We’ll design measurement tools and schedule reporting deadlines so that you’ll know what to look forward to and when to expect them.

Managing the Change

Your company will hold a better chance of maintaining a sizeable lead over the rest of the pack if you constantly establish a rally point and instil in your stakeholders the drive to rally to that point from the get-go. To make this happen, your company must undertake the unfreezing, transition, and refreezing phases of change skilfully in order to bring all stakeholders into the right mindset.

Our specialists’ systematic and efficient methods for each of these phases are designed to simplify the management of each phase as well as provide a seamless shift from one phase to the next. This is what we’ll do:

  • Set up a change project management office to ensure that everything associated with the change initiative is given the needed attention and resources even while all the other usual processes in your organisation run concurrently.
  • To unfreeze your people and get them started on the road of change, we’ll employ unfreezing techniques wherever they are most appropriate. We’ll resort to different kinds of methods ranging from presenting persuasive evidence justifying the need for change to showing a motivational vision for inspiring your people to embark on the change process.
  • Since it is during the transition phase when your people can find themselves groping in the dark, we’ll offer executive coaches for your senior managers; facilitators to provide guidance during team meetings and other change activities; coaches to educate and inspire them to meet the change with the right attitude; trainers to teach new systems, procedures, and technologies; as well as employ a variety of other techniques in order to make the transition phase as seamless as possible.
  • Although your people should always be ready to undertake the next major change after a previous one, there should be points in between where they can taste the spirit of success, establish a temporary base to rejuvenate, and immediately gain a deeper understanding of the nearby terrain so as to envision the next rally point. We’ll see to it that this vital phase of change is carried out completely.

Ready to work with Denizon?

Contact Us Today