At Board and senior management levels we are grappling with GDPR, CRS, cyber security and financial filing regulations (JFSC C17s), but what about the risks within? Staff policies and training may help keep our data within our control, but just how many spreadsheets are used daily to make decisions? What about all those legacy Access databases? The ones that have become business critical, developed by an enthusiastic staff member 10 – 15 years ago and now supported by the one person who wrote them, who is about to retire. Part of the issue here is how much of this is considered by the top team: is there enough IT knowledge at this level, and should Boards be taking on NEDs with technology experience?
For the time being let’s focus on these little spreadsheet and database time bombs. In finance, government and many other sectors, probably the most popular and widely used piece of software is Excel – the Swiss army knife of data crunching and statistics. Of course, as both regulators and compliance experts know, unconstrained use of spreadsheets can bring huge risks and dangers. Forbes magazine calls Excel “the most dangerous software on the planet”, a bit of a scary headline. Add to this the Access database tool: years ago, and still today, enthusiastic employees and non-programmers created most of these databases. Administrators, managers, assistants and office juniors use Access to store and analyse data without any help from IT. While the database might get the job done, it’s often inefficient and difficult to maintain. So where are the risks? After all, Excel and Access as platforms for data storage, processing and calculations are amazing. In Excel’s case there’s no replacement in sight and no better tools for what it does.
Not all is so bleak: we know these platforms are amazing. However, regulators and compliance officers know something must be done to get them under control. Advanced users can use the built-in programming language, VBA, and external plug-ins to create any complex calculation they need, but do these stand up to rigorous examination? Are these tools secure and properly supported during periods of absence or staff changes? Can anyone go behind the scenes to manipulate and edit the data or, worse still, copy all the data? Most of us have experienced spreadsheet duelling, with users each trying to overwrite the other, or worse still spreadsheets lost, never to be found again. I wonder how many of these are used daily in the City to reconcile multi-million-pound transactions.
A lot of organisations have tried to resolve this situation, but the answer isn’t easy. They all recognise the power of Access and Excel, but also the dangers of self-developed databases and spreadsheets that end up bloated, perform badly and are often hated by the IT department who have to monitor and maintain them. It’s interesting to note that many organisations now remove Access from user profiles. That is not so easy with Excel; let’s face it, we would all be up in arms. However, some robust user policies and sensible network infrastructure should mitigate some of the risks.
We see a number of old and very old databases and, more often than not, find ourselves getting a support mechanism in place very quickly before the proverbial wheel falls off. Is the database or spreadsheet critical to the business? An Access database written in house 10 years ago by someone with some knowledge for 3 users may have 50 users today; it still happens and becomes a nightmare to support. Not all is lost: generally these time bombs can be reviewed, supported and ultimately replaced. Just be aware that client access requests will increase thanks to GDPR and others, and regulators will demand more. Does your data controller/data protection officer know where and what information resides in these places?
Senior people, directors, data controllers, compliance officers: whilst you review your cyber security and firewalls, let’s not forget what might lurk within. Monitor, consider, review, communicate and document, and let’s get full Board engagement. And yes, we love “Time bombs” at TCB.
Christian Jule is a Director at TCB Consulting Limited