CIS7014 End User Computing Risk Management
Cymru Capital Investments (CCI) is a mid sized bank working in corporate and investment Banking. The bank has offices located throughout Europe and USA employing 20,000 people in over 500 offices, and is regulated by the Financial Services Authority (FSA). The bank has enjoyed rapid growth in the last five years and at the end of the last financial year recorded a profit of £2.9 Billion.
CCI’s core business is securities underwriting although it does also trade in derivatives, foreign exchange and commodities. The bank underwrites newly issued securities (Bonds and shares) from corporations and governments on the capital markets. In addition, CCI also underwrites loans and credit to various customers through a detailed process of credit analysis, this is known as Bank underwriting.
The bank’s actuaries are the employees responsible for assessing the risks of its investments and subsequently pricing the products and services sold to clients.
The use of Information Systems at CCI for underwriting
CCI is a typical investment bank, making extensive use of information systems to support its business functions. The bank has a formal system for officially recording agreements between CCI and clients called the “Deal Capture System”. The bank also has a bespoke financial modelling system called “Aladin model builder”.
The Deal Capture System is a regulatory requirement of the FSA that allows the CCI to make a formal record of the details of all deals brokered by the bank including the correspondence between the bank and the client whilst the deal was negotiated. This system is designed to be live so that the bank has a real time view on deals progressing at any one time.
Aladin is a model building tool that calculates the risk of a deal based on variables input into the system. Once the user has collected the relevant data, Aladin gives an indication of the risk levels CCI exposes themselves to with each investment.
In addition, the organisation has a central information systems department that services the organisations hardware, software and users. Each year the IS department conducts an audit of the data processing activities of the staff.
During a recent internal audit, it was noted that the bank had a high dependency on the use of spreadsheets and that some spreadsheets are used for mission critical decision-making. The audit revealed that CCI has in excess of 50,000 operational spreadsheets across the organisation which range from trivial expenses claims through to complex financial spreadsheet models.
The auditors asked the risk modellers why they rarely used the data capture system and the Aladin model builder. The users complained that these systems are slow and inflexible. In particular the Aladin model builder is too restrictive, it lacks the ability to define the model in great detail and requires extensive re-configuration to be kept up to date with changing commercial conditions. This has led to the pervasive use of spreadsheet software as the primary means of calculating risk levels, pricing levels and negotiations.
Further investigations by the auditors revealed spreadsheets are used in almost every underwriting deal CCI makes. Frequently, the corporate systems are engaged after the deal has been negotiated and agreed on a spreadsheet. The users complain that they would not be able to do their jobs competitively without using spreadsheets as their primary tool for brokering deals.
The auditors examined a small sample of spreadsheets used day to day by the employees. The sample contained various types of spreadsheets including: Simple administration duties such as expenses, Data stores for holding client contact information, Decision support spreadsheets used by heads of departments for resource planning and financial modelling spreadsheets used by actuaries for assessing risk and pricing deals.
The auditors found no evidence that any of the spreadsheets had been developed: using a methodology; undergone testing; been formally documented. When the auditors asked the heads of departments how spreadsheet model integrity is ensured at a department level, most cited the CCI End User Computing policy signed by all staff.
The End User Computing policy was introduced to ensure that CCI complies with the U.S. Sarbanes Oxley Act (2007). The current EUC policy simply tracks where the EUC artefacts (such as spreadsheets and databases) exist on the company network and requires the heads of department and the author of the work to sign a document declaring that the information held in the EUC artefact is accurate. The EUC policy makes heads of departments and authors accountable for the accuracy of the data held in the spreadsheets. When asked about the effectiveness of the EUC policy, heads of departments explained that since they have limited expertise in spreadsheets and databases, it is impossible to objectively determine if the information presented is accurate. They therefore trust that the actuaries work is accurate and sign the document in good faith.
The auditors passed on their observations to the senior management team who in turn have requested a presentation outlining the risks to CCI and a pragmatic approach to managing the risks to which the bank is exposed.
You are to produce a 15 minute video presentation covering the following two points:
1.Firstly you must outline the risks associated with spreadsheet use and relate this to CCI’s spreadsheet activities and practices that are evident in the case study. Your video presentation should also highlight the specific risks CCI faces and comment on any poor practice evident. Make use of citations to the literature and examples in your presentation.
2.Secondly you must recommend a new approach to managing CCI’s spreadsheets risk. You are free to adopt any approach you see fit with the exception of removing spreadsheet use from CCI completely. Your approach should take into account the fact that CCI has some 50,000 operational spreadsheets.