The UK’s Financial Services Authority (FSA) has issued a statement that insurance firms will be expected to demonstrate "appropriate controls" with regard to internal data flow systems, such as spreadsheets.
The FSA recently addressed the issue of spreadsheet risks in its report Solvency II: internal model approval process data review findings.
In the report, the FSA said: "We will be looking for appropriate controls for data quality such as reasonableness checks, input validations, peer reviews, logical access management, change and release management, disaster recovery, and documentation."
In a data review of both life and general insurance firms, the FSA paper said many firms had automated spreadsheets, for example, using macros to reduce manual intervention, and some relied on spreadsheet management tools to determine the dependency of interlinked spreadsheets and to apply controls such as audit trail and version management.
Although the automation of spreadsheets reduces the risk of manual error, the FSA said it can also introduce different problems such as reduced oversight and inadequate transparency about the extent of linking and proliferation of nested linked spreadsheets.
It noted that linked spreadsheets typically pass only single numerical values, without an indication of the date of last update, creating the risk of passing stale data around the system.
The FSA paper comes after Basel Committee released a consultation paper in June 2012 called ‘Principles for effective risk data aggregation and risk reporting’.
This said where a bank relies on manual processes and desktop applications including spreadsheets, databases, and has specific risk units that use these applications for software development, it should have effective mitigants in place, for example, end-user computing policies and procedures and other effective controls that are consistently applied across the bank’s processes.
Responding to the papers from the FSA and Basel Committee, Ralph Baxter, CEO of ClusterSeven, a data management company: "The failure of businesses to fully understand, control and monitor data held in spreadsheets leaves businesses worryingly exposed to unacceptable risks and recent indicators from the regulators now suggest that firm action will be taken against those that bury their head in the sand."
Baxter added: "We know that many institutions have to contend with thousands, if not millions of spreadsheets. It is unsurprising that regulators are now openly pushing that without effective data management controls in place to manage spreadsheet estates, insurers and banks are leaving themselves dangerously exposed to significant but avoidable business risks."
Research carried out by ClusterSeven earlier this year found that 77% of senior level insurance executives would welcome more specific guidance on best-practice use of the spreadsheets in the run-up to Solvency II.
ClusterSeven also found that only 20% of actuaries and insurance finance professionals are completely confident of their firm’s data control processes and the supervision of their large estates of spreadsheets.