The Data Quality Challenge What about all the spreadsheets? Ralph Baxter, CEO, ClusterSeven
Agenda Spreadsheets...and Business...and Regulators.and Cost...and Management...and Data Exploitation/Opportunity 2
Spreadsheets...and Business 3
But where are the spreadsheets? 4
IT is outside the loop (and often wants to stay there) Come the apocalypse two things will survive, the spreadsheet and the cockroach they deserve each other. Gartner analyst, 2005 We have a clear corporate policy. Spreadsheets must not be used for business critical applications. That means they just don t tell us. Investment bank CIO, 2008 5
Metadata management, data cleansing and integration Reporting, Data Analysis, Decision making Data Management the high level view Data Warehouse, Data Mart, Internal Model 6 ETL ETL ETL ETL ETL ETL ETL Policy Claims Loss Risk Finance After Aviva, IIAG, 2011
Metadata management, data cleansing and integration Reporting, Data Analysis, Decision making Data Management the reality Data Warehouse, Data Mart, Internal Model 7 ETL ETL ETL ETL Policy Claims Loss Risk Finance 7
Spider for full data lineage Single File feeding the Internal Model Level 1 Level 2 Level 3 Level??? High Risk Protected File Exists Has Macro Data Link
Spreadsheets...and Regulators 9
Regulatory and audit drivers now more specific and intrusive Data Quality and Processes are the focus FSA (Data management thematic, 2012) 4.41 Where EUC tools, such as spreadsheets, are material to the internal model data flow, we will be looking for appropriate controls for data quality such as reasonableness checks, input validations, peer reviews, logical access management, change and release management, disaster recovery, and documentation. Solvency II and Basel III: Data must be appropriate, accurate and complete Fed/OCC (2011) The data and other information used to develop a model are of critical importance; there should be rigorous assessment of data quality and relevance, and appropriate documentation. Basel (2013) Principle 3.36 b " Where a bank relies on manual processes and desktop applications (eg spreadsheets, databases) and has specific risk units that use these applications for software development, it should have effective mitigants in place (e.g. end user computing policies and procedures) and other effective controls... 10
Lloyds Model Validation workshop 2012 Requirements: Version control Access control Usage Input control Backup Analytics Change control 11
...a journalist perspective It reminded me of a math lesson at High School where I was actually able to come up with the answer to a problem. When the teacher asked how I arrived at said answer, I pointed to my ink stained back of hand, where I had done all the calculations. Unintelligible to all but myself, my lines of calculation failed to pass muster... this vignette is how I m starting to think about the way regulators are looking at risk and other reports from financial institutions. It s not just about the answer anymore; the regulators want to understand the models underlying the reports and more pertinently to us whether the data used in the models is both accurate and consistent. 12 Andrew Delaney, ReferenceDataReview.com
FSA 2012 In most cases, the issue was inadequate compliance with existing EUC policies and standards 13
Embarrassment: A (common) regulatory conversation Can you explain to me how you populate the risk model? The data is loaded into the landing stage and then uploaded into the model A database for data intermediate between transaction systems and the risk model And what would this landing stage be? I mean, what is the platform this database is on? (Pause) A set of file structures And what is a file structure? (Pause) A set of secure directories And what would be in those directories? Would they be spreadsheets by any chance? 14 (Pause) Er, yes
Creating dysfunctional conversations and undeliverable plans FSA, Spreadsheets & Solvency II, 2010 Solution I still see audit reports or project plans that recommend replacing spreadsheets and manual processes with IT solution This will never happen It is impractical to replace 2 or more fragmented systems with a single system Replacing the spreadsheet operations with IT designed ones only compounds the problem and removes any ability of users to address problems The only solution is to eliminate the worst processes and to apply appropriate controls to the ones that remain. 15
Spreadsheets...and Cost 16
But the world runs on spreadsheets. So, if spreadsheet risk is a big issue why aren t incidents more common?
In practice, spreadsheet risk is controlled by huge manual effort Risk Checking Automate the checks to reduce risk and cost 18
...and it is a lot of checking So what are my people doing all day? 19 Global Risk Exec 10% PowerPoint 10% Word documents 80% Spreadsheets
One business process involves five people opening and checking 50 large spreadsheets every day I can t believe it... 20
Spreadsheets...and Management 21
What we do: Sustainable Management of Spreadsheets What s out there in your spreadsheets? How do you maintain an up to date register of spreadsheet assets? How do you maintain integrity in the application and the data? Change Control Discovery Inventory Security Structure Data Replacement File scanning File lineage spider Risk/logic checking Business attributes Process attributes Ownership attributes Version control Access control Audit trail Business-as-usual filtering Data validation/ tolerances Data trends and reconciliation Alerts, Review & Approval Assurance Operations Analytics Assurance reporting and workflow for Governance, Risk and Compliance Business efficiency by automating manual checks Validated time series data for BI and downstream systems
What does a project look like? 1. Define 2. Identify 3. Assess 4. Control 5. Replace / Exploit Governance Policies Stakeholders Objectives Methods Consolidated inventory Determine EUC risk categorization and control framework(s) Manage in ClusterSeven under appropriate control framework Establish operating efficiencies and exploit data e.g. validations & reconciliations 1.2 Software demonstrations 1.1 Stakeholder buy-in 2.3 New EUCs identified by Services 2.2 New EUCs identified by ClusterSeven 2.1 Known EUCs 3.6 Reporting needs 3.5 Business process needs 3.4 Regulatory needs 3.3 Process and EUC materiality assessment 4.4 Secure 4.3 Rapid response remediation Files to be managed 5.5 Improve business processes 5.4 Exploit ClusterSeven data-warehouse 5.3 Second degree remediation Client Services 3.2 Control options 3.1 File risk assessment 4.2 Un-managed Files 4.1 Eliminate/ Retire 5.2 Replacement with product 5.1 Replacement with product ClusterSeven
EUC control process (based on End user computing governance, PwC 2012) Discovery Implementation Discovery & assessment File servers Selection of in scope systems Workshops Scanning Risk assessment Create inventory Maintain & update inventory Control framework & validation Define criticality ratings Apply criticality based on business input Criticality ratings Initial EUC inventory Document use & requirements Document data lineage back to source Assess control framework Confirm key controls and monitoring process Operational monitoring Remediation & control Design EUC policy document Discovery & Risk Assessment Inventory Management (Security, Attributes) Remediate control gaps Report data/control Change Management (Structure & Data) Overlay on process map shows how ClusterSeven technology supports the PwC EUC control process
Control process (End User Computing: Solving the Problem, Deloitte 2011) Governance Policies & standards Definition of EUCs Identification of EUCs Ownership Monitoring & reporting Monitoring & reporting People Training & awareness Roles & responsibilities Define risk ranking framework Application of risk ranking framework Define an inventory approach Version control Access control Availability control Change control Data integrity control Process Templates Baselining/ remediation Create & maintain a central repository to maintain data Risk ranking & prioritization Inventory EUC controls Discovery & Risk Assessment Inventory Management (Security, Attributes) Change Management (Structure & Data) Overlay on process map shows how ClusterSeven technology supports the Deloitte EUC control process
Spreadsheets...and Data Exploitation/Opportunity 26
Perception that control cannot help efficiency 27
Full MI for historic spreadsheet data?? Ensuring good quality data management is a fundamental requirement to support the continued success of Canopius. The real power of the software is its ability to embed appropriate data- and function-checks as part of our normal business practices. It is difficult to know how this could be done effectively without using this type of technology.? Mark Allen, Head of Business Information at Canopius
Integrated view on unstructured and structured data Single view of a business process via unified visualization of both structured data sources alongside Excel cell data QlikView ClusterSeven Reporter ClusterSeven Excel Data Warehouse e.g. SAP e.g. Oracle V3 V2 V1
Checks on data accuracy e.g. Heat Map Data quality and control have become critical to risk management in the current business environment. Spreadsheets lie at the heart of an insurance firm s business and as such insurers need solutions to manage, control and authenticate their key spreadsheet files. ClusterSeven s product and service capability are exactly what we needed to keep MAP at the forefront of best-practice operational risk management. Adrian Duggleby, Head of IT at MAP (here shows values that have moved by more than 100%) 30
Case study: Solvency II data validation and integration in global general insurer 31
Generic solution Corporate applications and reports ClusterSeven Excel Data Warehouse integrated into enterprise BI system Datamart 1 Datamart 2 Datamart 3 Enterprise data warehouse ClusterSeven Excel Data Warehouse e.g. SAP e.g. Oracle V2 V1 V3
Thank You & Questions Ralph Baxter, CEO 020 7148 6270 rbaxter@clusterseven.com More info: www.clusterseven.com inquiries@clusterseven.com