Enhanced regulatory reporting: A practical approach

The Prudential Regulatory Authority (PRA) recently contacted the CEOs of the UK's regulated banks and building societies, highlighting the need to raise the level of investment, expertise, and focus in preparing their regulatory reports submitted to the PRA.

In its "Thematic Findings on the Reliability of Regulatory Returns," the PRA stressed the importance of applying the same care and due diligence to regulatory reports as banks gave to the financial statements they shared with the financial markets and their counterparties.

The PRA's primary concern was around the potential for firms to submit misstatements, impacting confidence in the broader financial services sector.

The letter highlighted several issues:

Firstly, banks typically take a fragmented approach to regulatory reporting, with processes, ownership, and documentation needing to be better understood and defined. This situation often meant that managers delegated regulatory reporting to specialist teams. Instead, the PRA expects institutions to have the management of regulatory reporting raised to a higher level in the business, with enhanced transparency of the end-to-end reporting process.

The PRA also found that ad-hoc processes featured heavily in regulatory processes, in particular highlighting three key areas.

Modelling - this forms a significant part of many regulatory submissions, and ad-hoc processes are a feature in the way these models are used. While the PRA's analysis did not focus on model management, there were concerns around how adequate the management controls were around models and how well change controls were implemented.

Spreadsheets - spreadsheets are an ideal tool for automating defined and repeatable processes such as regulatory reporting. Users use spreadsheets to create End User Computing (EUC) applications outside the control of the corporate IT function. However, they lack adequate change controls, and data can easily be overwritten, creating errors that can easily lead to regulatory misreporting.

Reconciliation - the reconciliation process is where managers consolidate the information needed to populate the regulatory reports from the core systems across a bank. Again, spreadsheets are commonly used in this area, and the PRA raised concerns that this was not fully documented, defined, and effectively managed.

So, what steps can firms take to address the situation and respond positively to the challenge presented by the PRA?

A practical approach might be to take the existing processes and systems and wrap them in a technology environment that maintains the flexibility of the current approach, while also bringing the level of change control, transparency, and auditability that the PRA is looking for.

In my experience of working with banks over many years, a common denominator in all the situations highlighted is how firms use Excel spreadsheets to find a way to make fragmented systems and processes function effectively.

Their power, flexibility, and widespread use make them ideal for bridging any process gaps, but the lack of management and change controls can lead to the type of errors that the PRA has highlighted.

How can you bring enterprise-strength management, control, and transparency to a spreadsheet estate, in a complex environment such as a bank?

The first step is building a centralised spreadsheet inventory, which delivers the foundations for managing spreadsheets, delivering change control, providing document management, and offering a reporting capability that allows for transparency and auditability.

The next step is to perform a discovery, to find and locate the critical spreadsheets used in the regulatory reporting process. The fragmentary nature of regulatory reporting means that the PRA will anticipate that all spreadsheets used in a business will need to be found and assessed for their regulatory significance, with the most important placed in the inventory, as necessary.

The last step is to proactively monitor these key reporting spreadsheets for issues such as missing data, data errors, or missing data links. Reporting capabilities ensure that the reporting of changes and issues is effectively controlled, and these issues can be escalated to an Enterprise GRC platform, when necessary, to assure effective risk management.

UK Finance will be holding a free webinar "Models and spreadsheets on the PRA's radar" on Tuesday 23 November at 2pm. Please book here to attend.

Henry Umney, Managing Director, GRC Strategy, Mitratech