BlackRock® is one of the world’s pre-eminent asset management firms and a premier provider of investment management, risk management and advisory services to institutional, intermediary and individual investors around the world.
BlackRock is a fast paced firm with new products and processes being created all the time. Excel plays an important role in innovation and is often used to prototype these products and processes. Whilst being innovative, it is important that controls are in place to prevent Blackrock being exposed to monetary, reputational and technology risk. The challenges presented were:
– Reduce and control spreadsheet risk
– Add control without making it onerous for users
– Meet regulatory requirements around the use of spreadsheets in business critical processes
The high-level objectives set out in BlackRock’s Global Spreadsheet Policy are to reduce the risks associated with spreadsheet use by:
– Making the use of spreadsheets and their business purposes more transparent
– Highlighting potential development needs in core systems
– Assigning risk metrics to prioritize spreadsheet remediation efforts
– Ensuring that spreadsheets are used from a secure environment where they are backed up and where changes are monitored
– Ensuring spreadsheet-dependent business processes can sustain the loss of one or more key people
A spreadsheet is considered in scope for BlackRock’s Global Spreadsheet Policy if it meets BOTH of the following criteria:
– Operates as an application driving a process that presents a high level of monetary, reputational or technology risk
– Contains a high degree of complexity. For example, the spreadsheet includes complex use of formulas and calculation, a high number of connections to multiple worksheets or external data sources, or employs macros or other code.
At the time of purchase (2007) of ClusterSeven ESM (Enterprise Spreadsheet Manager) there were two key differentiators that were critical to BlackRock’s specific requirements:
– It is a non-invasive tool and the business users don’t need to know it is there. It was very important to achieve business buy-in that the control put in place didn’t affect their flexibility and productivity or become an onerous task.
– The ability to handle an Excel worksheet and VBA. Version control and monitoring of VBA was a key issue and BlackRock couldn’t find a product that could meet all requirements. In 2007 ClusterSeven didn’t meet all requirements, but a key selling point was the fact that ESM was a framework that could be tailored to meet BlackRock’s specific needs.
Blackrock conducted a successful three month pilot which proved the benefits of ClusterSeven and allowed them to experiment and optimize infrastructure and ESM setups prior to their global roll-out.
Besides addressing the requirements of BlackRock’s Global Spreadsheet Policy, ClusterSeven is used to assign risk metrics to prioritize spreadsheet remediation efforts. This is used to periodically pick off the highest scoring spreadsheets and redevelop them to reduce BlackRock’s risk exposure.
Coding Best Practice reports are also run against both the population of Critical Spreadsheets and against new spreadsheet developments before they are released.
ClusterSeven ensures that spreadsheets are used from a secure environment where they are backed up and where changes are monitored. ClusterSeven enables BlackRock to monitor access security changes to every spreadsheet as well as changes to protection levels to the workbook and code.
BlackRock also uses ClusterSeven to back up every spreadsheet on the trigger of a save and retain a full version history. In the event of corruption ClusterSeven ESM enables users to identify when it happened, what caused it and restore the last working version. This provides an audit trail with complete change history and highlights high risk changes to critical spreadsheets. This enables BlackRock to be pro-active in fixing problems rather than finding them after they have caused an error.
The Global Spreadsheet Policy is, amongst other things, designed to meet global regulatory requirements on the use of spreadsheets for business critical processes.
The breadth of reporting tools in ClusterSeven ESM has provided additional benefits, including assistance in resolving a number of ad-hoc problems that have cropped up. For example, when moving from Excel 2003 to Excel 2010 legacy functionality in Excel, and particularly VBA, was identified that would break when upgraded. ClusterSeven was used to pro-actively scan the critical spreadsheet population to identify where the affected functionality existed, enabling remediation prior to the upgrade. This was so successful that the upgrade was extremely smooth with minimal interruption to the business.
Scanning reports have been used to help with the BGI/BlackRock integration effort. There have been a number of occasions where BlackRock needed to identify spreadsheets dependant on legacy add-ins. By scanning the critical spreadsheet population, dependants were identified and the add-ins replaced with Blackrock equivalents.
Once the policy roll-out is complete it is expected that the number of spreadsheets under management will plateau. However, the population is continually evolving as prototypes are replaced by strategic systems and new prototypes are built for new products and processes. The BlackRock team is always looking to improve business processes, especially where they can make the application of the Group Spreadsheet Policy easier and less time consuming. An example may be the adoption of the ClusterSeven Ribbon. This would enable the gathering of inventory information and completion of the yearly attestation process.
The BlackRock team is always looking to improve business processes, especially where they can make the application of the Group Spreadsheet Policy easier and less time consuming. An example may be the adoption of the ClusterSeven Ribbon. This would enable the gathering of inventory information and completion of the yearly attestation process.