Spreadsheets, end-user-computing and trouble
We have supported several insurance companies with their risk management processes. Since risk management is still evolving (Solvency II, QIS and internal models), most of them use a lot of Excel sheets for data capture, modelling and reporting.
For prototyping, Excel sheets may be acceptable. You don't need to ask IT to install special software, and documentation and auditability are not an issue for prototypes, so it seems ideal to work with Excel.
The trouble is that most companies don't have explicit guidelines, and therefore no controlled process, for when to move from a prototype to an operationally safe system. So the models evolve and the Excel sheets grow, get linked to others or contain significant macros. Systematic testing and documentation are normally neglected. The creators of such a solution generally consider it safe and sound and don't realize the continuously rising hidden costs that such solutions produce. They are usually labour-intensive and hard to maintain. Auditing, if possible at all, is time-intensive and still comes with a lot of disclaimers.
I recently read in an auditor's review that organizations using spreadsheets, Access databases, and other end-user computing (EUC) applications in critical business processes are exposed to significant operational risk and non-compliance with regulatory mandates.
Some people claim that this is only true for uncontrolled spreadsheets. In theory, that is true: one could protect all the cells in a spreadsheet, separate the business logic from the data, version everything, ... maybe even automatically test sheets (although I haven't seen a product to do this). In theory yes; in practice I have never seen a client take all these measures. The reason is very simple. If you take all these measures, i.e. you implement a professional system, then it is as costly in Excel as it is in any other software environment, and hence, why bother with the restrictions of Excel?
So, if you come across Excel solutions in risk management, then ask yourself whether it is a prototype or an operational system. If it is the latter, then you are heading for trouble.
-- Markus

