Keep in mind that many organizations are not yet considering spreadsheet and UDA risk as part of their overall ERM program. It is a fairly new issue, and as a result most organizations are still trying to figure it out. That said, I believe the CFO should own the problem, the CIO should provide tools and technology to address the problem, the CRO/CCO should provide guidance on governance processes and internal controls required to mitigate the risk, the COO should assist with and change management aspects to existing business processes, and the CEO should recognize and support the need to address the issue. In summary, a UDA Control project will only be successful if it is a Team effort.

Best regards,
Eric

Great article! Also very much liked the S2 article. We are working with similar quaestions as you and we share many of your thoughts.

I just have a question for you regarding:

“Members of the UDA Steering Committee should include an executive sponsor (e.g. CEO, CFO, CRO)”

This, in my opinion, is the really tricky question – who should be the natural sponsor of a UDA Management Initiative and why?

When discussing this with different CxOs – they often think someone else than themselve should be sponsor – but whos pain is it?

CIO – UDAs can be considered an information problem – but CIOs may claim UDA is out of their control and the value delivered from an UDA initiative does not realize effects within IT.

CFO – In my opinion, Finance tend to have most and also most citical (material) UDAs – they also suffer most from many ineffective spreadsheets and thus a UDA initiative would create much value for Finance – but they claim it is not a Finance problem but a information problem and information security problem.

CEO – Usually have other things to think about..

COO – Could very well be regarded as a Operational problem but may claim the majority is within Finance and that it should be regarded as a information problem.

CRO – Same as COO.

What is your opinion?

Regards, Petter