Every financial institution has them. They’re in every department, on every analyst’s desktop, embedded in every critical decision process. They’re often built by the smartest people in the room, trusted implicitly, and rarely questioned.
I’m talking about Excel spreadsheets. And they’re about to become your biggest model risk management challenge.

The Wake-Up Call Nobody Saw Coming
When OSFI released its revised E-23 Model Risk Management guideline in September 2025, most institutions immediately focused on their sophisticated risk models, credit engines, and actuarial systems. Teams mobilized around validating complex algorithms and documenting high-profile quantitative frameworks. Consultants were hired. Project plans were drafted. Budgets were allocated.
But here’s what most organizations missed: the majority of their model risk doesn’t live in their enterprise systems. It lives in spreadsheets.
Research reveals a startling truth—95% of spreadsheets contain errors. Not 9.5%. Not 50%. Ninety-five percent. That means the Excel model your trading desk uses to calculate exposures, the spreadsheet your actuarial team uses to adjust reserves, and the pricing tool your commercial lending team relies on—they almost certainly contain errors. Material ones.
And under the revised E-23, which takes effect May 1, 2027, these are all models subject to regulatory oversight.
The Spreadsheet Paradox
Here’s the paradox that should concern every Chief Risk Officer and compliance leader: the tools that make your organization most agile are the same tools that create your greatest model risk.
Spreadsheets are brilliant precisely because they’re flexible, accessible, and fast. An analyst can build a sophisticated financial model in hours, not months. Business users can modify calculations without IT involvement. New products can be priced, new scenarios can be tested, and new decisions can be informed—all without lengthy development cycles.
This is also precisely why they’re dangerous.
Unlike production systems with version control, automated testing, change management protocols, and audit trails, spreadsheets evolve organically. They’re emailed between users. They’re modified by multiple people. Cell references break when rows are inserted. Formulas get copied incorrectly. Hidden calculations lurk beneath the surface. And often, the person who built the original model left the organization years ago.
Yet these tools inform material business decisions every single day.
What E-23 Really Means for End-User Computing
OSFI’s E-23 guideline defines a model as any quantitative tool with inputs, a processing component, and results. This definition explicitly captures spreadsheet tools used for model adjustments, but the implications extend far beyond that narrow scope.
If a spreadsheet calculates something material, it’s a model. If it informs a business decision, it’s a model. If it would cause problems if it were wrong, it’s a model.
The guideline doesn’t care that it was built in Excel rather than Python. It doesn’t care that it was created by a business user rather than a quantitative developer. It doesn’t care that you’ve always done it this way.
What E-23 cares about is soundness, documentation, independent validation, and ongoing monitoring. It cares about governance, accountability, and risk management. And it expects you to demonstrate all of these things for every model in scope—including the hundreds or thousands of spreadsheets scattered across your organization.
This is the moment when most institutions realize they have a problem.
The Path Forward: From Chaos to Control
The good news is that spreadsheet model risk is solvable. But it requires a fundamental shift in how organizations think about end-user computing.
First, Accept the Reality
Your spreadsheets are models. They’re in scope. They need governance. Denial doesn’t help, and hoping that examiners won’t notice is not a strategy. The sooner you accept that spreadsheet model risk is real and material, the sooner you can address it.
Second, Build the Framework
E-23 compliance requires more than good intentions. You need an enterprise-wide model risk management framework that encompasses spreadsheets alongside your traditional models. This means:
- Governance policies that define what constitutes a model and who owns each one
- A comprehensive inventory that captures material spreadsheets, not just enterprise systems
- Risk ratings that prioritize validation efforts based on materiality and complexity
- Clear roles and responsibilities separating developers, owners, reviewers, and approvers
- Documented standards for development, validation, and monitoring
This framework doesn’t emerge overnight, but it’s non-negotiable for E-23 compliance.
Third, Leverage Technology
Here’s where the conversation gets practical. Manual spreadsheet review doesn’t scale. If you have 300 material spreadsheet models—and many institutions have far more—you cannot rely on humans manually clicking through every cell, tracing every formula, and documenting every calculation.
You need automated validation tools that can:
- Detect errors systematically across large spreadsheet populations
- Reveal hidden content that manual reviewers might miss
- Document model structure in a format suitable for regulatory review
- Enable independent validation through reviewer-builder workflows
- Create audit trails that demonstrate accountability and oversight
- Support ongoing monitoring as models evolve over time
This is exactly what solutions like ExcelAnalyzer from Spreadsheet Software were designed to address. The tool scans spreadsheets in seconds, identifies formula errors with precision, exposes hidden calculations, generates comprehensive documentation, and creates the audit trails that E-23 demands.
Think of it this way: you wouldn’t validate a complex derivatives pricing model by having someone manually review the code line by line. You’d use automated testing, validation tools, and systematic review processes. Your spreadsheet models deserve the same rigor—and E-23 expects you to provide it.
The Cost of Inaction
Let’s be clear about what’s at stake. This isn’t just a compliance exercise. Spreadsheet errors have real consequences:
- Financial Impact: Calculation errors can lead to mispriced products, incorrect reserves, flawed risk assessments, and material financial misstatements
- Regulatory Risk: OSFI examiners will review your model risk management framework, including how you handle spreadsheet models. Gaps will be identified. Deficiencies will be cited
- Operational Risk: Spreadsheet failures can disrupt business processes, delay decision-making, and create operational losses
- Reputational Risk: Nothing undermines stakeholder confidence quite like discovering that critical business decisions were based on flawed calculations
The institutions that treat spreadsheet model risk as an afterthought will find themselves scrambling as the May 2027 deadline approaches. Those that act strategically now will build sustainable frameworks that not only satisfy E-23 but genuinely reduce risk and improve decision quality.
A Call to Action: Lead the Change
If you’re a risk leader, compliance officer, or executive responsible for model governance, this is your moment to act. The spreadsheet model risk challenge won’t solve itself, and time is running short.
Here’s what leadership looks like:
Acknowledge the problem. Speak openly about spreadsheet model risk in your organization. Make it a priority topic in risk committee meetings. Get executive sponsorship for addressing it systematically.
Assess your current state. How many material spreadsheet models do you have? How are they currently controlled? Where are the gaps relative to E-23 expectations? You can’t manage what you don’t measure.
Invest in the right tools. Automated validation technology isn’t optional—it’s essential for scalable, sustainable spreadsheet model risk management. Evaluate solutions like ExcelAnalyzer that can deliver the technical validation capabilities your framework needs.
Build competency and capacity. Your team needs training on E-23 requirements, model validation techniques, and the tools you implement. Model owners need to understand their responsibilities. Reviewers need to know what to look for.
Start now, don’t put it off. The institutions that excel at E-23 compliance will be those that started early, built comprehensive frameworks, and refined their approaches through iteration.
The Bottom Line
Spreadsheet model risk is no longer something you can ignore, minimize, or defer. E-23 brings these ubiquitous tools into the same regulatory framework as your most sophisticated models—because in many cases, they’re just as material to your business.
The question isn’t whether you need to address spreadsheet model risk. The question is whether you’ll address it strategically and systematically, with the right frameworks and tools, or whether you’ll approach the 2027 deadline unprepared.
Tools like ExcelAnalyzer provide the technical validation capabilities that make comprehensive spreadsheet model risk management achievable. But technology alone isn’t enough. You also need leadership, commitment, and a willingness to change how your organization thinks about end-user computing.
The institutions that get this right won’t just satisfy E-23—they’ll build more robust risk management practices, make better decisions, and create real competitive advantage. The institutions that don’t will find themselves explaining to regulators why 95% of their spreadsheet models contain errors they never detected.
Which institution will you be?
Ready to take control of your spreadsheet model risk?
Click one of the buttons at the top of this page to download a free 10-day trial of ExcelAnalyzer, or book a demo.
The deadline is approaching. The risk is real. The solution is available. Now is the time to act.
Continue the Conversation
You can connect with me on LinkedIn to discuss spreadsheet governance, model risk management, and regulatory expectations.