This table provides an update of regulatory and spreadsheet risk requirements.

Legislation Description Spreadsheet Requirement
BCBS 239 Banking Supervision’s Principles for Effective Risk Data Aggregation and Reporting Mandatory principles for SIFis defining how to aggregate and report risk data
DFAST Dodd-Frank Act Stress Testing Stress testing for banks requires extensive documentation on risk models many of which are spreadsheets
Stress testing – rest of world PRA, Finma, ECB, etc. As above
FDA 21 CFR Part 11 Requirement for rigorous validation of business processes All spreadsheet processes to be controlled and validated
FINRA 2010 priorities Big focus on spreadsheets
ICAEW Twenty Principles of Good Spreadsheet Practice Best practice recommendations for spreadsheet control
OCC Supervisory Guidance on model risk management Set of procedures and processes to validate models in banks Many models are spreadsheets
Sarbanes Oxley (SOX) Attestation and internal control regime for all listed companies in the USA All spreadsheets require effective controls. 10 years old but organisations still need update their processes e.g. COSO 2013
COSO Internal controls framework Adopted by many organisations as a standard to comply with Sarbanes Oxley
NAIC model rule A financial reporting regulation applicable to insurance companies Borrow heavily from Sarbanes Oxley and requires similar levels of controls
Solvency II Insurance industry solvency and risk management requirements All data used in solvency calculations to be complete accurate and appropriate
TAS M Technical Actuarial Standard relating to models Applies to spreadsheet models

correct at time of publishing