Recent Comments (The most recent comments are at the top.)
5.1 Defining the Risk Metrics to assess the applications with
The Complexity and the Materiality of an application are the two main contributors to risk.
The more complex a spreadsheet (or for that matter any application) is, the greater the risk is of the risk crystallising and creating an issue. Once the risk crystallises, how material is the effect on the Society’s business operation?
Complexity - We used one of the simpler ways to measure Complexity and this is suggested by PwC (PwC, 2004). A spreadsheet with low complexity is just for information logging and tracking. There are no formulas or links. Medium complexity is where simple formulae are used, for example to translate or reformat information. High complexity is the rest, where complex formulae are used, there are links to external sources, macros, and modelling.
The more complex an application is the less likely someone other than the author can understand it and the greater is the spreadsheet risk.
Materiality - Materiality could be measured as the impact resulting from the risk crystallising. This could be:
a. Inconvenient
b. Poor Customer Outcomes
c. Reputational
d. Loss of Business
e. Financial
f. Statutory / Legislative
Different areas of the business rank these in different orders so we used a different approach instead.
Independent research done by Chartis suggests the following classification for materiality (Chartis, 2016):
a. High – Application supports financial or regulatory reporting or private or confidential information.
b. Medium – Application supports management reporting, calculation, or input into a core management information system or used for making key business decisions.
c. Low – internal operations or day to day decisions or contains outputs from core management information systems.
1. https://arxiv.org/ftp/arxiv/papers/1909/1909.00855.pdf
2. https://apparity.com/euc-resources/spreadsheet-euc-risk-blog/basics-of-an-end-user-computing-euc-policy/
EUCs are typically identif...