Articulating Risk in Complex Financial Models

Why clarity matters — and how to measure what’s often invisible

White Paper v 1.2 – June 2025

Prepared by Navitas Business Modelling Pty Ltd
Lead Author: Col Werner (MBA), Director
With contributions from modelling, governance and risk specialists

1. Executive Summary

Financial models play a central role in decision-making across forecasts, deals and budgets — yet many lack the required rigor, are opaque and misunderstood. While tools like the FAST standard help improve structure, few organisations have a clear method to measure model risk or the capability of those who build them. This paper outlines why articulating model risk is so difficult in practice, how complexity, pressure, and culture amplify the challenge, and what practical steps can be taken to improve visibility and control. Drawing on two decades of modelling experience, we introduce a dual-assessment framework that evaluates both model risk and modeller capability – helping organisations uncover hidden issues, apply the right level of scrutiny, and build greater confidence in the decisions their models support.

2. Introduction

Financial models drive decisions on deals, forecasts and budgets – and yet they can be accidents waiting to happen. Behind every complex spreadsheet lies hidden logic and interlinked formulas that few users genuinely understand. One study found that approximately 94% of spreadsheets in use contain faults, often due to the rise of end-user development without formal software training (Poon et al., 2024). Add tight deadlines and non-specialist builders, and even skilled analysts resort to “band-aid” fixes under pressure.
Despite its risks, Excel remains one of the most powerful and flexible decision-making tools available — and its user base continues to grow. Removing it altogether would be like banning cars because of crashes. The answer isn’t to abandon the vehicle, but to set clearer rules for how they’re used. Similarly, financial models need better governance, not less usage. This paper explores why model risk remains difficult to see and even harder to explain — and introduces practical diagnostic frameworks to assess, communicate and manage it with greater confidence.

3. Problem: Why Articulating Model Risk Is So Difficult

Articulating risk in financial models is more challenging than it sounds — especially where logic is buried, assumptions are undocumented, and the audience isn’t technical. Several factors make model risk difficult to explain clearly — and even harder to challenge, they are laid out as follows.

• No common language or visuals. Model risk has no widely adopted standard vocabulary or scorecard. Some organisations use guidelines like the FAST standard (which promotes a shared modelling language) so that technical and non-technical users engage with model outputs effectively. FAST does a great job in helping mitigate model risk but it doesn’t measure it per se. Measuring the risk side of this equation is not universal. In most cases, risk is communicated without structure, leaving decision-makers to interpret with limited capacity to challenge or trust the model.
• Model complexity. Financial models can span dozens of interconnected worksheets and thousands of formulas, with nested lookups and macros (complex Excel formulas and automation scripts). No human brain can easily map all the links and assumptions. Reading a complex spreadsheet can be likened to navigating a maze and attempting to memorise the path you took.
• Developer vs Decision-maker mismatch. Those who develop models have detailed knowledge and assumptions hidden in the cell logic, while the decision makers just want reliable answers. This information gap often leads to blind spots. In practice, developers rarely discuss or document every assumption, and decision makers rarely find time to delve into the detail.
• Risk-averse culture (fear of review). Many organizations don’t have a culture that encourages raising concerns. Without psychological safety, people tend to keep quiet. As one expert explains, a strong risk culture “encourages staff at all levels to raise concerns,” but in a weak culture people “may choose silence, fearing consequences” (Edmondson 2018). In other words, if analysts worry that flagging a spreadsheet issue will get them in trouble, everyone loses.
• Time pressure and fragility. Deadlines force quick fixes. Model builders under time pressure are forced to often choose incremental changes rather than a restructure. In other words, shortcuts are taken, without properly assessing how the update should be integrated into the model. These band-aids can fix a problem temporarily – but they make the model fragile, potentially creating future pitfalls (PWC 2016).
• Siloed information. In the worst cases, only one person genuinely knows how a model works. If that person is absent from the role the rest of the team run blind. This scenario highlights a serious risk: major decisions are derived from a spreadsheet only one person understands. Often a single individual becomes the sole custodian of a model – sometimes unintentionally protecting their relevance by not sharing knowledge. And if they’ve been quietly managing the same model for years, few are brave (or qualified) enough to ask whether it still makes sense.
• The Dunning-Kruger effect. Another common but under-recognised issue is the tendency to overestimate one’s modelling ability — often linked to the Dunning-Kruger effect (Kruger and Dunning, 1999), where individuals with limited skills mistakenly assess their competence as high. Across the industry, we observe generally low levels of Excel proficiency, with limited structured development either individually or institutionally. In many organisations, modelling remains undervalued as a professional discipline, leading to competency gaps that often go unaddressed.
• The rise of AI. Another trend making matters worse is the rapid uptake of AI tools and advanced coding environments like Python. While these innovations are promising, they can create a shortcut to foundational learning. Many jump into complex automation without first mastering the core building blocks of effective model design. Being strong in Excel does not guarantee capability as a financial modeller — which draws on finance, accounting, and IT. AI may assist with speed and learning, but it also introduces new risks: from misplaced confidence in its outputs to incorrect assumptions about what constitutes a robust model. In reality, most modelling failures arise from poor structure, and it takes hard-won experience to spot and correct structural weaknesses — something no tool can easily replace.

When models aren’t questioned, the real danger isn’t the errors — it’s assuming there aren’t any.

4. Impact: The Cost of Poor Risk Articulation

When model risks aren’t clearly defined and articulated, their effects often go unnoticed until they affect outcomes. Confidence in outputs weakens, not necessarily because the model is wrong, but because no one can clearly explain how it works.
Risk escalates sharply in models tied to high-dollar decisions — the larger the financial exposure, the more serious the consequences of getting it wrong. Without clear articulation, even well-constructed models can quietly undermine the decisions they were meant to support.
This phenomenon is illustrated by high-profile cases documented in the business world, such as those highlighted by Forbes. The article “Sorry, Spreadsheet Errors” (Forbes, 2014) outlines how ambiguous or poorly communicated model risks led to significant financial losses in organizations—even when the underlying models were technically sound. In each instance, the lack of clear documentation and transparency about how models functioned resulted in misplaced confidence and, ultimately, costly mistakes.

5. Solution: Currently Available in the Market

While some banks and financial institutions have developed bespoke internal frameworks to assess spreadsheet risk — often embedded in broader operational risk systems — these are proprietary, tailored to their own regulatory environments, and not readily adaptable for wider industry use. A range of commercial solutions also exist, including spreadsheet audit software like PerfectXL, Operis Analysis Kit, and ExcelAnalyzer. These offerings provide technical insights and/or compliance checks, particularly for heavy exposure modelling, but are often used reactively or by specialist teams. Sotware like PerfectXL, for instance, offer excellent technical diagnostics and spreadsheet transparency, and can be used in tandem with broader frameworks. However, few options offer a practical, organisation-wide approach for measuring the modelling environment, model risk and modeller capability in a way that can integrate with enterprise risk frameworks and support internal reviews before an audit is triggered.

In light of these challenges and their consequences, how can organizations proactively identify and communicate/reduce model risk?

The framework introduced in this paper is designed to fill that gap. It brings structure to a space that has relied on intuition, legacy files, or implicit trust. By offering an accessible and repeatable method to evaluate spreadsheet risks and human capability together, it helps organisations make visible what is otherwise hidden. Particularly for mid-sized firms, government agencies, and corporates lacking formal model governance, it provides a low-friction entry point into identifying where further oversight is needed — before problems escalate. One answer to the growing challenge of invisible model risk is to introduce a more structured assessment framework.

When model risks go unspoken, the impact can be fast and far-reaching.

6. Solution: A Framework for Evaluating Model Risk

To bring structure to what is often a subjective discussion, in conjunction with an ASX 100 company, Navitas has developed a diagnostic framework that quantifies model risk through two dimensions: financial materiality and model integrity. These are assessed through a 22-question framework.
7 questions focus on financial exposure — measuring the relative size, accuracy and relevance to the business of the model. Two examples of questions that are asked are as follows:

• If the data processed by this model were incorrect, the impact on the business would be significant, potentially leading to financial losses.
• I have carefully reviewed the calculations in the model and there is no need for further discussion to ensure accuracy.

The remaining 15 questions assess model integrity including structure, usability, analysis and compliance risk. Two examples of questions that are asked are as follows:

• I am confident that the model is comprehensive, accurate and aligns with the future strategic direction of the business.
• The model would benefit from further automation.

Figure 2 summarises the model integrity results across four key areas, highlighting where structural or usability risks may be present.

Together, the results place each model in a risk matrix — where financial materiality defines the impact and model integrity defines the likelihood of something going wrong. Responses are numerically scored and processed through a proprietary diagnostic engine, which maps each model to a risk position based on both dimensions. The engine applies a weighted analysis across the key risk areas shown above, incorporating subdomain indicators and logic, and is designed to evolve as usage data and industry insights refine its precision. This structure provides a clear, consistent way to compare model risk across the business and helps focus attention on the models that matter most. It turns a technical issue into something risk and executive teams can engage with. Figure 3 below presents the Financial Model Risk Matrix, which visually maps the intersection of model integrity and financial materiality — helping organisations classify their models by risk level and prioritise oversight where it counts most.

If you can’t see the model risk, it’s difficult to manage — let alone explain.

The model risk assessment can be run periodically — allowing organisations to track whether modelling standards are improving, stagnating, or deteriorating over time. This framework is designed to align with existing Enterprise Risk Management (ERM) frameworks, making it easier to integrate model risk into broader governance and reporting structures. While some degree of subjectivity is inevitable in self-assessment, the process itself fosters visibility and shared understanding — and that’s often the first step toward improving model quality and reducing risk.

Identifying high-risk models is half the battle – we also need to ensure the people running those models are up to the task.

7. Solution: Closing the Gap Between Model Risk and Modeller Capability

Financial modelling does have certifications like the FMI and CFI qualifications, but these are not yet universally understood or widely recognized in the business world. Despite their value, these certifications often lack broad adoption and are not entirely known as a standard benchmark for expertise in real-world business environments. In practice, organisations lack a simple, objective way to verify that the modeller assigned to a high-risk model truly has the required skills. Instead, modeller competence is often assumed based on seniority, role inheritance or experience – assumptions that can be dangerously misleading. Two of the most common sources of model risk are errors in model implementation and misinterpretation of results. Both depend directly on the modeller’s ability. Without a formal skills assessment, a high-risk model may go into production under the management of someone whose capability has never been validated – creating a risk management blind spot.
To address this gap, we designed an automated Modeller Skills Assessment. Figure 4 below summarises the results of this assessment, providing a domain-by-domain view of the modeller’s capability across five core skill areas.

The output from the Diagnostic is shown above. In this example, a radar chart (also known as a spider chart) plots the modeller’s performance across five key skill domains, providing a visual summary of strengths and development areas. It shows, for instance, a high score (green) in Financial Modelling Concepts (88%) and Skill Application (100%), but weaker scores (yellow/red) in Excel Functions (58%) and Collaboration & Communication (50%). The visual profile highlights specific strengths and weaknesses in the modeller’s skillset. This enables teams to pinpoint exactly where a modeller may require coaching.
The detailed breakdown is summarised using an overall Modelling Skills Score diagnostic using a standardized performance scale (e.g. Foundation, Proficient, Advanced, Expert). The gauge chart below shows an aggregate score of 76%, placing the modeller in the “Proficient” band. This single-number summary provides a sense of capability. In the same spirit as the modelrisk assessment, the skills score offers a quantitative metric for the human side of modelling risk. Figure 5 below presents the modeller’s overall skills score on a standardised capability scale, offering a single view of modelling proficiency.

The modelling skills framework is designed to be completed alongside the model risk assessment. By comparing a model’s risk rating with the modeller’s capability profile, any mismatch – for example, a very complex model (with a “very high” risk rating) paired with say a moderate skills score (with a “proficient” skills score) – is identified. Figure 6 below illustrates how model risk ratings can be mapped against modeller capability levels — making gaps visible and enabling organisations to align risk with the right level of modelling expertise.

Used together, the model risk rating and modeller capability score offer a structured way to surface invisible risks. This dual-diagnostic approach provides a clearer view of the model and the modeller. In a discipline where human error often goes unnoticed, objectively assessing capability is essential.

Human error is the most consistent risk in modelling — and the least consistently addressed (Panko 2015)

8. Broader Levers Beyond This Framework

All models are wrong, but some of them are useful (Box 1979)

This quote from George Box reminds us that models are simplifications — tools to support judgement, not substitutes for it. And yet in the wrong environment, even a useful model can become dangerous.
High-functioning modelling environments mirror those found in safety-critical industries like aviation — where errors are treated as opportunities to learn, not grounds for blame. In such cultures, individuals are encouraged to voice concerns, share uncertainty, and continuously improve the systems they use. This isn’t the norm in many businesses. Models are often built under pressure, by solo analysts, with little review — and if something goes wrong, people fear reputational damage or job loss.
This paper does not aim to solve organisational culture issues. But by providing a consistent way to assess risk, the framework can help distinguish between model-specific issues and broader systemic ones. This separation is essential: when cultural challenges are conflated with technical faults, the root causes of risk remain hidden.
Technology continues to offer new ways to reduce risk through smarter Excel practices. Embracing new practices like Dynamic Arrays, LAMBDA functions, and Power Query can minimise risks such as hardcoding, inconsistent formulas, and reliance on manual data updates. These features introduce more structure, reduce fragility, and improve auditability — particularly valuable for teams lacking formal governance.
Ultimately, this section reminds us that model risk is rarely about one factor. People, tools, and context all play a part. And while surveys and diagnostics won’t fix a poor culture, they can bring clarity to the discussion — and that’s the first step to doing better.

9. A Note on Methodological Limits

Risk matrices are a commonly used framework in enterprise risk management. However, academic critiques – such as Thomas et al. (2013), noted that simplified scoring systems can suffer from issues such as “ordinal misuse,” where subjective ratings like likelihood or impact are mistakenly treated as precise, and “range compression,” where categories obscure the real scale of risk. These points are legitimate, particularly in financially significant quantitative environments.
When applied to the assessment of model risk, some level of subjectivity is inevitable. Individuals are asked to self-assess aspects of financial exposure and model quality, and those responses are shaped by personal confidence, role visibility, and organisational context. While this introduces bias, we believe acknowledging this subjectivity – and designing around it – is far more useful than ignoring it altogether.
This framework aims to take a balanced approach. The model risk assessment deliberately separates quantitative exposure from structural integrity and allows organisations to tailor
materiality categories to suit their scale. Rather than mixing dollar amounts with ordinal scores, financial thresholds can be defined explicitly (e.g. <$500k, $500k–$5m, >$5m) — enabling “like for like” classification of impact and improving internal consistency.
The diagnostic is not a perfect risk instrument — nor does it claim to be. But it introduces rigour and transparency in a domain where assessments are often implicit or absent. By helping users frame risk in structured terms, it enables more grounded conversations, better governance decisions, and ultimately more resilient models.

10. Where to Next

This paper explored why model risk is often misunderstood, how it can be assessed, and how modeller capability can be objectively measured. Grounded in two decades of complex modelling environments across government, mining, finance and ASX-listed firms, these insights offer a practical path to uncover hidden risks and improve decision-making.
To support organisations dealing with the challenges mentioned in this paper, Navitas has built a suite of diagnostic frameworks that help identify, evaluate and address model risk. Organisations can access a free automated diagnostic on our website, covering both model risk and modeller capability, with a tailored three-page PDF report to support internal review or escalation.

Note: These diagnostic frameworks are designed to surface hidden risks; further action may be required to appropriately mitigate them. Depending on the nature and severity of the findings, additional options such as our Model Risk Navigator framework or diagnostic software like PerfectXL may support deeper analysis or remediation.

To get started, follow this link portal.businessmodelling.au/assessments, or click on the button below:

Together, these approaches offer a grounded, actionable way to bring hidden risks to light and support better decision-making.

11. About Navitas Business Modelling

With over 20 years’ experience, we help ASX-listed corporations, government agencies, SMEs, and blue-chip companies build and improve financial models that support better decision-making. For organisations that want to take the next step, Navitas offers a set of practical diagnostic frameworks — including a self-guided remediation process known as the Model Risk Navigator.
To learn more, or access a diagnostic output, visit portal.businessmodelling.au/enterprise-solutions or get in touch contact@businessmodelling.com.au

12. Peer Review Acknowledgement

This white paper has been peer reviewed by experienced professionals in financial modelling, risk, and governance to ensure the relevance, accuracy and practical application of its insights. We gratefully acknowledge the following reviewers for their independent input:

• Danielle Stein Fairhurst – Principal Financial Modeller
• Robert Mitchetti – Senior Modelling Consultant
• Grant O’Connell – Risk Industry Specialist
• Lance Rubin – Leading expert on data-driven decision-making solutions

Their feedback has helped strengthen the clarity and rigour of this publication. Responsibility for the final content remains with Navitas Business Modelling Pty Ltd.

13. References

• Box, G.E.P. (1979) ‘Robustness in the strategy of scientific model building’, in Launer, R.L. & Wilkinson, G.N. (eds) Robustness in statistics, Academic Press, New York, pp. 201–236.
• Edmondson, A. (2018) The fearless organization: Creating psychological safety in the workplace for learning, innovation, and growth, Wiley, Hoboken, NJ.
• FAST Standard Organisation (n.d.) The FAST standard for financial modelling, FAST Standard. Available at: https://www.fast-standard.org (Accessed: 25 May 2025).
• Forbes (2014) ‘Sorry, your spreadsheet has errors (almost 90% do)’, Forbes, 13 September. Available at: https://www.forbes.com/sites/salesforce/2014/09/13/sorry-spreadsheet-errors/ (Accessed: 25 May 2025).
• Kruger, J. & Dunning, D. (1999) ‘Unskilled and unaware of it: How difficulties in recognizing one’s own incompetence lead to inflated self-assessments’, Journal of Personality and Social Psychology, vol. 77, no. 6, pp. 1121–1134. https://doi.org/10.1037/0022-3514.77.6.1121.
• Navitas Business Modelling Pty Ltd (2025) Financial model risk & capability assessment framework, Navitas Business Modelling, Perth, WA. Available at: https://businessmodelling.com.au (Accessed: 25 May 2025).
• Operis Analysis Kit (n.d.) Operis Analysis Kit, Operis. Available at: https://www.operis.com (Accessed: 25 May 2025).
• Panko, R. (2015) ‘Human error and spreadsheet risk: What we know and what we don’t know’, in Proceedings of the European Spreadsheet Risks Interest Group (EuSpRIG). Available at: https://www.eusprig.org (Accessed: 25 May 2025).
• PerfectXL (n.d.) Spreadsheet analysis software, PerfectXL. Available at: https://www.perfectxl.com (Accessed: 25 May 2025).
• Poon, P.-L., Lau, M.F., Yu, Y.T. & Tang, S.F. (2024) ‘Spreadsheet quality assurance: A literature review’, Frontiers of Computer Science, vol. 18, no. 2, Article 182203. https://doi.org/10.1007/s11704-023-2384-6.
• PwC (2016) Spreadsheet governance for financial reporting, PwC Australia. Available at: https://www.pwc.com.au (Accessed: 25 May 2025).
• Spreadsheetsoftware.com (n.d.) Excel Analyzer: Spreadsheet audit software review. Available at: https://spreadsheetsoftware.com/review-audit-software (Accessed: 16 June 2025).
• Thomas, P., Bratvold, R. & Bickel, J. (2013) ‘The risk of using risk matrices’, SPE Economics