The full estate audit. The Finance Shadow narrative. The Snowflake ODS finding.
Three tracks. One programme. Approval-ready.
A code-and-file audit of the Excel Ribbons estate, extended to the Snowflake ODS layer. One page. Everything else is evidence.
85 workbooks. One shared credential. Cleartext auth. Live-Pronto reads and writes. When any of the people who wrote them leaves, they still hold the key.
106 tables audited. 181 dashboards, 875 widgets, 400 SQL, 85 ribbons, 744K VBA lines - not one binds to Snowflake ODS. The 287 "ODS" ribbon hits target Oracle, not Snowflake.
Ribbons migrate onto Excel4Data + Power BI + MuleSoft. Snowflake ODS retires by tiers. Finance stabilises the shadow into a governed rebuild - owned by Finance, not IT.
What was scanned. What was found. Where the security exposure sits, and how the Finance function became a shadow-IT organisation without meaning to.
Seven stages. Static-analysis only - no runtime probing of Pronto. Every finding is evidenced from the code and the file share, not from interview.
969 files pulled from the O:\ share into a controlled workspace. SHA hashed. Duplicates and archives removed.
744,093 lines of VBA across 170 modules dumped for review. 50 apps carry meaningful automation.
Every connection string, every SELECT / INSERT / UPDATE / DELETE across the estate identified and grouped.
82 tables mapped, 4,238 columns catalogued, 31 identified as direct replicas of a LANDING source.
77 of 118 ribbons are self-logging, 3 workbooks do real business writes, the rest read and export.
181 dashboards, 875 widgets, 400 repaired SQL, 15 elasticubes, 203 datasources all searched for ODS bindings.
Every LANDING external-table stage mapped to its blob container. Direct-from-Pronto vs from-Oracle-ODS resolved by container path.
The scale that makes this a strategic issue, not a housekeeping one. Numbers below are from the static scan, all reproducible.
Files scanned on the O:\ share - Excel workbooks, shortcuts and orphans.
Distinct applications once duplicates and archives are removed. 50 carry meaningful automation.
Auto-open handlers, ribbon buttons, custom menus. Each one a live entry point into the estate.
Across 170 modules. Larger than most in-house apps, unversioned, unowned.
Of 118. Write their own usage log back to ODS. Not business writes - diagnostics that stayed on.
Workbooks that push data into Pronto Prod. Pricing and business-case flows. The concentration risk.
Every one is a rotation-and-migration problem, not a firefight. But it is a rotation-and-migration problem that has not been solved for years.
A subset of ribbons connect direct to Pronto Prod. Some carry write credentials. Any workbook, any user, no ceremony. Highest blast radius.
One shared username / password, embedded across 85 workbooks. Reads and writes on Oracle DW. Rotating it is a co-ordinated release, and until we do, anyone who has ever seen the workbook still holds the key.
Several ribbons write CSV to an O:\ staging folder. An 8pm overnight job picks whatever is there up and loads it into Pronto Prod. Controls around what actually gets loaded need review.
The credential rotation is a coordinated release across 85 workbooks. Every workbook needs a code change. Every user needs to pick up the new build. The estate has no owner, no version control, no rollout pipeline. So it doesn't get done.
Rotate under a migration plan, not as a standalone. Every workbook that moves onto Excel4Data or Power BI drops the cleartext credential in the same change. Sequence the estate: the migration IS the rotation.
The ribbons weren't a project. They were the way Finance got its work done when official tooling didn't. Fifteen years later, they run the reporting stack - and the risk sits with the individuals who wrote them.
Ownership: Finance keeps the model. Analytics builds the Snowflake layer. IT provides the platform. No one hands the whole thing to IT and hopes.
Speed: the ribbons exist because Finance needs fast turnaround. Excel4Data + Power BI preserve that. This is not slower - it is safer and centrally maintained.
The programme extended into the data layer. Zero Snowflake ODS consumers - which was expected. Three hidden Oracle-ODS dependencies in LANDING - which was not.
Every scanned surface came back the same. Not one Sisense dashboard, ribbon or repaired SQL binds to OMX_PRD.ODS.
tables in scope are referenced by any scanned system. The schema is a duplicate landing zone that shadows Pronto's Oracle ODS. It has no downstream reader.
How we tested: 181 dashboards, 875 widgets, 400 repaired SQL, 15 elasticubes, 203 datasources, 85 ribbon workbooks, 744,093 lines of VBA - every one searched for the 106 ODS-scope names. Zero matches.
181 dashboards / 875 widgets / 400 repaired SQL / 15 elasticubes / 203 datasources. No binding.
85 workbooks, 744,093 lines of VBA. Zero references to OMX_PRD. Zero references to snowflake.
243 hit PRESENTED, 74 hit DW, 3 hit LANDING. Zero hit ODS.
287 ribbon "ODS" references exist - but every one targets Oracle prontoods.*, not Snowflake OMX_PRD.ODS. Same names, different physical objects.
Every LANDING external table points at a blob container. The container name tells us the source system. Three tables land from an Oracle ODS export container - and were previously invisible.
One target state. Three parallel tracks. A four-week discovery mandate to lock the sequencing plan and start the migration.
One source. One warehouse. Governed reads via Excel4Data and Power BI. Governed writes via MuleSoft and the overnight loader.
Each track has its own owner, its own cadence, its own exit criteria. They share a single steering group so dependencies stay visible.
Owner: Finance + Commercial (lead), Analytics + IT (support).
Pattern: Reads via Excel4Data on Snowflake. Writes via Power BI + overnight loader OR MuleSoft canonical API.
Exit: zero live-Pronto reads from user workbooks. Zero embedded credentials.
Owner: Analytics (lead), FDL (Donovan) walk-list, IT quarantine.
Tiers: DROP-READY 79 (Phase 1) / KEEP 21 verified Pronto-direct / RETIRE-WITH-ORACLE 3.
Exit: OMX_PRD.ODS schema dropped. FDL Gold Standard forbids re-creation.
Owner: Finance (lead), IT (platform), Analytics (model).
Change: Finance keeps the reporting model, moves off scattered VBA. Business rules land in Power BI + O:\ drive.
Exit: credential rotation is a role revoke, not a coordinated 85-workbook release.
Rotate the shared DW credential inside the migration change. Formalise the "no ODS in Snowflake" rule as a written policy. Enable Snowflake query-history alerting on any read of OMX_PRD.ODS.*.
Business rules for pricing and reporting lanes move out of VBA and into Power BI + O:\ drive. Analytics stands up the Snowflake model behind them. Weekly readout starts.
Pricing lane: Power BI outputs wire into the overnight loader. Excel4Data pilot on a reference report. Per-ribbon ODS-to-DW mapping in flight. Walk 6 VERIFY + 3 RETIRE-WITH-ORACLE tables with Donovan / FDL.
Each of the ~85 apps gets a verdict: swap, land-then-swap, or retire. Dependency map locked. Single owner per lane. Programme cadence hands over from discovery to migration.
Revoke INSERT / UPDATE / MERGE from ADF into OMX_PRD.ODS.*. 30 days of read alerting. Drop DROP-READY 79 in batches by prefix. Retire the schema.
Update FDL Gold Standard v2.0 to forbid ODS in Snowflake. Migrate Excel Ribbons off Oracle prontoods.* onto Snowflake LANDING.EXT_*. Rewire or retire the 3 Oracle-ODS dependents.