Henry Umney, Vice President of Sales, ClusterSeven
Most commonly, losses in the financial and banking sector are associated with poor investment decisions, the impact of global economic performance and crimes such as fraud and embezzlement. Consequently, many different types of regulations have evolved to help financial institutions better manage all manner of risks – credit, liquidity, market and operational. There is another key risk, End User Computing (EUC), which has managed to stay under the radar because it is seemingly benign and seldom acknowledged, but which is capable of causing significant losses to business.
Microsoft Excel is of course one of the most pervasive examples of an EUC application, but EUC applications range from spreadsheets to databases and financial modelling tools. A single inconsistency or discrepancy in a spreadsheet related to a key trade, if it proliferates across an organisation’s EUC application landscape, has the potential to generate losses or misstatements in the billions of dollars – notwithstanding the secondary effects such as regulatory fines, the loss of customers and reputational damage for years to come.
The business case for EUC risk management
C&C, the Irish group that owns Magners Cider, is a case in point. A spreadsheet error caused the company’s shares to fall by 15 per cent after it admitted that its total revenues in the previous four months had dropped five per cent, not risen three per cent, as previously reported.
A recent report from Chartis estimates that the EUC value at risk for the largest 50 financial institutions is over $12 billion. This is no paltry sum. Clearly, there is a strong business case for managing EUC risk for organisations.
Approach to EUC risk management
There are some approaches that financial organisations can take to institute effective controls and make EUC application management routine in the business.
Retain the value of agility
Foremost, it’s imperative that the introduction of EUC controls and management processes does not diminish or in any way compromise the agility and speed that these applications offer users. After all, that is why they are so valued in business. For instance, putting in place access controls on EUC application usage that result in lengthy approval cycles is both impractical and futile. Equally, if additional access control processes are implemented on key files, they must be exceedingly reliable to ensure that users are not accidentally locked out of their applications at the most critical times.
EUC controls must never alter the experience of users and for the most time-sensitive business processes, they must never be the cause of delays either. This is essential to persuading users to accept and embrace the controls.
Identify where the EUC risk lies
It’s vital to assess the EUC estate to understand where the potential failings lie so that appropriate corrective action can be taken. Organisations would do well to conduct a process of discovery by scanning file shares and repositories alongside analysing the overall EUC application estate structure, properties and content. This will enable them to rank the discovered files by the level of risk they pose based on the complexity and data content of each. Additionally, the process will likely highlight security vulnerabilities such as poorly defined access control lists, absent passwords, insecure connection strings and existence of personal data.
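A minimal sketch of the discovery-and-ranking pass described above, as an added example that is not from the article or any vendor product. The function names, regular expressions and scoring weights are assumptions, and the sample workbooks are constructed in memory; complexity is approximated by formula and external-link counts.

```python
import io, re, zipfile

# Assumed patterns and weights (not from the article); tune to your own tiering policy.
CRED_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\"&\s]+")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def assess_workbook(name, data):
    """Score one .xlsx (a ZIP of XML parts) on complexity and risky content."""
    formulas, links, findings = 0, 0, []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # password-to-open or legacy .xls: needs manual review
        return {"file": name, "score": 0, "findings": ["unparsed: encrypted or legacy format"]}
    with z:
        for part in z.namelist():
            xml = z.read(part).decode("utf-8", "replace")
            if part.startswith("xl/worksheets/"):
                formulas += len(re.findall(r"<f[ >]", xml))  # formula cells
            elif part.startswith("xl/externalLinks/") and part.endswith(".xml"):
                links += 1  # links to other workbooks
            elif part == "xl/connections.xml" and CRED_RE.search(xml):
                findings.append("credential in connection string")
            elif part == "xl/sharedStrings.xml" and IBAN_RE.search(xml):
                findings.append("possible personal data (IBAN-shaped value)")
    score = formulas + 10 * links + 50 * len(findings)
    return {"file": name, "score": score, "findings": findings}

def rank_estate(files):
    """files: {path: bytes}. Returns assessments, highest risk first."""
    return sorted((assess_workbook(n, d) for n, d in files.items()),
                  key=lambda r: r["score"], reverse=True)

def make_xlsx(parts):
    """Build a minimal constructed .xlsx-like ZIP from {part name: xml}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for part, xml in parts.items():
            z.writestr(part, xml)
    return buf.getvalue()

# Constructed sample estate; in practice read the bytes of files found on the share.
SAMPLE = {
    "pnl_model.xlsx": make_xlsx({
        "xl/worksheets/sheet1.xml": '<c><f>SUM(A1:A9)</f></c><c><f t="shared" si="0"/></c>',
        "xl/connections.xml": '<dbPr connection="Provider=SQLOLEDB;User ID=rpt;Password=EXAMPLE-ONLY;"/>',
        "xl/externalLinks/externalLink1.xml": "<externalLink/>"}),
    "contacts.xlsx": make_xlsx({"xl/worksheets/sheet1.xml": "<c><v>0</v></c>",
        "xl/sharedStrings.xml": "<si><t>GB29NWBK60161331926819</t></si>"}),
    "locked.xlsx": b"\xd0\xcf\x11\xe0 constructed non-ZIP bytes",
}
```

Calling `rank_estate(SAMPLE)` returns the three files ordered by score, with the unparsed file listed last so that it is routed to manual review rather than silently dropped from the inventory.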
Improve data quality for regulatory compliance
Specifically, for the financial services industry, three pieces of regulation in particular – BCBS 239, Supervisory Guidance on Model Risk Management (SR 11-7) and Solvency II – have set the stage both for specific EUC control issues and for the wider expectations on data quality. With key EUC applications being embedded as critical data links within end-to-end business processes, it’s important for organisations to use controls and their understanding of the EUC applications landscape to support a much greater awareness of data quality and processes. So EUC control programmes can’t be an end in themselves; they must also satisfy these higher level expectations.
Improve the efficiency of EUC usage
Typically, the efficiency of EUC application usage is affected by numerous factors that are often related to the poor and undocumented business processes to which EUC applications contribute. For example, it is common for users to work on out-of-date versions or unknowingly recreate already existing spreadsheets. It is also all too easy for users to corrupt EUC applications without quick access to a restoration option. Establish processes that pre-empt such events by capturing metadata, so that knowledge of each application is shared more widely and relevant documentation exists for the organisation.
Establish a conveyor belt – from EUC creation to corporate systemisation
A common internal cultural problem with EUC management is that it is often seen by IT managers as perpetuating the use of uncontrolled and inadequate technology – when broader enterprise systems already exist that presumably provide the necessary functionality that EUC applications offer and facilitate end-to-end high quality processes.
In order to gain the IT mindshare and resources, establish a conveyor belt-style EUC management process that supports everything from creation of new EUC applications through to eventual corporate systemisation. This means that, based on their individual merit, EUC applications are ultimately converted into core system functionality. With this level of visibility, every EUC application is inventoried, tiered for risk and properly protected for security and disaster recovery.
EUC applications are a reality and their risk must be managed
Yes, there are enterprise financial systems that are deployed in organisations and are indeed the preferred option when working with corporate financial information. These systems unfortunately don’t necessarily provide the fundamental functionality that users require for numerical manipulation, analysis or problem solving. And even if they do, they are not always available to all users and may even require training and practice – eventually making it far easier for users to resort to the tried and tested, ubiquitous Microsoft Excel spreadsheet and other databases. They simply do the job and so are here to stay! Against this scenario, effectively and securely managing EUC applications to mitigate business risk and regulatory losses is an astute approach.