End User Computing Risk Management
What Is End User Computing?
End User Computing (EUC) can be accurately defined as ‘a system in which individuals are able to create working applications beyond the divided development process of design, build, test and release that is generally followed by professional software engineering teams’.
Microsoft Excel is one of the most common examples of End User Computing platforms – readily accessible, fast, flexible and familiar. Over time, EUCs have become essential to many financial operations, allowing users to manage and manipulate data quickly and efficiently.
Whilst these features make End User Computing appealing and critical to business structures, they also make them difficult to manage and control. EUC applications are not subject to the same monitoring as traditional applications, and frequently management does not have visibility over how integral the use of EUCs is within the company. Because of this, many of the advantages of EUCs have begun presenting risks to the businesses that rely so much on them.
Complete the form on the left to receive our whitepaper, ‘The Business Case for Managing End User Computing‘.
End User Computing Risk
End User Computing risk is a more prevalent issue than many would care to acknowledge. Given that the data produced by EUCs is accepted and trusted by management and other end-users, they quickly become the basis for integral business decisions and reporting, meaning that ensuring they are effectively managed is essential.
As End User Computing applications develop and become more complex, the potential for EUC risk also increases. Yet, because we have become so accustomed to using things like spreadsheets to house confidential data, we have also become less aware that using these EUC tools comes with an associated risk.
Whilst EUCs have become critical to financial operations, if a spreadsheet or database has thousands of lines of code, receives data from other systems, uses multiple macros or is not regularly reviewed, then you are exposed to end user computing risk. These factors mean that one may not know if a change has taken place and present multiple opportunities for data to be altered, whether genuine, unintentional or malicious.
Challenges & Costs of End User Computing
Though EUCs are well structured applications, within businesses the knowledge of their existence or location can often be very limited. This means that their value to the rest of the company is not easily accessible and can lead to a number of potential costs. These costs can be divided into three categories:
Direct costs and risks have a clear, measurable impact on a business’s finances. This can be through a spreadsheet error leading to a loss in revenue, or on a systemic basis as they contribute towards ongoing operational costs.
These costs are the result of two potential factors: the added operational processes to meet regulations or the failure to adhere to regulations, leading to fines and extended audits or external monitoring.
Indirect costs include things like reputational loss and are often the result of operational or financial incidents caused by poor EUC management. Reputational loss frequently affects all of the stakeholders of a business, including shareholders, clients and auditors.
EUC Management: Assessing & Controlling Potential Risk
End User Computing risk has been an issue for as long as Access databases and Excel Spreadsheets have been around. Any application that leaves system based processes in the hands of an average user poses the opportunity for EUC risk.
Because of this risk and potential for loss, there is a great need for End User Computing management. Effective operational risk management means being aware of the potential for risk before it even occurs. In order to do this, it’s therefore essential that organizations have a structure in which they are able to do the following:
- Define and establish what end user computing risk is for the business
- Define what constitutes as high risk EUCs
- Define additional
- EUC controls needed to manage the associated high risk
- Establish necessary reporting and monitoring processes that take oversight into account
- Establish protocols for action in the case of risk levels heightening or monitoring exposing exceptions
- Establish an appropriate response
This is a rough framework for managing EUC risk, however, all of this must be in accordance with and support the larger operational risk management framework.
One of the safest ways to manage and mitigate the risks of EUC applications is by taking a system based approach to supporting the control framework, with a manual approach being inhibiting and troublesome in terms of cost-benefit and risk-reward.
The Future of EUCs
With no sign of our dependence on EUCs dwindling, it’s integral that businesses understand and assess their EUC risk. Despite the potential for extensive financial and reputational losses that End User Computing risk presents, it is often not taken into account until it is too late.
Just in 2016, research provider Chartis estimated that the EUC Value at Risk for the 50 largest financial institutions was over $12 billion dollars, highlighting the degree to which End User Computing risk can impact a business. Equally, in 2018 a simple spreadsheet error with a pivot table led to hundreds of property owners having their data breached, a result that cost Kensington and Chelsea Council £120,000 in fines. However, beyond financial loss, EUC risk can lead to a number of other consequences, with one spreadsheet error just recently resulting in junior doctors of the NHS losing their jobs.
Clearly, there is a lot at stake when it comes to End User Computing risk. It is therefore critical that businesses assess, review and manage this risk before it is too late.