A series of polls we conducted during a recent webinar with UK Finance and Protiviti made it clear that End User Computing (EUC) and Shadow IT management is becoming an increasing priority for financial institutions. 88% of respondents were aware that their firm had an EUC policy or a wider IT policy that covered End User Computing; the reason for this high figure could lie in a greater awareness of the commercial, operational and reputational risks that uncontrolled Shadow IT creates. Regulations such as SS3/18 and SMCR are likely to be large drivers for this.

It’s refreshing to see that organizations are putting in place a good foundation for systematic EUC and Shadow IT management, with most having an EUC policy. This is an excellent start, but clearly some are further down the road than others.

46% of respondents indicated that they had a single inventory of their EUCs, meaning the majority have no formal and consistent process for maintaining an inventory of the critical applications across their organization.

Of those that have an inventory, 55% use manual, standard Microsoft Office tools to manage their EUCs, with only 9% investing in specialist third-party systems. The positive here is that at least there’s a departmental view of the EUC inventory. The challenge is that, with a dispersed inventory landscape and manual processes, these firms are going to be asked much more often by regulators to show evidence of good management and control of these applications. Let’s not forget either that this approach is resource- and time-intensive, as well as error-prone.

But the most revealing indicator of organizations’ attitude to EUC management is that the issue is yet to make it fully onto the Board agenda. Only a quarter of participants believed that their Board was fully aware of the Shadow IT risks to the business, with 74% saying there was limited awareness. From conversations I’ve been having, what truly grabs the attention of those in the C-suite is when loss occurs – I’m reminded of Marks & Spencer, Carillion, Conviviality, JP Morgan and Goldman Sachs, to name a few. This is a view that regulators, auditors and shareholders will challenge much more, and sooner than people think.


Proactively addressing the risks posed by Shadow IT is the obvious answer. And adopting automation to incorporate it into the wider risk and compliance initiatives is easily done.
