With spreadsheet and End-User Computing (EUC) applications used widely in organizations, in both financial and non-financial services businesses, we often recommend that enterprises create and enforce strict EUC policies to effectively and efficiently manage spreadsheet usage.
To this end, here are some top tips to help you create the right policy for your organization:
- A step at a time – Don’t try and solve the whole organizations spreadsheet-related challenges at one go. Focus on the high value models first and look to build technology safeguards for them. Thereafter, go down the pecking order based on value of the applications and business priorities.
- Significant spreadsheets – Focus on criticality to identify the most significant spreadsheet models and applications, based on the business processes the models represent. The more business-critical the process, the higher the criticality of the spreadsheet. Also, define significance – i.e. does the spreadsheet carry reputational value, financial value, operational value and so on.
- Significance of risk – Ascertain how ‘scary’ the identified spreadsheets are. For example, if a particular spreadsheet that is found on a stolen laptop is published, will that file result in reputational damage?
- Training and awareness – Don’t underestimate the value of imparting knowledge and training to employees on the business rationale for EUC policy. Offer computer-based training, utilize the marketing team to roll-out an effective awareness campaign. Messages on the business value of EUC management in common areas, around coffee machines, on coffee mugs are all good tactics. The greater the visibility the issue gets, the more effective EUC management will become.
- Oversee effectiveness of policy – Given how quickly new spreadsheets are created, a manual attempt at ensuring that the EUC usage policy is being adhered to is not only impractical, but impossible. Leverage technology to facilitate control of EUC management processes.
- A service approach – Over the last 10 years, organizations have wielded the ‘compliance’ stick at employees to enforce EUC policy. Rather leverage technology and position it as a service to the employees. It is a more mature approach to risk management.
- Understand where the data sits – Spreadsheets fall in the remit of unstructured data, and typically sit outside of enterprise systems. Understand where in the business the business-critical, high-value spreadsheets reside. Aside from EUC management, this is essential to ensuring confidentiality of data too.
- Policy ownership – Often organizations make the mistake of giving the responsibility for the governance of business-critical spreadsheets to the IT Manager. This almost never works as these key files sit within the business and the IT manager isn’t empowered to drive the activities and governance defined within the policy. The EUC usage and management policy ownership is best held with the relevant business/department managers.
- Self-attestation of controls – In the organizations’ policy for EUC management, ensure that it stipulates self-attestation by employees for the most critical, high value spreadsheets – that they are implementing the controls outlined in the company’s EUC directive. This will ensure that they take responsibility for the accuracy and integrity of spreadsheets.
- Integrated approach to risk – Integrate spreadsheet risk-related processes into the wider risk management strategy of the business. This will provide transparency around EUC management and ensure that wider governance structures are appropriately wrapped around EUC processes too.
Utilizing spreadsheet management technology is the most efficient and effective way to ensuring enforcing EUC policy. EUC management/Spreadsheet management solutions like ClusterSeven provide comprehensive support for policy enforcement, but also for change management and remediation controls. For instance, manually, it is impossible to know if a 1000-row spreadsheet has errors in it. ClusterSeven is able to test the integrity of the spreadsheet and remediate any issues before taking the application into management; you can try it yourself for free here. This helps maintain the accuracy and integrity of the spreadsheet for all times to come. This is especially important if the application in questions is a data source for other EUC applications as an error in one file could seriously threaten the integrity of other spreadsheets.