What is End User Computing Risk and Should You Care?
Believe it or not, like it or not; End User Computing (EUC) application risk has prevailed ever since the advent of tools such as Access databases, Excel spreadsheets and any other applications that put the design of system-based processes in the hands of the ‘average’ user. Overtime, these tools have become critical to many financial operations and some of their advantages (flexibility, ease of amendment, etc.) have actually started posing risks to the businesses that so heavily rely on them.
Broadly, risks fall into two buckets:
- Those risks which we become aware of due to an event, through experiences of the market and borne out of our business activities, individual inspiration, regulatory inspiration or guidance. These are linked to an organizations risk maturity, insight and level of risk awareness/ embeddedness.
- Those which develop slowly overtime and of which we aren’t aware of their existence for some time. EUC Risk falls into this bucket.
As the complexity of EUC applications increase (e.g. when used for modelling, valuation, spreadsheets to house business critical or confidential data) and their ubiquity transcends, we are becoming desensitized to the risks associated with such tools.
‘So what?’ one may ask. Therein lies the problem; if you have a spreadsheet or database that:
- Has many thousands of lines of code;
- Utilizes multiple macros;
- Is fed by/ feeds other spreadsheets or databases (or even systems);
- By definition, will not be subject to robust change controls or security or be tested;
- Almost equally by definition, will not be formally documented as to its purpose or be subject to a review cycle;
- Or any combination of the above;
…then one may not know if a change has occurred (whether bonafide, accidental or malicious) and what its impact is.
Good operational risk management is not about waiting for an event to occur to confirm the existence of a risk. It should be about understanding whether we have a risk, assessing it and deciding what to do with that information based on its impact – be it financial, client related, reputational, regulatory or operational.
Another problem many organizations face is: who should ‘own’ this risk? It’s not uncommon for this risk to be bounced from pillar to post, once it is understood. It erroneously earns itself an ‘IT’ badge just because it employs ‘IT’ solutions.
The reality though is that as with most operational risks, EUC risk is owned by the business. With the plethora of enterprise risks that are on the agendas of boards, senior management and risk committees, this is yet another.
It’s imperative that organizations have a framework to:
- Define what EUC risk is for the organization
- Define what constitutes high risk EUCs
- Define the additional controls that are required to manage high risk EUCs
- Establish appropriate reporting and monitoring protocols for oversight
- Establish protocols for action in the event of the risk levels deterioration/ the monitoring revealing exceptions
- Establish appropriate escalation
All this must be congruent with and feed the larger operational risk management framework.
Perhaps, the safest way to execute on and mitigate the risks of EUC applications is by taking a system-based approach to supporting the control framework. A manual approach is prohibitive and burdensome from a cost-benefit, risk-reward perspective.
EUCs are here to stay and our dependence on them is unlikely to diminish. EUC risk must be understood and assessed. The truth of the matter though is that for any of this to happen, foremost, EUC risk must grab the attention of management. This in itself is proving challenging, which is hugely surprising given the potential for significant financial and reputational losses EUC risk presents to organizations. Only recently, research provider Chartis estimated that the EUC Value at Risk for the 50 largest Financial Institutions is over $12 billion dollars. It would be rather imprudent to continue ignoring it.
If you found this interesting you may find our latest whitepaper useful:Download Now
Get in touch
Let's talk about how ClusterSeven can increase transparency and control around your spreadsheets and give you confidence in your business critical processes and the accuracy of your data empowering you to make informed business decisions.Contact Us