End User Computing & Risk Management
What Is End User Computing (EUC)?
End user computing, or EUC, is often defined as a system in which non-programmers are able to understand basic technology concepts and can therefore create functioning applications.
However, for many businesses, particularly financial services firms, this definition is not very accurate, given that many of their End User Computing applications are made by capable programmers. In these scenarios, a more accurate definition of End User Computing is a system in which individuals are able to create working applications outside the separate development stages of design, build, test and release that professional software engineering teams generally follow.
One of the most common End User Computing platforms is Microsoft Excel, which is readily accessible as well as fast, flexible and familiar. Over time, EUCs have become essential to many financial operations, allowing users to manage and manipulate data quickly and efficiently.
Yet, whilst these features make End User Computing applications so appealing and critical to business structures, they also make them difficult to manage and control. User-developed applications are not subject to the same monitoring as traditional applications, and management frequently does not have visibility over how integral the use of EUCs is within the company. Because of this, many of the advantages of EUCs have in fact begun presenting risks to the businesses that rely so much on them.
End User Computing Risk
End user computing risk is a more prevalent issue than many would care to acknowledge. Because the data produced by EUCs is accepted and trusted by management and other end users, EUCs quickly become the basis for integral business decisions and reporting, which makes managing them effectively essential.
As end user computing applications develop and become more complex, the potential for EUC risk also increases. Yet, because we have become so accustomed to using things like spreadsheets to house confidential data, we have also become less aware of the risks associated with using these tools.
Whilst EUCs have become critical to financial operations, if a spreadsheet or database has thousands of lines of code, receives data from other systems, uses multiple macros or is not regularly reviewed, then you are exposed to end user computing risk. These factors mean that a change may take place without anyone knowing, and they present multiple opportunities for data to be altered, whether the alteration is genuine, unintentional or malicious.
EUC Management: Assessing & Controlling Potential Risk
End user computing risk has been an issue for as long as Access databases and Excel spreadsheets have been around. Any application that leaves system-based processes in the hands of an average user creates the potential for EUC risk.
Because of this risk and potential for loss, there is a great need for End User Computing management. Effective operational risk management means being aware of the potential for risk before it even occurs. To do this, it is essential that organizations have a structure in which they are able to do the following:
- Define and establish what end user computing risk is for the business
- Define what constitutes a high-risk EUC
- Define additional controls needed to manage these high-risk EUCs
- Establish necessary reporting and monitoring processes that take oversight into account
- Establish protocols for action when risk levels rise or monitoring exposes exceptions
- Establish an appropriate response
This is a rough framework for managing EUC risk; however, all of it must be in accordance with, and support, the larger operational risk management framework.
One of the safest ways to manage and mitigate the risks of EUC applications is to take a system-based approach to supporting the control framework; a manual approach is inhibiting and troublesome in terms of cost-benefit and risk-reward.
The Future of End User Computing
With no sign of our dependence on EUCs dwindling, it is essential that businesses understand and assess their EUC risk. Despite the potential for extensive financial and reputational losses that End User Computing risk presents, it is often not taken into account until it is too late.
In 2016, research provider Chartis estimated that the EUC Value at Risk for the 50 largest financial institutions was over $12 billion, highlighting the degree to which End User Computing risk can impact a business. Equally, in 2018 a simple spreadsheet error with a pivot table led to hundreds of property owners having their data breached, a result that cost Kensington and Chelsea Council £120,000 in fines. However, beyond financial loss, EUC risk can lead to a number of other consequences, with one spreadsheet error just recently resulting in NHS junior doctors losing their jobs.
Clearly, there is a lot at stake when it comes to End User Computing risk. It is therefore critical that businesses assess, review and manage this risk before it is too late.