Post-COVID Business Practicalities: Better Policy, EUC and Model Risk Management
At the recent Mitratech Virtual Summit, Die Zukunft der Compliance, Henry Umney, SVP Commercial at Mitratech hosted a panel discussion, with Deepa Ghosh, Head of EUCT Governance Technology at Well Fargo, Jon Hill, Professor of Model Risk Management, New York University and Igor Prizant, Managing Director at Ernst & Young.
The focus of the discussions was the way that COVID-19 had impacted policy management, EUC (End User Computing) applications, and model risk management. The session also featured input from those attending the session.
All the panelists, from their own unique perspectives and experience with financial services and corporate businesses, recognized how organizations use EUCs – applications created and managed by end-users, instead of corporate IT – to deliver important capabilities to meet pressing business needs. While spreadsheets were often the preferred tool for EUCs, they also recognized that other environments like MATLAB and Python featured heavily in many corporations.
Henry and Igor explored the issue that while EUCs cover typically core business processes, they can lack the profile and management of corporate IT applications. This was reflected in an attendee poll which indicated that only 29% of attendees thought their business recognized EUC risk as an issue.
EUC risk can expose a business to multiple operational, commercial, reputation and even regulatory risks.
They both recognized that the prime response to COVID – working from home – had exposed the lack of management controls yet further. Files might circulate on email, rather than be changed centrally, creating version control problems. Data links might be inaccessible at home, creating data accuracy issues. There may be little, or no visibility over who had made changes and when. Everyone on the panel knew of situations where stale data, calculation errors, or even simple deletions had created flawed results, flawed reports, and ultimately flawed decision-making.
One area of strong discussion was about the way EUCs support business modeling, whether for investment management, portfolio management or the overall management of the business. Henry highlighted how organizations were turning to their modeling teams to help chart a way forward for the business out of the pandemic.
He emphasized the way that issues like a second COVID spike, a slow recovery versus a swift recovery, or the use of negative real interest rates all presented different challenges to the business. These were presenting model teams the opportunity to help senior management understand their options and make informed decisions.
In response, Jon and Igor both emphasized how regulators, through regulations like SR 11 7 in the US and SS3/18 in the UK, were driving enhanced Model Risk Management (MRM) as a means of ensuring that the models, their data, and their change management were fully transparent and auditable. Jon emphasized the need to apply MRM to third-party models, where appropriate, using effective vendor risk management.
The need for EUC management frameworks
Deepa applied her experience in implementing EUC management frameworks to help organizations draw up a blueprint for better EUC management. Her first point was to form a centralized inventory to help standardize definitions about what a model is, and its importance to the business. She also emphasized the need to educate the business about the risks and significance of EUCs, and the need to manage them well, to provide consistency, accuracy and full transparency.
The significance of this was emphasized by a poll result during the session which suggested that 40% of those attending had a centralized EUC inventory, reflecting the importance of a centralized management framework, as well as the progress other organizations still need to make.