What is End User Computing Risk and Should You Care?
A guest post by Sam Lee, Head of Operational Risk, EMEA, SMBC, Torchlight Services
Believe it or not, like it or not; End User Computing (EUC) application risk has prevailed ever since the advent of tools such as Access databases, Excel spreadsheets and any other applications that put the design of system-based processes in the hands of the ‘average’ user.
Over time, these tools have become critical to many financial operations and some of their advantages (flexibility, ease of amendment, etc.) have actually started posing risks to the businesses that so heavily rely on them. So what is End User Computing risk?
Broadly, risk falls into two buckets
- Those risks which we become aware of due to an event, through the experiences of the market and borne out of our business activities, individual inspiration, regulatory inspiration or guidance. These are linked to an organization’s risk maturity, insight and level of risk awareness/embeddedness.
- Those which develop slowly over time and of which we aren’t aware of their existence for some time. End User Computing risk falls into this bucket.
As the complexity of End User applications increase (e.g. when used for modeling, valuation, spreadsheets to house business critical or confidential data) and their ubiquity transcends, we are becoming desensitized to the risks associated with such tools.
‘So what?’ one may ask. Therein lies the problem; if you have a spreadsheet or database that:
- Has many thousands of lines of code;
- Utilizes multiple macros;
- Is fed by/ feeds other spreadsheets or databases (or even systems);
- By definition, will not be subject to robust change controls or security or be tested;
- Almost equally by definition, will not be formally documented as to its purpose or be subject to a review cycle;
- Or any combination of the above;
…then one may not know if a change has occurred (whether bonafide, accidental or malicious) and what its impact is.
Good operational risk management is not about waiting for an event to occur to confirm the existence of a risk. It should be about understanding whether we have risk, assessing it and deciding what to do with that information based on its impact – be it financial, client related, reputational, regulatory or operational.
Another problem many organizations face is: who should ‘own’ this EUC risk? It’s not uncommon for this risk to be bounced from pillar to post, once it is understood. It erroneously earns itself an ‘IT’ badge just because it employs ‘IT’ solutions.
The reality though is that as with most operational risks, EUC risk is owned by the business. With the plethora of enterprise risks that are on the agendas of boards, senior management and risk committees, this is yet another.
It’s imperative to have a risk management framework
It’s necessary in order to:
- Define what EUC risk is for the organization.
- Define what constitutes high risk EUCs.
- Define the additional controls that are required to manage high risk applications.
- Establish appropriate reporting and monitoring protocols for oversight.
- Establish protocols for action in the event of the risk levels deterioration/ the monitoring revealing exceptions.
- Establish appropriate escalation.
All this must be congruent with and feed the larger operational risk management framework.
Perhaps, the safest way to execute on and mitigate the risks of EUC applications is by taking a system-based approach to supporting the control framework. A manual approach is prohibitive and burdensome from a cost-benefit, risk-reward perspective.
EUCs are here to stay and our dependence on them is unlikely to diminish, meaning the risks that they present must be understood and assessed. The truth of the matter though is that for any of this to happen, foremost, risk must grab the attention of management.
This in itself is proving challenging, which is hugely surprising given the potential for significant financial and reputational losses EUC risk presents to organizations. Only recently, research provider Chartis estimated that the EUC Value at Risk for the 50 largest Financial Institutions is over $12 billion dollars. It would be rather imprudent to continue ignoring it.