End User Computing Risk – Too Critical for Energy Companies to Ignore
A guest post by Colin Cooper, Energy Trading & Risk Management Expert
As in any other industry, operational risk is a high priority for energy businesses. However, the risk emanating from End User Computing (EUC) applications such as spreadsheets, databases and modelling tools, which are used extensively in energy companies, is not given much thought.
Even where it is, the priority accorded to it is nowhere near as high as the issue merits. EUC applications are sometimes referred to as ‘Shadow IT’ because they are invisible to the IT department.
The use of spreadsheets is widespread across the value chain in energy businesses – from exploration and production, through mid-stream, refining and marketing, transportation, retail and distribution activities. The same is true for generation and transmission, distribution, and retail activities in the power and gas businesses.
In fact, small companies, or those with limited trading, depend almost entirely on spreadsheets for Energy Trading and Risk Management (ETRM) and Commodity Trading and Risk Management (CTRM). Most of the larger energy companies have built their own systems or implemented one or more vendor ETRM and CTRM systems, but spreadsheets nevertheless still proliferate across the business environment for individual needs or ad hoc reporting and analysis.
More specifically, in the trading aspect of the value chain of an energy company, spreadsheets play a critical role in the front office for pre-trade modelling and analytics, optimization, performance analysis and origination.
In the middle office, spreadsheets are used for curve management and reporting, while in back office and operations they are ubiquitously deployed for margin management, reporting and post-trade analytics. Additionally, the use of EUC applications is rampant in corporate departments such as Treasury and Finance, as well as for activities such as data management.
Energy firms must manage EUC risk
With EUC applications being used so extensively, energy companies cannot afford to ignore EUC risk, for many reasons: poor auditability, inadequate data quality, an inability to exploit business intelligence due to multiple versions of the truth (which in turn leads to poor decision-making and potentially lost business opportunities), a lack of efficiency and effectiveness, the potential for financial and reputational losses, and a propensity to cause regulatory non-compliance.
Admittedly, some companies are initiating programs to control and mitigate EUC risk, but the problem is that these initiatives are often either ad hoc or lack the comprehensive and structured approach the issue demands.
Due to the complexity and pervasiveness of EUC applications, implementing a technology-led framework in which automated best practice processes play a key role is likely the most ‘fool-proof’ method of EUC management and risk mitigation. This approach entails everything from identifying business-critical files based on a clear definition of criticality and inventorying critical files tiered by the level of risk they pose to the business, through to imposing controls around the development, maintenance and use of EUC files.
This provides a control framework to manage EUC files on an ongoing basis and ensures the data integrity of critical spreadsheets so that they can be relied on at all times. Crucially, such control frameworks are underpinned by compliance procedures, both for adherence to internal policy and to industry regulations. Businesses will do well to consider EUC more rigorously.