Top Tips: What are the Key Components of an EUC Policy?

End User Computing risk emanating from end user applications such as spreadsheets, databases and financial modelling tools is one of the key contributors to operational risk. Due to the inherent nature of these end user applications and their ubiquity in any asset management business for complex calculations, mitigating EUC-related operational risk requires a concerted, comprehensive and strictly enforceable risk management policy.

Compliance and governance of an EUC policy

Asset management organizations looking to institute End User Computing policies as part of their overall operational risk management strategy will do well to bear the following in mind:

Scope – Ensure that the policy applies to and covers all business critical EUCs. Each must also be compliant with the firm’s broader data and model EUC governance standards and vice versa.

Define – It’s imperative that the definition of an EUC is clearly understood. For instance, what type of business applications fall under the category of an ‘EUC’, what software programmes they are built in (e.g. Excel, Access, Python, etc.) and such? Subsequently, articulating the criteria to determine what makes an EUC ‘business-critical’ is key. As an end user computing policy example, if the output of the EUC is shared with clients, it would be deemed business-critical. Similarly, if the output of the application is fed into databases and models in other business areas, it would be considered business-critical.

Owners and validators – Without owners, enforcing any policy is impossible. Assign individual owners for every single business critical EUC; by doing so, you are making the individuals responsible for the output of the business application across its lifecycle – from creation through to decommissioning and replacement. This will ensure that the owner monitors all the control points for data accuracy and integrity. Similarly, appoint a validator to ensure that the applications are suitably tested and structural modifications approved during the lifetime of every file.

Inventory – Full visibility of the business application landscape is vital. Establish where the inventory of business critical EUCs will be logged and under which individual in the organization. For example, should it be with the application owner or should the responsibility sit with Department or Team Heads?

Monitoring residual risk – Allocate the responsibility of determining residual risk to the owner. This will ensure that any instances of high residual risk are escalated to higher authorities and Risk Management in a timely manner to potential pre-emptive action, if needed.

Annual assessment – Assign responsibility of at least an annual assessment of the EUC landscape to the Heads of Departments. A simultaneous review of controls will also help confirm that the EUC policy has been satisfactorily adhered to.

Access to advice – Identify individuals within the IT and Risk departments to who individuals can go to for advice on best practice and ad hoc queries. This is essential to ensure that the EUC policy is properly executed.

Automate – Manually executing an End User Computing policy is difficult and time consuming. The best way to enforce and EUC policy in order to manage the risk these applications present is automation. It ensures checks and balances as a matter of routine, so that users can focus on their core jobs rather than worry about adhering to the policy.

EUC risk is a key component of operational risk

EUC risk is one of the key components of operational risk. While many of the factors impacting operational risk are often outside of the control of organizations, EUC risk is manageable. In fact, EUC management not only mitigates risk, but delivers business value. Knowledge of the landscape can drive improvements in operational efficiency and improve internal standards, which is fundamental for today’s cost-conscious, customer-focused businesses.