We’ve all been there – touched the wrong key on the keyboard and before you know it a formula has changed and suddenly the output of the equation is not what it should be. Or alternatively, the individual responsible for a particular spreadsheet has left the business without explaining to anyone how to access essential information. For most of us, the result of these actions can be dealt with quickly and easily, but for businesses it is not always so simple. For them, failure to effectively manage end-user computing (EUC), the act of non-programmers creating or altering working applications, can have catastrophic effects.
Take, for example, JP Morgan Chase. The failure of model risk controls, including EUC applications, cost the US’ largest bank US$6bn in trading losses and $1bn in regulatory fines[1]. Meanwhile, the lack of adequate safeguards and controls enabled a trader at AIB’s Allfirst Bank to hide a US$700m loss by replacing links in a company spreadsheet with links to his private manipulated spreadsheet[2]. These losses are not something to sniff at.
Using EUC tools has many benefits, including:
They are, however, not subject to the same development process and testing as traditional applications. The very same attributes that make EUC tools an attractive prospect also make them challenging to manage and difficult to control. Left unmonitored, EUC tools can lead to:
These consequences at a time of heightened regulatory awareness and increased competition are a great concern to many businesses.
There is currently no specific legislation governing EUC applications, but the use of such tools is referenced by several of the global regulators, including the UK’s Prudential Regulatory Authority (PRA), the Basel Committee on Banking Supervision and the US Federal Reserve.
The UK’s Prudential Regulatory Authority (PRA) states that: “Spreadsheet controls might include adequate testing for the process of extracting data from spreadsheets, and a formal control process just as for corporate IT systems.”
The Basel Committee on Banking Supervision describes dependence on manually intensive processes or end-user computing “without sufficient controls” as an example of “ineffective data architecture and IT infrastructure” and “a key gap” in a bank’s compliance. Meanwhile, the Federal Reserve says that the risks associated with end-user computing and distributed processing systems “must be evaluated for each significant activity as well as for the overall organisation.”
While none of these regulators focus specifically on EUC applications, the heightened awareness around regulation only emphasises the need for added controls.
So, how should financial institutions be addressing these concerns and what can they do to take advantage of the opportunities EUC tools offer without putting the future of their business at risk? The answer is spreadsheet management applications, tools which not only help organisations take control of their business-critical information and reduce operational risk, but also improve their overall architecture.
One such example is EUC+, a customisable, cloud-based tool powered by Brickendon Digital, which provides one simple process to store, analyse and secure all spreadsheets and databases.
It saves organisations time, money and reputation.
Easy-to-use and customisable to each organisation’s specific needs, EUC+ can register, secure and validate end-user computing tools from a web browser, with no need for costly teams. It is cloud-based, easy to support and acts as a useful information tool in cases of staff changeover and regulatory compliance.
Implementing a spreadsheet management application such as EUC+ has a raft of benefits, including:
In short, to both embrace the benefits of EUC applications and mitigate the associated risks, the key is control. As discussed by the PRA in its report on Solvency II, spreadsheets and other end-user applications are a form of IT that is commonplace in all organisations, and as a result they need to be under tight control, particularly where the content is material to the internal model data flow. In these situations, the PRA and other regulatory bodies will be looking for appropriate data quality controls, such as:
This is just one regulator’s take on the use of EUC. It is in fact a much bigger issue that needs to be considered by all organisations, even those outside the financial services sector, if they are to survive with both their bottom line and reputation intact. EUC+ addresses all of the above issues and is here to help.
[2] Information security Updates
Contact us for more information on how EUC+ can help revolutionise your business: email [email protected] or call +44 203 693 2605.