The Most Ignored Technology Risk

In conversations regarding risk, particularly technology risk, there has long been one risk ignored by all of us. Recently, bank regulators have been taking a hard look at this risk. In fact, one large bank received criticism and financial fines because of poorly managing this risk. So what do we call this risk that is common, prevalent in some companies and pretty much ignored by everyone? End User Computing Risk!

End User Computing Risk (EUC) is often defined as a system in which users are able to create and rely on work applications created outside of risk management oversight. In other words, risk exists in all organizations that use spreadsheets or databases that are not reviewed or managed by risk management departments.

While regulators in financial services will continue to highlight weaknesses when found this is not a risk that management needs to wait on external oversight to address. The risks are easy to understand and recognize and steps can be taken now to address those risks.

EUC RISK

The risks associated with EUC’s include:

• Competing spreadsheets: departments often create their “own” spreadsheets that may compete with other departments for exposure and recognition.
• Linkage errors: this occurs when spreadsheets or databases are linked to other like information spreadsheets that later can be used for board reporting or strategic decision-making.
• Errors: mistakes within the spreadsheet itself whether in the assumptions, the formulas or the cells themselves. Worse, data itself may have errors because of integrity or accuracy concerns.
• Version control processes may be weak or non-existent
• Lack of documentation or audit trail making it impossible to determine how some formulas are designed and where data originates
• It may seem to be a difficult task to address or establish the right controls with so many risks associated with EUC’s. That is not the case. Recent technical developments have resulted in state of the art technology that can help recognize and manage EUC risk. In addition to technology, management can implement the following to jump start EUC risk management:
• Understand the EUC population! Completing a comprehensive inventory of spreadsheets, databases and desktop application used throughout the organization does this.
• Risk rank the EUC inventory. Make sure to identify critical EUC’s and establish the proper oversight based on risk ranking.
• Draft, approve and implement a comprehensive EUC policy.
• Map out the impact of EUC’s in your organization so that management is aware of process and other risk linkages that are impacted by EUC’s.
• Detail all critical EUC’s and ensure controls and commensurate with the risk associated with these EUC’s.

There is no reason for any financial services company to risk censure and fines because of EUC’s. For all those companies in other market segments, this is a great opportunity to learn from financial services and address these risks before they negatively impact your business.