Implementing an effective governance framework to manage end user computing (EUC) model risk using a lifecycle approach

Sanjay is the Founder and CEO of CIMCON Software, a company specializing in reducing risks from spreadsheets and other End User Computing tools.  Sanjay will be delivering key insights at the 5th Annual Risk EMEA 2016, and ahead of the Summit, we interviewed Sanjay on some of the challenges currently facing Risk professionals.

Sanjay, can you tell the Center for Financial Professionals readers about your background, expertise and experience?

I have over 24 years of experience in risk management, data governance, and compliance. Early in my career, I performed risk assessments for large enterprise data management systems, to determine areas of high risk.  Around this time, I discovered that while a lot of time and resources were focused on enterprise systems, no attention was being paid to the unstructured information stored on shared drives that contained critical data and regulatory information, creating grave business and regulatory risk for the firm.  Spreadsheets were a big part of this unstructured landscape, and CIMCON was founded to reduce EUC risks.  Over the last 20 years, much of my time has been dedicated to developing and advancing the End User Computing (EUC) market, and in developing innovative tools and technologies that improve data quality and compliance.

For readers that are not familiar with End User Computing GRC, could you provide some background and context on why it is important?

End User Computing (EUCs) refers to powerful computing applications that are easily available to users on their desktops without the traditional controls that are applied when using source code.  These include spreadsheets, Access databases, and other reporting and querying applications.  Spreadsheets are used heavily to develop stress testing models, determine capital requirements, and many core financial processes.  Many of these processes, data, and outputs are subject to regulations such as Stress Testing, Basel, Solvency II, Sarbanes-Oxley, and hence are of interest to regulators, internal auditors and external auditors.  Further, EUC errors have resulted in major financial losses to firms in millions or even billions of dollars. Hence, implementing an adequate Governance, Risk and Compliance (GRC) framework over the use of these EUCs is very important. 

What is your response to those that say that spreadsheets will go away?

We don’t hear that much anymore for several reasons.  The business and regulatory climate has become more dynamic, data sources have become more complex, and the reporting requirements have increased, all of which have increased the dependency on spreadsheets. Spreadsheets also serve as vital connecting links between disparate enterprise systems and data sources to perform final consolidation.  Even if they can be replaced at any given point of time, new spreadsheets will come up to meet market, management and regulatory pressures.

What are the key challenges in the area of EUC Management?

A major challenge is the lack of awareness of EUC Management technology – it is still very much a young and emerging market.  The second is end user adoption as users mistakenly assume that any such tool will take away the flexibility and simplicity of using their spreadsheets.

Currently, EUC governance, if implemented at all, is done manually and is overly dependent on users. This creates additional overhead for the users, losing momentum over time, and is not sustainable. However, a practical, well-thought-out governance framework can help firms identify, assess and reduce EUC risks with no end user impact.

At our 5th Annual Risk EMEA conference, you will be presenting a Governance Framework to Manage EUC Model Risk.  How does this framework reduce risk?

After 20 years of experience in the field, the only way to manage EUCs is to develop a life cycle approach, since EUCs are constantly being created, copied or changing. Our EUC governance approach is based on a 3-step process that enables end user adoption, helps compliance with BCBS 239 and SR 11-7, and is sustainable.

Step 1: Spreadsheet Inventory, Risk Assessment and Data Lineage. Create an automated inventory of all your EUCs, and then perform a risk ranking based on user-defined criteria. We also create an enterprise data map that shows how data flows in and out of spreadsheets, your enterprise databases, and other file types.

Step 2: Spreadsheet Analysis and Error Detection. Once the high-risk spreadsheets are identified, visual diagnostic and documentation tools quickly identify any errors or inconsistencies.

Step 3: Monitoring. Now that the high-risk spreadsheets have been verified to be error-free, these can be monitored for changes. High-risk changes are displayed in an Exception dashboard for review. There is no end user impact – users access, open and use spreadsheets exactly as they did before.

How are technical capabilities of software affecting regulatory expectations?

Regulators and auditors are increasingly becoming aware of EUC management tools and technologies. Many recent regulatory reports have specifically called out EUCs as an area of concern.  Hence, this is an area where lack of a sustainable governance framework will likely invite greater regulatory scrutiny and comment.