Brett Krasner, Jason Noran and James Musgrave
Published: 08 November 2021

Financial services’ IT budgets and capacity have not grown in step with the application needs of business and operations functions. As a result, these non-IT organizations often develop their own applications, called end-user computing applications (EUCs). EUCs are systems that non-programmers can access, create, and customize to quickly suit their needs. They aim to integrate end users more closely into the computing environment and are usually Excel spreadsheets, or Access databases and queries, that sit on shared drives or individual desktops.

EUCs bring their organizations both benefits and drawbacks. They reduce dependency on IT timing constraints for application development and are flexible enough to let users deploy solutions tailored to their needs. However, EUCs lack proper governance and proliferate across an enterprise as a bandage over core systems that should be improved instead, often without IT being made aware. This shadow IT can become a significant concern because EUCs are frequently used in processes with financial or regulatory impacts. For example, financial and regulatory reporting often requires an employee to pull significant amounts of NPI data from internal and client-based sources and process it manually through EUCs. Since EUC spreadsheets are built outside IT, they often lack proper planning for edge cases and field validations. A simple mistake that the EUC does not catch could cost a firm millions of dollars.

In addition to the potential for operational risk, EUCs that process NPI attract regulatory scrutiny and fines when data controls are improper. An analyst who processes loan IDs with client information could easily print the data or have their laptop stolen. Considering these benefits and weaknesses of EUCs, Capco’s goal is to help our clients put in place a model that allows and encourages lines of business to meet their own needs, but with more oversight, placing EUCs under the same governance and controls that apply to other applications and achieving a balance of flexibility and risk management. We help our clients address this goal in four main ways: setting up a governance model to maintain control and risk assessments of EUCs, discovering EUCs across the enterprise, prioritizing EUCs for remediation based on their risk profiles, and remediating those EUCs.

The governance model that Capco implements has five core functions: 1) managing the EUCs that already exist, 2) determining which EUCs should be decommissioned, left alone, or remediated, 3) determining which new EUCs can and should be built and which tools should be used to build them, 4) monitoring and scanning for unauthorized EUCs, and 5) enforcing common standards across the enterprise for monitoring and measuring risk. This governance model sits above Capco’s EUC discovery, risk prioritization, and remediation model.

For discovery of EUCs, we recommend a two-pronged approach. The first prong is top-down: review existing operational processes and determine which ones use EUCs, focusing on business areas that have already shown compliance issues or that make heavy use of other EUCs. The second is bottom-up: search for unknown EUCs across the enterprise. There is software that scans infrastructure such as network drives, user drives, and document management systems for EUCs – not just Excel files and Access databases, but also Python and SAS scripts. It is key to use software that can evaluate complexity factors such as references to external data or heavy use of computational macros, to determine whether a file resembles an EUC rather than a simple spreadsheet. Beyond initial discovery, such a tool can also be run on an ongoing basis to catch new, unauthorized EUCs created after the governance model is put in place.
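As an added illustration of the bottom-up discovery scan described above (not code from the original article or from any Capco tool), the Python script below walks a share, picks out Excel, Access, Python and SAS files, and scores workbooks on the complexity factors the text names (external data references, VBA macros, formula volume). The factor weights, the formula threshold and the sample files it builds are assumptions for the example.

```python
import os, re, tempfile, zipfile

# Complexity factors and illustrative weights (an assumption, not a Capco taxonomy).
WEIGHTS = {"external_refs": 3, "vba_macros": 3, "formula_heavy": 2, "script": 2, "database": 2}
BY_TYPE = {".py": {"script"}, ".sas": {"script"}, ".accdb": {"database"}}  # candidates by type alone
FORMULA_RE = re.compile(rb"<f[ >]")  # <f> marks a cell formula in OOXML sheet data

def workbook_factors(path):
    """Open an OOXML workbook (a zip) and collect the complexity factors above."""
    factors = set()
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if any(n.startswith("xl/externalLinks/") for n in names):
            factors.add("external_refs")  # references to external data sources
        if "xl/vbaProject.bin" in names:
            factors.add("vba_macros")  # embedded VBA project
        formulas = sum(len(FORMULA_RE.findall(zf.read(n))) for n in names if n.startswith("xl/worksheets/"))
        if formulas >= 50:  # cut-off for "heavy" formula use is an assumption
            factors.add("formula_heavy")
    return factors

def classify(path):
    """Return (score, sorted factors) for one file; score 0 means a plain document."""
    ext = os.path.splitext(path)[1].lower()
    factors = workbook_factors(path) if ext in (".xlsx", ".xlsm") else BY_TYPE.get(ext, set())
    return sum(WEIGHTS[f] for f in factors), sorted(factors)

def scan(root):
    """Walk a share and list EUC candidates, highest complexity score first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            score, factors = classify(path)
            if score:
                hits.append((score, os.path.relpath(path, root), factors))
    return sorted(hits, reverse=True)

def write_workbook(path, formulas=0, macros=False, external=False):  # constructed sample input
    cells = "".join(f'<c r="A{i}"><f>SUM(B{i}:C{i})</f></c>' for i in range(formulas))
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", f"<worksheet><sheetData><row>{cells}</row></sheetData></worksheet>")
        if macros: zf.writestr("xl/vbaProject.bin", b"constructed")
        if external: zf.writestr("xl/externalLinks/externalLink1.xml", "<externalLink/>")

def build_sample_share():  # temp dir of constructed sample files, not real data
    root = tempfile.mkdtemp()
    write_workbook(os.path.join(root, "loan_pricing.xlsm"), formulas=120, macros=True, external=True)
    write_workbook(os.path.join(root, "team_lunch.xlsx"), formulas=3)
    open(os.path.join(root, "monthly_extract.py"), "w").close()
    return root
```

Running `scan(build_sample_share())` ranks the macro-enabled, externally linked workbook first, lists the script as a lower-scored candidate, and drops the three-formula workbook as a plain spreadsheet.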

Following discovery, the risk framework is used to determine the order in which EUCs are addressed and to ensure the future-state solution does not replicate any existing data quality issues. The risk framework leverages a financial services (FS) EUC-specific risk taxonomy. An EUC risk assessment process evaluates EUC assets and establishes risk ratings. Control gaps are also uncovered and used to inform remediation efforts. Once risk ratings and control gaps have been established, assets are prioritized for remediation, with those that require immediate control remediation to address potential business or data effects coming first.

For remediation and migration, a remediation factory is set up to manage the end-to-end process and drive efficiencies across remediation. For EUCs without an existing disposition for retirement or migration into an existing IT application, the remediation factory takes demos and walkthroughs of each EUC or grouping of EUCs to understand their functions and integrations. In conjunction with business and IT stakeholders, it then recommends a holistic strategy for a given business unit’s EUCs and their target end state, combining EUC functions and integrations as much as possible to drive efficiencies. EUCs that are not migrating onto existing applications are strongly encouraged to move to a no-code platform in order to 1) federate development across citizen-developer configuration units and 2) re-use configuration and other integrations from other EUCs as microservices, speeding up development. The remediation factory brings in business and IT stakeholders for EUC configuration, testing, and acceptance to ensure future-state EUCs address business needs and IT guidelines. Finally, the new EUCs that live on no-/low-code platforms (rather than in existing IT systems) are added to the governance catalog to ensure regulatory sign-off and future compliance.

Given regulatory trends across multiple countries, and the fact that EUC prevalence keeps rising despite the growing amount of money spent addressing the problem, EUCs are becoming an increasing priority. With Capco’s approach, which establishes and manages governance, discovery, risk evaluation, and mitigation structures, financial services firms can finally get a handle on the issue and guide it in a direction that keeps business users and their ever-changing needs central.