Title: Controlling End User Computing Applications - a case study
ArXiv ID: 0809.3595
Date: 2008-09-23
Authors: Jamie Chambers, John Hamill
Abstract
We report the results of a project to control the use of end user computing tools for business critical applications in a banking environment. Several workstreams were employed in order to bring about a cultural change within the bank towards the use of spreadsheets and other end-user tools, covering policy development, awareness and skills training, inventory monitoring, user licensing, key risk metrics and mitigation approaches. The outcomes of these activities are discussed, and conclusions are drawn as to the need for appropriate organisational models to guide the use of these tools.
INTRODUCTION
The purpose of this paper is to share our experiences of a project which attempted to
address the problems associated with the use of end user computing tools in a banking
environment.
There was little published work to guide us. PricewaterhouseCoopers [2005] and
Microsoft [2006] are useful on the processes to apply to spreadsheets, but do not look at
the whole organisation. We believe that end user computing risk is first and foremost an
example of operational risk, so we took our approach from that discipline.
Also, the scope of our project needed to be wider than the area of spreadsheet use. End
users – that is to say, business users lacking professional IT training – now have many
sophisticated computing tools and much computing power to deploy. So reporting
programs, spreadsheets, databases and programming languages were all in scope and are
generally referred to in this paper as End User Computing Applications (EUCAs). Given
that the bulk of our critical EUCAs were spreadsheets, however, over the course of the
project we concentrated primarily on this area of risk.
In addition, we felt that focussing solely on risk was only looking at half the picture. Our
experience, reinforced by presentations at previous EuSpRIG conferences, has been that
use of these tools is depressingly inefficient. We therefore also wanted to address the
productivity aspects of end user computing, with the hope that those not overly concerned
by the risk arguments might at least be interested in potential benefits.
Our starting point was to show that we recognised both the risks and the productivity
benefits that these tools bring. EUCAs are now a fundamental and useful part of the
business environment, and there is no sense in attempting to eliminate them completely.
By the same token, we had to recognise that the pervasive nature of end user computing
meant that controlling these risks was likely to require considerable cultural change.
Much of the project was therefore aimed at bringing about this change, no easy task when
appreciation of the risks in these tools was not widespread.
ORIGINS OF THE PROJECT
The Bank is a mid-sized international bank which had experienced rapid growth in its
balance sheet and its use of structured instruments. While core systems were robust there
was a constant need for systems to catch up with innovation and growth, which,
combined with the general inclination amongst staff to use EUCAs, led to their
proliferation.
An external audit comment was the primary stimulus for the project: the auditors
remarked that there was a high level of dependency on complex spreadsheets particularly
in the production of financial accounts. While the spreadsheet which was the primary
focus of the comment was replaced, the general issue remained.
As the audit point touched several departments there was a need for central coordination
to ensure a consistent organisation-wide approach. The Operational Risk department
began to gather information about the use of EUCAs around the bank and the IT
department started a dedicated project to address all the issues involved in end user
computing activity.
We felt it was important to involve senior management to guide the project, approve the
work and make recommendations to the executive, so we formed a Steering Committee,
made up of heads of departments, with representation from both Front and Back Offices,
and Internal Audit. This met monthly, and proved a useful source of ideas and support.
Much was achieved, as described below, but unfortunately during the course of the
project there were some far-reaching executive changes, which led to a withdra