End User Computing in AIB Capital Markets: A Management Summary

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper is a management summary of how the area of End User Computing (EUC) has been addressed by AIB Capital Markets. The development of an effective policy is described, as well as the process by which a register of critical EUC applications was assembled and how those applications were brought into a controlled environment. A number of findings are included as well as recommendations for others who would seek to run a similar project.


💡 Research Summary

The paper provides a management‑level overview of how AIB Capital Markets tackled the challenges associated with End User Computing (EUC). It begins by articulating the business drivers that made EUC a risk‑management priority: the proliferation of spreadsheets, databases, macros, and other user‑developed tools that operate outside traditional IT control, combined with regulatory pressures such as Basel III and IFRS. In response, AIB drafted a comprehensive EUC policy that defines scope, ownership, risk‑assessment criteria, control levels, change‑management procedures, and audit reporting requirements. The policy was aligned with existing IT governance frameworks and regulatory mandates, and it established a clear liaison model between business units and the central IT department.

With the policy in place, the next phase focused on building a register of critical EUC applications. A mixed‑method approach—combining enterprise‑wide surveys, targeted interviews, log analysis, and review of existing documentation—was used to evaluate each tool against a set of quantitative and qualitative metrics: business criticality, data sensitivity, user count, automation degree, change frequency, and current control status. Out of roughly 250 identified EUC artifacts, 45 were classified as “critical” and earmarked for formal governance.

The migration of these critical applications into a controlled environment followed a three‑step process. First, the existing development and operational procedures for each application were documented, and a lightweight quality‑assurance regime (code reviews, automated testing, and regression checks) was introduced to raise baseline quality. Second, a detailed rights‑and‑access audit was performed, applying the principle of least privilege to strip unnecessary permissions and to tighten authentication mechanisms. Third, the applications were transferred onto a centrally managed platform—leveraging SharePoint‑based workflows, version‑control repositories, and integrated audit‑trail capabilities—to ensure that every change is tracked, approved, and auditable. Where necessary, legacy macros and scripts were rewritten or co‑developed with the IT team to embed security patches and standard coding practices.

During implementation, several practical challenges emerged. Business users exhibited strong attachment to legacy tools and feared operational disruption; AIB mitigated this through phased roll‑outs, pilot projects, and targeted training sessions that demonstrated the minimal impact on day‑to‑day tasks. A subset of EUC tools lacked proper documentation, making reproducibility difficult; the team responded by issuing standardized templates, development guidelines, and mandatory inline commenting rules. Finally, the project highlighted the need for ongoing monitoring and periodic re‑assessment; automated monitoring utilities and a scheduled audit calendar were therefore instituted.

The outcomes were significant: all 45 critical EUC applications were successfully migrated, with full change‑management visibility and auditability now in place. Business units reported that they retained most of their operational flexibility while benefiting from reduced risk exposure. To sustain these gains, AIB reorganized its governance structure by establishing an EUC Governance Board responsible for policy refreshes, risk re‑evaluation, and regular compliance checks. A comprehensive training program was also launched to raise user awareness about EUC best practices and the importance of adhering to the new controls.

In sum, the paper demonstrates a pragmatic, step‑wise methodology for bringing user‑developed applications under formal governance without stifling business agility. It offers concrete lessons—policy alignment, systematic inventory, risk‑based prioritization, phased migration, and continuous oversight—that can serve as a blueprint for other financial institutions or enterprises seeking to tame the EUC “wild west.”

