Everyone knows it – spreadsheets and other end-user controlled models and applications (end-user computing, or EUC) are risky. Errors, data loss, deliberate tampering and fraud – these are just a few of the risks.
Yet EUC risk, real as it is, has become routine and readily accepted. It shouldn’t be!
Hundreds of software companies preach the evils of Excel. But the solution isn’t to get rid of spreadsheets or other EUCs. Sure, some of them could or should be moved to more formally managed applications. However, it’s futile to try to eliminate all EUCs in an attempt to mitigate the risk, and realistically, the business would never stand for it.
So then, what can those of us who are responsible for information risk management and data governance do to help the line of business reduce these EUC risks? How can we test the effectiveness of controls when there are literally millions of these end-user controlled files? The ocean of EUCs is so large it’s difficult to even imagine it can be controlled, never mind envisioning where to start. It seems like an impossible challenge. One source of guidance for managing the risk from your EUCs is newly emerging regulations in the field.
The regulatory landscape around EUCs is rapidly evolving, especially since EUCs can also contain models and leverage Artificial Intelligence. Key regulations include:
Sarbanes-Oxley Act of 2002 (SOX)
Requires public firms to implement effective internal controls over financial reporting to ensure the integrity of the public markets. Since EUCs are often an integral part of this reporting, their outputs must be accurate and error-free.
Stress Testing (CCAR/DFAST)
Stress tests are run by central banks in the US and Europe to ensure bank capital adequacy; any EUCs used to implement specific stress scenarios must be accurate and contain high-quality data.
Basel Framework
The “Supervisory Review Process, Risk Data Aggregation, and Risk Reporting” document (SRP 36) specifically calls out the need for EUC controls.
SR 11-7
This Supervisory Guidance on model risk management was jointly developed by the Federal Reserve System and the OCC and has been in effect since 2011.
SS 1/23
This Supervisory Statement is the most recent one from the PRA that sets out to define what is a model, how to categorize its risk level, and what the standards for proper model validation and controls are. Models that leverage artificial intelligence are specifically called out in this statement.
CP 6/22
This consultation paper also from the PRA was published on June 21st, 2022 and serves as an earlier outline of the expectations for identifying and addressing model risk within banks.
AI Risk Management Framework
Released by NIST of the U.S. Department of Commerce on January 26, 2023, this framework guides organizations on how to govern, map, and measure AI risk to the organization.
So, how do you manage the risks from these EUCs and navigate the ever-changing Regulatory Landscape? It doesn’t have to be so hard! Here are 5 Steps to More Effective EUC Controls:
1. Keep Your Model Inventory Up to Date with Periodic Scans
Implement regularly scheduled scans to uncover hidden areas of risk and automatically keep the Model Inventory up to date. This approach aligns with SS1/23 Principle 1.3, which mandates a firm-wide model tiering approach to assign risk-based materiality and complexity ratings to models.
2. Standardize Risk Assessment Policies based on type of EUC
There are increasingly different kinds of EUCs that pose different risks to the organization, such as Python and R models as well as third-party applications, all of which fall under the definition used in new regulations. Therefore, it is crucial to have risk assessment approaches tailored to each type: measuring risk in Excel through the number of formulas, macros, and hidden sheets; in third-party applications through the presence of AI; and in models through fairness, bias, explainability, and validity. This tells you which EUCs you need to control.
3. Understand how EUCs relate to your organization and each other
Use interdependency maps: visual maps that illustrate the relationships between EUCs, data sources, and models. Understanding these interdependencies is crucial for assessing aggregate model risk, as per SS1/23 Principle 1.2.
In addition, understanding how frequently different EUCs are used, through an audit trail, highlights the EUCs that are high impact and should be monitored; this is also a recommendation called out in new regulations.
4. Comprehensive Documentation Management
Ensure that qualitative EUC information such as purpose, owner, and impact, as well as the most recent quantitative risk scores and testing documentation, are automatically generated and recorded.
5. Proper Controls and Approval Workflows
Implement policies to restrict and track changes to models, enhancing security and accountability.
Establish automated approval workflows that send alerts and notifications to the appropriate authorities, tracking the stages of model approval. This helps identify organizational bottlenecks and areas for process improvement.
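To make steps 1 through 3 concrete, here is an added example (not CIMCON's code or product) of a small Python scanner: it walks a directory for `.xlsx`/`.xlsm` files to build the inventory (step 1), scores each workbook on the Excel indicators named in step 2 (formula count, macros, hidden sheets) and records the external links each workbook pulls data from, which is the raw material for an interdependency map (step 3). It uses only the standard library, reading the OOXML zip package directly (hidden sheets from `xl/workbook.xml`, formulas as `<f>` elements in the worksheet parts, macros as the `xl/vbaProject.bin` part, external links from the relationship parts under `xl/externalLinks/`). The scoring weights, tier thresholds and the fixture workbooks are constructed for illustration and are not from the article.

```python
"""Added example, not CIMCON's code: a stdlib-only scanner that inventories
Excel workbooks on a share, scores each on the step-2 indicators (formula
count, macros, hidden sheets) and maps cross-workbook external links.
It reads the OOXML zip package directly; the weights and tier thresholds
below are constructed for illustration, not taken from the article."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
EUC_EXTENSIONS = (".xlsx", ".xlsm")


def analyze_workbook(path):
    """Pull risk indicators out of one workbook's XML parts."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        sheets = wb.findall(f"{NS_MAIN}sheets/{NS_MAIN}sheet")
        hidden = [s.get("name") for s in sheets
                  if s.get("state") in ("hidden", "veryHidden")]
        # Every <f> element in a worksheet part is one formula cell.
        formulas = sum(len(ET.fromstring(z.read(n)).findall(f".//{NS_MAIN}f"))
                       for n in names if n.startswith("xl/worksheets/sheet"))
        # External links live in the relationship parts under xl/externalLinks/.
        links = []
        for n in names:
            if n.startswith("xl/externalLinks/_rels/"):
                for r in ET.fromstring(z.read(n)).findall(f"{NS_REL}Relationship"):
                    if r.get("TargetMode") == "External":
                        links.append(r.get("Target"))
    return {"path": path, "formulas": formulas, "hidden_sheets": hidden,
            "has_macros": "xl/vbaProject.bin" in names, "external_links": links}


def risk_tier(info):
    """Constructed rubric: weight the indicators into Low / Medium / High."""
    score = 0 if info["formulas"] < 50 else (2 if info["formulas"] < 500 else 4)
    score += 3 if info["has_macros"] else 0
    score += 2 * len(info["hidden_sheets"])
    score += len(info["external_links"])
    return "High" if score >= 6 else ("Medium" if score >= 3 else "Low")


def scan_directory(root):
    """Steps 1 and 3: walk the share, build the inventory and the dependency map."""
    inventory = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(EUC_EXTENSIONS):
                info = analyze_workbook(os.path.join(dirpath, f))
                info["tier"] = risk_tier(info)
                inventory[f] = info
    # Interdependency map: workbook -> basenames of the workbooks it reads from.
    dependencies = {name: [os.path.basename(t) for t in info["external_links"]]
                    for name, info in inventory.items()}
    return inventory, dependencies


def make_fixture(path, sheets, formulas, hidden=(), macros=False, links=()):
    """Write a constructed minimal OOXML package: enough parts for the scanner,
    not a complete file that Excel would open. `formulas` is per sheet."""
    main_ns = NS_MAIN[1:-1]
    with zipfile.ZipFile(path, "w") as z:
        sheet_tags = "".join(
            f'<sheet name="{n}" sheetId="{i}"' + (' state="hidden"' if n in hidden else "") + "/>"
            for i, n in enumerate(sheets, 1))
        z.writestr("xl/workbook.xml",
                   f'<workbook xmlns="{main_ns}"><sheets>{sheet_tags}</sheets></workbook>')
        for i in range(1, len(sheets) + 1):
            cells = "".join(f'<c r="A{k}"><f>SUM(B{k}:C{k})</f></c>' for k in range(1, formulas + 1))
            z.writestr(f"xl/worksheets/sheet{i}.xml",
                       f'<worksheet xmlns="{main_ns}"><sheetData><row r="1">{cells}</row></sheetData></worksheet>')
        if macros:
            z.writestr("xl/vbaProject.bin", b"constructed stub, not a real VBA project")
        if links:
            rels = "".join(f'<Relationship Id="rId{i}" Type="constructed" Target="{t}" TargetMode="External"/>'
                           for i, t in enumerate(links, 1))
            z.writestr("xl/externalLinks/_rels/externalLink1.xml.rels",
                       f'<Relationships xmlns="{NS_REL[1:-1]}">{rels}</Relationships>')


def demo():
    """Build a constructed share of three workbooks plus a stray text file, then scan it."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "ops"))
        make_fixture(os.path.join(share, "rates.xlsx"), ["Rates"], formulas=10)
        make_fixture(os.path.join(share, "capital_model.xlsm"), ["Model", "Calc", "Scratch"],
                     formulas=200, hidden=("Scratch",), macros=True, links=("../Shared/rates.xlsx",))
        make_fixture(os.path.join(share, "ops", "reconciliation.xlsx"), ["Q1", "Backup"],
                     formulas=30, hidden=("Backup",))
        with open(os.path.join(share, "ops", "readme.txt"), "w") as fh:
            fh.write("not a workbook\n")
        return scan_directory(share)


if __name__ == "__main__":
    inventory, dependencies = demo()
    for name, info in sorted(inventory.items()):
        print(f"{name:22} tier={info['tier']:6} formulas={info['formulas']:4} "
              f"macros={info['has_macros']} hidden={info['hidden_sheets']}")
    print("dependencies:", dependencies)
```

Run on a real share, `scan_directory` is the piece to schedule periodically; the returned inventory is the record that step 4 wants kept up to date, and `dependencies` is what an interdependency map is drawn from. A production scanner would also want password-protected and `.xls` (binary) files, which this zip-based reader cannot open, and would resolve link targets against the inventory rather than matching on basename.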
The 5 steps above cover the fundamentals, but if you want to be comprehensive in managing your risk, here are additional best practices to consider:
AI Model Testing & Documentation Generation
Increasingly, EUCs are being developed with the use of AI, so it can be crucial to test the AI models within these EUCs, or those created from EUC data, including tests for data drift, validity, reliability, fairness, interpretability, privacy, security vulnerabilities, and code quality. This helps keep EUCs in line with recommendations such as the NIST AI Risk Management Framework in the U.S.
Third-Party Risk Management
As outlined in many current as well as emerging regulations, it is important to apply the same rigorous testing standards to third-party applications as to internally developed EUCs. One specific use case that can be important to consider is identifying AI use within third-party applications.
CIMCON Software has been at the forefront of managing AI, EUC, and Model Risk for over 25 years, trusted by over 800 customers worldwide. Our EUC risk management platform directly supports the automation of best practices and policy including an EUC & Model Inventory, Risk Assessment, identifying Cybersecurity & Privacy Vulnerabilities, as well as an EUC Map showing the relationships between EUCs and Models.
Overall, EUC Risk Management can be a tedious process that is difficult to get right. However it is an incredibly important process to get right as errors and regulatory penalties for lack of proper controls can be costly to firms. With the right tools and experience, this risk becomes manageable and risk policies can be implemented that not only reduce errors, but reduce effort, and help future proof your organization from the proliferation of AI and the use of models within EUCs.
To learn more, download our white paper, Taming the Spreadsheet Menace. This white paper will help you scope out the technology and processes that help you avoid the high costs and losses that result from poorly controlled spreadsheets and EUCs.