What is an EUC?
An EUC (End User Computing application) is any software solution built directly by its end user rather than by professional software developers. Common examples of EUCs include spreadsheets, Access databases, outputs from reporting systems, and many other types of applications. EUCs are also commonly referred to as:
- UDA (User Developed Applications)
- EUDA (End User Developed Applications)
- EUA (End User Applications)
- EUCA (End User Computing Applications)
The complexity of these applications can grow rapidly, and errors in even simple or seemingly harmless applications can carry through into models and lead to poor decisions made from inaccurate information. In several industries, such as banking and financial services, these applications are also highly regulated, and a lack of controls and responsible EUC risk management has already cost major banks hundreds of millions of dollars.
Regulatory Landscape
The regulatory landscape around EUCs is rapidly evolving, especially since EUCs can also contain models and leverage artificial intelligence. The primary regulations and guidance surrounding EUCs include:
- The Sarbanes-Oxley Act of 2002 (SOX): SOX brought EUC risk management into the mainstream by requiring public firms to implement effective internal controls over financial reporting to protect the integrity of the public markets. Because EUCs are often an integral part of this reporting, their outputs must be accurate and error-free.
- Stress Testing (CCAR/DFAST): Implemented by central banks in the US and Europe to ensure bank capital adequacy; any EUCs used to implement specific stress scenarios must be accurate and contain high-quality data.
- Basel Framework: The “Supervisory Review Process, Risk Data Aggregation and Risk Reporting” document (SRP 36) specifically calls out the need for EUC controls.
- SR 11-7: This Supervisory Guidance on model risk management was jointly developed by the Federal Reserve System and the OCC and has been in effect since 2011.
- SS 1/23: This Supervisory Statement is the most recent one from the PRA that sets out to define what is a model, how to categorize its risk level, and what the standards for proper model validation and controls are. Models that leverage artificial intelligence are specifically called out in this statement.
- CP 6/22: This consultation paper also from the PRA was published on June 21st, 2022 and serves as an earlier outline of the expectations for identifying and addressing model risk within banks.
- The AI Risk Management Framework: Released by NIST, part of the U.S. Department of Commerce, on January 26, 2023, this framework guides organizations on how to govern, map, and measure AI risk to the organization.
Why Is Managing EUC Risk Difficult?
Years of academic research have shown that more than 90% of spreadsheets with 150+ rows contain errors. Reasons that EUCs are so error-prone include:
- Complexity: EUCs are simple to get started with but can quickly become complex, and tight deadlines produce an environment ripe for errors.
- Lack of Security: EUCs like spreadsheets can have wide usage, but lack the kinds of security controls that might be standard for other applications.
- Model Interdependencies: EUCs often contain models that consume data or model outputs from other EUCs, so an error in one EUC can easily cascade into the EUCs that depend on it.
- Collaborative Nature: EUCs are often passed around the organization and can have multiple contributors. With different versions, different assumptions, and multiple people editing the same application, the risk of errors grows quickly.
- Inadequate Testing: EUCs are often not tested rigorously and testing requires constant updates as the functions and use cases of the EUC expand. This can become a tedious and cumbersome process that is difficult to maintain.
How to Manage EUC Risk?
- EUC & Model Inventories: Directly required by much recent regulatory guidance, firms should maintain a complete and accurate inventory that is kept consistently up to date.
- Automated Risk Assessment: Uncovering hidden risk through Automated Risk Assessment can highlight EUCs not currently in your inventory that seem high risk.
- Model Interdependency Maps: Mapping out the relationships between EUCs can help trace errors through EUCs.
- Periodic Testing Procedures: A comprehensive testing suite ensures that all the major potential risks highlighted by regulators and frameworks such as the NIST AI Risk Management Framework are detected and mitigated.
- Consistent Standardized Documentation: Without proper documentation of testing, it is difficult to record what changes need to be made in the future to mitigate risk.
- AI Detection: As AI proliferates and firms are held responsible for results generated by AI, understanding the use of AI within an organization in EUCs is key.
- 3rd Party Risk Management: AI and other risks introduced by vendors and other third parties can be more difficult to detect, but are just as important to monitor.
- Proactive Vulnerability Detection: Proactively scanning for security vulnerabilities can help prevent leaks from happening.
- Audit Trails: Recording who makes what changes within an organization through electronic signatures helps provide transparency and accountability for teams.
- Automated Approval Workflows: Sending alerts to the proper team members helps formalize and streamline the approval of risk mitigation actions for EUCs.
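The inventory, interdependency-map and automated-risk-assessment practices above fit together naturally: once the references between EUCs have been discovered, a dependency graph answers which EUCs an error would cascade into and which discovered files are missing from the inventory. The following Python script is an added illustration of that idea; it is not CIMCON's software or any code from this page. The inventory, file names and discovered links are constructed sample data, and the three-level risk tiering is an assumption chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample inventory: EUC name -> metadata. Names are hypothetical.
INVENTORY = {
    "capital_model.xlsx": {"owner": "treasury", "risk_tier": "high"},
    "fx_rates.xlsx":      {"owner": "markets",  "risk_tier": "medium"},
    "board_pack.xlsx":    {"owner": "finance",  "risk_tier": "high"},
}

# Constructed sample of links found by scanning files for external references:
# (consumer EUC, upstream EUC whose output it pulls in).
DISCOVERED_LINKS = [
    ("capital_model.xlsx", "fx_rates.xlsx"),
    ("board_pack.xlsx",    "capital_model.xlsx"),
    ("board_pack.xlsx",    "headcount.accdb"),   # not in the inventory
    ("headcount.accdb",    "hr_extract.csv"),    # neither is this one
]

# Assumed ordering of risk tiers, lowest to highest.
TIER_RANK = {"low": 0, "medium": 1, "high": 2}


def build_dependency_map(links):
    """Return (upstream, downstream) adjacency maps built from discovered links.

    upstream[x]   = EUCs that x reads from
    downstream[x] = EUCs that read from x (where an error in x would flow)
    """
    upstream, downstream = defaultdict(set), defaultdict(set)
    for consumer, source in links:
        upstream[consumer].add(source)
        downstream[source].add(consumer)
    return upstream, downstream


def impacted_by_error(euc, downstream):
    """Every EUC that consumes euc's output directly or transitively (breadth-first).

    The visited set also protects against circular references between workbooks.
    """
    seen, queue = {euc}, deque([euc])
    while queue:
        current = queue.popleft()
        for consumer in downstream.get(current, ()):
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen - {euc}


def unregistered_eucs(links, inventory):
    """Files that appear in discovered links but have no inventory record."""
    discovered = {name for link in links for name in link}
    return discovered - set(inventory)


def effective_tier(euc, downstream, inventory):
    """Highest risk tier among euc and everything downstream of it.

    An EUC that feeds a high-tier model inherits that tier, because its errors
    surface in the high-tier output.
    """
    best = inventory.get(euc, {}).get("risk_tier", "low")
    for consumer in impacted_by_error(euc, downstream):
        tier = inventory.get(consumer, {}).get("risk_tier", "low")
        if TIER_RANK[tier] > TIER_RANK[best]:
            best = tier
    return best


def risk_report(links, inventory):
    """Summarise cascade impact, inherited tier and inventory gaps for every EUC."""
    _, downstream = build_dependency_map(links)
    names = {name for link in links for name in link} | set(inventory)
    return {
        "unregistered": sorted(unregistered_eucs(links, inventory)),
        "eucs": {
            name: {
                "impacts": sorted(impacted_by_error(name, downstream)),
                "effective_tier": effective_tier(name, downstream, inventory),
            }
            for name in sorted(names)
        },
    }


if __name__ == "__main__":
    report = risk_report(DISCOVERED_LINKS, INVENTORY)
    print("Not in inventory:", ", ".join(report["unregistered"]) or "none")
    for name, info in report["eucs"].items():
        print(f"{name}: tier={info['effective_tier']} impacts={info['impacts']}")
```

Run it and the two files absent from the inventory are listed first; `hr_extract.csv`, which no one registered, is nonetheless rated high because its data ends up in the board pack two hops away. In practice the links would come from a scan of shared drives for external workbook references, linked tables and data connections, and the inventory from the firm's EUC register.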
CIMCON Software
CIMCON Software has been at the forefront of managing AI, EUC, and model risk for over 25 years and is trusted by over 800 customers worldwide. Our EUC risk management platform directly supports the automation of best practices and policy, including an EUC & Model Inventory, Risk Assessment, identification of Cybersecurity & Privacy Vulnerabilities, and an EUC Map showing the relationships between EUCs and Models.
Setting Up for Success
Overall, EUC risk management can be a tedious process that is difficult to get right. However, it is an incredibly important process to get right, as errors and regulatory penalties for a lack of proper controls can be costly to firms. With the right tools and experience, this risk becomes manageable, and risk policies can be implemented that not only reduce errors but also reduce effort and help future-proof your organization against the proliferation of AI and the use of models within EUCs.
EUC Risk Management Framework
The Business Case and Best Practices for End User Computing (EUC) Risk Management
Managing the enormous risks from End User Computing (EUC) applications is probably not at the top of the agenda for your C-suite. Nonetheless, you can be assured that they would care deeply if a material error related to EUCs were to occur or become public. It has cost a CEO their job.