22.11.2024

Risk management for end-user computing applications

Risk management for IDV applications made easy: how risks from applications that are not managed by IT can be reduced

Whether it's an Excel tool for analyzing financial data, a dashboard in Power BI or a script that connects different data sources, end-user computing (EUC) is an integral part of everyday work.

However, these EUC tools harbor considerable risks: they are developed and operated by the users themselves and, unlike standard business applications, are neither managed nor monitored by the IT department. As a result, an EUC application may lack the protective measures that its use would actually require. For this reason, every company should identify its EUC applications so that the associated risk can be managed and reduced.

What are EUC applications?

EUC (IDV) tools are applications that support a business process but, unlike standard software, are not developed or operated by the IT department; they are built by employees of a specialist department themselves. Responsibility for development and operation therefore lies solely with the respective department. Data processing is a further defining criterion: EUC applications aggregate, manipulate and/or model data using formulas, scripts, workflows or similar means.

Examples of IDV applications:


  • An Excel tool that analyzes financial data using complex calculations

  • An SQL script that aggregates customer data from various sources

  • A Power BI dashboard that models potential investment decisions

Safety first: Why should EUC applications be monitored?

Numerous controlling, finance and IT processes in companies are supported or fully executed with the help of Excel tools. A recent study published in Frontiers of Computer Science [1] shows that 94 percent of all Excel spreadsheets used for business decisions contain errors. Such errors, or even the failure of an EUC application, can have a serious impact on business processes, leading to poor decisions and financial losses.

By monitoring EUC applications and implementing appropriate protective measures, these risks and their effects can be significantly reduced. At the same time, the confidentiality, availability and integrity of the processed data are increased and errors can be detected at an early stage. Critical EUC applications can also be migrated to standardized business applications.


Effective risk management of EUC applications is essential for financial service providers, as it is prescribed by specific regulatory requirements (DORA/VAIT/BAIT/KAIT) of the German Federal Financial Supervisory Authority (BaFin). However, the risk posed by EUC applications affects not only the financial sector, but all data processing industries.


For this reason, every company should implement a robust governance structure for EUC applications in order to effectively manage and minimize the associated risks.

How can the risk of EUC applications be managed?

  1. Create a guideline
    • Definition of EUC applications: criteria for classifying EUC applications, including a decision tree
    • Development of a lifecycle for EUC applications
    • Definition of roles and their responsibilities within the EUC lifecycle
    • Definition of criteria for risk classification and protection requirements

    Result: Comprehensive governance structure, including a lifecycle for EUC applications

  2. Register and inventory EUC tools
    • Development of a process to identify existing EUC applications
    • Creation of a registration form so that future EUC applications are registered before development begins
    • Collection and documentation of all relevant information for each EUC application, including (1) name of the EUC application, (2) person responsible for the EUC, (3) EUC creator, (4) software used, (5) functional description, (6) department/division, and so on

    Result: Inventory of all EUC applications

  3. Risk assessment
    • Creation and customization of a questionnaire to assess risk based on various parameters (confidentiality, availability, integrity, authenticity)

    Result: Criticality / specific risk of each EUC application

  4. Determination of protection requirements and monitoring
    • Creation of a catalog of specific protection requirements for EUC applications
    • Determination of threshold values above which protection measures must be implemented
    • Process for regularly assessing and monitoring the implementation of protection measures

    Result: Specific protection requirements for each EUC application

    → Minimization of risks

How can Intero Consulting support you with efficient risk management for your IDV applications?

  1. Intero Consulting supports you in developing an EUC governance structure that is individually tailored to your company.
  2. Intero Consulting has an in-depth regulatory understanding and numerous best practices for implementing EUC risk management.
  3. Intero Consulting accompanies the entire process from the identification of EUC applications to risk assessment and the implementation of protection measures.

Literature list

[1] Pak-Lok Poon et al., Spreadsheet quality assurance: a literature review, Frontiers of Computer Science (2024). DOI: 10.1007/s11704-023-2384-6

Your experts on EUC risk management

Michael Lohmann

Associate Manager
Philipp Fackler

Associate Manager

Benedikt Winklhofer

Senior Consultant

Further Impulses On GRC

19.03.2025

EU AI Act Compliance 2025: How to Master AI Regulation & Risks

08.11.2024

DORA and management of ICT third-party risks in the financial sector

11.04.2024

DORA Readiness Analyse

27.09.2023

VAIT-Readiness Assessment

25.01.2023

Governance, Risk & Compliance - Audit Management
