How to define and categorize EUC risks based on organizational impact
Any application supporting a critical process that is developed or managed by end users rather than an IT department or professional software engineering team falls under the purview of End-user computing (EUC). And though these applications can be wildly useful in helping teams boost efficiency in their everyday work, IT teams seldom manage them with the same governance protocols or security checks that they have for their custom applications.
That means, especially in today’s environment, it’s highly likely you’ll be asked about your EUC management program. But which answers do you need to have at the ready to confidently say, “I have an effective EUC policy in place?”
Before you can effectively mitigate EUC risks through a combination of controls and business decisions, you need to be able to define and classify them.
Poorly Managed EUC Applications – what’s the real cost?
The financial world was jolted by the “double counting” incident at Marks and Spencer, which resulted in the erroneous announcement of a 1.3% rise in sales when, in reality, sales had plummeted by 0.4%. Likewise, the support services giant Mouchel experienced a catastrophic meltdown after an accounting mishap cost them £8.6 million, causing their shares to nosedive by 30%. While the financial repercussions of these EUC errors were substantial, the broader market perception of inadequate financial control proved to be even more detrimental than the costs themselves.
But even though the risks associated with EUCs can have a huge impact on your organization, they don’t have to keep your team up at night. Instead, a programmatic framework for managing EUC risk ensures that you know what your risks are, have proper controls in place to mitigate them, and can make recommendations to your IT team, for example whether a high-risk, high-use EUC ought to be transformed into an IT-owned application with better oversight, or whether it makes more sense to leave it alone. A gap in your EUC risk management program can have reputational ripples that last generations, which is why it’s important to build it on a solid foundation. That means taking the time to identify and categorize every level of EUC risk impacting your organization.
4 types of EUC risk
For any EUC falling under your department’s purview (especially those considered high risk), you’ll need to ensure the appropriate controls are in place, that they are documented, and that they are subject to annual review and roadmapping. And to do that properly, you’ll need to define and categorize these EUCs based on organizational impact and risk level.
As you review all the EUCs in your organization, categorize the risks they present into the following key areas:
Financial risk
- Data Accuracy and Loss: Inaccurate or incomplete EUC data causes financial miscalculations, potentially leading to financial losses or regulatory compliance issues.
- Resource Utilization: Inefficient use of resources, including hardware, software licenses, and personnel, results in unnecessary expenses.
- Vendor or Supplier Risks: Dependence on specific vendors or suppliers exposes the organization to financial risk if these entities fail to deliver or experience financial instability.
Operational risk
- Downtime: EUC system downtime can disrupt business operations, causing productivity losses and revenue reduction. Downtime can result from technical issues, software glitches, or cyberattacks, and causes issues with business continuity.
- Service Level Agreements (SLAs): Failure to meet SLAs can result in penalties, contractual breaches, and damage to customer relations.
Regulatory risk
- Non-Compliance: Failure to adhere to regulatory requirements, such as BCBS 239, SR 11-7, Solvency II, or industry-specific standards, can lead to legal penalties, fines, and reputational damage.
Reputational risk
- Negative Public Perception: Any issues related to EUC, such as data breaches, system failures, or regulatory violations, can tarnish the organization’s reputation. This can result in crashing share prices, executive churn, and difficulty gaining and keeping customers.
- Customer Confidence: EUC-related problems can erode customer confidence and loyalty. Rebuilding trust always requires significant effort and resources, if it is even possible.
While categorizing risk provides a solid start to your EUC risk management strategy, you’re not done yet. You’ll then need to implement the appropriate controls — based on the risk level — for each EUC.
Not to mention, maintaining controls, regulatory compliance, and effective stakeholder communication are ongoing challenges. And even if you have the best EUC policy in the world, you still need to be able to provide evidence that it’s in place and effective.