The experts weigh in on an enormous challenge
Policy management, enforcement, and reporting are an extra challenge for compliance teams where staff use EUCs. While the policies around using, updating, and retiring EUCs will undoubtedly exist, identifying who is using EUCs and ensuring they are aware of the EUC policy and are applying it is an enormous challenge.
From my perspective, managing EUCs is not new; we have been involved in projects for over 15 years. All the institutions we engage with understand the need to manage their EUCs. The challenge lies in keeping tabs on where they are used, and working proactively with users to understand the value of the EUCs, and the risks they pose to the business. Then you can work with end-users to manage them properly and ensure they are ‘in policy.’
Sam Lee, Head of Operational Risk Europe at SMBC, concurs, saying “There is not much new under the sun when managing your EUCs, it is just the stakes now are so much higher. With issues like Operational Resilience in the UK, and the OCC clearly looking anew at this whole area, there is ample justification for business managers, risk teams and compliance teams to review how they manage their EUCs and identify any gaps that have developed.”
Ian Cleaver, VP Professional Services at Mitratech, outlines the approach he recommends to clients when implementing Mitratech’s EUC management solution. “The first step is to identify your most important EUCs, and then to create an inventory of them, so you can proactively monitor them. You can also benefit from using an alerting capability to show when changes are made and where there are problems of missing data, calculation errors, or other problems that could drive issues for an institution.
“The results of this activity can be integrated into a consolidated Governance, Risk, and Compliance (GRC) framework to provide transparency of the EUC risk to the business,” he explains. “When I used the platform at a global bank, we ensured that the EUC management reports were featured in the monthly Board meeting – very much belt and braces, but it worked. We had no issues.”