Analytics, Automation and Spreadsheets: Who’s in control?

Many organisations continue to drive a digital agenda that is powering improved access to analytics and automation tools, putting emerging technologies in the hands of business users who are using them for novel and higher impact scenarios. But do you understand how creating, implementing, and using these tools across your business impacts your risk profile? Can they be trusted? Is your private and sensitive information protected? And do you know what to do about it?

This week we shift focus to take a look at what you can do to proactively address one of the common causes of data risk, End-User Computing (EUC). Whilst you may have heard about the spreadsheet challenge across your organisation, it’s likely there is also an increasingly complex landscape of tools and applications outside of the control of your organisation’s Information Technology (IT) control framework that needs your attention.

Analytics, automation, spreadsheets and more… 

The reality of today’s data rich business environment is that models, calculations, and other algorithms can be created, deployed, and relied on to make business decisions within applications controlled and owned under an organisation’s central IT framework or outside of it. End User Computing (EUC), also referred to as User-Developed Applications (UDAs), is a broad term used to describe applications controlled and owned outside of an organisation’s central IT framework by business users. It includes many analytics, automation and spreadsheet tools and is one component of a shadow IT eco-system that may be lurking in the background of your organisation.

EUCs can manifest themselves in many ways, from spreadsheets used for financial and regulatory reporting, to dashboards used for critical business and customer decisions built with one of many common analytics tools, to increasingly complex and inter-linked applications that automate all or a part of a business process. Understanding where your tool is implemented provides a basis for understanding whether it has been implemented as designed and if the control environment in which it is implemented is sound. 

Why understanding the EUC landscape matters

EUCs can be associated with inefficient and repetitive business processes impacting your productivity. And when implemented in an ad hoc or uncontrolled manner, EUCs can have an amplification effect on your operational risk profile – including data risks, the things that must go right with data  – because they are often integral to critical processes that inform decision making across the business. In addition, regulators such as the Australian Prudential Regulation Authority (APRA) expect organisations to understand and manage the risks in the EUC landscape¹ . Common impacts on your operational risk profile can include:

• Because many organisations fail to articulate when EUCs are appropriate or how they should be used, their use quickly proliferates, often because they’re seen as ‘quick and easy’ tactical fixes for problems that aren’t otherwise being addressed. Having myriad standalone EUCs in place adds complexity and confusion across the organisation, and what starts out as a small problem soon becomes a big one over time, contributing to data or technical debt.
• The impact of business or strategic change on EUCs, including the impact of new products and services, may not be considered timely, resulting in EUCs that are not reflective of the current business environment. This can mean the data outputs produced by the EUCs are also not accurate.
• EUCs can carry heightened inherent risk due to their existence outside of the central IT framework and potentially your data quality framework, increasing the importance of the need for a sound control environment across the EUC lifecycle. This is needed to limit the potential for the proliferation of private or sensitive data being accessible outside IT controlled environments and so that EUCs that use AI can answer the question “can the AI be trusted?”. 
• EUCs are often created in business siloes and the data outputs may not be readily available to all the relevant users, including across teams for use in reporting.

Setting up your organisation to manage the risks in EUCs and support your digital agenda

Organisations that take a technology-led approach to EUC discovery and control are better positioned for proactive, real-time management of EUC risks at scale. The right tool can also help to accelerate understanding of complex data dependencies and legacy issues to accelerate your digital journey. To get there, you need to:

1. Take stock of your EUC usage: Do you understand the full extent of EUC usage across your organisation? Have you inventoried your EUC landscape? Are your policy and control frameworks fit-for-purpose and does it meet the expectations of your stakeholders, including regulators? How effectively is your organisation responding to the risks and opportunities identified across the EUC landscape?

This is where technology can help to rapidly discover a view of the impact EUCs are having on your business processes, to understand the data dependencies between EUCs, assess the risks and maintain an inventory of the EUC landscape.

2. Build a strategy and plan: Now that you understand the EUC landscape and the gaps, build a strategy and plan to do something about it. Having a clear, sequenced, and funded roadmap demonstrates you have your arms around the opportunity and a plan to realise value from it.

3. Reset the foundation: A risk-based approach which sets out a pathway for EUCs based on the complexity of the tool and the materiality of the business outcomes it informs helps to embed a right-sized, effective, and efficient foundation. This sets you up so that control requirements for EUCs that are critical to achieving the objectives of the business or that process sensitive data are consistent with those for applications controlled under your IT framework.

Many organisations will have attempted to build an EUC framework in the past, but it may not be fit for today. Policies may need to be updated to accommodate new tools or requirements (including for AI) and to confirm the circumstances in which EUCs are appropriate or not, accountability for EUC risk ownership may need to be clarified, decision processes for new EUCs may need to be updated, monitoring may need to confirm EUCs are being decommissioned, EUCs may need to be integrated into the framework for data quality, and the control environment may need uplift so that it is sound across the lifecycle of the EUC.

4. Monitor, adjust, monitor: Monitoring and reporting on the aggregate impact of the EUC landscape on your operational risk profile demonstrates you know where you are against risk appetite and builds confidence in your plan across your stakeholders, including the Board. 

5. Measure and track value: Part of the value equation for having an inventory is that it can become part of your digital transformation pipeline. This includes identifying and tracking high impact digitisation opportunities to demonstrate that productivity and other benefits are realised over time. 

Key questions for your organisation

• Who’s in control of EUCs across your organisation?
• Do you know how important EUCs are for your critical business processes? Or where EUCs are using private or sensitive information?
• How rapidly is your EUC landscape changing? What are you doing to take control of it and build a transformation pipeline for your business?

References:
1. As outlined in APRA’s CPG 234 Information Security (para. 57-59) and CPG 235 Managing Data Risk (para. 45-46).
 

Co-Author: John Elter