
Defining and Adopting an EUC Policy: A Case Study

Roger Turner

Wesleyan Assurance Society, Colmore Circus, Birmingham, B4 6AR


[email protected]

ABSTRACT

End User Computing (EUC) carries significant risks if not well controlled. This paper is a
case study of the introduction of an updated EUC policy at the Wesleyan Assurance Society.
The paper outlines the plan and identifies various challenges. The paper explains how these
challenges were overcome.

We wrote an EUC Risk Assessment Application which calculates a risk rating band based
upon the Complexity, Materiality and Control (or lack of it) pertaining to any given
application; the basis of assessment is given in this paper.

We find that EUC applications are clustered in certain business areas and this information
supports the need for addressing these risks on a wider scale with a view to improving
overall business efficiency.

The policy uses a risk-based approach for assessing and mitigating against the highest
risks first and obtaining the quickest benefit.

A Business As Usual (BAU) process has been put in place to monitor activity and we are
seeing an improvement in the quality of EUC in the Society.

1 INTRODUCTION

The paper gives the background and the case history of the introduction of an EUC policy
at the Wesleyan Assurance Society.

The Wesleyan Assurance Society is a UK based financial services mutual founded in 1841
that provides specialist advice and solutions to doctors, dentists, teachers and lawyers.
Wesleyan aims to build life-long relations with its customers, providing them with products
and services at every stage of their life from graduation to retirement and beyond.

The Wesleyan group of companies employs approximately 1,500 staff divided between the
Head Office in Birmingham, Oswestry, New Malden and Northwich as well as sales staff
located throughout the UK.

There are £7.6 bn assets under management and the Society is successful in passing on
good performance to its policyholders through its financial strength and long-term
investment policy.

Proceedings of the EuSpRIG 2019/2020 Conference “Spreadsheet Risk Management” ISBN: 978-1-905404-56-8 Copyright © 2019, 2020, EuSpRIG European Spreadsheet Risks Interest Group (www.eusprig.org) & the Author(s)

The EUC policy covers any application not supported by IT and 90% are spreadsheets. In
this paper we refer to them all as “applications” for complete coverage.

After the plan of action there are two main sections. The first details the challenges and
how they were overcome; the second describes the EUC Risk Assessment Application
specially written as part of the policy (section 10). At the end of this paper there is a graphic
displaying some research which was done at the outset of the project.

2 BACKGROUND

Before the 1980’s all serious computing was done under the control of the organisation’s
IT department where it was best practice for strict controls to be in place for the design,
development and maintenance of all the organisation’s systems and programs.

Any new systems or changes to systems which were required by the business would
frequently be done according to a lengthy development life cycle. Sometimes the
requirements would change while the system was being developed so that the new system
was not what the customer wanted. Business units doing their own thing was not an option.

Microsoft Excel first became available in 1985 (Wikipedia, 2018) and its gradually
increasing functionality and use provided opportunity for computing independently of the
organisation’s IT department to take place. EUC was born along with its associated risks.

By the end of 2017 the EUC policy had been successful in two pilot runs and had been
reviewed by the Chief Operating Officer (COO) as sponsor. He approved the policy being
rolled out starting Q2 2018.

EUC control is part of the Data Governance function at Wesleyan.

3 CASE HISTORY AT THE WESLEYAN – ASSOCIATED CHALLENGES

The Wesleyan Assurance Society updated its EUC policy in 2012 because of Solvency II.
Subsequently the Data Governance department reviewed the effectiveness of the policy
and determined that changes were required to enhance its use.

The Society had not experienced any problems with its spreadsheet and end user
applications but was keen to ensure it enhanced its policy to keep pace with best practice
and minimise the risk of issues arising in the future.

The business need which brought about the update of the policy was the potential risk of
an application causing a substantial loss event. We considered this to be enough to warrant
at least an investigation into how best to mitigate this risk.

The objective is to establish a clear plan of action, try it using at least one pilot and, once
proven, roll it out throughout the Society. Two pilot runs were successful and the Society
approved a phased roll-out on risk-based approach.

The main challenges which were faced were:

a. What to cover in the Policy (the Scope)

b. Where the EUC risks are (Identifying the business areas at greatest EUC risk)

c. Obtaining buy-in from each business area to adhere to and implement the EUC
policy

d. Establishing effective storage and retrieval of EUC application metadata

e. Getting managers to record applications which fall short on Magique (the Society’s
already existing risk management system) (Magique, 2018)

f. Regular review.

These challenges are not untypical across the industry. An example of this is the
experiences faced by Chambers and Hamill in respect of understanding where the EUC
risks are in a banking environment and assigning responsibility for them (Chambers &
Hamill, 2008).

4 PLAN OF ACTION

We considered the proceedings of a Hellenic American Union conference (Mallikourtis &
Papanikolaou, 2010) and attended a workshop run by The Corporate IT Forum (CITF,
2016). Resulting from this background we decided that the following steps should be taken:

a. Produce the first draft of the updated Policy Document which includes a means of
assessing applications (spreadsheets) for risk. The scope to cover “any computing
which is not supplied by, acquired by or supported by any of the Wesleyan’s formal
IT departments”. As to the applications, approximately 95% the EUC applications
are spreadsheets. The scope is not complete, however, without including local
databases (usually Access), Business Intelligence reports (e.g. SQL, Crystal,
Power BI), Mobile apps and some third-party apps.

b. Find stakeholders who are willing to co-operate in running at least one pilot.

c. Run the pilot(s) which involves collecting data about each submitted EUC
application, assessing it for risk and storing the details in a repository where it
could be accessed when the need arises.

d. Conduct “show and tell” sessions to demonstrate which applications already have
satisfactory controls and which might be deemed to fall short.

e. Agree an action plan to fix any errant applications.

f. Apply governance which will then become part of the EUC policy.

Several challenges and how they were overcome are documented here.

5 CHALLENGES FACING EUC ROLL-OUT & OVERCOMING THEM

5.1 Defining the Risk Metrics to assess the applications with

The Complexity and the Materiality of an application are the two main contributors to risk.
The more complex a spreadsheet (or for that matter any application) is, the greater the risk
is of the risk crystallising and creating an issue. Once the risk crystallises, how material is
the effect on the Society’s business operation?

Complexity

We used one of the simpler ways to measure Complexity and this is suggested by PwC
(PwC, 2004). A spreadsheet with low complexity is just for information logging and
tracking. There are no formulae or links. Medium complexity is where simple formulae are
used, for example to translate or reformat information. High complexity is the rest, where
complex formulae are used, there are links to external sources, macros and modelling.

The more complex an application is the less likely someone other than the author can
understand it and the greater is the spreadsheet risk.

Materiality

Materiality could be measured as the impact resulting from the risk crystallising. This could
be:

a. Inconvenient

b. Poor Customer Outcomes

c. Reputational

d. Loss of Business

e. Financial

f. Statutory / Legislative

Different areas of the business rank these in different orders so we used a different approach
instead.

Independent research done by Chartis suggests the following classification for materiality
(Chartis, 2016):

a. High – Application supports financial or regulatory reporting or private or
confidential information.

b. Medium – Application supports management reporting, calculation or input into a
core management information system, or used for making key business decisions.

c. Low – internal operations or day to day decisions, or contains outputs from core
management information systems.

Control

Following the Complexity and Materiality metrics in this way leads us to the front face of
the cube provided that the application is well controlled.

The four colours on the cube indicate the risk rating band, and this identifies what remedial
action, if any, is needed, ranging from blue (none) to red (urgent action needed). Wesleyan
uses the Magique system to record the risks and track them through to a resolution
(Magique, 2018).

Figure 1 - Complexity, Materiality & Control Metrics

Control, when considered, defines how far back we go in the cube.

We wrote a Risk Assessment Application for the EUC policy. The SMEs or other experts
in the user department are provided with the application (which itself is a spreadsheet) then
they use the application to assess the risk. Complexity and Materiality of an application are
collected by the SMEs’ self-assessment because they have hands-on knowledge of the
applications and their context within the business.

By a series of yes / no questions the risk assessment application then gathers information
about:

a. How accessible the application is, whether its location is known and whether there
are operating instructions

b. Business Continuity, Back-up and Recovery

c. Version controlling, whether it needs reviewing and evidence of having been tested

d. Security, Privacy and Integrity, in other words unauthorised access to the system

e. The ability to fix the application if it breaks, including the existence of a second
person able to fix and the existence of technical documentation

f. Finally, whether the system contains personal or sensitive personal information (in
the context of GDPR, the General Data Protection Regulation, (IT Governance,
2018)).

The answers to the questions are recorded in the Risk Assessment Application and the
application calculates the risk rating band. The user then sends the result back to Data
Governance who records the results and ensures that there is an action plan to fix the
application if it falls short within the assessment.

5.2 Whether to use a Top Down or Bottom up approach

Two approaches are available for deciding what to assess for risk: top down and bottom
up. The bottom up approach means scanning the whole of the file store for spreadsheets,
databases and the like as candidates and then finding their owners. Even though there are
tools which can scan for spreadsheets (Microsoft (2013), Finsbury (2014)), this is a
formidable task when one considers that there could be several million files, only a few of
these in current use and fewer still requiring assessment.

The other way is to use the top down approach where managers and subject matter experts
know where their applications are and can use the Risk Assessment Application to assess
their applications and return the results. This is what we believe to be a more practical
method.

5.3 Assimilation of the EUC policy

The full version of the policy document came to more than 80 pages and reading this is a
big ask. We considered that effective communication of the policy is important so we split
the document into smaller, more manageable amounts and put these on the intranet to draw
the reader’s attention to what action is needed based on their role, being one of the
following:

a. Executives

b. Senior Managers

c. Managers

d. Subject Matter Experts (SMEs)

e. Data Stewards

For example, if the reader is a manager, the manager is led to the screen in Table 1.

Instructions are on the left and the hyperlinks on the right reference the appropriate part of
the policy. The hyperlink for “Risk Assessment App” launches the application in Excel;
users save a copy and then use this risk assessment application to assess their own
applications.

Table 1 Sample Intranet page - EUC action required of managers

5.4 How to engage the Stakeholders

It was known that complex spreadsheets can contain many errors (Bregar, 2004) and the
challenge was to maintain the buy-in from the stakeholders to mitigate against potential
spreadsheet risk.

We decided to run pilots with two willing departments, chosen for the likelihood of having
material or complex applications. Both of these were in the Finance area, one being Middle
Office and the other Financial Accounting so we had to approach the department heads for
their cooperation.

It certainly helped to have a well-prepared presentation identifying the risks and benefits
surrounding EUC applications.

To facilitate buy-in we made and used a “horror slide” to highlight the risks in which some
firms have lost billions of dollars, because of a mistake in a spreadsheet. Ample evidence
is found on the (EuSpRIG, 2018) page.

We pointed out that writing a spreadsheet can be a quick and easy solution but the costs in
the event of a risk crystallising can be substantial.

Figure 2- Engaging willing but unknowledgeable users

Think of a situation where only one person knows how to run an application, and that
person is not there when the result is needed. The temptation is to get anybody to do the
job, not knowing what to do or how to do it. We made the point by using this picture from
the (Financial Times, 2013) showing this willing but unknowledgeable user.

Both pilots ran for five weeks during which the departments had each submitted 20
applications. We gave them the Risk Assessment application (see section 10 for the screen
shots) and we collected the details of all the applications submitted (they were all
spreadsheets). The collection for each application took around 10 minutes.

5.5 Assessment Results Returned to Data Governance

Each application returned had a risk rating calculated from details provided by the SMEs
and the opportunity was available to challenge some detail if thought needed. For the
complexity metric several tools are available.

Excel Inquire (Microsoft, 2016) is the easiest mentioned here and can report on links
between spreadsheets and worksheets, and identify errors, hidden sheets and such like.

5.6 The Show and Tell sessions

Even the users’ own assessment of the applications in the pilots gave a surprising
proportion of applications with a red rating, meaning that urgent action is needed to fix
them and mitigate the potential risk. We looked at the reason why a poor rating was being
produced and whether there were any quick wins to remediate. The applications concerned
all had either the materiality or complexity set to 3 with the other parameter at least 2. In
these applications, the main concern was expressed in the security section, where the
functions or data in the spreadsheets could be open to accidental alteration or corruption
(although we found no evidence this has actually occurred), and in some cases there was a
lack of version control.

Fixing these was seen as a quick win: a spreadsheet could be baselined, copies made read
only, and before the next use a comparison made against the baseline. Comparison against
a baseline can be done using Excel Inquire (Microsoft, 2016).

After the quick wins several red applications became amber and the most frequent reason
for them remaining amber was the lack of evidence for testing and sometimes the lack of
technical documentation (as opposed to any ongoing concerns).

This is more of an ongoing issue; however, Finance asserted that the results of these
applications are subject to audit and that there are many professionals who are equipped to
challenge the results should any be suspicious.

The outcome is that the Risk Assessment Application highlights areas where attention to
the control of an application ought to be focussed and it is up to the user department as to
what action to take. They are responsible for a truthful entry of data into the Risk
Assessment application and are accountable for whatever risks there are in the EUC
applications.

5.7 Where and how to store the assessment results of EUC applications

Wesleyan’s Group Reference Architecture provides for the use of Orbus’ iServer as a
repository for all the assets, whether an IT system or part of EUC. (Orbus, 2018).

Each application (spreadsheet, other EUC application or IT supported system) can be
stored in a way whereby its relationships with others can be visualised, for example in terms
of the processes the application is used by, which department runs the process and which
technology or platform the application runs on.

Its use within EUC is to be able to report on applications which require remedial action and
to trigger action when an application needs to be reviewed. The policy states that each
application should be reviewed annually.

We defined the data dictionary for EUCAs and arranged for iServer to have corresponding
attributes for this metadata. It made sense to make iServer the master repository for EUCA
information.

Figure 3: EUCA Metadata Flow (schematic: iServer stores EUCA metadata; the EUC Risk
Assessment Application calculates the risk rating for a new EUCA; iServer feeds the
inventory and KPI reporting; the user updates EUCA metadata)

The user records one or more EUCAs in the Risk Assessment Application which calculates
the risk rating band and advises if any remedial action is needed and why. The user passes
the completed Risk Assessment Application to Data Governance who uploads the metadata
into iServer. iServer exports metadata about a selection of or all the EUCAs for the
inventory, KPI reporting and re-assessment by the Risk Assessment Application. The user
can be given a copy of the Risk Assessment Application containing his or her own data for
updating and returning to Data Governance for upload again into iServer.

6 ROLLING OUT THE EUC POLICY

We rolled out the EUC Policy in several stages.

6.1 Head Office Managers Meeting, April 2018

This monthly meeting at the Wesleyan consists of approximately 200 managers and the
COO had given permission for us to deliver a short presentation on EUC at that meeting.
The presentation focussed the audience on the risks posed by EUC (Financial Times, 2013)
and by citing some of the public loss events (Chartis, 2016). Then the action was given to
everyone to

• Read the EUC policy (which was already on the intranet)

• Complete a short assessment template by 30 June 2018 which was issued to
everyone immediately after the meeting (See screenshot in Appendix B)

• Flag any high-risk applications to Data Governance as soon as possible.

The assessment template is an Excel spreadsheet which is applicable to the whole of the
manager’s department. The main point is that it is easy to complete and it asks for the
manager to identify the process which has the most complex calculations or which has the
most material impact on the business.

The spreadsheet asked the managers to assess that process according to the metrics already
established. Then they had to return the completed template to Data Governance by 30 June
2018. Very often the managers enlisted the help of their Subject Matter Experts and other
staff to select and assess their most complex processes. The spreadsheet provided the
manager with one of three possible messages:

• You are Green. Please return this spreadsheet to Data Governance - no further
action needed, however you are accountable for the results which you have
returned. Any incidents as a direct result of spreadsheet errors that impact on a
material process will need to be reported to Data Governance urgently.

• You are Amber. Action is needed. Return this spreadsheet to Data Governance.
Your spreadsheets and applications need to be assessed, errant ones recorded on
Magique and there needs to be an action plan to fix.

• You are Red. Urgent action is needed. Return this spreadsheet to Data Governance.
Your spreadsheets and applications need to be assessed, errant ones recorded on
Magique and there needs to be an urgent action plan to fix.

Figure 2 (right) shows the number of assessments returned in each category. Forty-six of
the replies were to the effect that the department had no EUCAs to assess. There were an
additional 69 replies (not included in Figure 2) saying that their area was within someone
else’s and to include it would be a duplication.

Figure 4: Assessment Returns by Department

6.2 Collating the returns and publicity, August 2018

By the end of July all the results were in (not without a certain amount of gentle persuasion
including walking the building and meeting the stragglers face to face)! This was the time
for publicising the importance of controls on EUC and having an agenda item on various
Data Governance meetings to update people on the progress. Publicity was helped by the
author of this paper being shortlisted for a CIR Risk Management award in the Newcomer
of the Year category (CIR Magazine, 2018).

The next important deadline was to table, at the Group Executive meeting in November
2018, whatever remedial actions were to be taken on applications falling short of the
controls, so that remedial action could be put into each department’s 2019 business plan.

6.3 Drilling down to expose further risks, September and October 2018

We identified those departments which had an assessment of red or amber and issued them
with the full EUC Risk Assessment Application to identify any applications which fall into
the amber or red category, therefore requiring remediation.

Chambers & Hamill sets out certain minimum controls (Chambers & Hamill, 2008). We
found that an important control is the ability to support an application once the author has
ceased to be available to provide that support, especially without leaving technical
documentation which the new incumbent would find virtually essential.

Figure 5: Applications Recorded on iServer

Figure 3 shows when EUC applications were created on iServer. All the assessment
templates were completed by department heads or their representatives between May and
July 2018 so those entered before this time had resulted from the pilots and other sources.
The presentation to the Executive (next section) covered everything on iServer up to
October apart from the pilot in Financial Accounting and Solvency Reporting in
recognition of the fact that they have separate controls.

During this period, we gave priority to ensure that iServer was kept up to date with all
changes to do with EUC applications and iServer became the master repository for this
data. The schematic in Figure 3 shows the flow of data between the Risk Assessment
Application, iServer and elsewhere.

6.4 Presentation to the Executive, November 2018

A short paper was presented at the Group Executive Meeting.

The paper included Figure 6, a table of risk rating v impact relating to the 158 EUC
applications extant at the time.

Figure 6: Distribution of EUCAs by Risk Rating and Impact

There were 8 applications in the red quadrant, 14 in the amber, 116 in the green and 20 in
the blue. The three highest risks, which the paper recommended for the most urgent
programme of remediation, were:

(a) An Access database dating back to 2003 with no existing support and carrying a
substantial value of business. This risk was immediately put on Magique and a
replacement system is being sought.

(b) The Complaints Compliance Operations Database, again in Access and without
supporting technical documentation. Again, this risk is on Magique and technical
documentation is being prepared.

(c) A cluster of spreadsheets used by HR for disciplinary, grievance and absence
management exhibiting poor data management in spite of the privacy and access
risks being well controlled. This issue, in addition to other business needs, has led
to another system being sought to replace these spreadsheets.

The Chief Risk Officer (CRO) approved the paper and this action enabled

• The revised EUC Policy to be included in the Company Controls Documentation.

• Remedial action to be put in each department’s business plan for action during
2019 commensurate with the level of risk.

The Executive require an update of the EUC situation in November 2019.

6.5 Amendments to the EUC Risk Assessment application

Two amendments were required to the Risk Assessment application. They were discovered
whilst preparing for the executive meeting, and were made to streamline the process. They
were:

1. Risk Rating Band

The Risk Rating Band had been previously calculated from a numeric risk rating which
in turn is a function of the materiality, complexity and other controls on the EUC
application, but not the impact.

The impact which is collected by the Risk Assessment Application takes one of six
values, being

1. Inconvenient
2. Poor Customer Outcomes
3. Reputational
4. Loss of Business
5. Financial
6. Statutory / Legislative

The user who is assessing the application in question provides the highest number out
of these six governed by the outcome should the application fail to function correctly.

We realised that if an application was given a red rating the impact upon a risk
crystallising would be much less if the impact was classified as inconvenient than it
would be if it was (say) financial.

Therefore, we decided to amend the calculation of Risk Rating Band to say that if the
impact is “inconvenient” the risk rating band can only be blue or green, and the risk
rating band can be red only if the impact is “loss of business”, “financial” or “statutory
/ legislative”.
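The following is an added illustration, not the Wesleyan Risk Assessment Application itself, of how the inputs from section 5.1 (Complexity, Materiality and the six yes/no control areas) and the impact cap from the amendment above combine into a risk rating band. The paper gives the inputs and the impact rule; the numeric formula and the band thresholds are assumptions, chosen so that the pilot observations in section 5.6 (red when one of complexity or materiality is 3 and the other at least 2 with a security gap, dropping to amber once the gap is closed) come out as described.

```python
"""Risk rating band for an EUC application (added example, hypothetical scoring)."""
from dataclasses import dataclass, field

# Levels as used in the paper: 1 = Low, 2 = Medium, 3 = High.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Impact categories in the paper's order; the user reports the highest applicable.
IMPACTS = [
    "Inconvenient",
    "Poor Customer Outcomes",
    "Reputational",
    "Loss of Business",
    "Financial",
    "Statutory / Legislative",
]

# The four colours of the cube, lowest risk first.
BANDS = ["blue", "green", "amber", "red"]

# The six yes/no control areas gathered by the assessment (section 5.1 a-f).
# Names are assumptions; True means the control is in place.
CONTROL_AREAS = [
    "accessible_and_documented",     # location known, operating instructions exist
    "continuity_backup_recovery",
    "version_control_and_testing",
    "security_privacy_integrity",    # protected from unauthorised access or alteration
    "second_person_can_fix",         # support does not depend on the author alone
    "gdpr_personal_data_controlled", # personal data identified and handled under GDPR
]


@dataclass
class Assessment:
    name: str
    complexity: str   # Low / Medium / High
    materiality: str  # Low / Medium / High
    impact: str       # one of IMPACTS
    controls: dict = field(default_factory=dict)  # area -> True if control in place

    def control_gaps(self) -> list:
        return [a for a in CONTROL_AREAS if not self.controls.get(a, False)]


def numeric_risk_rating(a: Assessment) -> int:
    """Assumed formula: complexity x materiality (the cube's front face, 1..9)
    plus one point per control area answered 'no' (moving back into the cube)."""
    return LEVELS[a.complexity] * LEVELS[a.materiality] + len(a.control_gaps())


def uncapped_band(rating: int) -> str:
    """Assumed thresholds mapping the numeric rating onto the four colours."""
    if rating <= 2:
        return "blue"
    if rating <= 4:
        return "green"
    if rating <= 6:
        return "amber"
    return "red"


def apply_impact_cap(band: str, impact: str) -> str:
    """Section 6.5 amendment: 'Inconvenient' can only be blue or green, and red is
    allowed only for Loss of Business, Financial or Statutory / Legislative."""
    level = IMPACTS.index(impact)
    if level == 0:
        return BANDS[min(BANDS.index(band), BANDS.index("green"))]
    if band == "red" and level < IMPACTS.index("Loss of Business"):
        return "amber"
    return band


def risk_rating_band(a: Assessment) -> str:
    return apply_impact_cap(uncapped_band(numeric_risk_rating(a)), a.impact)


def remedial_advice(a: Assessment) -> str:
    """What the assessment would tell the user, and why (the listed gaps)."""
    band = risk_rating_band(a)
    action = {"blue": "no action", "green": "no action",
              "amber": "action needed", "red": "urgent action needed"}[band]
    gaps = ", ".join(a.control_gaps()) or "none"
    return f"{a.name}: {band} ({action}); control gaps: {gaps}"


if __name__ == "__main__":
    # Constructed sample mirroring the pilot finding: high complexity, medium
    # materiality, everything controlled except security (open to accidental change).
    ctrl = {area: True for area in CONTROL_AREAS}
    ctrl["security_privacy_integrity"] = False
    app = Assessment("Reserve calculation", "High", "Medium", "Financial", ctrl)
    print(remedial_advice(app))
    # Quick win from section 5.6: baseline the file and make working copies read only.
    app.controls["security_privacy_integrity"] = True
    print(remedial_advice(app))
```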

2. Streamlining the process

The requirement exists for producing the inventory, KPI reporting and re-assessing
each EUCA at least annually and iServer exports metadata about a selection of or all
the EUCAs to satisfy this need (see section 4).

6.6 Position at the end of 2018

We provided an EUC inventory to all department heads and asked them to keep it up to
date in line with the EUC policy.

Figure 7 shows the skew distribution of applications amongst departments, the point being
that 85% of the applications are contained within only 7 departments.

Appendix A lists the 7 departments in the left-hand side of Figure 5 and summarises the
use of each EUCA. This information is intended to help the reader to find similar EUCAs
in his own organisation.

Figure 7: How EUCAs are spread across departments

Those departments with a smaller number of EUCAs (right hand side of Figure 7) could
assess these within the time requested. For the remainder we adopted an understanding
approach whereby the assessment could be part of the 2019 business plan instead. The plan
for these is as follows:

• Accounting Operations: We received a sample of 8 assessments in 2018 and this
is the tip of the iceberg. They use thousands of spreadsheets as part of their
transaction processing function and one of each kind is up for risk assessment.
They are enthusiastic about implementing a phased approach during 2019 and by
May the number assessed reached 60.

 Financial Assumptions: This department provided a green rating from the Head
Office Managers Meeting the previous April (Section 6.1) so no action is being
taken for the time being because we see this as a lower EUC risk. This will be
reviewed at some stage in the future.

 With Profits and Capital Management: The manager has already provided
information about 62 spreadsheets and knows to submit more assessments as the
need arises. No further action needed for the time being.

 Financial Accounting and Solvency Reporting: Spreadsheets of high complexity
and materiality were part of one of the pilots in Autumn 2017 and 20 of these
revealed a red or amber rating when assessed. Solvency Reporting uses Finsbury
Spreadsheet Workbench to provide audit and version control in this area (Finsbury,
2014). Solvency Reporting also successfully uses a Spreadsheet Controls
Framework which ensures appropriate peer review, whereby results are challenged
and locked down with financial and actuarial analysis as necessary. This is
achieved by having three tabs on every spreadsheet, and these are recognised as
positive indicators within the EUC policy. They are:

- Control: Contains doer and checker evidence and sign-off of the spreadsheet
and version history.
- Validation: Describes the changes, what checks are done, who did them
and when, the checker and date and, if necessary, the reviewer and date.
- Documentation: Outlines the purpose of the workbook, details individual
sheets, and gives instructions for how to use the spreadsheet.

The Head of Actuarial rigorously enforces the Spreadsheet Controls Framework
on every spreadsheet in the valuation folder by means of a macro which checks that
these elements have been completed. These three indicators are in line with the first
three items recommended in the “initial remediation plan” (McGeady & McGouran,
2009, page 3). This control is retained within the business and is not migrated to a
controlled IT environment.

In addition, audit work is done to ensure that accounts are prepared in line with
statutory rules and that regulatory responses are compliant.

In April 2019 we agreed a plan with the Head of Actuarial to identify any gaps in
the Spreadsheet Controls Framework where the EUC Policy is not met and then
plan how to amend both the framework and the EUC policy so that the objectives
of the EUC policy are still met. To be complete by the end of 2019.
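As an added illustration, not the Society's macro and not code from the paper, the script below does in Python what the Head of Actuarial's macro does inside Excel: it walks a folder of workbooks and reports any that lack the Control, Validation and Documentation tabs. It reads the sheet names directly from the xl/workbook.xml part of the OOXML package, so it needs no Excel installation and can run as a scheduled inventory check. The tab names, the folder layout and the sample workbooks (built in memory with only a workbook part, constructed for the example) are assumptions.

```python
"""Check that every workbook in a folder carries the three control tabs
(Control, Validation, Documentation) of the Spreadsheet Controls Framework.
Added example; tab names and folder layout are assumptions."""
import io
import os
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

REQUIRED_TABS = ("Control", "Validation", "Documentation")
# Namespace of the workbook part inside an .xlsx/.xlsm package (OOXML).
MAIN_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def sheet_names(package: bytes) -> List[str]:
    """Return the worksheet names declared in xl/workbook.xml of an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [sheet.get("name", "") for sheet in root.findall("m:sheets/m:sheet", MAIN_NS)]


def missing_tabs(package: bytes) -> List[str]:
    """Tabs from REQUIRED_TABS that the workbook lacks (Excel sheet names are case-insensitive)."""
    present = {name.strip().lower() for name in sheet_names(package)}
    return [tab for tab in REQUIRED_TABS if tab.lower() not in present]


def scan_packages(packages: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map file name -> missing tabs, listing only non-compliant workbooks.
    A file that is not a readable OOXML package is reported as missing all three,
    so an old .xls or a corrupt file cannot slip through as compliant."""
    report: Dict[str, List[str]] = {}
    for name, data in packages.items():
        try:
            gaps = missing_tabs(data)
        except (zipfile.BadZipFile, KeyError, ET.ParseError):
            gaps = list(REQUIRED_TABS)
        if gaps:
            report[name] = gaps
    return report


def scan_folder(folder: str) -> Dict[str, List[str]]:
    """Read every .xlsx/.xlsm under folder (e.g. the valuation folder) and report gaps."""
    packages: Dict[str, bytes] = {}
    for dirpath, _, files in os.walk(folder):
        for fn in files:
            if fn.lower().endswith((".xlsx", ".xlsm")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    packages[path] = fh.read()
    return scan_packages(packages)


def make_workbook(names: List[str]) -> bytes:
    """Build a minimal package containing only xl/workbook.xml. Constructed test
    input for this example: enough for the tab check, not a full Excel file."""
    sheets = "".join(
        f'<sheet name="{n}" sheetId="{i}" r:id="rId{i}"/>' for i, n in enumerate(names, 1)
    )
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", xml)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Constructed sample: one compliant valuation workbook, one with a missing tab,
    one with no control tabs at all, and one file that is not a package."""
    samples = {
        "valuation_2019Q1.xlsm": make_workbook(["Control", "Validation", "Documentation", "Valuation"]),
        "reserves_check.xlsx": make_workbook(["control", "Documentation", "Data"]),
        "scratch.xlsx": make_workbook(["Sheet1"]),
        "old_format.xlsx": b"not a zip file",
    }
    return scan_packages(samples)


if __name__ == "__main__":
    for path, gaps in demo().items():
        print(f"{path}: missing {', '.join(gaps)}")
```

Run against a real folder with `scan_folder("/path/to/valuation")`; an empty result means every workbook has all three tabs. The check only proves the tabs exist, not that the doer and checker cells inside them are filled, so it is a first filter rather than a substitute for the macro's field-level checks.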

7 MITIGATION OF EUC RISK

2018 gave us the opportunity to determine where EUC risk exists within the Wesleyan and
how it can be mitigated.

Firstly, why EUC? EUC applications (usually spreadsheets) are written to solve a problem;
otherwise why write the spreadsheet? Typically a business need has been satisfied by a
system run and supported by IT for years (sometimes decades), and then the need is
modified or changes altogether.

Historically a change request takes too long for IT to implement, so the department using
the system goes its own way and writes a spreadsheet, or a cluster of spreadsheets, to fill
the gap. EUC risk then arises wherever control is lacking and from any errors in the
transfer of data between the spreadsheets and the systems around them.

The options for areas where there are EUCs are:

(a) To mitigate the risk, in other words to ensure that controls are in place to reduce
the likelihood of the risk crystallising. This is a major part of our EUC policy.

(b) To remove the risk, that is to completely avoid or bypass the EUC applications
which constitute the risk, sometimes by creating a new system.

(c) To accept the risk, where the cost of the risk crystallising is a better alternative
than the cost of either of the two options above.

Where EUC applications (especially those with a red or amber risk rating) cluster in one
place, we find that putting controls round the EUC applications may not completely solve
the problem, and the EUC policy encourages and supports option (b) above, for example:

 In HR, errors due to manual transcription of data from one spreadsheet to another,
in addition to other business needs, have resulted in a new system for HR and Payroll
administration being sought.

 The risks indicated by EUC in Financial Accounting have supported the
requirement for an existing project to replace the Finance system and this is now
in progress.

 The Access database dating back to 2003 is an example where only option (b)
above is appropriate. The fact that it is isolated from our point of sale system means
that we are potentially missing out on cross-selling opportunities so a replacement
which will integrate with this system adds to the business case. This is also in
progress.

8 BAU ACTIVITY IN 2019

Activity is ongoing to continually improve the EUC control position and to ensure that
society-wide awareness of the EUC policy continues.

KPI reporting on EUC has been incorporated within Data Governance from March and is
supported by monthly requests to each EUC application-owning manager in two areas:

8.1 Annual review of applications

According to the EUC policy each application needs to be reviewed annually, so each month
the applications that have come up for review are listed and the owning manager is simply
asked to confirm that the application is still fit for purpose and in use. The return of this
information steps the next review date forward by a year.

If there are substantial changes to the use, materiality or complexity of the application or if
there are any new applications, the owner is asked to download the Risk Assessment
Application from the intranet and complete it, returning it to Data Governance.

Particularly in Q1, the returns indicated that certain applications were no longer in use,
and these were retired; others indicated a change in ownership. This all helps in keeping
the inventory up to date.

8.2 Risks entered on the Magique system

iServer keeps a record of whether each red or amber rated application has its risk recorded
on the Magique system. If there is no such record on Magique, the monthly communication
to the owning manager lists these, asking for the Magique Risk ID and the opening and
closing dates on Magique. When remedial action on the application has taken place, the
application is re-assessed and the assessment returned to Data Governance.

Where appropriate, risks are recorded on Magique and are tracked by Corporate Audit.
This focuses the user's mind on remediating the EUC risk.

We use established methods for turning inherent risk into residual risk and expressing the
risk rating as a product of likelihood and severity (Herrera, 2017), (Xenon, 2019).

8.3 Monthly Key Performance Indicator (KPI) Reporting

Figure 9: KPI March 2019
Figure 8: KPI May 2019

Figures 8 and 9 show the progress made between March and May, the main points being:

 Accounting Operations have provided an influx of spreadsheets from the
Transaction Processing function, all of which have either a blue or green rating.

 Better control over certain applications having a red rating has been introduced
meaning that they now have an amber or green rating.

8.4 Reaction from the business to the introduction of the EUC Policy

The business had not been compelled to assess EUC risk for several years prior to the
introduction of this policy. Starting the communication at executive level has meant that
each department has known in advance that involvement and commitment was expected of
them.

Knowledge that a risk-based approach is being used provides an understanding that action
needs to be taken to identify and mitigate against, remove or accept the most serious risks
and this has certainly helped.

Reaction is mainly as follows:

 There is general acceptance of the policy because of the way in which it was
introduced.

 108 (81%) (see figure 4) indicated that there is negligible risk so no action is being
taken for the time being (or unless they get caught out)! When this happens, they
are only too keen to comply because they are made aware of the risks.

 The remainder had action to take; nearly everyone accepted the policy and is using it
(see Section 6.6). Some departments are quite enthusiastic in wanting to comply.

 Where there are existing controls (Actuarial) there was quite understandably
resistance from the point of view of having to change and because of the additional
work. We are working together to achieve the objectives of the EUC policy.

 Resistance is at its greatest where the policy demands that an EUC deficiency calls
for an entry to be made on Magique (the risk register) because this exposes the risk
to Internal Audit and eventually gets executive attention. Wherever possible we
encourage the department to introduce appropriate EUC controls which will avoid
an entry being made on Magique.

One of the most visible issues is the matter of communication. The policy is well
documented on the intranet, and offers to help by showing what to do in various situations
are always accepted.

9 INTERESTING SURPRISES

It’s amazing what you find if you look (or what you miss if you don’t)! When we visited
one department, we were expecting to receive resistance to the governance which EUC
controls would apply. Instead we found that the manager was only too keen to cooperate
because this policy has allowed her to justify key changes to her department’s system. The
advent of the EUC policy has brought the matter to executive attention and a plan is now
in place to replace the system.

We adopted a top-down approach for identification which means that each manager
recognises his or her areas at risk. We were ‘tipped off’ concerning the administration of
one system. We discovered that it is administered using a cluster of spreadsheets which
overcome shortcomings in some very old IT systems. We saw the manager the same day
only to find that the sole person who could look after the spreadsheets was leaving within
a month. Somebody else was quickly brought in to be trained up to sufficient level to
mitigate the EUC risks.

10 THE EUC RISK ASSESSMENT APPLICATION

The two main screens are given here.

Figure 10- Risk Assessment Application screen - General Details

The top part of the screen is all about the people who interact with the application. We in
Data Governance use these people as a point of contact.

The next section is about the application itself, giving its name, description, version and
version history, where it is and which platform it runs on. This provides us with more depth
to the information we hold about the application. All of these details are recorded in iServer.

We learned from one of the pilots that users like to partly complete a batch of applications
and go back to them later to finish off. We needed to provide a “Restore Previous Input”
button which allows the user to call back information about any previously entered
application for completion.

Clicking on “Next” navigates us to the next screen.

Figure 11- Risk Assessment Application screen - Assessment

The second screen gathers information about the control of the application. The SME or
other expert in the User Department enters the Complexity and Materiality ratings first and
then answers mostly “yes” or “no” to the other questions, divided into the categories as
described above.

The last (General) box is to include any free-form information about the application which
might be useful, for example “We are currently training a second person who can fix this
application if it breaks”.

At the end of entering all the data, the user clicks on the “Calculate” button and the Risk
Assessment application calculates the risk rating band according to the details entered.

The green box near the bottom is then populated with the next action required, according
to whether the rating is blue, green, amber or red. It is coloured appropriately. The possible
outcomes are:

a. Blue – No action needed.

b. Green – An awareness of this application is needed. This is the minimum rating
band for applications which hold customer data (GDPR), and applications which
are Green and above are reported to Data Governance and subject to annual review.

c. Amber – Falls short of acceptable control and an action plan is needed to fix. An
entry is made in the Magique system. We would expect the plan to be implemented
within three months.

d. Red – As Amber but urgent action is needed to fix – within a month or before the
application is next run if later.

The last box is for free-format information about the risk which might assist in mitigation.

The Risk Assessment application calculates the next review date as one year from the
previous review, and the applications which carry the most significant degree of risk
become known.
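The following is an added example, not the Society's Risk Assessment Application and not code from the paper. It shows one way to turn the inputs described in sections 8.2 and 10 (Complexity and Materiality ratings, yes/no control answers, and whether the application holds customer data) into a rating band, the next action, a remediation deadline and the annual review date. The numeric scale, the control questions, the residual-risk factor and the band thresholds are assumptions made for illustration; only the band names, the Green floor for customer data, the three-month and one-month deadlines and the one-year review cycle come from the paper.

```python
"""Risk-band calculator in the shape of the Risk Assessment Application
(sections 8.2 and 10). Added example; the numeric scoring, the control
questions and the thresholds are assumptions, not the Society's basis."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Union

# Complexity and Materiality are entered first; 1 = Low, 2 = Moderate, 3 = High (assumed scale).
LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Yes/no control questions, grouped as the application does. The wording is assumed.
CONTROL_QUESTIONS = (
    "documented",          # purpose, sheet descriptions and usage instructions exist
    "version_controlled",  # version history kept; current production file identifiable
    "peer_reviewed",       # doer/checker sign-off before results are relied upon
    "input_validated",     # inputs validated or balanced against source totals
    "access_restricted",   # stored where only authorised users can change it
    "backed_up",           # regular backup; prior versions archived
    "second_maintainer",   # someone other than the author can fix it
)

ACTIONS = {
    "Blue": "No action needed.",
    "Green": "Awareness needed; report to Data Governance and review annually.",
    "Amber": "Falls short of acceptable control: action plan and risk register entry, fix within three months.",
    "Red": "As Amber but urgent: fix within a month, or before the application is next run if that is later.",
}


@dataclass
class Assessment:
    inherent: int
    residual: float
    band: str
    action: str
    next_review: date
    remediation_deadline: Optional[date]


def _as_date(value: Union[date, str, None], default: Optional[date]) -> Optional[date]:
    """Accept a date or an ISO string such as '2019-03-31'; use default when None."""
    if value is None:
        return default
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Calendar month arithmetic that clamps to month end (31 Mar + 1 month = 30 Apr)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def inherent_risk(complexity: str, materiality: str) -> int:
    """Likelihood x severity: complexity stands in for the likelihood of an error,
    materiality for its severity (assumed mapping), giving a score of 1 to 9."""
    return LEVELS[complexity.lower()] * LEVELS[materiality.lower()]


def control_coverage(answers: Dict[str, bool]) -> float:
    """Fraction of the control questions answered yes; an unanswered question counts as no."""
    return sum(1 for q in CONTROL_QUESTIONS if answers.get(q, False)) / len(CONTROL_QUESTIONS)


def residual_risk(inherent: int, coverage: float) -> float:
    """Controls reduce likelihood but not severity, so full coverage still leaves
    20% of the inherent score (assumed factor)."""
    return inherent * (1 - 0.8 * coverage)


def band_for(residual: float, holds_customer_data: bool) -> str:
    """Thresholds are assumed. Green is the floor for applications holding customer data (GDPR)."""
    if residual <= 1:
        band = "Blue"
    elif residual <= 3:
        band = "Green"
    elif residual <= 6:
        band = "Amber"
    else:
        band = "Red"
    if holds_customer_data and band == "Blue":
        band = "Green"
    return band


def assess(complexity: str, materiality: str, answers: Dict[str, bool],
           holds_customer_data: bool = False, review_date=None, next_run=None) -> Assessment:
    """Full assessment: band, next action, annual review date and the remediation deadline."""
    reviewed = _as_date(review_date, date.today())
    next_run = _as_date(next_run, None)
    inherent = inherent_risk(complexity, materiality)
    residual = round(residual_risk(inherent, control_coverage(answers)), 2)
    band = band_for(residual, holds_customer_data)
    deadline = None
    if band == "Amber":
        deadline = add_months(reviewed, 3)
    elif band == "Red":
        deadline = add_months(reviewed, 1)
        if next_run is not None and next_run > deadline:
            deadline = next_run  # the policy's "before it is next run, if later"
    return Assessment(inherent, residual, band, ACTIONS[band], add_months(reviewed, 12), deadline)


if __name__ == "__main__":
    print(assess("high", "high", {"documented": True, "peer_reviewed": True}, review_date="2019-03-31"))
```

The separation of inherent from residual risk is what makes the monthly Magique follow-up workable: when an owner reports remediation, only the control answers change, the inherent score stays on record, and a second call to `assess` shows whether the band has genuinely dropped out of Amber or Red.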

We updated the EUC policy having run the pilots.

Already some areas see the policy favourably. In rolling the policy out a risk-based
approach will be used so that areas where there is a greater risk will be worked with first.

11 CONCLUSION

Wesleyan started with an EUC policy which required updating. After we had written a new
policy and the EUC Risk Assessment Application we successfully ran pilots in two areas
of Finance. The assessment results from these pilots enabled some quick wins to be done
and from the learning points gained we were able to improve the policy and the Risk
Assessment Application.

We have worked successfully during the last year to increase the visibility and awareness
of EUC across the Wesleyan. We have used a top-down approach to identify areas of greatest
risk. Buy-in at Executive level from the start of the year was essential because only by this
means can meaningful resource be devoted to areas of need.

A flexible and understanding approach has yielded dividends. EUC control generally takes
a back seat in relation to business priorities and if an action to remediate an application
cannot be completed immediately because of lack of resource then we have been able to
agree a plan of action.

KPI reporting has started and the Executive are looking to see an improvement in the EUC
estate by the end of 2019. At the time of writing this is already evident. Now that the
momentum is established, it is important not to let it go to waste in subsequent months or
years.

Any models or information contained in this paper are intended for educational purposes
only. To the extent permitted by law, the author and Wesleyan Assurance Society shall not
be held liable for any liability or loss suffered by a third party who uses the models or
information within this document for purposes for which they were not intended.

REFERENCES

Bregar, (2004), ‘Complexity Metrics for Spreadsheet Models’, Online [available]
https://arxiv.org/ftp/arxiv/papers/0802/0802.3895.pdf, accessed 13/11/2020

Chambers & Hamill, (2008), ‘Controlling EUC Applications – a case study’, Online [available]
https://arxiv.org/ftp/arxiv/papers/0809/0809.3595.pdf, accessed 13/11/2020

Chartis, (2016), ‘Quantification of EUC Risk in Financial Services’, Online [available]
http://www.clusterseven.com/wp-content/uploads/2016/07/Quantification-of-EUC-Risk-Final.pdf, accessed
13/11/2020. Source: Chartis Research, Quantification of EUC Risk in Financial Services, June 2016.

CIR Magazine, (2018), ‘Shortlist 2018’, Online [available]
http://www.cirmagazine.com/riskmanagementawards/shortlist18.php, accessed 13/11/2020

The Corporate IT Forum, (2016), ‘Generating Business Benefit from Shadow IT’, Online [available]
https://www.corporateitforum.com/event/workshop/1216-citizen-itshadow-it, accessed 28/03/2018. CITF
aims to provide effective platforms for discussion and exchange of information between technology peers,
and aims to provide a base for developing common views and processes on business and technology issues.

EuSpRIG, (2018), ‘Horror Stories’, Online [available] http://www.eusprig.org/horror-stories.htm, accessed
13/11/2020

Financial Times, (2013), January 21st, 2013 edition of the Financial Times, Online [available]
https://ftalphaville.ft.com/2013/01/21/1344742/can-haz-spredshetz/, accessed 13/11/2020 by putting
‘can-haz-spredshetz’ into Google.

Finsbury, (2014), ‘EUC Enterprise’, Online [available] http://finsburysolutions.com/products-overview/,
accessed 13/11/2020

Herrera, (2017), ‘What is Residual Risk (& How Do You Calculate It)?’, Online [available]
https://bcmmetrics.com/what-is-residual-risk-and-how-to-calculate-it/, accessed 13/11/2020

IT Governance, (2018), ‘The EU General Data Protection Regulation (GDPR)’, Online [available]
https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation, accessed 13/11/2020

Magique Galileo Risk Management, (2018), Online [available] http://magiquegalileo.com/, accessed
13/11/2020. Magique is a Risk Management system that covers the recording, assessment and approval of
risks, controls and events. The system also covers monitoring, trend analysis and reporting. Hosted on a
Microsoft Windows 2012 Server.

Mallikourtis, G. & Papanikolaou, E., (2010), ‘End User Computing (EUC) Risk: From Assessment to Audit’,
Hellenic American Union Conference, Online [available]
http://conferences.hau.gr/resources/aifs2010/proceedings10/mallikourtispapanikolaou-2.pdf, accessed
13/11/2020

McGeady & McGouran, (2009), ‘EUC in AIB Capital Markets: A Management Summary’, Online [available]
https://pdfs.semanticscholar.org/189b/e31ecc2cedc26c78a6d3818ba9cdcd564203.pdf, accessed 13/11/2020

Microsoft, (2013), ‘Discovery and Risk Assessment Server 2013’, Online [available]
https://technet.microsoft.com/en-us/library/jj612849.aspx, accessed 13/11/2020

Microsoft, (2016), ‘Spreadsheet Inquire in Excel 2016 for Windows’, Online [available]
https://support.office.com/en-gb/article/what-you-can-do-with-spreadsheet-inquire-in-excel-2016-for-windows-5444eb12-14a2-4d82-b527-45b9884f98cf, accessed 13/11/2020

Microsoft, (2018), ‘Business Intelligence’, Online [available] https://powerbi.microsoft.com/en-us/, accessed
28/03/2018. Power BI is provided by Microsoft and has a desktop application which allows you to connect to
data from multiple sources, to shape that data through queries and use the results to create reports using a
range of standard and bespoke visuals. The resultant report files can be shared like any other or can be
uploaded (and shared) on the Power BI Service, which is cloud based.

Orbus Software, (2018), ‘Capabilities’, Online [available]
https://www.orbussoftware.com/business-architecture/business-capability-view, accessed 13/11/2020

PwC, (2004), ‘The Use of Spreadsheets: Considerations for section 404 of the Sarbanes-Oxley Act’, Online
[available] http://www.spreadsheetdetective.com/main/PwC-SpreadsheetsSoX.pdf, accessed 13/11/2020

Wikipedia, (2018), ‘Microsoft Excel – Early History’, Online [available]
https://en.wikipedia.org/wiki/Microsoft_Excel#Early_history, accessed 13/11/2020

Xenon Group, (2019), ‘The Risk Formula – How to calculate the level of risk to your business’, Online
[available] http://www.xenongroup.co.uk/knowledge-centre/risk-management/the-risk-formula-how-to-calculate-the-level-of-risk-to-your-business, accessed 13/11/2020

APPENDIX A – USE OF SPREADSHEETS IN BUSINESS AREAS

This appendix is a brief summary of the use to which spreadsheets are put, in the areas
which use the most spreadsheets.

 With Profits and Capital Management, and Solvency Monitoring (Actuarial): keeps
the Society's financial position up to date and provides information to support
Solvency II legislation.

 Financial Accounting and Accounting Operations (Accounting): preparation of the
Wesleyan's accounts, receipts and payments.

 Field Support and Proposition, and 1st Line Risk: support for the Financial
Consultants and logging of brokered business.

 Human Resources: joiners, movers, leavers, benchmarking, employee relationship
activity, workflow.

 Risk & Regulatory: work management, regulatory changes.

APPENDIX B – ASSESSMENT TEMPLATE

Screenshot of the Assessment Template provided to those attending the Head Office
Managers Meeting, April 2018 (See section 6.1)

Figure 12: Departmental EUC Risk Assessment Template

1. Business change introduces a 3. Value and Costs of EUC
End User Computing gap between what the Corporate
System provides and what the
user needs. Limitations of
existing corporate
Source:
ClusterSeven,
Direct Costs
Errors - always there in the design of the spreadsheet or as a
result of subsequent activities
Inactivity - Omitting to refresh the data for a new instance -
Inconsistent use of passwords - password adinistration arduous

and Risks
Information Gathering
2. Business might find a quicker, The Business maybe deliberate to surpress bad news Powerful capabilities of data users may compromise the use of data sources
cheaper and easier solution via systems Case for
EUC than having a change to the Managing End Lack of awareness by systems administrators about the potential importance of
corporate system. User Computing, Single point of dependency - The author moving on

3rd May 2017


the firm's EUC population. Should they grant or withhold access rights?
July 2016
3. The EUC solution (usually Security
Excel) then becomes part of the Regulatory Data leakage inside and outside the organisation
business process. Inefficiency - Manual processes may be needed to
Requirements supplement the EUC application
The Value of EUC
Solvency II
An extract from the ORIC database provided by the Loss Data 1. The Business User does not
know his requirement exactly so
Consortium Service reveals nearly 100 incidents over the last five BCBS 239
needs to implement something
years attributable to End User Computing with a total final loss on a trial basis. Model Risk Management (SR 11-7)
amount in excess of £18M. The average is £239K per incident. 2. The sponsor is unwilling to Being agile
Indirect Costs
throw money at a corporate Reputational Loss
Information from Wesleyan’s Master Incident Database reveals 8 solution which may not satisfy
the needs. Asset Investment
incidents which could be attributed to End User Computing.
The aim of unified workspaces is to provide the right applications
Most of these are spreadsheets and whilst most of these were 3. Note that the transition from IT road map and implementation and data, to the right users, on the right devices, at the right
near misses there is substantial risk of a loss being realised. trial to production use needs to 1. Security timeand location,safely.
be controlled.
2. Data Encryption There is no one single technical platform for unified workspaces —
they will be achieved using a variety of tools.
EUC loss events & their effects The Costs of EUC
3. Mobile Apps The foundation of unified workspaces is composed of user
1. To avoid confusion, ensure centricity, application independence, contextualization, and the
that divisions of ownership and Possible 4. The Cloud convergence of traditional EUC and mobilestrengths.
responsibility are set out clearly Cause Event Effects
in the organisational EUC Policy Trust

5. Complexity & Materiality


and Procedures $2.6 Bn loss by Fidelity Typing Errors Accidental mistyping
Investments in 1995
2. Make the effort to talk Engagement
personally to all involved that it is Accidental leaving data Complexity
vitally important to ensure the Data Omission out, often at start & Spreadsheet Complexity Classification
success of EUC in the end of range.
Be Proactive Copied to incorrect
organisation. Copy / Paste Low: Spreadsheets which serve as an electronic logging and
errors location, sometimes
2. Relationships with people overwriting existing. information tracking system.
When the cell format is
Format errors incorrect, changing the Direct Financial Moderate: Spreadsheets which perform simple calculations such as
value of the data. Loss; Fines, using formulas to total certain fields or calculate new values by
repayments & multiplying two cells. These spreadsheets can be used as methods to
When the spreadsheet sanctions;
$7.1 Bn loss by JP autocorrects, setting translate or reformat information, often for analytical review and
Morgan in 2012 Correction errors Reputational analysis, for recording journal entries or for making a financial
values contrary to damage
intent statement disclosure.
Start
Overlooking changes Materiality
$2.8 Bn loss by National Failure to update which should be made, High: Spreadsheets which support complex calculations, valuations
Australia Bank in 2001 data so using out of date and modelling tools. These spreadsheets are typically characterised
data. by the use of macros and multiple supporting spreadsheets where
Multiple users; no Supports Financial cells, values and individual spreadsheets are linked. These
Multiple single master document or regulatory reporting, spreadsheets might be considered “applications” (i.e., software
Source: The Working Yes High Risk
Documents where all data is up to or Private or confidential programs) in their own right. They often are used to determine
European date information? transaction amounts or as the basis for journal entries into the
Spreadsheet
Risks Interest Often used on raw data Source: Chartis general ledger or financial statement disclosures.
to improve clarity to Leak of
Group (EuSpRIG) Hidden Data confidential Research,
focus on data of information No Quantification of
interest End User Computing Source: Pric eWaterhouseCoopers, The use of Spreadsheets: Considerations for
Risk in Financial Section 404 of the Sarbanes-Oxley Act, July 2004
Direct Financial
Obscuring or misuse for Loss; Fines, Services, June 2016
Cluster Seven / Chartis RACI People and $691M loss self-benefit. Altering repayments & Materiality Supports
by AIB/ Intentional Potential Risks and Issues with Spreadsheets
Research data. Selectively sanctions; Loss Management reporting,
Definitions from ITIL, the Information
Relationships Allfirst in misuse omitting data for of staff; calculations input to core Medium
When evaluating the risk and significance of potential spreadsheet
Corporate IT Forum 2002 Yes issues, consider the following:
Technology Infrastructure Library. analysis. Reputational Management Information Risk
Deloitte damage  Complexity of the spreadsheet and calculations
http://itsmtransition.com/category/ Systems, or Key Business
itil-basics/  Purpose and use of the spreadsheet
Finsbury Descisions?  Number of spreadsheet users
Gartner  Type of potential input, logic and interface errors
 Size of the spreadsheet
Hellenic American Union No  Degree of understanding and documentation of the spreadsheet
Institute of Internal Auditors requirements by the developer
Microsoft  Users of the spreadsheet’s output
Sources Supports  Frequency and extent of changes and modifications to the
Orbus
Internal Operations and spreadsheet
PwC day-to-day decisions, or Yes Low Risk  Development, developer (and training) and testing of the
Society of Actuaries
Wesleyan
1. Information Sources The Business Case for
contains outputs from
core MIS?
spreadsheet before it is utilised
Because spreadsheets can easily be changed and may lack certain
controlled activities, they are subject to increased inherent risk and
1. Governance (Define & Identify EUCs, Policies & Standards, EUC Management error. Some of these errors include:
Ownership, Monitor & Report) No  Input error: Errors that arise from flawed data entry, inaccurate
referencing or other simple cut-and-paste functions
Not an  Logic error: Errors in which inappropriate formulae are created
2. People (Roles & Responsibilities, Training & Awareness) EUC Risk
Solving the 
and generate improper results
Other errors: Errors include inappropriate definition of cell ranges,
3. Process (Risk Ranking & Prioritisation, Inventory, EUC Controls, Inconvenient
Template, Baselining, Monitoring) Problem Spreadsheets (usually
Poor Customer Outcomes
inappropriately referenced cells or improperly linked
Excel) spreadsheets.
Reputational
4. Technology (Support Strategy, Define Requirements) Use Data Security Governance to Balance local
Business User IT (BUIT) Growth Objectives
Local databases (usually
Access)
Materiality Loss of Business
against the Risk of Data Breaches and Financial Financial
Liabilities Business Intelligence
Reports (e.g. SQL, Crystal)
Risk Statutory / Legislative
Deploy Shadow IT Discovery and Data
Protection Tools to Enable the Safe Selection, Mobile Apps There is a risk with EUC
Deployment and Notification of unauthorised that no single source of
Cloud services
Other, e.g. 3rd party apps Fragmented Data data tells the full story
Use Data Security Governance to Develop and (top). There should be a
Orchestrate consistent security policies across single master record
all BUIT for each prioritised dataset (bottom)

Figure: EUC policy mind map (text of the figure's panels)

End User Computing Scope: any computing activity developed and/or managed outside recognised formal IT.

Steps towards control (Source: Hellenic American Union Conference, End User Computing (EUC) Risk: From Assessment to Audit, 2010):
1. Acknowledge the EUC issue
2. Establish a register of key EUC applications
3. Remediate existing critical EUC applications
4. Implement a controlled environment for housing such applications
5. Develop guidelines and templates consistent with the EUC Policy for future EUC development

Framework for Process Improvement (4. Scope Control; 8. Increasing Benefit). Capability level, capability description and capability indicators:

Optimised - Continuously improving controls enterprise-wide (continuous improvement):
- Continuous process improvement
- Rapid development
- Flexibility to respond to changing business requirements
- Knowledge databases of reference material and best practices
- Pre-defined, structured documentation
- Automated spreadsheet management tools in place

Managed - Risks managed quantitatively; enterprise-wide "chain of accountability" (quantitative):
- Formal, clear and well-understood methodology
- Formal design and specification process
- Process for requirements documentation
- Process for testing
- Consistent approach
- Positively used by staff

Defined - Policies, processes and standards defined and institutionalised; "chain of certification" (qualitative / quantitative):
- Documented development and maintenance processes
- Attempt to consistently apply process
- Process is often inflexible and hard to apply
- Piecemeal development and implementation
- Maintenance is often time-consuming and inefficient

Repeatable - Process established and repeatable, reliance on people (intuitive):
- Similar processes for developing and maintaining spreadsheets
- Based on users' expertise rather than a documented approach
- Success depends on users' skills and experience
- Maintenance is problematic, due to knowledge being lost from the organisation

Initial / Ad-hoc - Control is not a priority; an unstable environment leads to dependency on heroics (ad-hoc / chaotic):
- No consistency of approach
- Unstructured development / developed in isolation
- Minimal / varying degrees of documentation and control
- Legacy problems
- No testing

6. Mitigation & Controls:
- EUCA Policy & Control: define the responsibilities and processes surrounding EUCAs, with the aim of placing responsibility for the risks and understanding and reducing these risks through inventory and mitigation processes.
- Access Controls: define and restrict user access, rights and privileges.
- Change Controls: define the process to be followed whenever specific types of changes are performed.
- Version Controls: ensure accurate identification of the current production files.
- Development Controls: control development, testing and approval of new critical EUCAs prior to deployment into production.
- Documentation: require that EUCAs are adequately documented with regard to their use and design.
- Data Security & Integrity:
  - Input Controls: employment of data validation to control or restrict input to valid data; balancing input data with totals from data sources.
  - Output Controls: use of cross checks and balancing to ensure all input has been accounted for and reflected in the outputs, and to prevent or highlight potential calculation errors.
- Segregation of Duties: define duties, roles and responsibilities regarding the use of EUCAs and design changes.
- Backup & Archival: EUCAs should be maintained on a secured server that is backed up on a regular basis. Prior versions of critical files should be moved to a secure archive folder to prevent data corruption and ensure that they are not accessed or used in error.

Discovery & Risk Assessment (Control Assessment continues): Risk of Failure is plotted against three axes, Lack of Control, Complexity and Materiality, each scored 1 to 3.
1. Identify potentially critical EUC files
2. Define risk profile
3. Assess existing controls
4. Calculate risk exposure
5. Recommend remedial actions
6. Implement control solutions

Tools: Server; Excel Inquire; Microsoft eDiscovery; O365 SharePoint Online (Excel 97-2003 (xls) spreadsheets need to be upgraded first); EXChecker (spreadsheet validation); Finsbury Spreadsheet Workbench (control and automation, version history); central repository for Governance, Risk & Compliance; EUC Enterprise spreadsheet discovery process and registration; Orbus iServer (Wesleyan's enterprise repository).

Enterprise Repository object types in iServer: Organisational Unit; Logical Application Component; Physical Application Component; Physical Technology Component; Orbus BPMN Process. Attributes recorded for each application:
- Properties: name / description
- Common Attributes: version / version controlled / owner
- Basic Attributes: last and next standard review dates / application running the functionality
- Release Attributes: date of last release
- Enterprise Characteristics: recoverability / locatability, security / privacy / integrity
- Application Fit: business dependence
- APM: vendor / department / COTS v bespoke / number of users
- Support Dates: lifecycle status
- GDPR Asset Inventory: business name / business unit / data stewards / data owners / processes / personal data / sensitive personal data / IT support / application owner / decision making or profiling / servers running on / DR plan / backup and recovery
- End User Computing: materiality / complexity / creator / impact
Maintenance and Periodic Review; Best Practice from this sheet.

0. Create Policy Document:
- Identify and get buy-in from stakeholders
- Obtain scope from overview of applications from previous work
- Map required attributes against those in iServer; arrange to be brought in line
- Determine risk and impact for most critical applications
- Write document
- Get sign-off

Action Plan:
1. Gather information about EUC applications; store in the repository
2. Review critical applications with stakeholders
3. Instigate policy for reviewing periodically
4. Review for risk / impact etc.
5. Report
6. Apply Governance

7. Process:
1. Identification (understand the estate and business impacts)
2. Review (show and tell, sessions with key partners, financial lens)
3. Action (policy for controls, inventory of criticality / impact)
4. Review (Group Risk / Legal / Procurement / Architects)
5. Reporting (overall criticality v impact, version management, view of all software)
6. Governance (centralised IT budget, understand the impact, new apps reviewed prior to spend, policy rolled out / signed off by business)

Governance, Risk & Compliance capabilities: streamline regulatory compliance; identify and assign process ownership; clarify business strategies; increase audit efficiency; assess and manage risk.

© Wesleyan Assurance Society May 2018 All Rights Reserved
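The Input Controls and Output Controls entries in the mitigation list describe data validation, balancing inputs against a source total and cross-checking outputs. The following added example (not the Society's code) implements those three checks over a constructed premium extract; the policy, region and control-total values are assumed sample data.

```python
"""Input and output controls for a spreadsheet-style EUC application
(added example, not the Society's code; all figures are constructed)."""
from decimal import Decimal

# Constructed extract of a premium schedule: the application's input range
INPUT_ROWS = [
    {"policy": "P001", "premium": Decimal("120.50"), "region": "N"},
    {"policy": "P002", "premium": Decimal("80.00"), "region": "S"},
    {"policy": "P003", "premium": Decimal("99.25"), "region": "N"},
]
SOURCE_CONTROL_TOTAL = Decimal("299.75")  # total reported by the source system
VALID_REGIONS = {"N", "S"}


def validate_inputs(rows):
    """Input control: data validation. Returns a list of rows failing it."""
    issues, seen = [], set()
    for r in rows:
        if r["policy"] in seen:
            issues.append(f"{r['policy']}: duplicate policy")
        seen.add(r["policy"])
        if r["premium"] <= 0:
            issues.append(f"{r['policy']}: non-positive premium")
        if r["region"] not in VALID_REGIONS:
            issues.append(f"{r['policy']}: unknown region {r['region']!r}")
    return issues


def balance_inputs(rows, control_total):
    """Input control: the input data must balance to the data source's total,
    so a truncated or partly pasted extract is caught before calculation."""
    return sum(r["premium"] for r in rows) == control_total


def summarise_by_region(rows):
    """The application's own calculation: premium totals per region."""
    out = {}
    for r in rows:
        out[r["region"]] = out.get(r["region"], Decimal("0")) + r["premium"]
    return out


def cross_check_outputs(rows, outputs):
    """Output control: outputs must account for every input row, so a dropped
    row or a formula that misses part of the range shows as a difference."""
    return sum(outputs.values(), Decimal("0")) == sum(r["premium"] for r in rows)
```

Each check returns a value rather than printing, so the same functions can be run as a pre-release gate under the Development Controls entry above.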

Proceedings of the EuSpRIG 2019/2020 Conference “Spreadsheet Risk Management” ISBN : 978-1-905404-56-8 Copyright © 2019, 2020, EuSpRIG European Spreadsheet Risks Interest Group
(www.eusprig.org) & the Author(s)
