Home / Customers / Discovering the ‘Unknown Unknowns’ of Shadow IT
Spreadsheet Errors

Discovering the ‘Unknown Unknowns’ of Shadow IT

March 14, 2024

We explore how a leading financial institution transformed its business with a comprehensive EUC governance program delivered by Apparity and Capco.

As regulators increase their scrutiny of end-user computing tools (EUCs), many financial institutions are scrambling to get a handle on their inventory of EUCs. This reactive stance means that gaps are only addressed when businesses are faced with financial, reputational, and legal consequences. So how can institutions review and reduce the risk from vast backlogs of EUCs in a repeatable, sustainable manner?

A critical piece often missing from EUC remediation efforts is ensuring a reliable, systemic way of discovering, detecting, and governing EUCs. Business users often assume they know of all the EUCs utilized in their processes, but there are almost always ‘unknown unknowns’ – elements that the business is not aware of and/or does not even know to look for. These unknowns pose substantial risks, particularly when embedded in processes related to financial or regulatory reporting, a frequent use case for EUCs.

To mitigate this risk, Capco recommends accelerating EUC discovery and strengthening EUC governance by using software that is fit for exactly that purpose. Below we examine how Capco helped a leading financial institution leverage Apparity’s EUC governance software to enforce continuous monitoring and to stay in control of its EUC applications.

Facing Up To The EUC Challenge

EUC regulation has increased steadily in recent years, driven by the growing reliance of business users on spreadsheets and custom scripts as well as a renewed focus by regulators on EUC and model risk programs within financial services.

To quantify the scale of the potential impact, it is estimated that the value at risk of EUCs among the 50 largest financial institutions is USD12.1 billion. The real-world impact is similarly large: in 2020, US federal regulators issued a USD400 million penalty against a Tier 1 American bank for deficiencies in its enterprise risk management and data governance that stemmed from the use of EUCs.

Working together, Capco and Apparity recently assisted a leading German financial institution overseen by Germany’s Federal Financial Supervisory Authority (BaFin), which has strict rules around EUC governance. This includes BaFin’s BAIT, KAIT, and VAIT regulations, which are now an integral component of IT risk management programs in the financial sector. Following an onsite audit, we organized the client’s challenges under three headings:

  1. BAIT compliance – BaFin requires institutions to identify, catalogue, and control high-risk EUCs. The client had a weakness in its overall framework, which hindered its ability to govern EUCs effectively. Central to any strong framework are policies and definitions, so it is critical for business and risk departments to have a shared understanding of what an EUC entails.
  2. Widening program scope – A new BaFin requirement broadened the client’s EUC definition, as did recent additions to the client’s technology portfolio. This greatly increased the volume of potential files, adding to an already daunting backlog.
  3. Limited resources – The client’s manual EUC program management was unsustainable. It urgently required reorganization and the integration of automated solutions for more effective EUC management.

Combining Expertise To Deliver An Effective Solution

Capco and Apparity combined our collective expertise in data governance, financial services regulation and compliance, and EUC risk management to address the client’s challenges.

Together we formed a team of technology specialists and experienced business consultants with domain-specific expertise. Apparity’s software accelerated the client’s compliance roadmap while strengthening resilience in the face of risk, redefining security and privacy standards, and transforming its business along the way.

Capco first analyzed the client’s existing governance framework to identify gaps in the setup. We then made best practice recommendations to strengthen the identification, cataloging, and control of EUCs. The gap analysis also covered regulatory requirements and defined next steps to achieve compliance.

Apparity’s EUC risk management software played a critical role across multiple channels. We used Apparity’s Discovery solution and its SmartFilters to automate the identification of new EUCs across high-volume storage locations. This resulted in a 96% reduction in noise (false positive results) compared to the client’s legacy solution. From this, Apparity generated an inventory of in-scope files to manage the risk lifecycle.

In addition, Apparity implemented standardized risk assessment processes that systematically categorize in-scope EUCs. This enabled the client to prioritize EUCs based on business impact and determine where EUCs require oversight, remediation, or mitigation.

Capco also supported EUC program management by defining milestones and monitoring timelines. This helped align both internal and external stakeholders and ensured that the program stayed on budget. A team of business analysts, data analysts, and quality analysts supported Capco’s program managers, scrutinizing the client’s situation from multiple perspectives.

Finally, Capco supported the transition away from a legacy SharePoint solution for tracking EUCs to Apparity’s automated and intelligent software. Building upon existing requirements, we defined new configuration needs and developed training materials. Additionally, Capco conducted hands-on trainings to ensure that users were familiar with the software and could use it easily from day one.

Business Benefits Plus Business Transformation

The deployment of Apparity’s software directly addressed the client’s challenges:

  • strengthened its overall EUC framework
  • minimized and focused the scope of its EUC remediation program
  • automated key aspects of the EUC management program

Through the dynamic partnership of Apparity and Capco, the client achieved the primary objective of the project: regulatory compliance and BaFin’s sign-off.

This positions our client for long-term success, providing:

  • reduced manual interventions
  • fewer overall mistakes
  • a sustainable governance framework

Above all, the client can continuously monitor its technology landscape, prevent the unsanctioned deployment of shadow IT, and address risks before they cause harm.

This approach is repeatable and customizable for other financial services organizations, especially those in highly regulated geographies such as the US, UK, and European Union. To learn more about how we can help transform your business please contact us.

Find out more about working with Capco

Contact Us

Subscribe for Updates

Subscribe to our newsletter for exclusive content.

Subtle White Feathers

Jason Noran, Jack Adam, Chris Trammell and Justin Lichtfuss

Related Articles

What is SR 11-7 Guidance?

What is SR 11-7 Guidance?

SR 11-7 provides supervisory guidance on model risk management (MRM). Initially published in April 2011, the...

Share This