Setting the Stage
In our article “What is an EUC and Why Are There Risks?”, we defined what an EUC is in today’s world. We then asked if it was important to understand the scope of EUCs as questioned by regulators and bankers. We concluded that it is more important than ever to understand the scope and impact of EUCs and in particular spreadsheets.
Regulators have a more fluid definition of what constitutes an EUC, while bankers are more rigid in theirs: to them, an EUC is simply a synonym for a spreadsheet. However, their collective understanding is beginning to shift towards the more inclusive view. While on this topic, it is worth noting that anecdotal evidence suggests that EUC policy is becoming a much higher-level issue in many organizations than before. For example, I am aware of several banks that were approached by central banking authorities such as the Fed and the ECB to discuss precisely this issue. I have also heard of auditors taking a tougher line, especially in the States, around EUC management and governance.
Purpose
Regulators and auditors are cracking down on the use of EUCs. This is specifically true for spreadsheets in highly regulated industries where organizations are required to identify their EUCs and specify how they manage risk. This article proposes a radical approach to these challenges, as this problem continues to grow in size, complexity, and risk. In summary, we will cover the identification, re-engineering and retirement of all high-risk spreadsheets.
The article will not be focusing on the actual re-engineering process itself, meaning the potential languages (R and Python for example) or the technology vendors (Caspio, Appsilon, Spreadsheet Converter et al) that would be used to replace the spreadsheet. Instead it will focus on what processes and supporting technology a company must have in place to drive an EUC Retirement project.
Notes of Caution:
Spreadsheets are ubiquitous and carry an entrenched sense of personal ownership. This will challenge even the most culturally robust organization. Consider the following:
- First, this is not an easy task. For this kind of project to be successful, there are, at a minimum, three critical phases. Each phase comes with a number of prerequisites that must be agreed and then acted upon before beginning the individual spreadsheet retirement cycles.
- Second, the success or failure of the project will depend on everything being clearly defined from start to finish. Senior management must be firm in their sponsorship and support during this change.
EUC Retirement Methodology
Phases and Prerequisites
Phase 1: Discover, Recover, and Inventory
A successful EUC Retirement project requires a company to have a complete view into its spreadsheet population. Because retirement cycles can be lengthy, this view must also be continuously updated to find new spreadsheets created during the EUC Retirement project.
These three prerequisites must be in place before the Re-Engineering Prioritization phase begins.
- Discover: Every financial institution or publicly traded company will need to ‘Discover’ and identify every version and copy of a spreadsheet that is either currently being used or is currently being developed.
- Recover: In addition, the organization must also identify all versions and copies of spreadsheets that are no longer used. A time-based line in the sand helps define how far back to search.
- Inventory: All Discovered and Recovered spreadsheets must then be added to an inventory that is capable of being configured to monitor the Retirement process.
Phase 2: Re-Engineering Prioritization
The next phase is to assess and prioritize the risk that the inventory of spreadsheets presents to the company. The Prioritization Assessment is essential to ensure senior management buy-in. It also provides a coherent, manageable, and accountable project framework. The Prioritization Assessment must be configurable to the unique needs of the organization and its EUC Retirement plan. This is important because each organization will have its own governance policies, business model(s), and on-going audit events.
The following prerequisites must be implemented in parallel to ensure that the Re-Engineering Prioritization phase remains in sync with the Discover, Recover and Inventory phase:
- Before the spreadsheet discovery effort gets underway, the rules used to determine a spreadsheet’s risk level must be defined. These rules should be both systematic and heuristic. Systematic rules include complexity, interconnected mappings, groupings, organizational segmentation, etc. Heuristic rules require users to provide data on operational impact, review frequency, business process(es), ownership and review structures, attestation history, and audit outcomes to name a few examples.
- Once defined, these rules should be set in the Discovery system. Immediately use the Discovery system to do an initial scan. The results should be automatically added into the Inventory system while notifying the appropriate user to provide their input.
- Once complete, the combination of system and human-entered data should then provide a Prioritization ranking.
Next, this Prioritization ranking will be used to drive the third and final phase of Spreadsheet Re-Engineering and Retirement.
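The ranking step described above, as an added example that is not part of the original article or of any vendor's product: discovery-scan metrics and owner-supplied answers are combined into one score per inventory record. The field names, weights, caps, and the choice to score records still awaiting owner input at the worst case are all assumptions made for illustration; each organization would configure its own.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights and caps; the article leaves these to each organization.
SYSTEMATIC_WEIGHTS = {"complexity": 0.5, "linked_files": 0.5}
HEURISTIC_WEIGHTS = {"operational_impact": 0.5, "days_since_review": 0.2,
                     "audit_findings": 0.3}
CAPS = {"complexity": 1000, "linked_files": 20, "operational_impact": 5,
        "days_since_review": 365, "audit_findings": 3}


@dataclass
class InventoryRecord:
    path: str
    systematic: dict                  # filled in by the discovery scan
    heuristic: Optional[dict] = None  # filled in by the owner; None until then


def _weighted(values, weights):
    # Normalise each input to 0..1 against its cap, then take the weighted sum.
    return sum(w * min(values[k], CAPS[k]) / CAPS[k] for k, w in weights.items())


def score(record):
    sys_score = _weighted(record.systematic, SYSTEMATIC_WEIGHTS)
    if record.heuristic is None:
        # No owner input yet: assume the worst case so the spreadsheet is not
        # under-ranked while the owner is being chased for answers.
        heur_score = 1.0
    else:
        heur_score = _weighted(record.heuristic, HEURISTIC_WEIGHTS)
    return round(0.5 * sys_score + 0.5 * heur_score, 3)


def prioritize(records):
    """Return (path, score, status) tuples, highest risk first."""
    ranked = sorted(records, key=score, reverse=True)
    return [(r.path, score(r),
             "awaiting owner input" if r.heuristic is None else "complete")
            for r in ranked]


# Constructed sample inventory (not real data).
SAMPLE = [
    InventoryRecord("ops/headcount.xlsx", {"complexity": 50, "linked_files": 0},
                    {"operational_impact": 1, "days_since_review": 30,
                     "audit_findings": 0}),
    InventoryRecord("treasury/fx_copy(2).xlsx",
                    {"complexity": 300, "linked_files": 4}),
    InventoryRecord("finance/var_model.xlsx",
                    {"complexity": 800, "linked_files": 10},
                    {"operational_impact": 5, "days_since_review": 400,
                     "audit_findings": 2}),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Re-running `prioritize` after each scan or owner response keeps the ranking in step with the inventory.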
Phase 3: Spreadsheet Re-Engineering and Retirement
This phase begins with identifying which spreadsheets should be scheduled for immediate retirement.
Note: Remember, this newly created ‘view’ of a company’s spreadsheet population is not static. In large organizations, spreadsheets are created, changed, and copied continuously. It is critical to update this ‘view’ regularly, typically weekly or biweekly. It is equally important to take immediate action when any changes are identified in the Prioritization assessment.
However, the process of retiring spreadsheets is not as simple as going down the list and re-engineering and retiring those spreadsheets one by one. Two key elements, both driven by the same regulatory concerns, must be in place before the process can begin:
- The ability to continually track and enforce the appropriate level of regulatory compliance controls for all spreadsheets queued for retirement.
- The ability to report and verify compliance oversight for all prioritized spreadsheets, both before and during the re-engineering and retirement process.
Conclusion
In summary, any company looking to replace its spreadsheets must find and implement technology that can support this effort. For companies with hundreds or thousands of spreadsheets, the failure to deploy this critical infrastructure will result in a chaotic and inefficient process. This will ultimately lead to an expensive and unsuccessful attempt to address the growing concerns of the regulators around EUC governance and control.
In closing, unless correctly planned and executed, failure of an EUC Retirement program will only have one outcome: further entrenchment of spreadsheet usage in the organization and an inevitable increase in the number of significant audit events.