Fannie Mae's approach to taming end-user computing applications

Today's spreadsheet is a dangerous beast. It might look innocent enough: a series of rows and columns, numbers and formulas. But if that spreadsheet isn't properly controlled, if the data rolling into and out of it isn't adequately monitored, the effect on a company can be devastating. This is true for any application that employees use to track, calculate, store and report information.

Leon Nisenfeld,
director, risks and controls,
Fannie Mae

Most enterprises rely heavily on end-user computing applications, otherwise known as EUCs. These applications are built by employees using common tools like Microsoft Excel, Microsoft Access and SAS, and they can execute anything from simple addition to complex formulas. They also execute calculations that help determine financial results, develop strategy and analyze business decisions.

Unfortunately, EUCs inherently lack controls. Even at the most tightly managed firm, EUCs can be developed and used in production with little or no documentation, testing or control measures.

In 2010, Fannie Mae began taking steps to shore up its EUCs. With Fannie Mae's complex infrastructure, we found that traditional, ad hoc approaches to managing EUCs would fall short of our goal. We knew that trying to limit or prevent end users from creating EUCs, trying to force all EUC development through the technology organization, or implementing a one-size-fits-all approach to EUC controls would not work. We had to balance the value and risk of EUCs, each of which is substantial.

End user computing application quality and risk controls

We recognized that end users need to continue creating EUCs and that Fannie Mae's technology organization needs to work with them on an approach to development, testing and controls that makes sense for their business needs and for the company. Our approach serves as an alternative and effective model for companies in similar circumstances.

We employed three simple concepts:

  • know your environment and culture,
  • make the rules straightforward and risk-based, and
  • provide new tools and services that help end users be compliant and process the information they need more easily.

To begin, we took a complete inventory of end-user computing applications so we could understand and quantify our challenge. Then, working closely with our business units, we assigned risk levels to each EUC and identified appropriate controls for each risk level. For example, EUCs that play a role in developing our financial results have a higher risk and require more stringent controls than those that process data for an internal report.

We also broadly communicated steps to be taken to develop and manage EUCs. To take our support of the end users one step further and provide them with enhanced capabilities and automated controls, we worked with IBM to set up a centralized EUC "factory" in East Lansing, Mich. The factory is a team of IBM employees, overseen by Fannie Mae IT, that evaluates, develops, enhances and supports EUCs.

At the factory, EUCs are built according to our standards, fully tested before they go into production, and supported by IBM during operation. Routing EUCs through the factory is not required, but we have worked to build the business case for why it is advantageous to do so: fewer errors, better controls, increased efficiency.

We are also simplifying our EUC environment by working with IBM to determine where EUCs can be combined, replaced, built into larger applications or enhanced. Additionally, we are helping end users upgrade from basic software programs to better analytical and reporting tools, which by design provide strong controls for the underlying data.

Overall, by focusing on EUCs, we have made Fannie Mae a more efficient and better controlled organization. So far, we have strengthened 25% of all end-user computing applications. We've been able to better manage risk for a minimal investment.

Companies with a large and diverse set of customers and partners would do well to consider a new approach to the EUC issues that challenge so many of us. With the right EUC strategy, you can maintain the flexibility the business needs, establish necessary controls and simplify your environment. And your bottom line will be better off if you can tame the spreadsheet beast.

Leon Nisenfeld is director, risks and controls, at Fannie Mae.

This was first published in January 2013
