Fannie Mae's approach to taming end-user computing applications

Take a look at how Fannie Mae brought end-user computing application proliferation under control in three steps.

Today's spreadsheet is a dangerous beast. It might look innocent enough: a series of rows and columns, numbers and formulas. But if that spreadsheet isn't properly controlled, if the data rolling into and out of it isn't adequately monitored, the effect on a company can be devastating. This is true for any application that employees use to track, calculate, store and report information.

Leon Nisenfeld, director, risks and controls, Fannie Mae

Most enterprises rely heavily on end-user computing applications, otherwise known as EUCs. These applications are built by employees using common tools like Microsoft Excel, Access and SAS, and can execute anything from simple addition to complex formulas. They also execute calculations that help determine financial results, develop strategy and analyze business decisions.

Unfortunately, EUCs inherently lack controls. Even at the most tightly managed firm, EUCs can be developed and used in production with little or no documentation, testing or control measures.

In 2010, Fannie Mae began taking steps to shore up its EUCs. With Fannie Mae's complex infrastructure, we found that traditional, ad hoc approaches to managing EUCs would fall short of our goal. We knew that trying to limit or prevent end users from creating EUCs, trying to force all EUC development through the technology organization, or implementing a one-size-fits-all approach to EUC controls would not work. We had to balance the value and risk of EUCs, each of which is substantial.

End user computing application quality and risk controls

We recognized that end users need to continue creating EUCs and that Fannie Mae's technology organization needs to work with them on an approach to development, testing and controls that makes sense for their business needs and for the company. Our approach serves as an alternative and effective model for companies in similar circumstances.

We employed three simple concepts:

  • know your environment and culture,
  • make the rules straightforward and risk-based, and
  • provide new tools and services that help end users be compliant and process the information they need more easily.

To begin, we took a complete inventory of end-user computing applications so we could understand and quantify our challenge. Then, working closely with our business units, we assigned risk levels to each EUC and identified appropriate controls for each risk level. For example, EUCs that play a role in developing our financial results have a higher risk and require more stringent controls than those that process data for an internal report.

We also broadly communicated steps to be taken to develop and manage EUCs. To take our support of the end users one step further and provide them with enhanced capabilities and automated controls, we worked with IBM to set up a centralized EUC "factory" in East Lansing, Mich. The factory is a team of IBM employees, overseen by Fannie Mae IT, that evaluate, develop, enhance and support EUCs.

At the factory, EUCs are built according to our standards, fully tested before they go into production, and supported by IBM during operation. Routing EUCs through the factory is not required, but we have worked to build the business case for why it is advantageous to do so: fewer errors, better controls, increased efficiency.

We are also simplifying our EUC environment by working with IBM to determine where EUCs can be combined, replaced, built into larger applications or enhanced. Additionally, we are helping end users upgrade from basic software programs to better analytical and reporting tools, which by design provide strong controls for the underlying data.

Overall, by focusing on EUCs, we have made Fannie Mae a more efficient and better controlled organization. So far, we have strengthened 25% of all end-user computing applications. We've been able to better manage risk for a minimal investment.

Companies with a large and diverse set of customers and partners would do well to consider a new approach to the EUC issues that challenge so many of us. With the right EUC strategy, you can maintain the flexibility the business needs, establish necessary controls and simplify your environment. And your bottom line will be better off if you can tame the spreadsheet beast.

Leon Nisenfeld is director, risks and controls, at Fannie Mae.

This was first published in January 2013
