How are end user computing (EUC) applications and files a risk to insurer operations?
EUCs usually take the form of models, tools and spreadsheets, and are used in critical business processes such as finance, actuarial and premium calculations, to name just a few.
Senior managers are loathe to admit to the critical nature and prevalence of EUCs in their businesses in running key day-to-day processes – and this remains a concern. As one example, we have found that companies are likely to underestimate the number of spreadsheets used in their businesses by a factor of ten.
EUCs are highly prone to error, owing to their complexity and heavy inter-dependence on other EUCs. If something goes wrong it can go wrong in a material way with financial losses in the tens of millions or front page headline news. An example of the latter occurred in July 2016 when Marks & Spencer announced an incorrect headline sales figure in an earnings call which later had to be revised and the blame attributed to spreadsheet error.
Indeed the complexity of EUCs has grown exponentially in recent years. Large insurers can have Excel models with millions of formulas in them. Most senior managers are not aware of this nor are many aware of the degree to which they are embedded in their critical business processes.
How well equipped is the insurance industry to manage its EUC risk right now?
In its Solvency II data review findings in February 2016 the Bank of England describes that most insurers are still struggling with issues such as data flows, ownership, data quality and classification. Many companies have met the minimum regulatory standard using manual methods. They have "ticked the box". However, due to the compliance burden on end users and the inability to scale a manual process, few have addressed their EUC risks in a comprehensive way – firms remain very exposed.
What regulations are there around EUCs and what, in particular, does Solvency II say?
The Bank of England 2016 report said that the Prudential Regulation Authority (PRA) will be looking for appropriate controls for data quality such as reasonableness checks, input validations, peer reviews, systems environment configuration, logical access management, ongoing change controls and documentation where EUC is material to the internal model data flow.
EUC risk management is also related to the internal control requirements of Sarbanes-Oxley (SOX), but being compliant with SOX doesn't necessarily reduce the risk of errors, fraud or disruption. CIMCON solutions help companies lower their EUC risks beyond what general SOX compliance mandates.
How have insurers sought to meet the EUC challenges posed by Solvency II?
Many firms are still struggling with understanding and documenting their data flows – this is a critical step to determine where and how the EUC-related controls need to be applied. On a broader scale, EUC risk is not exclusive to Solvency II. Solvency II is a large and encompassing regulation. Controlling EUC risk is but one part of that and it is usually focused on model risk management and validation processes as well as ensuring data integrity. If an EUC is part of the critical supply chain of data, then managing that inherent EUC risk is required.
More importantly, the bigger EUC risks lie outside of the regulatory purview of Solvency II and rest in everyday business processes where the consequences of an error, or loss of availability (business disruption), would be high. This includes actuarial, accounting, tax, treasury, compensation controls and pricing models.
What kind of solutions do you offer insurers to manage their EUC risks?
We provide desktop tools for end users to self-check for errors and automatically document objective evidence like complexity or data connectivity for later use in the risk management/internal audit processes. We offer an enterprise EUC discovery capability to systematically identify and risk assess EUCs stored on shared network drives. These capabilities work seamlessly with our enterprise control framework, which puts the appropriate level of controls consistent with a company's risk appetite. These controls can be frictionless and invisible to the end user – for example, automatically documenting an automated audit trail – or can be more extensive and put limits on what end users are able to do, like not changing formulas.