Preventing EUC Operational Risk in Banking

Many banks rely heavily on user-developed applications (UDAs) and end-user computations (EUCs) to perform a wide range of functions that are beyond the capabilities of their core systems. These UDAs and EUCs are associated with tools such as spreadsheets, macros, legacy forms, local databases, and email. They play a crucial role in data adjustments that impact key areas such as U.S. GAAP, inter-company consolidation, CCAR, trade settlement, accruals, and stress testing in risk management.

Despite their flexibility and user-friendliness, UDAs and EUCs often operate without adequate governance and traceability. This lack, coupled with the absence of specialized personnel to manage them, poses significant risks to financial institutions. These risks include potential regulatory penalties and fines, which can severely damage a bank's reputation.

For example, relying on manual risk controls and a cumbersome risk assessment process can inflate operational costs, requiring additional verification steps. This situation can compromise the accuracy of risk calculation reports, impacting critical financial documents and adherence to regulatory frameworks such as FFIEC 101, 102, and 103; FR Y-14s; and SOX 1, 5. The integrity of U.S. GAAP filings may also be at risk, requiring adjustments in accounting, taxation, capital plans, and balance sheet configurations. The challenges extend to data management, where data quality, privacy, and governance could be compromised, highlighting the need for a risk-based approach to managing critical data elements (CDEs) and ensuring proper data lineage.

Mitigating the risks associated with EUCs can be daunting and time-consuming, but for some banks, it is now a critical imperative. EUCs will persist if enterprise applications lack the agility to keep pace with evolving business and regulatory demands. Frequent regulatory updates and tight deadlines, for example, necessitate the creation of EUCs since directly accessing and reporting from main business applications to comply is usually not feasible.

Proper controls, governance, and platform support can help financial institutions reduce the risks associated with EUCs. Meanwhile, advancements in AI and Generative AI (GenAI) make this complex yet critical process more accessible.

A Comprehensive Approach to EUC Remediation

Financial institutions should adopt a comprehensive strategy for EUC remediation to achieve optimal results, rather than relying on quick-fix solutions. This approach ensures that all aspects of EUC management are addressed, reducing the risk of oversight and potential issues.

1) Create a governance framework: Formulate new or improve upon current policies, standards, and controls to provide a uniform structure for EUCs throughout the organization. Key controls include:

• Data integrity: Maintains the integrity of data throughout its entire progression from the source to computation and ultimately to output generation.
• Version control: Assures that the bank can recognize the most recent updates, while previous iterations are disposed of following verification.
• Change control: Tracks modifications to EUC systems by both business and IT departments.
• Access control: Only authorized users can access EUC resources with appropriate privileges (view, modify, delete).
• Availability: In a disaster situation, essential use cases must be accessible and integrated into a business continuity plan.

2) Discovery and catalog: Conduct the EUC discovery process to develop an exhaustive inventory throughout the corporation.

3) Evaluate risk: Use an EUC risk framework to pinpoint where controls might be lacking.

4) Prioritize, remediate, and migrate to a centralized platform: Pinpoint the most crucial EUC assets with the most significant risk. Prepare for repairs, then plan and execute new procedures to improve and replace current EUCs. 

Centralizing EUCs onto a unified platform enables business users to improve or develop new EUC applications while effectively managing associated risks. To construct this platform, teams should select the appropriate low-code/no-code platform (e.g., Appian, Pega, Xceptor, or KNIME) based on their discovery outcomes. (Depending on the use cases and scenarios, constructing a unified platform composed of several LCNC platforms as an integrated EUC platform might be required.) 

This integrated EUC platform should incorporate essential governance controls and be equipped with standard reusable tools such as data retrieval processes, integration APIs, output templates, and processors for handling unstructured content. Additionally, it involves migrating and restructuring critical business logic and data from files to the platform's core database, ensuring a seamless transition and enhanced operational efficiency.

5) Incorporate sophisticated analytics and cutting-edge technology: Enhance and revolutionize complex situations with AI solutions to achieve effortless transformation and full automation.

6) Attain digital operations: Enable the capability to continuously make significant process adjustments with no coding intervention, ensuring swift adaptability.

Much of this EUC remediation process is concerned with three essential components: input files, working files, and output files. The working files consume data from input files, which contain calculations per business logic. The working files, in turn, deliver output files. While this sounds simple on the surface, anyone who has spent time in the financial sector understands the complexities that quickly crop up due to the uniqueness of the business logic for each process and the various systemic needs in output files.

While many current processes have reduced the risks posed by EUCs, it's important to be aware that some significant challenges still need to be addressed. These include unusual input and output file extensions, complex macros across file types, complex MS Access files, poor integration with external applications, and limited data scalability. Being prepared to tackle these challenges is key to successful EUC remediation.

The AI/GenAI Advantage in EUC Programs

The potential for AI, GenAI, and data analytics to revolutionize the core process of EUC remediation is immense. GenAI can now augment the role of low-code/no-code applications and integrated EUC platforms to address some of the more complex problems related to EUCs, offering a promising future for risk management in financial institutions.

• Data Cleaning and Transformation: Tools enhanced by GenAI technology have the potential to streamline the data sanitization process across diverse file formats and correspondence. By detecting and rectifying inaccuracies, populating empty fields, and converting data to different formats as needed, GenAI can significantly reduce the time and effort required for data cleaning and transformation, offering a more efficient future for EUC remediation.
• Macro replacement: Manually decoding macro logic can be highly complex and time-consuming, especially in cases like intricate decision-making, loops, cursors, and iterative data generation. It often takes 4-5 weeks of manual work to get from decoding to development. GenAI can analyze macros, generate documentation explaining the VBA code, and even automate code refactoring in medium-to-complex cases.
• Converting MS Access operational files to GenAI-enhanced apps: Many EUCs use MS Access databases for operational data handling, allowing organizations to apply filters based on business rules for data retrieval and storage. The complexity of MS Access, with its various forms, macros, and queries, makes translating the existing business logic into new systems a significant task. Data scalability issues and feature inadequacies further complicate the task. GenAI presents solutions to decipher and migrate the business logic from forms and VBA contained within macros.
• Streamlined calculations with advanced AI: Increasingly, AI will become the driving force behind complex calculations, optimizing procedures while reducing inaccuracies. Banks can harness the power of AI to automate intricate accounting tasks such as prepaid expenses, depreciation, accruals, and amortization, using every relevant detail available. Moreover, AI can classify data points into distinct groups following established business protocols, carrying out computations on certain sections of historical data when dealing with forecasting, estimations, and analysis in financial planning and analysis — a task traditionally reliant on comprehensive macros.
• Connectivity to external systems: GenAI offers smooth integration capabilities with SharePoint, shared drives, and various external databases, utilities, and services through API connections. This streamlines the automation of data transfers and processes, cutting down on manual tasks like reading an email and subsequently dispatching data through email.
• Enhancing data management and speed: AI handles vast datasets more effectively than conventional end-user computing tools.

The steady advancement of AI and GenAI technologies is poised to elevate data management and analytics in the finance sector and transform how organizations approach the modernization of macros, forms, legacy code, and MS Access databases. With the proper strategy and support, financial institutions can harness the full power of these technologies to address the foundational challenges of EUCs, enabling a future where digital and operational resilience is not just envisioned but achieved.

About the Authors                          

Venkatesh Balasubramaniam
DMTS, Principal Member, Consulting Partner, Financial Crime Compliance & GRC Domain Practice Head

Venkatesh has over 28 years of industry experience, specializing in compliance, GRC, operational risk, financial crime, fraud and sanctions. A Principal at Wipro, he focuses on AI/GenAI solutions for client challenges. He is a member of the compliance fraternity – OpRisk, CAMS and CFCS.

Aviroop Dasgupta
Digital Automation Leader, Low-Code No-Code Practice Head

With 20+ years of experience in large-scale digital transformations, Aviroop works with clients to enhance operational efficiency and customer experience through the adoption of cutting-edge technologies like AI, low-code/no-code, and cloud.

Yugendhar Gannapally
Chief Technologist for Americas – Banking and Financial Services

Yugendhar specializes in driving digital and business transformations, shaping cloud strategies, and applying emerging technologies. Always on the pulse of the latest industry trends and technologies, he infuses fresh innovations into strategies to fuel growth for Wipro and its clients. 

Bhavik Soni
Head of Risk & Compliance – Banking and Financial Services

Bhavik has 23 years of experience in risk management for banking and financial services. He specializes in consulting and covers all aspects of risk management, governance, financial crime, and regulatory compliance, working with large, small and regional banks, FBOs, and GSIBs.