Losses at financial institutions (FIs) are often attributed to corruption, greed, or poor investment decisions. This is reflected in many of the established regulations and subsequent investment in risk management, and through the historical focus on managing credit risk, operational risk, liquidity risk, market risk and financial crime.
However, there is another key, but far less publicized, area where FIs invariably suffer significant losses: errors in, and misuse of, computer applications developed by end users. With the exception of the infamous ‘fat finger’ errors that make headline news, losses caused by end users within FIs are startlingly common, but under-reported and under-addressed. FIs invariably rely on collections of interlinked systems, documents and spreadsheets. Within these, a single discrepancy can change a key trade, or propagate throughout a system and generate potential losses in the billions of dollars.
End User Computing (EUC) risk is the risk of financial losses due to improper use of end user systems. EUC refers to systems in which non-programmers can develop working applications, including but not limited to spreadsheets, databases, and end user developed code and models. Chartis estimates that the current EUC Value at Risk (VaR) for the largest 50 FIs is $12.1 billion (bn) (at a confidence interval of 97.5%, over a one-year period). The estimated annual average VaR for large FIs is $285 million (m) per institution. Applying our methodology to publicly disclosed loss events gave an estimate of the VaR to which large FIs are exposed; it does not take into account secondary effects such as regulatory fines, reputational damage and loss of customers. Chartis believes there is a strong qualitative argument that the potential secondary impact of EUC risk is significantly larger than the direct losses covered in this paper.
Current uptake of EUC risk management solutions is low and uneven. The rarity of large, publicized EUC-related loss events, coupled with the difficulty of quantifying EUC risk, has led to the lack of uptake of EUC risk solutions. Many firms consider EUC risk something of an unknown, and are unwilling to set aside adequate time and resources for its management. Firms that do adopt EUC controls often do so either as part of a ‘check box’ approach to appease regulators, or as a direct result of significant loss events, at which point the damage has already been done.
We propose a new methodology that offers a quantitative approach to calculating EUC risk. The methodology uses metrics covering a range of business lines as proxies for the factors that cause EUC risk, which are difficult to quantify individually. It is currently the only methodology for quantifying EUC risk that does not rely on qualitative analysis, and it is highly customizable: EUC risk can be calculated for the sector as a whole, for specific business lines, or at even finer scales, if firms have appropriate datasets.
This report details the risks associated with EUC, as well as the potential consequences for financial institutions. It then highlights the importance of a quantified approach to EUC risk, details the stages and inputs involved in the new methodology, and describes an example application of the methodology using public data on loss events. Firms and consulting services will be able to apply the methodology described in this report to their own private datasets of historical EUC-related losses, allowing them to analyse their own EUC risk and to use the results as part of a business case for implementing EUC risk management systems and processes.