Innovation, Agility and Resilience - DNA of the fittest!

Strategy, AI, Digital transformation, Operational Resilience, Cyber Security, Process automation, Risk management and Compliance are your focus domains for value creation. AI-supported disruption and geopolitical uncertainty are the new reality. Agile organizations see all of that as opportunity. People, Processes and Planet are changing at a faster pace than ever before. Sustainability, Artificial Intelligence and new business models are shaping the future. Without efficient utilization of "Digital", most businesses are at risk. Quick fix, systematic transformation or independent sparring partner to the CX team - your call. We provide tailored Advisory Services for your Sustainable Growth.

End User Computing (EUC) evolution in the AI era – Risk and Controls

End-user computing (EUC) refers to systems in which non-programmers can create working applications.[1] EUC is a group of approaches to computing that aim to better integrate end users into the computing environment. These approaches attempt to realize the potential for high-end computing to perform problem-solving in a trustworthy manner.[2][3] (Source: Wikipedia).

EUC was an important topic from 2010 onward. It was later also mentioned briefly as a subject of regulatory focus (e.g. EBA-GL-2017-05 – ICT RISK ASSESSMENT UNDER SREP; EBA/GL/2019/04 – EBA Guidelines on ICT and security risk management). EUC has been used as a buzzword until today; however, it has matured and is no longer separately emphasised or regulated.

It is expected that “A financial institution’s processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function’s end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution should maintain a register of these applications that support critical business functions or processes.” Source: EBA/GL/2019/04

EUC is disappearing as a buzzword.

What is the status of EUC and AI consumption from end users today in organisations and how will this domain evolve in the future?

End user applications and ICT devices in 2025 offer many functionalities that allow users to process large amounts of data locally. Users can create complex rules and automations, embed AI capabilities and even write data back to corporate databases if allowed. Many decisions, reports and vital data sets are analysed, processed and distributed by end users – “developed or managed by the business function’s end users outside the ICT organisation” (plan, develop, test, use, update, leave) – where the corporate ICT risk management framework does not “see” them and has no visibility.

By adding new AI capabilities to existing tools and introducing new AI-supported architectures and concepts, managing risk and retaining control has to be not only adjusted on a regular basis, but embedded in every change and use case.

Some risks related to the “consumption” of ICT capabilities by the business function’s end users outside the ICT organisation (formerly EUC) are:

  • Wrong version – Was the version of the EUC tool approved?
  • Unauthorised Change of parameters and logic – Was the change authorised and tested?
  • Lack of ownership and visibility – Was the ownership assigned and linked to business functions, processes and other information assets to allow visibility, transparency and risk management (GRC)?
  • Unauthorised Data manipulation (extract, store)
  • Unauthorised Data Change (write to corporate database)
  • Unauthorised access control (to EUC tool & data)
  • Unreliable availability of EUC tool or product (not included in the redundancy or resilience programs)


What are key controls to address consumption of EUC and AI capabilities?

While there are many suitable controls to address specific risks and use cases, I have outlined a few steps that will help raise the maturity of any organization dealing with the risk of end user computing and related technologies:

  • Understand where, how, what is done = inventory: tools, use cases, functions supported
  • Evaluate existing risk
  • Educate users on expected and forbidden practices
  • Help users address existing, high risk, end user computing practices
  • Implement tools to auto discover high risk practices
  • Enhance data governance, risk and compliance programs
  • Enhance capabilities of ROC (Risk Operations Centres) and SOC (Security Operations Centres)
  • Coach leaders and employees on modern ICT capabilities and risks from the end user perspective
  • Build awareness and culture to support responsible and secure use of ICT capabilities for end users.
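One way to start the inventory and auto-discovery steps above, as an added example that is not part of the original post: a small Python pass that flags spreadsheets carrying VBA macros or external data connections (two of the practices behind the "change of logic" and "data extract / write-back" risks listed earlier) and emits register rows with an empty owner field for assignment. The sample file set, the OOXML part names used as indicators and the helper names are assumptions.

```python
"""Minimal EUC discovery pass: flag workbooks that carry macros or external
data connections and emit register rows (owner left blank for assignment).
Helper names are hypothetical; the file set below is a constructed sample."""
import io
import zipfile
from pathlib import Path

# Office Open XML parts whose presence indicates a higher-risk EUC practice
# (assumed indicators for this example, not an exhaustive list).
RISK_PARTS = {
    "xl/vbaProject.bin": "macro (VBA) logic",
    "xl/connections.xml": "external data connection",
}

def classify_workbook(data: bytes) -> list:
    """Return the risk indicators found inside one .xlsx/.xlsm byte blob."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return ["not an OOXML workbook"]
    return [label for part, label in RISK_PARTS.items() if part in names]

def build_register(files: dict) -> list:
    """Produce register rows (path, indicators, owner) for flagged files only."""
    rows = []
    for path, data in files.items():
        if Path(path).suffix.lower() not in {".xlsx", ".xlsm"}:
            continue  # only spreadsheet-type EUC artefacts are inspected here
        findings = classify_workbook(data)
        if findings:
            rows.append({"path": path, "indicators": findings, "owner": ""})
    return rows

def make_workbook(parts: list) -> bytes:
    """Constructed sample: a zip containing the named OOXML parts (empty bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part in parts:
            zf.writestr(part, "")
    return buf.getvalue()

SAMPLE_FILES = {  # constructed contents of a hypothetical finance share
    "finance/month_end.xlsm": make_workbook(["xl/vbaProject.bin", "xl/connections.xml"]),
    "finance/notes.xlsx": make_workbook(["xl/workbook.xml"]),
    "finance/readme.txt": b"plain text",
}

if __name__ == "__main__":
    for row in build_register(SAMPLE_FILES):
        print(row)
```

In practice the register rows would be merged into the GRC inventory and each flagged path assigned to a business owner and linked to the process it supports.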