End User Computing: What it is and why you should care
EUC stands for end user computing, and it’s any non-tangible (that is, not hardware) computing resource that lives, or may live, on the desktop of an end user. And why should you care? The answer to that question depends on your industry. If you’re in financial services, pharmaceuticals, healthcare, or if you are subject to regulations such as GDPR or CCPA, you should care because regulators examine these EUCs for regulatory compliance. If you are in a public company, then you will know that EUCs are crucial to auditors. Even if these categories are not directly applicable to your business, EUC management and governance are good practices and will save your company money in the long run.
Let’s dig a little deeper. The term EUC has been around for a long time. Originally it was used to encompass primarily Access databases and Excel spreadsheets. It was then extended to other Microsoft Office products and comparable products from other vendors, such as Adobe Acrobat or Google Sheets. More recently, it has become apparent that the definition of an EUC should be further expanded to include things such as Tableau reports, applications created by “citizen developers” or “citizen data scientists,” and even chatbots.
Why should the definition of EUCs be so all-encompassing? The short answer is that regulators are increasingly asking companies to prove that only the people permitted to see relevant data, especially sensitive information, are the only people who view that data. If you have a Power BI report on your desktop with that data in it, then your company needs to be able to prove that you didn’t forward that report to someone who doesn’t have access rights to that data. An efficient and effective remedy for this is to prove that the report cannot be forwarded, copied or printed. These actions would demonstrate (to regulators) that the company has a well-structured policy to secure sensitive data and ensure its integrity.
It is important to understand this background on the nature of EUCs because their scope is contested, especially between regulators and bankers. Regulators have a more fluid, broad-based definition of what constitutes an EUC, while bankers tend to be narrower and more restrictive. To them, an EUC is only synonymous with a spreadsheet. However, under pressure from regulators, their collective understanding is beginning to shift towards the more inclusive view. While on this topic, it is worth noting that anecdotal evidence suggests that EUC policy is becoming a much higher-level issue in many organisations than before. For example, I am aware of several banks that were approached by central banking authorities such as the Fed and the ECB to discuss precisely this issue. I have also heard of auditors taking a tougher line, especially in the States, around EUC management and governance.
Leaving aside the actual process of managing EUCs, which is a topic for another day, there are several interesting aspects to this definitional expansion. Firstly, if there are far more EUCs to manage than before, then actually inventorying them will be a significant issue, not just as a one-time project but on an on-going basis. Secondly, with more senior executives taking an interest in governing EUCs, there is going to be a greater demand for company-wide capabilities rather than simple departmental implementations. Given the growing number of EUCs that need to be inventoried and governed, vendors seeking to address these issues need to be able to scale to handle probably millions of EUCs, and without adversely impacting on the performance of those EUCs. And finally, the increasing acknowledgement of the importance of EUCs has implications for spreadsheet management vendors. While spreadsheet governance is and will remain an important sub-component of EUC management it is precisely that: a subset of the overall required functionality.
It is fair to say that spreadsheet management vendors, or at least some of them, have been moving to a broader understanding of EUCs over the last few years, while newer entrants have recognised the issues involved from the outset. Needless to say, some suppliers are transitioning more successfully than others, while some have architectures that do not lend themselves to the sort of scalability that is required for large-scale EUC governance. It will be interesting to see how the market evolves in response to EUCs and how that impacts across industry sectors.