Let’s get visible: your guide to mitigating shadow IT and de-risking operations
Imagine knowing exactly what’s going on in your operations. Being able to see where your data is, what’s happening to it, who’s using it and how it’s changed. Think about the impact that would have on operational risk, on how much safer and more resilient your firm would be.
This may be the vision for a Chief Operating Officer, but the reality is very different. Most financial firms have operations that are highly fragmented, opaque and full of hidden risks. While other areas of the firm have acceptable thresholds for credit or market risk, for instance, there is zero room for operational risk.
Operational risk has long been an unfortunate fact of life for capital markets firms. Traditional front and back office systems, from trade capture to accounting, have all played a key role in creating these problems. The data stored in these systems needs reconciling, against both internal and external sources. The requirements of firms are complex, as is the data itself, and older reconciliation systems haven’t kept up with these demands. This has led to the rise of “shadow IT” as teams look to put controls in place quickly.
Shadow IT refers to processes or applications that are developed and maintained outside of the control and knowledge of your IT organisation. In the case of data management, it includes forms of end-user computing (EUC) and end-user developed applications (EUDAs) such as spreadsheet reconciliations, databases, scripts and so on.
For a long time these workarounds were necessary. They were tactical builds designed to support broader growth and innovation initiatives for the firm. But these band-aids accumulate technical debt and create a snowball effect where risk and opacity propagate throughout the Operations function.
Now, though, the evolution of technology has made it possible to bring these hidden processes back under control.
But before we explore the solution, we need to understand why shadow IT is so prevalent in Operations in the first place.
Shadow IT for data: the speed/risk trade-off
The existence of shadow IT processes is a clear sign that users need more agility from your technology to do their jobs. The systems they’re using aren’t able to overcome the five key data challenges of variety, change, scale, lifecycle and control.
Teams in functions like Operations and Finance resort to shadow IT like spreadsheets to carry out mission-critical tasks. Your organisation may have very strict change management policies in place to ensure governance, but these are often time-consuming and stymie agility. On top of this, outdated, on-premise reconciliation systems require IT to hardcode every new process and change. Teams could be left waiting months for the processes or adjustments they need – but the business needs the controls today.
Once someone starts spinning up workarounds to get things done quickly, it kicks off a vicious cycle:
- Manual intervention, EUC and EUDAs, point solutions and offline processes reduce visibility.
- You can’t audit them properly, they create opportunities for human error, multiple copies of data sets end up floating around, and the data becomes inconsistent and untrustworthy.
- This introduces risk and delayed risk identification, given that these processes are often known only to a few and rely on self-reporting.
- To combat this, you try to introduce more processes or further workarounds to manage the outcomes and associated risk, and so the cycle continues.
Remember, these are mission-critical processes. And they’re often being run on spreadsheets.
The risks of EUC and EUDAs
Shadow IT introduces risk across multiple fronts of your business, including people, processes and systems.
People risk
EUC and EUDAs create key-person dependencies. Spreadsheet knowledge is stuck with the person who created it. If they’re sick, on holiday, move jobs or retire, the knowledge of what that spreadsheet does and how it works goes with them.
You also have the twin problems of identity and access management (IAM) and change. There are no guardrails on a spreadsheet – it’s difficult to control who can access it and who can make changes to the macros inside. These are mission-critical processes that anyone can access and amend with limited, if any, oversight.
Additionally, there’s a lot of manual work involved in pulling data out of systems, putting it into a spreadsheet and finding and flagging the exceptions. Each manual step in a process introduces greater risk of human error. This is clearly something you want to avoid, given that even a single error in a spreadsheet can have disastrous consequences.
Process risk
Shadow IT processes are opaque and the more of them you have, the less of a consolidated view of your data you’re able to achieve. This hampers risk identification and escalation, because processes such as spreadsheet-based reconciliations rely on users manually describing the root causes of exceptions. There’s no standardisation of terms, which makes activities like bulk categorisation difficult or impossible, hampering not only investigation and resolution, but insights and reporting. It means you’re left without a consolidated view of your data.
And, of course, it means that vital business tasks with mission-critical data are happening outside of your governance and control framework.
System risk
At a system level, shadow IT such as EUC and EUDAs lack redundancy, availability and reliability. There are no failovers, and access is limited to the people who built the process – few even know it exists. On top of this, the fact these processes have limited governance and don’t follow best practices makes them vulnerable to change. When you make business or technology changes, it’s impossible to know what’s going to break in your shadow IT estate until it has happened.
Mitigate risk by bringing shadow processes back online
As we mentioned before, the existence of shadow IT is a clear sign that the technology used in Operations isn’t enabling people to both do their jobs and follow your governance framework.
You need to have controls in place between internal front and back office platforms and external sources. Data must be reconciled to ensure its accuracy. But most reconciliation platforms are:
- On-premise, making them slow to update and innovate (if at all; we know of firms running versions of reconciliation software that are ten years old…).
- Hard-coded, so only IT has the skills and knowledge necessary to build new processes or change existing ones.
- Schema-reliant, so data has to be prepared in a certain way before being loaded into the system.
These are just some of the limitations forcing users to resort to shadow IT like spreadsheets. These processes are invisible and therefore carry a lot of risk. You have to rely on people self-reporting exceptions and there’s also concern about people hiding risk – remember, that spreadsheet may be the only way they can do their job.
All this means that you can’t understand what’s going on across your business. It’s impossible to extract insights from a spreadsheet to build dashboards or other forms of reporting. You lack real-time insight into your operations.
This means you don’t have a holistic picture of the business: which areas are performing well, which aren’t, where the risk and cost and inefficiencies lie, or who’s causing you all these operational headaches (e.g. is a certain counterparty particularly bad for data quality?)
You don’t even know that the risk is there, let alone how to mitigate it.
For that, you need a different breed of technology.
How data automation helps beat shadow IT
Data automation is a transformational approach to automating the front-to-back processing of data throughout your organisation. It leverages the latest technology to break free of the limitations of older, legacy platforms, removing the manual work, cost and risk associated with managing data.
Firms using data automation can simplify their application landscape, consolidate and standardise their processes, increase visibility and transparency and – of course – reduce operational risk.
Data automation platforms like Duco are:
- Cloud-based, so you are always up to date and everyone across your organisation who needs to can build and manage controls on the same platform (assuming they have the necessary permissions).
- No-code, so business users can rapidly build, test, four-eye check and deploy new processes or changes to existing ones, all while following best practices. These processes are all built in plain English using Natural Rules Language. This means other team members, internal auditors and regulators can all understand exactly what’s happening to the data and why.
- Self-documenting, giving you a full audit trail of what changes have been made to processes and how data is handled.
- Schema-free, making it easy to bring all structured or unstructured data onto the platform quickly.
- Secure and controlled – IT remains in control of managing the system from a governance perspective. Access and user permissions are granular, meaning you have total control over who can see what data and what they can do with it.
All this enables you to replace spreadsheets and other forms of shadow IT, because the platform is agile and accessible. It easily integrates into your existing tech stack and provides the ‘connective tissue’ between your systems, allowing you to automate all of the controls you need to ensure the accuracy of your data.
Some Duco clients have replaced hundreds of EUC and EUDAs in a single year. One client eradicated all EUDAs (600) from their operations, including automating over 400 Excel spreadsheets in just 18 months. We’re currently working with a top global bank on replacing 2,200 EUDAs with fully-automated, transparent controls.
Duco’s data automation platform not only enables you to replace spreadsheets, but also to remove any outdated reconciliation platforms whose shortcomings created the need for EUCs in the first place. You can simplify your operations by consolidating processes, removing the need for disparate point solutions that make it hard to get a global picture of your business.
Additionally, you are able to consolidate processes to reduce the complexity of your controls. For example, one client was able to run the same data checks using just 9 processes on Duco that required 159 on a competitor system; another consolidated 610 processes on a legacy system down to just 23 on Duco. It’s a lot easier to have oversight of a few processes than hundreds.
Yet at the same time, Duco’s ease of use makes it possible to add more controls. One customer had 40 reconciliations on their on-premise system. Building more was too difficult, but they told us that if they’d been able to, there were another 100 they would have liked to build. Duco makes it possible to add all the controls you need, without overwhelming your operations with a deluge of reconciliations.
In other words, we can give you a stronger, more robust control framework with fewer processes.
Shining a light on hidden processes
Duco’s data automation platform enables you to cut operational risk by removing the vicious cycle that spreads shadow IT throughout your operations. It enables you instead to build a virtuous cycle:
- Consolidate processes onto one platform
- Create transparency
- Identify risks early
- Generate insights and analysis, identifying opportunities to further consolidate and automate.