What I learned from Walmart’s CIO about EUC Risk Management

Earlier this year, Peter High wrote on Forbes.com about an interview he had with Clay Johnson who currently is the CIO of Walmart.  Although the topics of discussion weren’t specific to end-user computing risk management, I found Clay’s lessons learned from his early experience at FedEx to be very applicable to my work focused on Model risk and EUC risk management.

What I learned from Walmart’s CIO about EUC Risk Management . . .

Clay explained that the first of his lessons learned in that entry level IT role was that you need to “understand the business better than the business itself”. 

In other words, you need to understand the work process before you can utilize technology to improve it.

 In that first project he didn’t have that knowledge and, in his words, “the project failed miserably”. “Nobody took the time to learn the business” and “we made assumptions” that in the end proved to be “not even close”. When working towards reducing end user computing risk, one will be affecting a work process that has evolved to be exactly what the business needs/wants. If you don’t understand that process, and your controls or other governance initiatives degrade rather than improve that process, your initiative will probably fail as well.

His second takeaway was to “learn from your failures”. In my career, that means try not to make the same mistake twice.

Although this experience is somewhat generic, I believe it is very relevant to EUC risk management as I continually see companies repeat the same mistakes over and over. We see this not only between companies, but within the same company itself. In regards to reducing the inherent risks of models and other end-user controlled applications, these repeated mistakes usually take the following forms;

• The needs of those in the first line of business (who ultimately own the risk) are ignored in the second line’s independent pursuit of policy/compliance or standards enforcement.
• Risk management procedures add little if any value to the person who actually has to do the work. There is almost nothing in it for those in the business.
• Given that most companies have millions if not tens of millions of end-user controlled files, technology has a key role in helping facilitate enforcement. However, most companies develop their policy/standards with no regard as to how technology can help operationalize those controls. The end result is a policy that’s not practical and usually doesn’t become operational.
• Having a somewhat sanctimonious belief that people in the line of business should comply with a policy just because the policy says one should. In reality, it is end-user controlled (or developed) for a reason. If your risk management objective conflicts with the core business purpose, then keeping the business functioning efficiently will usually win and the policy will fade in importance.

On one hand, these lessons learned represent simple, common sense. Nonetheless they are often forgotten when it comes to establishing more effective controls in order to reduce model and end-user computing risk. My two adaptations of Clay’s lessons to the risk world can be summarized as follows;

1. Understand how your governance and risk management framework impacts the day to day life of the people in the business. Find ways to minimize their compliance burden. Ideally, find ways that add value and help their productivity. No one wants to make an error so in that sense your objectives should be aligned. Strive to keep them aligned.
2. Don’t develop your policy/standards in isolation from the automated risk management tools that can be used to help implement them. You don’t have to select a vendor, but be aware of what technology is available.  Understand how it can enable and automate the processes that are unique to your organization’s policy. Don’t try to implement controls that aren’t operationally practical.