| Background. In 1988, the Comptroller of the Currency sanctioned a joint issuance by the Federal Financial Institutions Examination Council on the risks associated with end-user computing activities. The intent was to create awareness of risks resulting from end-user computing and to encourage the development of policies to guide end-user computing practices. As centralized control is increasingly dispersed throughout organizations, additional risks are introduced to financial institutions. The failure of banks to adequately measure and manage risk can produce regulatory problems, monetary losses, legal problems, competitive disadvantage, inadvertent disclosure, management error, and other problems.;Dissertation synopsis. Risks resulting from end-user computing practices is a phenomenon that has developed only recently as non-data processing professionals use computers to perform business functions integral to organizational operations. Prior to the emergence of end-user computing, responsibilities were clearly delineated within Information Systems departments in companies. The advent of end-user computing has shifted the focus of responsibility from Information Systems to the users themselves, as well as creating additional responsibilities for senior management and Internal Auditing.;In the effort to provide technology to end users as quickly as possible, important issues such as quality controls and standards were ignored. As end users gain more access to information through computers, and as they exploit the ability to develop complex systems and applications, end-user computing becomes complex and difficult to manage. If the risk of disaster is not assessed in organizations, management will not be able to balance the cost and benefits of minimizing risk.;After extensive interviews with California financial institutions, the author developed a statistical model to assess end users' practices and attitudes regarding their use of computers. The model measures the level of risk resulting from end-user practices and indicates specific problem areas for future prevention. This information will aid management in deciding whether to devote attention to training, security, or policy development. Additionally, the model identifies the level of control and support needed for segmented groups of end users within companies. |
