0%
 

How to Reduce EUC Risks (ERMTP-Intermediate)

Welcome

Course Navigation Tips

The Menu button provides access to the individual sections.

The Home button at the end of each section takes you to the start of the course.

The Resources button provides a list of useful links.

The Switch Language button lets you switch to a different language.

The Close button ends your training session and closes the course window.

If you are accessing the course from a personal device directly over the Internet (outside of the Citi network), some links may not work if they link to content within Citi’s network. This will not impact your ability to complete the course.

How to Reduce EUC Risks

This intermediate course provides a comprehensive understanding of End User Computing (EUC) roles and responsibilities throughout the EUC Lifecycle for those who manage EUCs.

You will gain knowledge about the importance of controls in EUC risk management, and the collaborative efforts required to maintain a secure and compliant EUC environment.

Additionally, you will learn about the IT-enabled Smart Solutions (ITeSS) lifecycle, which is an alternative solution to EUCs in a controlled environment to reduce EUC risk.

This training will take approximately 25 minutes to complete.

Scroll down to continue.

Meet the EUC Team


In this course, you’ll be introduced to EUC Owner Jared and EUC Champion Priya, who will guide you through case studies illustrating the EUC and ITeSS Lifecycle. They’ll collaborate with the following other key team members:

Images of key EUC team members, which include: Jared: EUC Owner, Priya: EUC Champion, Roger: EUC Owner’s C15+ (or Delegate), Karen: Business & Function IT

Course Structure

This course is divided into nine sections, each of which covers a different topic:

  1. Introduces the course and provides the option to test-out
  2. Explores the EUC Lifecycle phases
  3. Guides you through a case study that illustrates how the EUC Lifecycle is applied in practice
  4. Introduces three Risk Reduction methods, along with the roles and responsibilities associated with each
  5. Describes the Quality Control and Assurance Review process
  6. Outlines the ITeSS Lifecycle, an alternative solution to EUCs
  7. Guides you through a case study that illustrates how ITeSS can be used to mitigate EUC risk
  8. Provides a summary of the course content
  9. Concludes with an Assessment to test your understanding

Citi’s Enterprise Risk Management Training Program

Enterprise Risk Management Training Program Risk And Controls Policy Knowledge Common Risk and Controls Skills Specialized Risk and Control Skills

Why This?

This course is part of Citi's Enterprise Risk Management Training Program (ERMTP), a series of courses which will build your understanding of your risk and control responsibilities.

Why Now?

The Enterprise Risk Management Framework (ERMF) is Citi’s standard for managing risk. As part of Citi’s Enterprise Risk Management Framework (ERMF) supporting capabilities, we are committed to equipping all Citi staff with knowledge and training to carry out day-to-day risk and control responsibilities.

Why Us?

Managing risk is everyone’s job at Citi. We are all risk managers. Risk is inherent to Citi’s business and cannot be avoided. Everyone must be vigilant and manage risk with consistency and accountability, including compliance with applicable laws and regulations.

What’s the Win?

Awareness and consistent understanding of risk and controls policy knowledge, roles and responsibilities across all lines of defense.

Introduction to the ERMF


The ERMF establishes an overarching, integrated, and consistent approach to risk management firm wide.

The ERMF has four pillars, as outlined in the following diagram:

Please note: To better understand how Citi manages certain risks, this training will specifically focus on Control within Pillar 3 (Risk Management) of the ERMF. The remaining pillars are addressed in other ERMTP training programs.

The four pillars of Citi’s ERM Framework.
Pillar 1: Culture includes Values, Behaviors and Leadership Principles, and Performance Management
Pillar 2: Governance includes Board and Management, Board Oversight, Delegation, Executive Management, Committees and Escalation, Lines of Defense, and Policies, Standards and Procedures.
Pillar 3: Risk Management covers the Risk Management Lifecycle (Identify, Measure, Monitor, Control, Report), Financial Risks (Credit, Market (Trading), Market (Non-Trading), Liquidity), and Non-Financial Risks (Operational, Compliance, Strategic, Reputation).
Pillar 4: Enterprise Programs covers Enterprise Risk Identification, Risk Appetite and Limits, Stress Testing, Strategic Planning, and New Activities Approval.
Supporting Capabilities are: Talent, Performance Management and Compensation; Communication and Training; Technology and Data; and Models and Analytics.

Course Learning Objectives

Upon completion of this course, you will be able to contribute to the effective governance of the EUC and ITeSS control environment at Citi.

Specifically, you will be able to:

  • Describe the distinct phases of the EUC Lifecycle
  • Describe the key roles and responsibilities associated with each phase of the EUC Lifecycle
  • Describe the approved EUC Risk Reduction methods
  • Describe the key roles and responsibilities in EUC Risk Reduction
  • Identify the phases of the ITeSS Tool Lifecycle
  • Explain the key roles and responsibilities associated with each ITeSS Tool Lifecycle phase
  • Demonstrate how the ITeSS Tool Lifecycle can reduce EUC risks using a given scenario

Completion Criteria

This course contains a final assessment. You must score 80% or higher on the assessment to receive credit for this training.

This course also includes an optional test-out. If you pass, you can bypass the course content and final assessment and receive credit for completion.

If you prefer you can skip the test-out and go straight to the content.

The End User Computing (EUC) Lifecycle

Understanding the EUC Lifecycle and Your Role

This section will guide you through the End User Computing (EUC) Lifecycle, emphasizing its importance in reducing risk and enhancing controls within the firm.

We will revisit Jared's experience from the foundational course to illustrate practical application of these concepts.

Scroll down to continue.

EUC Risk Management: A Shared Responsibility

At Citi, managing EUC risk is a shared responsibility. Business units and functions play a crucial role in minimizing our reliance on EUCs and strengthening the overall control environment.

As an employee who creates or uses EUCs, you are accountable for managing the risks associated with those tools.

Remember Jared? In the foundational course, Jared discovered that a Microsoft Excel spreadsheet he used for regulatory reporting qualified as an EUC and could potentially introduce risk. As the creator of this EUC, Jared assumed the role of an EUC Owner.

EUC Lifecycle Phases

As you may recall from the foundational course, the EUC Lifecycle has five phases shown here and is designed to:

  • Enhance the control environment and
  • Reduce the risk associated with EUCs by providing a structured framework for their management.
Image of the EUC Lifecycle, listing the following five phases: 1. Identification and Pre-Creation 2. Registration 3. Risk Assessment 4. Control Implementation 5. Risk Reduction

Coming Next

Ideally, as an EUC Owner, Jared should have performed due diligence to assess whether an alternative approved IT solution existed to meet the business need prior to creating the spreadsheet.

Prior to creating a new EUC, an EUC creation request must be submitted for review to validate there is a need for it.

Next, we’ll see how Jared can accomplish this by exploring the EUC Lifecycle.

The End User Computing (EUC) Lifecycle in Action

EUC Life Cycle Case Study

Let’s break down the EUC Lifecycle phases and their associated roles and responsibilities through the lens of a case study. Each EUC Lifecycle phase must be completed.

Scroll down to continue.

Infographic of the EUC Lifecycle, which lists the following phases: 1. Identification and Pre-Creation 2. Registration 3. Risk Assessment 4. Controls Implementation 5. Risk Reduction

Identification and Pre-Creation

As an EUC Owner, Jared knows what EUCs are and how to evaluate all applications that might cause risk to the firm.

There are three key activities to perform to identify EUCs:

  1. Self-Identification: Jared identifies that the spreadsheet he already created is an EUC by answering the EUC and ITeSS Decision Tree.
  2. Annual Identification Review: Jared completes the annual process for the identification of unregistered EUCs. This process is integrated within the Manager’s Control Assessment (MCA).
  3. Discovery Process: Designed to identify and inventory potential End User Computing (EUC) applications using the Discovery Tool within the organization.
Image of EUC Lifecycle Phase 1. Identification and Pre-Creation

Reduce Reliance on Uncontrolled EUCs

The purpose of the Pre-Creation phase is to confirm that an assessment has been performed to evaluate an alternative technology solution prior to creating a new EUC.

To proceed, select each button to learn more about the EUC creation request process.

Evaluation of Alternative Solutions

Evaluation of Alternative Solutions

EUC Owner, Jared, in partnership with Business and Function IT, is responsible for evaluating alternative technology solutions and advising on appropriate technology choices such as:
EUC Creation Request Submission

EUC Creation Request Submission

If an approved IT solution was not available, Jared must submit this request to Roger, his C15+ (or Delegate) for review and approval. Jared may seek guidance from Priya, his EUC Champion, during this process.
EUC Creation Request Approval

EUC Creation Request Approval

EUC Owner’s C15+ (or Delegate), Roger, is responsible for approving EUC creation requests (from Jared, the EUC Owner).

Registration

The EUC Registration process initiates the formal inventory of your EUC. As the EUC Owner, Jared will register the EUC and conduct an initial risk assessment. This process begins after Roger, his C15+ (or Delegate) approves the EUC Creation Request.

Jared will then proceed to register the EUC in the EUC Inventory Tool.

To proceed with the registration and initial risk assessment, select each step below.

Image of EUC Lifecycle Phase 2. Registration
 

Step 1: Complete the Registration Fields

Jared confirms the EUC & ITeSS Decision Tree responses and then populates the registration fields within the EUC Inventory Tool.

These fields capture essential details about the EUC, including:

  • Purpose: A clear description of what the EUC is designed to do.
  • Inputs: The data sources used by the EUC.
  • Outputs: The results or reports generated by the EUC.
  • Logic: A summary of the calculations or processes performed by the EUC.
  • Business Process Automation: The specific business activities that rely on the EUC.

Step 2: Initial Risk Assessment Questionnaire

Jared completes the initial Risk Assessment Questionnaire, which will establish the baseline Risk Level based on the EUC’s inherent characteristics at the time of Registration.

The EUC Risk Assessment Questionnaire identifies the EUC Risk Level of Critical, High, Medium and Low. Each risk level determines the required EUC File Level Controls and Risk Reduction criteria to adequately manage EUC risk.

Step 3: Submission and Approval of the Registration

Jared attests to the accuracy of the provided details and submits the registration and initial Risk Assessment for approval.

Jared’s C15+ (or Delegate), Roger, reviews the submitted information, ensuring the registration details are complete and the initial risk assessment is reasonable.

Approval must be granted within 30 calendar days of submission.

Risk Assessment

Upon Registration, Jared categorizes the EUC as High Risk due to its impact on financial reporting and potential data integrity issues after completing the initial Risk Assessment.

After the initial risk assessment is approved, there are ongoing monitoring and periodic reassessments triggered by changes. This ensures the EUC's risk level remains current. These reassessments are crucial to account for changes in the EUC's usage, data, or the business environment.

To proceed, select each button to learn more.

Image of EUC Lifecycle Phase 3. Risk Assessment
Periodic Risk Assessment
Risk Assessment Following Material Changes
Submission and Approval of Risk Assessments

Periodic Risk Assessment

The frequency of periodic risk assessments is determined by the EUC's risk level established in the initial assessment. For example:

  • Critical and High Risk EUCs, Semi-Annual
  • Medium and Low Risk EUCs, Annual

Due to the high-risk classification of Jared's EUC, he is required to complete the Risk Assessment Questionnaire semi-annually.

go to next button

Risk Assessment Following Material Changes

When material changes are identified during Change Control review, Jared must complete the Risk Assessment within 30 calendar days of the Change Control completion date.

Refer to Risk Assessment Questionnaire in the End User Computing (EUC) Standard document for further information.

go to next button

Submission and Approval of Risk Assessments

Jared attests to the accuracy of the Risk Assessment responses and submits the Risk Assessment for approval.

Roger, EUC Owner’s C15+ (or Delegate), reviews and approves the Risk Assessment within the periodic review due date or within 30 calendar days of material change.

Refer to Risk Assessment Questionnaire in the End User Computing (EUC) Standard document for further information.

Controls Implementation

As an EUC Owner, Jared mitigates EUC risk while the EUC is in use by:

  1. Implementing the minimum required EUC File Level Controls based on the High Risk level of the EUC, as outlined in the EUC Controls Implementation section of the End User Computing (EUC) Procedure document.
  2. Retaining evidence for the design and operation of controls for the EUC.

Roger, Jared’s C15+ (or Delegate), is accountable for the adequate implementation of the minimum required controls.

Image of EUC Lifecycle Phase 4. Controls Implementation

Knowledge Check

Who is responsible for approving EUC creation requests?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Coming Next

Jared now needs to reduce the EUC Risk through an approved Risk Reduction method.

Next, you’ll examine how Jared can use three Risk Reduction methods and discover which ones are appropriate for the EUC Risk Level.

Risk Reduction

Risk Reduction

While EUC Risk Reduction in acceptable forms is always the goal, the ultimate objective for the firm is to eliminate Critical and High Risk EUCs as much as possible.

Note: Before Jared proceeds with the EUC’s Risk Reduction, he must ensure that supporting documents are complete and the EUC is about to be discontinued.

Refer to EUC Documentation Requirements in the End User Computing (EUC) Procedure document for further information.

Scroll down to continue.

Image of EUC Lifecycle Phase 5. Risk Reduction

Three Risk Reduction Methods

As you may recall from the foundational course, Jared can reduce reliance on his EUC by using one of the three risk reduction methods.

To proceed, select each method to learn more.

Business re-structuring/​Process
re-engineering
Migration/​Enhancement to Non-ITeSS Technology Platform
IT-enabled Smart Solutions (ITeSS)

Business re-structuring/​Process re-engineering

The need for the EUC is eliminated because of a change in the business process(es) resulting from, but not limited to, business transformation, organizational restructuring, process simplification and process optimization.

go to next button

Migration/​Enhancement to Non-ITeSS Technology Platform

An EUC is eliminated via Migration/​Enhancement to Non-ITeSS Technology Platform when the IT system or application is managed by Business and Function IT and the application complies with Citi Information Technology Management Policy (CITMP) and all applicable Citi IT policies.

go to next button

IT-enabled Smart Solutions (ITeSS)

An EUC is eliminated by migrating to an ITeSS where development is guided by Business and Function IT and has a lower risk exposure than an EUC because of increased level of controls.

How Can Jared Reduce EUC Risk?

Let's explore how Jared, as an EUC Owner, can leverage one of three approved Risk Reduction methods to mitigate EUC risk. The EUC Standard mandates that EUCs assessed as Critical or High risk must be risk reduced through a Non-ITeSS Technology Platform or Business re-structuring/Process Reengineering within 12 or 18 months, respectively. Jared's spreadsheet has been classified as a High Risk EUC.

Karen, representing Business & Function IT, has communicated to Jared and Roger (Jared's C15+ or Delegate) that the best solution to support the business need is to migrate the EUC functionality to ITeSS.

Consequently, Jared's Risk Reduction Plan must incorporate an ITeSS as the Risk Reduction method. This will ensure the spreadsheet operates within a controlled environment, effectively reducing EUC risk. You'll find detailed information about this specific solution in the ITeSS — An Alternative Solution to EUCs section.

Images of Jared: EUC Owner, Karen: Business & Function IT, Roger: EUC Owner’s C15+ (or Delegate)

Jared’s Risk Reduction Plan

EUC Owner, Jared, must develop and submit the EUC’s Risk Reduction Plan and obtain approval within 90 calendar days of Risk Assessment approval for EUCs that are risk rated Critical and High.

For Medium Risk EUCs, a Risk Reduction Plan is required only if it is included in the Annual Risk Reduction Commitment. For Low Risk EUCs, monitor that EUC remains Low Risk via periodic Risk Assessment and monitor EUC controls.

To proceed, select each item to learn how Jared collaborates with his team to implement an EUC’s Risk Reduction.

 

Identify an ITeSS as an Alternative Solution

EUC Champion, Priya, supports Jared in identifying a suitable ITeSS as a potential alternative to the spreadsheet.
Image of Priya: EUC Champion

Submit the EUC Risk Reduction Plan for Approval

EUC Owner, Jared, submits the EUC Risk Reduction plan to C15+ (or Delegate), Roger for approval.
Image of Jared: EUC Owner

Review and Approve the EUC Risk Reduction Plan

EUC Owner’s C15+ (or Delegate), Roger, reviews and approves the EUC Risk Reduction plan within 90 calendar days of Risk Assessment Approval.
Image of Roger: EUC Owner’s C15+ (or Delegate)

Risk Reduction Execution

As the EUC Owner, Jared must execute the Risk Reduction Plan according to the selected Risk Reduction Method (Business re-structuring/​Process re-engineering, Migration/​Enhancement to Non-ITeSS Technology Platform, or ITeSS).

To proceed, select the arrow on the right to learn more.

 

Migrate the EUC Functionality into the ITeSS Tool

EUC Owner, Jared, in partnership with Karen, the Business & Function IT, has successfully migrated the EUC functionality into the ITeSS Tool as per the approved Risk Reduction plan.
 
Images of Jared: EUC Owner, Karen: Business & Function IT

Provide Evidence of the Execution

EUC Owner, Jared, confirms the Risk Reduction completion and provides evidence of the execution of the EUC Risk Reduction in the EUC Inventory Tool.

Refer to EUC Documentation Requirements in the End User Computing (EUC) Procedure document for the set of requirements for Risk Reduction Execution and follow the steps in the EUC Inventory Tool User Guide for more information on how to complete the Risk Reduction Execution.

He submits the evidence to his C15+ (or Delegate), Roger, for approval.
 
Images of Jared: EUC Owner, Roger: EUC Owner’s C15+ (or Delegate)

Review and Approve Completion of the EUC Risk Reduction

EUC Owner’s C15+ (or Delegate), Roger, reviews the accuracy of the evidence and approves the completion of the EUC Risk Reduction in the EUC Inventory Tool.

Follow the steps in the EUC Inventory Tool User Guide for more information on how to approve the Risk Reduction Execution submitted.
 
Image of Roger: EUC Owner’s C15+ (or Delegate)
 

Knowledge Check

Which one of the following methods is guided by Business and Function IT and has a lower risk exposure?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Coming Next

Next, you’ll learn about Quality Control and Quality Assurance Review and Effectiveness, which are overarching steps that ensure the requirements are executed and documented accordingly.

Quality Control and Assurance Review and Effectiveness

Quality Control and Assurance Review Effectiveness

Quality Control and Quality Assurance Review and Effectiveness are integral parts of the EUC Lifecycle.

They contribute to the ongoing monitoring, evaluation, and improvement of the EUC Lifecycle.

Scroll down to continue.

Quality Control and Assurance Review

The EUC Enterprise Governance QA Team conducts periodic, centralized Quality Assurance Reviews (QARs) to assess effectiveness of key controls.

EUC Champion, Priya, conducts periodic, in-business Quality Control (Sector QC) reviews to ensure adherence to EUC Policy.

EUC Owner, Jared, is responsible for providing timely responses to all Quality Assurance Reviews (QARs) and in-business Quality Control (Sector QC) requests from the EUC Enterprise Governance QA Team and EUC Champion.

Any fails identified in the QC or QA reviews must be remediated by the EUC Owner within 30 calendar days and evidence must be retained for remediation.

Images of EUC Enterprise Governance Team, Priya: EUC Champion, Jared: EUC Owner

Effectiveness

The EUC Enterprise Governance Team supports the ongoing compliance of Policy through metrics and reporting, along with tooling and training and sustaining it.

Coming Next

As we confirmed earlier, Jared’s Risk Reduction plan will need to use an ITeSS Tool because his spreadsheet is a High Risk EUC.

Next, you’ll learn about ITeSS, an alternative solution to EUCs, including the ITeSS Tool Lifecycle phases.

ITeSS — An Alternative Solution to EUCs

ITeSS Lifecycle Phases

Now that you’ve learned about the EUC Lifecycle phases to reduce EUC risk, let’s learn more about ITeSS, an alternative solution to EUCs used within a controlled environment to reduce EUC risk.

As noted earlier, this solution must be implemented when Critical and High Risk EUCs cannot be migrated within a specified timeframe (12 and 18 months respectively).

Like the EUC Lifecycle, the ITeSS Lifecycle outlines defined roles and responsibilities to support the management, control, and Risk Reduction of EUCs within Citi’s business processes.

The ITeSS Lifecycles consists of six phases.

Scroll down to continue.

Infographic of the ITeSS Lifecycle, listing the following Phases: 1. Opportunity Identification 2. Define and Design 3. Develop and Unit Test 4. Testing and Deployment 5. Operate and Implement Controls 6. Continuous Improvement

ITeSS Lifecycle Roles and Responsibilities


Several key roles contribute to the successful implementation of ITeSS, as listed here.

Image of Jared: ITeSS Tool Owner

Jared: ITeSS Tool Owner

As you learned earlier, Jared's spreadsheet has been classified as a High Risk EUC. His Risk Reduction plan involves the migration of the EUC functionality to ITeSS. Therefore, Jared has become the ITeSS Tool Owner, and his responsibilities now include:

  • Managing the ITeSS Tool throughout its lifecycle
  • Identifying the opportunity for the ITeSS Tool and defining its scope
  • Developing, testing, deploying, and maintaining the Tool

Image of Roger: ITeSS Tool Owner’s C15+ (or Delegate)

Roger: ITeSS Tool Owner’s C15+ (or Delegate)

As you learned earlier, Roger has approved Jared’s EUC Risk Reduction plan. He continues his role as Jared’s C15+ (or Delegate) and is accountable for the ITeSS Tool. His responsibilities now include:

  • Providing approvals required for the creation and change of ITeSS Tools
  • Approving the development, design, and deployment of the solution

Image of Priya: EUC Champion

Priya: EUC Champion

As you learned earlier, Priya helped Jared to identify a suitable ITeSS as a potential alternative to the spreadsheet. Her responsibilities now include:

  • Providing guidance and support to the ITeSS Tool Owner and C15+ (or Delegate)
  • Ensuring adherence to the ITeSS Standard
  • Performing quality assurance reviews

Image of Karen: Business and Function IT

Karen: Business and Function IT

  • Provides and manages the approved ITeSS Platforms
  • Supports the development, deployment, and maintenance of ITeSS Tools

Image of EUC Enterprise Governance Team

EUC Enterprise Governance Team

  • Establishes the framework for ITeSS risk management
  • Maintains oversight and monitors compliance with the ITeSS Standard
  • Provides approved software to manage the ITeSS Tool Inventory and ensure its completeness and accuracy

Knowledge Check

Which ITeSS Lifecycle phase involves monitoring and maintaining the Tool in the production environment?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Coming Next

Next, the case study continues and follows Jared through the ITeSS Lifecycle steps for his EUC spreadsheet.

ITeSS Lifecycle in Action

ITeSS Case Study

Our case study involving Jared will guide you through the lifecycle of an ITeSS Tool, highlighting the key players and their contributions at each step.

Scroll down to continue.

Infographic of the ITeSS Lifecycle, listing the following phases: 1. Opportunity Identification 2. Define and Design 3. Develop and Unit Test 4. Testing and Deployment 5. Operate and Implement Controls 6. Continuous Improvement

Jared Reduces EUC Risk with ITeSS

In the Risk Reduction Methods section of this course, Jared confirmed he must migrate his EUC (a High Risk spreadsheet tool) to an ITeSS Tool, after consulting with his EUC Champion, Priya.

To proceed, select each ITeSS Lifecycles phase to learn more.

 

1. Opportunity Identification

The first phase is Opportunity Identification.

Jared, as the ITeSS Tool Owner:

  1. Identifies the need for an ITeSS Tool suitable for development
  2. Uses the EUC & ITeSS Decision Tree to identify ITeSS Tools, and
  3. Identifies an ITeSS Platform based on suitability to execute the business need.

EUC Champion Priya reaches out to Karen, representing Business & Function IT, to help Jared identify a suitable ITeSS Platform on which to develop the ITeSS Tool. This decision must consider factors like data security, functionality, and compliance with Citi policies.

Roger, Jared’s C15+ (or Delegate), reviews and approves the ITeSS Tool development assessment and artifacts.

2. Define and Design

Next, Jared works with the EUC Champion Priya and Karen, who represents Business & Function IT, to:
  1. Define the scope of the solution, and identify impacted stakeholders, and
  2. Document the requirements, including data sources, process workflows, and critical success factors.

Key Stakeholders review and approve the design, ensuring it aligns with business needs and Citi's IT policies.

Note: ITeSS Tool Owner’s C15+ (or Delegate), Roger, is required to approve the artifacts in the Inventory Tool.

3. Develop and Unit Test

With the design approved, Jared, with the support of EUC Champion Priya:
  1. Obtains access and develops the ITeSS Tool on the designated Platform; and
  2. Conducts unit testing, documenting test scenarios and expected results.

Note: ITeSS Tool Owner’s C15+ (or Delegate), Roger, is required to approve the artifacts in the Inventory Tool.

4. Testing and Deployment

After successful unit testing, Jared's ITeSS Tool is deployed to User Acceptance Testing (UAT). Jared and the Business users involved, test the solution and provide feedback in adherence of the requirements.

Once UAT is complete, ITeSS Tool Owner’s C15+ (or Delegate), Roger, must approve the test results and document them in the ITeSS Inventory Tool.

After approval of the test results and documentation, Jared must register the ITeSS Tool and complete the Risk Assessment Questionnaire in the ITeSS Inventory Tool. This request must be approved by Roger, his C15+ (or Delegate) within 30 calendar days of submission.

Jared needs to submit a change ticket for deployment to production. Karen, the Business & Function IT, deploys the solution to the production environment, following Citi's Change Management procedures.

Jared must validate the deployment into production in partnership with Business and Function IT.

5. Operate and Implement Controls

Once in production, Jared is responsible for the day-to-day operation of the ITeSS Tool. He monitors performance, manages user access, and addresses any issues that arise.

Karen, of Business & Function IT, ensures the ITeSS Platform's stability and security, while EUC Champion Priya provides ongoing support and guidance to Jared.

Business and Function IT provides ongoing support for the ITeSS Platform.

6. Continuous Improvement

The ITeSS Lifecycle is continuous. Jared, with support from EUC Champion Priya and Karen, the Business & Function IT, regularly reviews the Tool, seeking opportunities to enhance functionality, improve efficiency, and further mitigate risk.

To ensure compliance and improvement of ITeSS Tool, Karen, the Business & Function IT, reviews Software and Platform level controls to assess conformance with the latest Standard and approve re-certification.

Knowledge Check

What type of testing environment is Jared's solution deployed to after successful unit testing?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Coming Next

Up next is a summary of key takeaways from this training.

Key Takeaways

Key Takeaways

In this section, we’ll review what you learned in this course.

Scroll down to continue.

Recap of What You Learned

  • EUC Lifecycle has five phases: Identification and Pre-Creation, Registration, Risk Assessment, Controls Implementation and Risk Reduction. These phases are designed to enhance the control environment and reduce risk associated with EUCs by providing a structured framework for their management.
  • As an EUC Owner, you are responsible for identifying and registering EUCs, performing a risk assessment to determine the risk level, performing file level controls, and submitting the Risk Reduction plan and execution.
  • There are three Risk Reduction methods for EUCs which are Business re-structuring/ Process re-engineering, Migration / Enhancement to Non-ITeSS Technology Platform and IT-enabled Smart Solutions (ITeSS).
  • The ITeSS Lifecycle consists of six phases: Opportunity Identification, Define and Design, Develop and Unit Test, Testing and Deployment, Operate and Implement Controls and Continuous improvement.
  • ITeSS Tool Owners are responsible for managing the ITeSS throughout its lifecycle together with their C15+ (or Delegate) who approves of creation and any changes to the ITeSS Tools. They are guided by the EUC Champions as they perform their roles.

Remember, our goal is to manage, prevent and reduce EUC risk by implementing approved EUC Lifecycle Controls and risk reduction strategies, including ITeSS - a governed alternative that enables safer execution in a controlled environment.

With any existing EUC, consult with your EUC Champion or Business and Function IT for any potential ITeSS Tool.

Coming Next

Now it’s time to check your understanding of the content by completing a short assessment.

The first three phases of the EUC Lifecycle are Identification and Pre-Creation, Registration, and Risk Assessment. What are the final two phases?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Jane, a potential EUC Owner, created a spreadsheet to automate financial reporting. What is the first step she should take in the EUC Lifecycle?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

You have just received approval to create a new EUC. As the EUC Owner, you’ve already registered the EUC and confirmed the decision tree responses. What are the remaining steps?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Who is responsible for supporting and advising the EUC Owner and providing oversight by performing in-business Quality Control (Sector QC) to verify compliance with the EUC Policy?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

What is required of an EUC Owner after a Critical or High Risk Assessment rating is approved?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Business has decided to migrate a Critical Risk to a Non-ITeSS Technology Platform. However, the migration will take 2 years to complete.

What is the Business team’s best solution?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Which phase of the ITeSS Lifecycle involves monitoring and maintaining the Tool in the production environment?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

What is the primary responsibility of the Business and Function IT during the Opportunity Identification phase of the ITeSS Lifecycle?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Who is responsible for identifying the need for an ITeSS Tool in the case study?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Ricardo is transitioning a High Risk database EUC to an ITeSS Platform. He works with his Business and Function IT to define the scope of the solution and identify impacted stakeholders.

What should Ricardo do next in the Define and Design phase?

Select the best response from the four options and then select Submit.

Please use the Space key only when selecting a radio option with the keyboard. The Enter key is not fully supported. If the Enter key has been used to select a radio option, please use the Escape key. Then you will be able to use the Space key again to select a radio option.

Submit

Copyright © Citi and/or its affiliates. All rights reserved.

Select the Home button at any time to return to this menu.

Welcome

The End User Computing (EUC) Lifecycle

The End User Computing (EUC) Lifecycle in Action

Risk Reduction

Quality Control and Assurance Review and Effectiveness

ITeSS — An Alternative Solution to EUCs

ITeSS Lifecycle in Action

Key Takeaways

Assessment

Home
Welcome
The End User Computing (EUC) Lifecycle
The End User Computing (EUC) Lifecycle in Action
Risk Reduction
Quality Control and Assurance Review and Effectiveness
ITeSS — An Alternative Solution to EUCs
ITeSS Lifecycle in Action
Key Takeaways
Assessment

go to close menu button

 

go to close button