Q&A: Fannie Mae reins in end-user developed applications
A couple years ago, when it appeared that the worst of the financial meltdown was behind us, mortgage finance company Fannie Mae decided it was time to get a handle on the applications that non-IT employees were developing for themselves--which they call end-user computing applications (EUCs). The company discovered that a lot of non-IT employees were developing applications without any documentation or controls, using everyday office productivity software such as Excel, Access and SAS. These applications offer real business value, but they can also bring real risk to the organization.
Demanding that employees stop developing applications would only create rogue developers, Fannie Mae's Leon Nisenfeld said in an interview with FierceCIO. So instead, Nisenfeld, director of application development for operations and technology risk controls, spearheaded a different approach. The initiative ultimately resulted in an EUC "factory," operated by IBM (NYSE: IBM) in East Lansing, Mich. The factory provides application development services to the lender on a pay-as-you-go basis, enabling the company to meet its unpredictable application development needs while providing the necessary level of control.
FierceCIO: What were the main drivers for changing the way end users were coming up with the applications they need to do their jobs?
Leon Nisenfeld: End user software tools have become more prevalent, and people are getting more sophisticated with them. What starts as a spreadsheet may grow organically. This organic growth is valuable to the business, but we needed to find the appropriate level of risk control for it. We needed to explain the technology risks to the business users.
FCIO: What types of applications are we talking about, and which employees are developing them?
Nisenfeld: These are primarily around office automation tools. We've had a whole variety of people who have found a need to develop applications. So many people use spreadsheets to keep track of things, and they recognize the use of putting some automation on top of them.
FCIO: Can you give an example?
Nisenfeld: I can give you a generic example that applies to many companies. Someone might work with an application that has a lot of data, but it might not include a report that gives a breakdown of the data. The user might export data from the database to a spreadsheet and create a pivot table. When there's a potential that it could change the way business transactions are completed, that's where risk could come in.
These EUCs are great short-term solutions, but we can't leave them out there for a long period of time. We've had some that are kept around for a few months and some that are around for 18 months.
FCIO: What are the main risks in these situations?
Nisenfeld: They're the standard risks that any organization would evaluate for a technology risk assessment: Making sure access is controlled; making sure the end user developed tool doesn't make it easy for hackers to get in; data quality standards and policies.
FCIO: What was the first step in trying to improve controls over end-user developed applications?
Nisenfeld: We went out and did an inventory. We were not going to just jump in and slam controls on everyone. We had a cooperative effort with people identifying their applications. We engaged people to get the inventory, and we talked through how we were going to apply controls. Then we did the risk assessment. We worked on the high-risk applications first. Then we customized that process to the medium-risk and low-risk levels. There was a general agreement that we needed to add controls, but there were questions about how to do it. This is where the idea of the factory came up.
FCIO: Why not have IT develop the applications that end users need?
Nisenfeld: The more you force everything through the technology organization, the more it goes underground.
Before my current role, I worked in the technology organization here, trying to help one business segment that was starting to use a lot of spreadsheets and was reaching out to the technology organization for support. We had to be able to help them without slowing them down too much. I had a very small team focused on trying to do some quick turnarounds for them. This was part of what went into the model for the EUC factory with IBM.
FCIO: What advantages does the application development factory model offer?
Nisenfeld: The factory provides a more agile development approach. A service provider like IBM can offer the variable support that we need. We'll bring in requests as they come in, and we've got this great service that can maintain most of the speed.
It's been set up as a pay-as-you-go service. Our demand is unpredictable. We've had some projects that take a month and some that have taken three or four months. These needs can come up in a flash. We have a pricing sheet like t-shirt size prices.
FCIO: Were there any surprising lessons along the way?
Nisenfeld: One of the surprises was the effectiveness of the program from the risk perspective. I am not technically part of the technology organization in this role, even though you might expect the technology organization to be leading the charge. I grew up in the technology organization, and my career has been technology up until the last few years when I moved into the risk role. I have dealt almost exclusively with front end systems, such as line of business applications that run on the desktop. I'm very in touch with the user interface, and to see that the risk organization has been able to achieve so much is gratifying.
I think there were some lessons in it for the technology organization as well. The technology organization does have to be comfortable letting go a little bit. It helps if the risk organization can come in and say yes, we understand both sides of it.
FCIO: Where do you envision the factory model headed?
Nisenfeld: There are some great tools in terms of business intelligence out there, really good analytic tools that put a lot of power in the hands of the end user. But we're concerned about the data. For now, we're trying to find ways to show business users ways to use their tools better. We like to be able to say, here's an opportunity to get more bang for the buck. This helps me sleep at night from a controls perspective, and it also it builds the relationship. We're giving them a better way to do things.