
Solution Guide - End-User Application Governance

Thank you for your interest in our ADOIT solutions! We are excited to help you transform your Enterprise Architecture initiatives into actionable results.

Before You Start

This guide assumes that you’ve already completed the ADOIT Quick Start Guide. If your ADOIT environment is already set up, you can start directly with the End-User Application Governance Solution Guide.

Empower Innovation with Secure End-User Computing

In many companies, employees develop their own End User Computing (EUC) applications (such as Excel sheets, Access databases, or macros) to solve daily operational tasks. This grassroots innovation is highly beneficial, as it empowers teams, enhances flexibility, and significantly boosts productivity by reducing dependence on the IT department. In fact, a majority of organizations recognize that EUC applications improve overall productivity.

However, because these user-built tools often operate outside of IT's direct assessment, they naturally come with certain risks. Without proper awareness, organizations can face data integrity issues, a lack of documentation, and compliance challenges. For instance, about one-third of successful cyber-attacks target data stored in unmonitored infrastructure.


To stay resilient and scale innovation safely, companies need to bring visibility to these solutions. End-User Application Governance helps you manage these applications with well-informed, transparent, and compliant decisions across the enterprise. This approach allows you to fully embrace the advantages of EUC while actively reducing risks, safeguarding business continuity, and ensuring compliance with regulations like DORA and NIS2.

Why End-User Application Governance in ADOIT

Effectively managing EUC requires a proactive approach that combines policy enforcement, technology, and transparency without stifling innovation.

ADOIT provides a unified view of all applications and processes, including those created and maintained by end users. With ADOIT, you gain the visibility and governance needed to turn hidden risks into well-managed assets. It empowers you to establish governance policies, track changes, monitor audit trails, and ensure that all applications meet the required regulatory standards - giving both business and IT the confidence to innovate safely.

How it Works in ADOIT

Choose the lean metamodel profile as a starting point

As already recommended in the ADOIT Quick Start Guide, choose the ‘ADOIT for Lean Architecture Fans’ metamodel profile. It is a proven and pragmatic starting point that keeps things simple while still allowing meaningful analysis.

It simplifies the complexity of ArchiMate while ensuring you have all the objects and relations needed to fully use our offered solutions and sample models.

Metamodel Profiles

From there you can expand step by step once you know which elements and relationships are actually needed for your End-User Application Governance practice.

Make it easy for teams to register their tools

The first step to gaining control is asking your teams to register their End User Applications. Create enterprise-wide transparency and establish a reliable foundation for safe governance.

ADOIT Forms

Steps:

  1. Use ADOIT Forms to give everyone a simple, guided way to register their end-user applications without needing deep repository knowledge.
  2. Provide your users with the link to the dedicated "Submit an end-user computing application" form.
  3. Users assign a name to the EUC application, briefly describe its purpose and add the business units that are using the application.
  4. Then users specify which types of technology are used and whether the data processed in the application is, for example, personal or customer data. This is important due to potential security or compliance issues.
  5. Optionally they can select a tag to classify the application. For example "EUC".
  6. Once the form is submitted, the next steps depend on your form settings:
    • "Approval required" IS NOT activated: The new objects are automatically stored in the predefined repository folder.
    • "Approval required" IS activated: The information is sent directly to the defined approvers to review.


Review process when "Approval required" is activated:

  1. When "Approval required" is activated, the information is sent directly to the selected Enterprise Architects to review. They will be notified via email.
  2. On the forms page under "My Approvals" the Enterprise Architects can review and approve or reject the suggested applications. In this step it is also possible to make changes to the suggested applications.
  3. After clicking "Approve" the new objects are automatically stored in the predefined repository folder.

Risk Assessment

Spot risks before they impact the business

Once the EUC catalogue is established, you need to assess whether these applications contain confidential data and how their security can be improved. Quickly see which capabilities, technologies, and processes each user-built tool touches to identify risks early.


Steps:

  1. Open a view that shows how the EUC applications are assigned to their respective organizational units. You can use our example: Business Actor -> responsible for -> Application Component
  2. In our example form we used the "action required" attribute as a YES/NO question asking whether the data processed in the application is personal or customer data. Now we can use ADOIT's color coding to visually highlight applications that process this sensitive data (e.g. highlighting them in red). These applications represent a higher risk and require immediate action.
  3. Take a closer look at a high-risk EUC application by opening the Insights Dashboard.
  4. In the Relationship Network, you can instantly see which data objects (e.g., Passenger Data) are linked to this application and what underlying technology (e.g., Excel) is being used.
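The registration attributes from the form (the YES/NO sensitive-data answer) and the relationships used in the risk view (Business Actor -> responsible for -> Application Component, plus the data objects and technology each application is linked to) can be combined into a small triage routine. The following is an added illustration, not ADOIT's own code or API: the repository contents, the relation names and the `SENSITIVE` flags are constructed sample values ("Passenger Data" and "Excel" are taken from the guide, the rest is made up), and the ranking rule (sensitive first, then by number of responsible units) is an assumption.

```python
from collections import defaultdict

# Constructed mini-repository in the shape the guide uses
# (Business Actor -> responsible for -> Application Component,
#  Application Component -> uses -> Technology / accesses -> Data Object).
# Names are constructed sample values, not real ADOIT data.
RELATIONS = [
    ("Operations", "responsible for", "Crew Roster Sheet"),
    ("Marketing", "responsible for", "Crew Roster Sheet"),
    ("Crew Roster Sheet", "uses", "Excel"),
    ("Crew Roster Sheet", "accesses", "Passenger Data"),
    ("Finance", "responsible for", "Expense Macro"),
    ("Expense Macro", "uses", "Excel VBA macro"),
    ("Expense Macro", "accesses", "Cost Centre List"),
    ("Marketing", "responsible for", "Campaign Tracker"),
    ("Campaign Tracker", "uses", "Access"),
    ("Campaign Tracker", "accesses", "Customer Contacts"),
]
# The form's YES/NO "action required" answer per application (constructed).
SENSITIVE = {"Crew Roster Sheet": True, "Expense Macro": False, "Campaign Tracker": True}

def build_index(relations):
    """Index relations in both directions so the network can be walked from any object."""
    out, inc = defaultdict(list), defaultdict(list)
    for src, rel, dst in relations:
        out[src].append((rel, dst))
        inc[dst].append((rel, src))
    return out, inc

def relationship_network(app, relations=RELATIONS):
    """What the Relationship Network shows for one application: owners, data, technology."""
    out, inc = build_index(relations)
    return {
        "responsible": sorted(s for r, s in inc[app] if r == "responsible for"),
        "data": sorted(d for r, d in out[app] if r == "accesses"),
        "technology": sorted(t for r, t in out[app] if r == "uses"),
    }

def risk_view(relations=RELATIONS, sensitive=SENSITIVE):
    """Colour-coded catalogue: red = processes sensitive data (needs action), green otherwise.
    Rows are ranked sensitive-first, then by how many business units depend on the tool."""
    apps = {dst for _, rel, dst in relations if rel == "responsible for"}
    rows = []
    for app in apps:
        net = relationship_network(app, relations)
        colour = "red" if sensitive.get(app, False) else "green"
        rows.append((app, colour, len(net["responsible"]), net["data"], net["technology"]))
    rows.sort(key=lambda r: (r[1] != "red", -r[2], r[0]))
    return rows
```

Each row of `risk_view()` is what the colour-coded view would surface: the application, its colour, the number of responsible units, and the data objects and technology it touches.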

Roadmap

Shape how each tool should evolve

Create clear improvement plans for every tool. Decide whether to secure, enhance, or modernize the application, and assign ownership to make it happen.

Steps:

  1. Develop a roadmap or strategy to secure EUC applications that contain sensitive data.
  2. Decide on the appropriate action: "securing" can mean migrating the solution to a more robust technological platform, implementing access restrictions, or choosing better-protected storage locations.
  3. Create a Workspace to plan the phase-out of the risky EUC applications.
  4. Build a Gantt chart view that visualizes the lifecycle of each EUC application and its replacement timeline.


Keep governance aligned as things change

Keep governance a living process. As tools evolve or new ones arise, ensure decisions stay accurate, aligned, and compliant. Use up-to-date overviews tracking governance status, actions, and progress over time to ensure that all applications continuously meet the required standards.