[Editor's note: This article was co-written by Johnny Lee.]
———-
Despite the steep costs of implementing Continuous Controls Monitoring (CCM), AMR Research reports that it will be one of the top three GRC investment areas of 2010. GRC executives must maximize the value of this significant investment to justify increased GRC spending going forward.
The CCM value challenge
With so many companies seeking to reduce or eliminate non-value-creating costs despite the apparent economic recovery, it is incumbent on GRC executives to continuously demonstrate the value of GRC processes and investments or run the risk of losing funding.
A typical Continuous Controls Monitoring (CCM) implementation can cost $300,000 to $500,000 or more. Yet many companies make this significant investment to address only one particular business process or area of regulatory compliance. Once that initial mandate is satisfied, the technology’s utility (and the corresponding ROI) begins to diminish, and the technology itself is seen as a necessary evil rather than a value driver.
Institutional memory can be short in our new-normal environment; for that reason, finding ways to create new value by leveraging this significant investment is critical.
Meeting the value challenge
Fortunately, even though they are often unrealized during an initial implementation, the capabilities of CCM technology are tremendous. With a little creativity, GRC executives can leverage those capabilities to deliver even greater value to the business and thus increase the return on CCM investments.
At its core, most CCM technology is a rules-based, transactional, exception-finding engine. As information about new events (transactions, in this context) is fed into a CCM system, that information is compared with an established set of rules. Any transaction that falls outside the bounds set by those rules is flagged as an exception and marked for review. While its typical use is limited to applying controls rules to business process data, CCM technology is capable of so much more:
1. CCM technology can apply virtually any set of rules to any set of data where the rules can be defined in a manner understood by the technology and the data is presented in a usable format.
This technology has applications beyond transactional monitoring for controls compliance. For example, a company seeking to reduce its exposure related to possessing Social Security numbers, credit card numbers and other protected information could use the capabilities of a CCM system in concert with commercially available email scanning systems in order to identify communications that appear to match a profile associated with sensitive data.
2. While CCM capabilities are usually applied to new transactions in real time, the technology is also capable of looking at stored information.
It is possible to use this technology to review past transactions in addition to new transactions being added to the database. For example, a company embarking on a record-retention effort could use CCM technology to review existing electronic records to determine which meet certain criteria (such as age, author or content type) and for that reason require retention. In addition, the technology can help process owners as they brainstorm how to assign retention requirements to newly created documents.
3. Creating a new control to be monitored by CCM is often as simple as creating a new database query.
Where the level of effort is nonmaterial, it becomes possible to create ad hoc controls to be applied to existing and new transactional data. For example, a company that must produce emails, documents and other records regarding a particular vendor or customer as part of an e-discovery request in a lawsuit can leverage CCM’s broader capabilities to respond both more quickly and more comprehensively through the creation of ad hoc controls and their application to pertinent data sets.
4. Most CCM applications are risk-focused. However, CCM technology itself makes no differentiation between rules that point to risk and rules that point to opportunity.
The same CCM process that is used to identify payables about to become subject to late fees or penalties can be used to identify those that are eligible for early-pay discounts when a different set of controls is applied. A CCM process being used to monitor production jobs that are falling behind schedule can also be used to identify draft contracts that will produce lower-than-expected profitability. When such instances are flagged for review, a company may be able to take steps to realize a more positive outcome.
The list of possible applications of CCM technology is endless, and the greatest value-creation opportunities will vary from company to company. The size of that list will only increase over time.
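To make points 3 and 4 concrete, the sketch below treats each control as a named database query and runs a risk rule and an opportunity rule over the same stored payables. It is an added example, not code from the article or from any CCM product; the table schema, control names and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample payables; vendors, amounts and dates are illustrative only.
# Columns: invoice_id, vendor, amount, due_date, discount_deadline, paid
PAYABLES = [
    ("INV-001", "Acme Supply", 12000.00, "2010-03-05", "2010-02-20", 0),
    ("INV-002", "Borealis Ltd", 4300.00, "2010-03-28", "2010-03-04", 0),
    ("INV-003", "Acme Supply", 880.00, "2010-03-02", None, 1),
    ("INV-004", "Cordova Inc", 25500.00, "2010-04-15", "2010-03-03", 0),
    ("INV-005", "Delta Freight", 610.00, "2010-02-25", None, 0),
]

# Each control is a named query; :as_of and :window are bind parameters.
CONTROLS = {
    # Risk rule: unpaid and due within the window, or already overdue.
    "late_fee_risk": """
        SELECT invoice_id FROM payables
        WHERE paid = 0
          AND due_date <= date(:as_of, '+' || :window || ' days')
        ORDER BY invoice_id""",
    # Opportunity rule: unpaid and the discount deadline is still reachable.
    "early_pay_discount": """
        SELECT invoice_id FROM payables
        WHERE paid = 0 AND discount_deadline IS NOT NULL
          AND discount_deadline BETWEEN :as_of
              AND date(:as_of, '+' || :window || ' days')
        ORDER BY invoice_id""",
}

def load(rows):
    """Build an in-memory store standing in for the transaction database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE payables (invoice_id TEXT PRIMARY KEY, vendor TEXT,"
               " amount REAL, due_date TEXT, discount_deadline TEXT, paid INTEGER)")
    db.executemany("INSERT INTO payables VALUES (?,?,?,?,?,?)", rows)
    return db

def run_controls(db, controls, as_of, window_days=7):
    """Apply every control to the stored data; return {control: [invoice_id]}."""
    params = {"as_of": as_of, "window": window_days}
    return {name: [row[0] for row in db.execute(sql, params)]
            for name, sql in controls.items()}

if __name__ == "__main__":
    # An ad hoc control (point 3) is one more query over existing records.
    adhoc = {**CONTROLS, "vendor_acme": "SELECT invoice_id FROM payables "
             "WHERE vendor = 'Acme Supply' ORDER BY invoice_id"}
    for name, hits in run_controls(load(PAYABLES), adhoc, "2010-03-01").items():
        print(name, hits)
```

The engine code is identical for both rule types; only the query text decides whether an exception signals exposure or a saving.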
The bottom line
Whether a company has already invested in CCM technology or is considering it, there are opportunities to leverage underutilized capabilities of the technology and realize a greater return on that investment. While the efficiency gains and improved effectiveness associated with automation of controls monitoring may be enough to justify the initial investment, every additional application of that technology serves to increase its value and, by extension, the value of the GRC function.
Next steps
If they are not already doing so, GRC executives should work closely with business leaders to identify the challenges and issues they face that may not fit the conventional definition of risk and therefore may not have benefited from scrutiny within existing internal audit or compliance monitoring processes. By evaluating and scoping each opportunity as a potential project, GRC executives can quickly determine where the most bang for their buck can be realized by leveraging the capabilities of CCM technology in areas outside the traditional arena of business controls compliance.
**********
About the co-Author
Johnny Lee is an attorney and management consultant specializing in data analytics, information governance, and electronic discovery in support of investigations and civil litigation, and he provides advisory services to companies working to address complex records and information management issues.
He serves as a Director in Grant Thornton LLP’s Forensic Technology Services practice in Atlanta, Georgia.
Johnny can be reached via email at johnny[dot].lee2[at]gt[dot]com.







