A Fitness Monitor For Your Risk Profile?

How continuous control monitoring can lead to a smarter, safer, and healthier organization.

If you were a recreational runner a few years ago, you may remember taking your pulse manually with your fingertips. You knew there was an optimal heart rate range to get the most benefit from your exercise, but you probably didn’t track your numbers very closely.

Then you got your first Fitbit or Apple Watch, and your workouts have never been the same. Now a tiny computer monitors your every move, providing a constant stream of data about your fitness levels while prompting you to strive toward new activity goals.

Companies seeking to improve their risk management fitness are experiencing a similar epiphany as they institute continuous control monitoring, or CCM. This technology supports high-frequency automated monitoring of controls to more effectively manage risk and ensure regulatory compliance.

Already implemented by many organizations, especially those in highly regulated industries, CCM takes the place of labor-intensive sample testing. Results are published periodically, and controls can be tested monthly, weekly, daily, or even in real time. The process registers changes in the organization’s risk profile for which CCM is set up and, most importantly, creates an opportunity to act far faster than ever before.

Achieving a holistic view

Older, siloed information systems and business processes don’t support CCM. Instead, CCM requires a common data platform that can consistently create connections between data sources to allow aggregation into a single data model. Accessing that model through an integrated governance, risk, and compliance (GRC) capability creates a priceless single window into an organization’s risk-and-controls health.

The resulting wealth of data, however, can create information overload—and overreaction.

For instance, where manually measured controls allow testing of only a small sample—say, 100 of 100,000 IT changes—CCM enables review of all 100,000 IT changes automatically. If 1% of the IT changes don’t pass muster, the manual process would report a single failure from its sample, likely raising few alarms. But that same 1% would result in a CCM report of 1,000 failures, potentially drawing far more attention and adrenalin.

That’s why effectively adopting CCM requires a culture shift across the organization.

While it’s a powerful new tool for managing risk, CCM’s abundance of data can come as a shock to long-established norms. With CCM, executives accustomed to reviewing quarterly reports about issues that already have been resolved now can see control tests fail in near real time. A dashboard filled with red alerts—even if those alerts represent the same percentage of failures as previously reported—can drive the wrong behaviors if the required culture and education shifts haven’t been embedded in the organization.

It’s important to remember that your organization has the same level of risk the day CCM is implemented as it had the day before. You are now getting a more granular view of how the pulse of the company rises and falls, its natural ebb and flow. Some alerts will self-correct as part of the natural course of events. Others, however, are the real points of concern—the atrial fibrillations of your company, if you will.

Ensuring you have a strong and integrated GRC solution is key to discerning the signal from the noise so that you can adjust your tolerances for action and escalation accurately.

Controlling risk fitness

With a carefully measured response to failure reports, a well-integrated CCM solution lets companies manage risk far more effectively and efficiently, while they also get actionable insight that helps them maximize desired business outcomes.

Formerly laborious audit cycles can be streamlined with automated reviews and reports.

Just as your personal fitness monitor helps guide you toward improved physical fitness, CCM solutions can help companies achieve better risk management fitness, improve the overall health of the enterprise, and allocate resources to help them reach their goals.