Thoughts from the Integration Consortium:
This month's column is written by Robert Martin, senior solution architect for Online Business Systems.
Over the past two years, new risk-management solutions have slowly started to appear under the banner of continuous monitoring. These solutions integrate with existing systems and provide ongoing assurance through detection of events of risk-management interest and notification of stakeholders. Over the last six months or so, increasing industry buzz has arisen from new entrants in the field, partnership announcements, large customer implementations and the odd mention by analysts and articles in some mainstream publications.
This column discusses key benefits of these solutions and reasons behind the growing interest at this point in time, some considerations for integrating such tools into enterprise risk management (ERM) programs, and some predictions for how this field will develop over the coming years.
The key focus for continuous-monitoring solutions is to reduce recurring manual compliance effort, chiefly through replacing manual controls with automated ones. Compliance and cost reduction aside, these solutions can increase assurance of financial integrity in several ways.
Sarbanes-Oxley (SOX) will be a significant driver to accelerate the need for timely awareness of and reaction to risk events. SOX Section 409, in particular, requires prompt disclosure of information materially impacting the organization, implying a need for rapid detection of concerns, analysis, and coordination of a sound corporate reaction.
Other regulations such as Basel II imply requirements for real-time controls and diligence (e.g., antifraud and money laundering) in industries with transaction volumes so high that integrated, automated compliance solutions are necessitated.
Compliance with Sarbanes-Oxley has been a major driver for organizations to begin embracing risk management on a broader scale. For many organizations, initial compliance efforts were very manual, more expensive than anticipated and focused on documenting current practice. Deadlines necessitated a tactical view for initial compliance efforts. These organizations are now recognizing that the strategic view involves remaining compliant, fixing or improving broken processes and controls, establishing repeatable compliance practices that maintain or improve accuracy and keeping cost under control.
More organizations are adopting ERM, and early adopters are maturing in discipline. An organization's risk program takes time to develop, starting from an initial base of core practices and extending in capability over years. Improving the timeliness of information delivery is one performance factor that is optimized in programs over time. Continuous monitoring techniques promise to minimize the lag in detection of risk events.
Different Kinds of Monitoring
There are different types of monitoring supported by these kinds of tools. All play a role in comprehensive risk management programs.
In this column, the term risk event includes all of these uses and describes more than just physical events. Consider event detection to refer to detection of a physical event or instances of measurement. When you separate the concerns of detection/communication from the organizational reaction to risk events, the need to distinguish between the different kinds of events is reduced for many useful purposes.
Monitoring solutions typically include some kind of extensible dashboard for communicating risk events to stakeholders. They may feature asynchronous notifications and alert mechanisms such as e-mails and pagers. Depending on the solution, the front end could be a simple monitoring user interface, a dashboard in the balanced-scorecard vein or a portal intended to serve broader ERM needs, incorporating features such as workflow for issue tracking, escalation and resolution, mapping events to risk/control frameworks, multiple views for different stakeholders and so on.
Historical Risk Event Data
If a significant portion of an organization's risk events are routed through monitoring software, it can serve as a unifying point of collection for historical data. This is of value as a secure, independent audit trail of history. It can also provide historical data for analysis offline, and provide data for specialized risk controls (e.g., departure from trend).
Some packages provide libraries or rule bases of controls to jump-start organizations, along with the capability to extend these with additional organization-specific controls. Organizations will have existing systems of controls in place, and overlap presents an opportunity to replace broken or cumbersome controls with built-in automated ones. The 80/20 rule will always apply, and systems will need to be extended for organization-specific controls. Similarly, there may be built-in support for established risk frameworks such as COSO or COBIT, or for specific regulations. Again, organization-specific customization should be expected.
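To make the two preceding ideas concrete, here is an added illustration (written for this column, not code from the author, from Online Business Systems or from any monitoring vendor) of a small rule base of automated controls run over constructed daily vendor-payment totals. It includes a "departure from trend" control of the kind mentioned above, a simple approval-limit control, and an append-only, hash-chained audit trail so that the collected history can be verified independently offline. All control identifiers, thresholds and sample figures are hypothetical.

```python
"""Added example: a minimal continuous-monitoring control library.
Evaluates a rule base of automated controls over constructed transaction
records, emits risk events, and appends each event to a hash-chained audit
trail so tampering with the history can be detected offline.
Control ids, thresholds and sample data are hypothetical."""
from __future__ import annotations

import hashlib
import json
import statistics
from dataclasses import dataclass
from typing import Callable

# Constructed sample: daily payment totals per vendor (not real data).
SAMPLE_PAYMENTS = {
    "vendor-A": [1000, 1020, 980, 1010, 990, 1005, 4900],  # last day departs from trend
    "vendor-B": [500, 510, 495, 505, 500, 498, 502],        # stable
}


@dataclass(frozen=True)
class RiskEvent:
    control_id: str
    subject: str
    detail: str


def departure_from_trend(series: list[float], z_threshold: float = 3.0) -> bool:
    """True when the latest value departs from the preceding history.
    Uses a z-score against the earlier window; windows that are too short
    to establish a trend never fire, and a flat history fires on any change."""
    history, latest = series[:-1], series[-1]
    if len(history) < 3:
        return False
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    if stdev == 0:
        return latest != mean
    return abs(latest - mean) / stdev > z_threshold


@dataclass
class Control:
    control_id: str
    description: str
    check: Callable[[dict], list[RiskEvent]]


def build_rule_base() -> list[Control]:
    """Built-in controls; an organization extends this list with its own."""
    def trend_control(data: dict) -> list[RiskEvent]:
        return [RiskEvent("CTRL-TREND-001", subject, f"latest={series[-1]} departs from trend")
                for subject, series in data.items() if departure_from_trend(series)]

    def limit_control(data: dict, limit: float = 4000) -> list[RiskEvent]:
        return [RiskEvent("CTRL-LIMIT-002", subject, f"payment {v} exceeds limit {limit}")
                for subject, series in data.items() for v in series if v > limit]

    return [Control("CTRL-TREND-001", "Departure from trend", trend_control),
            Control("CTRL-LIMIT-002", "Single payment over approval limit", limit_control)]


class AuditTrail:
    """Append-only, hash-chained record of risk events: each entry commits to
    the previous entry's digest, so any edit or deletion breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: RiskEvent) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        payload = json.dumps(event.__dict__, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + entry["payload"]).encode()).hexdigest() != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def run_monitoring(data: dict, rule_base: list[Control], trail: AuditTrail) -> list[RiskEvent]:
    """One monitoring cycle: evaluate every control and record each risk event."""
    events: list[RiskEvent] = []
    for control in rule_base:
        for event in control.check(data):
            trail.append(event)
            events.append(event)
    return events


if __name__ == "__main__":
    trail = AuditTrail()
    for ev in run_monitoring(SAMPLE_PAYMENTS, build_rule_base(), trail):
        print(f"ALERT {ev.control_id} {ev.subject}: {ev.detail}")  # stand-in for e-mail/pager
    print("audit trail intact:", trail.verify())
```

Running the block reports two events for vendor-A (a trend departure and a payment over the approval limit) and none for vendor-B, then confirms the chained trail verifies. Altering any stored entry afterwards makes `verify()` return `False`, which is the property that lets the collected history serve as an independent audit trail rather than just a log.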
The integration of a continuous-monitoring solution with the information sources for risk events will be a significant part of any implementation effort. Within the enterprise, these sources can include ERP systems, specialized risk systems, and other packages and applications. Consider that every organization exists within a larger ecosystem of partners, competitors, regulators, industries and the world as a whole, and that it is reasonable to expect to monitor and react to external risk events as well as internal ones.
While the basic concepts underlying continuous monitoring have been around for a while, a number of factors appear to have now combined to drive customer interest beyond a threshold level, creating an emerging market space that is expected to continue to grow in 2006 and beyond. The integration of these solutions into ERM programs can provide numerous benefits. A few predictions for how ERM might change to accommodate real-time monitoring in the coming years:
The next few years promise to be an interesting time for risk management.
Robert Martin chairs the Integration Consortium's Risk Management and Compliance committee. He is a senior solution architect and risk management thought leader for Online Business Systems. He has more than 15 years' experience as a senior analyst, architect and team leader in the finance, energy, healthcare, insurance, telecom and agribusiness sectors in the United States and Canada.
The Integration Consortium is a non-profit, leading industry body responsible for influencing the direction of the integration industry. Its members champion Integration Acumen by establishing standards, guidelines, best practices, research and the articulation of strategic and measurable business benefits. The Integration Consortium's motto is "Forging Integration Value." The mission of the member-driven Integration Consortium is to establish universal seamless integration which engages industry stakeholders from the business and technology community. Among the sectors represented in the Integration Consortium membership are end-user corporations, independent software vendors (ISVs), hardware vendors, system integrators, academic institutions, non-profit institutions and individual members as well as various industry leaders. Information on the Integration Consortium is available at www.integrationconsortium.org or via e-mail at firstname.lastname@example.org.