DM Review | Covering Business Intelligence, Integration & Analytics
Thoughts from the Integration Consortium:
Continuous Monitoring Meets Enterprise Risk Management

Column published in DMReview.com
October 6, 2005
By Integration Consortium

This month's column is written by Robert Martin, senior solution architect for Online Business Systems.

Over the past two years, new risk-management solutions have slowly started to appear under the banner of continuous monitoring. These solutions integrate with existing systems and provide ongoing assurance through detection of events of risk-management interest and notification of stakeholders. Over the last six months or so, increasing industry buzz has arisen from new entrants in the field, partnership announcements, large customer implementations and the odd mention by analysts and articles in some mainstream publications.

This column discusses key benefits of these solutions and reasons behind the growing interest at this point in time, some considerations for integrating such tools into enterprise risk management (ERM) programs, and some predictions for how this field will develop over the coming years.

Key Benefits

The key focus for continuous-monitoring solutions is to reduce recurring manual compliance effort, chiefly through replacing manual controls with automated ones. Compliance and cost reduction aside, these solutions can increase assurance of financial integrity in several ways.

Why Now?


Sarbanes-Oxley (SOX) will be a significant driver to accelerate the need for timely awareness and reaction to risk events. SOX Section 409, in particular, requires prompt disclosure of information materially impacting the organization, implying a need for rapid detection of concerns, analysis and coordinating sound corporate reaction.

Other regulations such as Basel II imply requirements for real-time controls and diligence (e.g., antifraud and money laundering) in industries with transaction volumes so high that integrated, automated compliance solutions are necessitated.

Sustaining Compliance

Compliance with Sarbanes-Oxley has been a major driver for organizations to begin embracing risk management on a broader scale. For many organizations, initial compliance efforts were very manual, more expensive than anticipated and focused on documenting current practice. Deadlines necessitated a tactical view for initial compliance efforts. These organizations are now recognizing that the strategic view involves remaining compliant, fixing or improving broken processes and controls, establishing repeatable compliance practices that maintain or improve accuracy and keeping cost under control.

Maturing ERM

More organizations are adopting ERM, and early adopters are maturing in discipline. An organization's risk program takes time to develop, starting from an initial base of core practices and extending in capability over years. Improving the timeliness of information delivery is one performance factor that is optimized in programs over time. Continuous monitoring techniques promise to minimize the lag in detection of risk events.

Considerations for ERM

Different Kinds of Monitoring

There are different types of monitoring supported by these kinds of tools. All play a role in comprehensive risk management programs.

In this column, the term risk event includes all of these uses and describes more than just physical events. Consider event detection to refer to detection of a physical event or instances of measurement. When you separate the concerns of detection/communication from the organizational reaction to risk events, the need to distinguish between the different kinds of events is reduced for many useful purposes.

User Interaction

Monitoring solutions typically include some kind of extensible dashboard for communicating risk events to stakeholders. They may feature asynchronous notifications and alert mechanisms such as e-mails and pagers. Depending on the solution, the front end could be a simple monitoring user interface, a dashboard in the balanced-scorecard vein or a portal intended to serve broader ERM needs, incorporating features such as workflow for issue tracking, escalation and resolution, mapping events to risk/control frameworks, multiple views for different stakeholders and so on.

Historical Risk Event Data

If a significant portion of an organization's risk events are routed through monitoring software, it can serve as a unifying point of collection for historical data. This is of value as a secure, independent audit trail of history. It can also provide historical data for analysis offline, and provide data for specialized risk controls (e.g., departure from trend).

Risk/Control Frameworks

Some packages provide libraries or rule bases of controls to jump-start organizations and the capability to extend these with additional organization-specific controls. Organizations will have existing systems of controls in place, and overlap presents an opportunity to replace broken or cumbersome controls with built-in automated ones. The 80/20 rule will always apply, and systems will need to be extended for organization-specific controls. Similarly, there may be built-in support for established risk frameworks such as COSO or COBIT, or specific regulations. Again, organization-specific customization should be expected.


The integration of a continuous-monitoring solution with the information sources for risk events will be a significant part of any implementation effort. Within the enterprise, these sources can include ERP systems, specialized risk systems, and other packages and applications. Consider that every organization exists within a larger ecosystem of partners, competitors, regulators, industries and the world as a whole, and that it is reasonable to expect to monitor and react to external risk events as well as internal ones.

While the basic concepts underlying continuous monitoring have been around for a while, a number of factors appear to have now combined to drive customer interest beyond a threshold level, creating an emerging market space that is expected to continue to grow in 2006 and beyond. The integration of these solutions into ERM programs can provide numerous benefits. A few predictions for how ERM might change to accommodate real-time monitoring in the coming years:

  • As continuous monitoring features become more common in technology solutions supporting ERM, specialized vendors will offer best-of-breed components (e.g., portals, analyses, compliance reports, workflow engines) designed to integrate into larger solutions. Package vendors will become suite vendors. To satisfy the differing needs of organizations, they will offer versions of components featuring different degrees of sophistication, complexity, resource requirements, price points and more.
  • Standard models for risk information and information exchange will be vital to achieving successful solutions comprised of loosely coupled components. Look for independent broad industry groups such as the Object Management Group and the Integration Consortium (Risk Management and Compliance Committee) to provide guidance and lead standards development in this field.
  • Monitoring will extend beyond the enterprise to the larger risk ecosystem in which every organization exists. Standards will be developed for syndication of risk events to allow organizations to monitor/share risk events with partners (consider generalizing supply chain management), with regulators (consider the role of XBRL in compliance reporting), and to aggregators (consider RSS, news/weather feeds and exchanges reporting events pertaining to traded companies).

The next few years promise to be an interesting time for risk management.

Robert Martin chairs the Integration Consortium's Risk Management and Compliance committee. He is a senior solution architect and risk management thought leader for Online Business Systems. He has more than 15 years' experience as a senior analyst, architect and team leader in the finance, energy, healthcare, insurance, telecom and agribusiness sectors in the United States and Canada.



The Integration Consortium is a non-profit, leading industry body responsible for influencing the direction of the integration industry. Its members champion Integration Acumen by establishing standards, guidelines, best practices, research and the articulation of strategic and measurable business benefits. The Integration Consortium's motto is "Forging Integration Value." The mission of the member-driven Integration Consortium is to establish universal seamless integration which engages industry stakeholders from the business and technology community. Among the sectors represented in the Integration Consortium membership are end-user corporations, independent software vendors (ISVs), hardware vendors, system integrators, academic institutions, non-profit institutions and individual members as well as various industry leaders. Information on the Integration Consortium is available at www.integrationconsortium.org or via e-mail at info@integrationconsortium.org.
