Continuous control monitoring technology is powerful, efficient and grossly underused. Many GRC professionals automatically assume that controls should be continuously monitored. Of all the things that this technology could be used for, control monitoring is possibly the least valuable overall. I believe that properly used, continuous monitoring of risk indicators, business performance and customer and employee behaviors is far more valuable. The payback is streamlined controls, better business decisions and a dramatic reduction in human error as a cause of losses.
In 2004 I was asked to write a review for a publication of the IIA Research Foundation titled “Changing Internal Audit Practices in the New Paradigm.” One case study in particular caught my attention. Internal Auditors at Kinko’s (as it was called at that time) had developed what they called data mining techniques that allowed them to monitor daily Point of Sale (POS) transaction data and identify situations where fraud was likely based on an analysis of the timing, frequency and sequence of certain transaction types. In other words, fraudulent employee behavior could be detected early and at very low levels.
Two benefits were achieved. One was that onerous manual controls to prevent such fraud could be streamlined. The second benefit was that dishonest employees left the organization.
In 2007, Protiviti published a white paper titled “The Shift To Behavior Monitoring: A New Paradigm for Exception Based Reporting (EBR)” outlining the basic principles of the technique and giving it an appropriate name. The technique is found mainly in retailing, where it is used for loss prevention, and the white paper described its important principles and techniques. Let me give you a personal example.
A few years ago we left my adult son at home and went on vacation. I left him one of my credit cards in case he ran short of cash. Three days later, sitting beside a pool in Palm Springs, my credit card company notified me that my card had been stolen and had been used to buy about $50.00 worth of textbooks at a college bookstore.
Behavioral monitoring was able to separate 2-3 minuscule transactions from among many thousands of transactions totaling many millions of dollars, based on a pattern of spending that differed from my historical patterns.
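The mechanism behind both the Kinko’s POS case and the credit-card example above is the same: build a baseline of what is normal for each entity (a cardholder, or an employee at a register), then flag transactions that deviate from it. The following is an added illustration, not code from the post, from Protiviti or from any card issuer; the transaction records are constructed, and the function names, the thresholds (a category under 10% of history counts as rare, an amount more than three standard deviations from the mean counts as unusual) and the minimum of five historical transactions before a baseline is trusted are all assumptions chosen for the example.

```python
"""Behavioral monitoring over a transaction stream: build a per-entity
baseline from history, then flag new transactions that deviate from it.
Added example with constructed data; not real cardholder or POS records."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed history: (entity, category, amount). "entity" may be a
# cardholder, an employee at a register, or any actor being profiled.
HISTORY = [
    ("card-1", "grocery", 82.10), ("card-1", "grocery", 95.40),
    ("card-1", "fuel", 48.00), ("card-1", "grocery", 77.25),
    ("card-1", "restaurant", 63.50), ("card-1", "fuel", 52.30),
    ("card-1", "grocery", 88.90), ("card-1", "restaurant", 71.00),
    ("card-2", "bookstore", 120.00), ("card-2", "bookstore", 45.00),
    ("card-2", "cafe", 6.50), ("card-2", "cafe", 7.25),
]


def build_profiles(history, min_history=5):
    """Summarize each entity's history: category mix and amount distribution."""
    by_entity = defaultdict(list)
    for entity, category, amount in history:
        by_entity[entity].append((category, amount))
    profiles = {}
    for entity, txns in by_entity.items():
        if len(txns) < min_history:
            continue  # too little history to say what "normal" is (assumed cutoff)
        amounts = [a for _, a in txns]
        cats = Counter(c for c, _ in txns)
        profiles[entity] = {
            "count": len(txns),
            "category_share": {c: n / len(txns) for c, n in cats.items()},
            "amount_mean": mean(amounts),
            "amount_sd": pstdev(amounts),
        }
    return profiles


def score_transaction(profile, category, amount, rare_share=0.1, z_limit=3.0):
    """Return the reasons a transaction deviates from the baseline (empty = normal)."""
    reasons = []
    share = profile["category_share"].get(category, 0.0)
    if share == 0.0:
        reasons.append(f"category {category!r} never seen for this entity")
    elif share < rare_share:
        reasons.append(f"category {category!r} is rare ({share:.0%} of history)")
    sd = profile["amount_sd"]
    if sd > 0:
        z = (amount - profile["amount_mean"]) / sd
        if abs(z) > z_limit:
            reasons.append(f"amount {amount:.2f} is {z:+.1f} sd from the entity's mean")
    return reasons


def monitor(history, new_transactions, **thresholds):
    """Score each new transaction; return (entity, category, amount, reasons) for alerts only."""
    profiles = build_profiles(history)
    alerts = []
    for entity, category, amount in new_transactions:
        profile = profiles.get(entity)
        if profile is None:
            # An entity with no usable baseline is surfaced rather than silently passed.
            alerts.append((entity, category, amount, ["no baseline yet"]))
            continue
        reasons = score_transaction(profile, category, amount, **thresholds)
        if reasons:
            alerts.append((entity, category, amount, reasons))
    return alerts


if __name__ == "__main__":
    incoming = [("card-1", "grocery", 90.00), ("card-1", "bookstore", 50.00),
                ("card-1", "grocery", 900.00), ("card-2", "cafe", 7.00)]
    for alert in monitor(HISTORY, incoming):
        print(alert)
```

Run against the constructed data, the routine grocery purchase passes silently, the bookstore purchase on card-1 is flagged because that category never appears in the cardholder's history, the $900 grocery charge is flagged on amount, and card-2 is surfaced as having too little history to judge. That last case is the practical caveat: a baseline built from a handful of transactions produces noise rather than signal, so the minimum-history cutoff and the two thresholds need tuning against real volumes before alerts are trusted.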
I may be an optimist, but I believe that with more refinement and extensive research, this technology just might be able to detect a bogus $10 million transaction by a rogue trader or maybe a $50 million fraudulent entry by a CFO. If we could achieve that goal, we could eliminate costly but far less efficient and effective controls and at the same time eliminate some bad apples.
There is little evidence to suggest that the techniques described in the Protiviti paper are being broadly applied by GRC professionals.
In February 2010, The Economist magazine published a special report titled “Data, data everywhere: a special report on managing information”. It is an exhaustive analysis and discussion of the problems and opportunities presented by the enormous amount of data we are creating. According to the article, Best Buy discovered that 7% of its customers accounted for 43% of its sales and began to focus on those customers. Cablecom, a Swiss telecom operator, was able to reduce defections from about 20% of subscribers per year to less than 5% by analyzing calls to customer support early in the client life cycle and identifying which customers were likely to leave. The Economist article contains numerous examples of benefits from monitoring data for such patterns.
On April 22 I presented a webcast for Compliance Week on People Risk (http://video.webcasts.com/events/pmny001/viewer/index.jsp?eventid=34431). My premise was that as GRC professionals we had pushed our traditional “hard” controls to their limits. Human error, not “hard” control failure, accounts for the majority of losses across most fields of human endeavor, and channeling the right kinds of human behaviors to accomplish the right goals offers huge promise at lower cost.
Continuous monitoring holds great potential. The only question is whether it will be used wisely to drive down the cost of control, identify undesirable behaviors and drive better business performance, or whether its use will be limited to perpetuating and continuously monitoring the controls we have today.
I believe GRC professionals have an opportunity to dramatically change their paradigm and add value.
Your comments are most welcome.
You’ve done it once again. Great post!