The Future Of Continuous Risk And Controls Monitoring

Brian Ocampo and Ben Zimmerman

Is my biggest risk the one I can’t see? How confident am I that my controls are really working? How can I get a faster, more holistic view of risk across my software landscape?

These are the questions being asked by CFOs, controllers, and compliance managers who are increasingly burdened with the effort to manage risks and controls while staying cost efficient. According to the EY report There’s no reward without risk: GRC survey 2015, leading organizations regularly prepare scorecards and dashboards that include key indicators to monitor risks. However, only 46% of respondents utilize an integrated governance, risk, and compliance (GRC) technology to get this risk visibility. As a result, organizations often resort to traditional methods to monitor risks — often through laborious, manual processes that do not provide quality insight into their environment.

To complicate this situation, many organizations today have multifaceted IT environments that contribute to fragmented views of risk. This makes it difficult to effectively track risks within their business and IT processes, often resulting in recurring audit findings and a reactive risk management posture. Clearly, there is a growing need for a “single source of truth” as it relates to risk and controls data that can provide a holistic, factual view of risks across the enterprise.

The typical current state: many organizations have disparate sources of data to monitor risk, leading to different points of view on risk and the health of controls.

Unlocking the power of data

While the practice of risk and controls monitoring is not new, advances in cloud computing, data analytics, mobile devices, and robotics make it possible and accessible for more companies to adopt leading practices around risk monitoring. The following are some common elements and key attributes typically observed in leading-practice organizations:

Single view of risk — Organizations have millions of data records across dozens of systems. In order to more effectively monitor risk, companies need a single view of risk. Technology helps consolidate data to provide a holistic reporting of risk.

Key risk indicators — Many organizations have a clearly defined set of key indicators that provide them with a snapshot of the overall health of risk and controls in their business and IT processes. These key indicators serve as a guide to investigate further if potential issues are suspected.

Continuous monitoring — Near real-time monitoring helps enable early detection of control failures and supports audit readiness. It can quickly improve confidence in the accuracy of financial reporting and reduces audit stress.

Trend analysis — High-level views of key risk indicators across different dimensions (e.g., trending over time, dollar value, transaction type) help identify the root cause of control breakdowns. Instead of constantly addressing the symptoms, organizations are able to improve process efficiencies and address systemic risks within their environments.

Cloud computing — Cloud technology allows organizations to implement advanced risk monitoring tools with subscription-based, managed service models, helping reduce the need to invest in infrastructure. Further, the cloud infrastructure can also give users increased accessibility to their data anytime, anywhere using laptops or mobile devices with Wi-Fi or cell phone access.

Future state: voluminous data is continuously gathered from multiple sources and aggregated continuously to provide real-time information to organizations, which allows for more agile decision-making and proactive risk management.

EY Business Integrity Platform (BIP) is an innovative example of a cloud-based offering built on SAP Cloud Platform that combines the power of SAP Fiori and SAP HANA with EY intellectual property to help simplify how organizations analyze data to effectively monitor risk.

Advancing risk monitoring in your organization

Here are a few tangible next steps for you to consider:

  • Defining and understanding key risk indicators (KRIs) in your organization that can impact the business
  • Defining an accountability structure for KRIs
  • Designing and activating strong monitoring processes around KRIs
  • Adopting cutting-edge technology that fits within your overall technology strategy
  • Employing data analytics and trends to address root causes for control issues

Would you like to eliminate the challenges faced by many companies when managing risks within business and IT processes? Dive into the future of risk and controls monitoring with advances in cloud, analytics, and Big Data. Empower management to be more proactive with one view of risk enabled by near-real-time data and EY’s Business Integrity Platform.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.


Brian Ocampo

About Brian Ocampo

Brian Ocampo is a senior manager in the Advisory Services practice of Ernst & Young LLP, with over 16 years’ experience as a business process and internal controls professional. He assists organizations in transforming their risk and compliance functions to better manage and control risks across the enterprise in a well-coordinated manner. From a technology perspective, he has extensive experience in SAP governance, risk, and compliance solutions and solutions for controls and security. He possesses a well-integrated knowledge of finance, IT, and compliance. His experience spans many sectors with a focus on life sciences, consumer, and industrial products and media and entertainment companies.

Ben Zimmerman

About Ben Zimmerman

Ben Zimmerman is the lead SAP Risk Partner at EY for the Americas. He focuses on helping clients build a risk-aware organization by leveraging technology to strengthen the first and second lines of defense.