Which Technology?
If you ask me which technological tools should be used for the requirements I tried to list in the previous part, I would draw the following roadmap. Of course, the sector, the geographical region in which the company operates and even the corporate culture are undeniably important factors in deciding technology investments for risk management. Therefore, it is not always correct to buy everything and start a mega GRC project. The job of technology suppliers/consultants like us is to offer models that we think fit the company’s core requirements.
Analysis of Big Data
Let’s start with analyzing big data. Downloading all the logs you have and examining them in Excel documents is repetitive and not sustainable at all. Let’s see what we can use to clean and analyze this data:
1. Fraud Detection Software: If you are a firm operating in the finance, energy, merchandising, or insurance industry, you will need fraud detection software. If you’re wondering whether there is a need for this in other industries, there will definitely be benefits, but I suggest you take a look at other methods first, because discovering patterns of fraud will require a lot of effort in terms of both data and software.
2. Smart Insights / Machine Learning-Powered Decision Algorithms: If your data is not measured in millions, if your risk management practice is very scattered within the organization, or if you do not have the people to examine all these metrics one by one, I can recommend these technologies as a cheap and practical method, because we can generate meaningful insights from the datasets and also discuss with the owners of the process/risk why these data are meaningful. A quick and effective method.
3. Data Visualization: An inexpensive and fast entry point for many organizations. It takes a long time to collect data for all risks and make calculations that will highlight strategic values. In addition, it does not seem possible to sustain quality reporting that way. Building a dashboard that explains itself is a specialty. Therefore, it is a very effective method to discuss these reports with a good data visualization expert and quickly turn them into a dashboard.
Auditing All Data
Software architectures have become very, very complex. The incredible increase in cybersecurity cases is itself due to deficiencies in the relationships between these complex software systems. In the past (I mean 7 or 8 years ago), only the finance, production, and purchasing operations of a company were managed by software; now you can find the footprint of almost every transaction, from quality management to performance management and opportunity management.
The general method for auditing the data was to take a very small portion of the footprints in the system and check it for anomalies. Experience has shown many times that this method is not very reliable. Moreover, as the data size grows, even the number of samples needed for an appropriate confidence interval will be too large to handle with human resources.
On the other hand, it is a fact that some of these data are already analyzed by the process owners. Therefore, it continues to be a serious cost for different units to receive the same data over and over again for different purposes.
KPI / KRI Tracking Software: If the aim is for the organization to reach its maximum potential, it is necessary to gradually eliminate the difference between Key Performance Indicators (KPI) and Key Risk Indicators (KRI). In other words, it is necessary to bring that famous bow-tie model to life. We need a model that can place risks and KRIs on the left side of the bow tie and results and KPIs on the right side of the bow tie. In my opinion, it is essential to develop an integrated solution with enterprise risk management software in order to monitor and analyze these critical metrics, which are collected from one or more applications and can be matched with the company’s objectives.
Continuous Audit Scripts: Here is the winner of the COVID times. In order to detect anomalies in ERP systems, we can invest in scripts that periodically report data that goes out of the confidence interval by scanning all the data. Personally, I think it would be useful to add this to the list of must-haves.
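A sketch of such a script, added here as an illustration and not taken from any product: it builds a per-vendor band from historical postings and scans every current posting against it. The record layout, the vendor names and the use of mean ± 3 standard deviations as the "confidence interval" are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data (document id, vendor, amount); not real ERP records.
HISTORY = [
    ("H-1", "ACME", 1000), ("H-2", "ACME", 1050), ("H-3", "ACME", 980),
    ("H-4", "ACME", 1020), ("H-5", "ACME", 990), ("H-6", "ACME", 1010),
    ("H-7", "GLOBEX", 200), ("H-8", "GLOBEX", 210), ("H-9", "GLOBEX", 190),
    ("H-10", "GLOBEX", 205), ("H-11", "GLOBEX", 195),
]
CURRENT = [
    ("D-101", "ACME", 1030), ("D-102", "ACME", 4800),
    ("D-103", "GLOBEX", 215), ("D-104", "GLOBEX", 150),
    ("D-105", "INITECH", 900),
]

def build_intervals(history, z=3.0, min_samples=5):
    """Per-vendor band mean +/- z * stdev, computed from historical postings."""
    by_vendor = defaultdict(list)
    for _doc, vendor, amount in history:
        by_vendor[vendor].append(amount)
    intervals = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < min_samples:
            continue  # too little history for a meaningful band
        mean = statistics.fmean(amounts)
        sd = statistics.stdev(amounts)
        intervals[vendor] = (mean - z * sd, mean + z * sd)
    return intervals

def scan(current, intervals):
    """Check every posting (no sampling) and return the ones to report."""
    findings = []
    for doc, vendor, amount in current:
        if vendor not in intervals:
            # A vendor with no baseline is itself worth a reviewer's look.
            findings.append((doc, vendor, amount, "no baseline"))
            continue
        low, high = intervals[vendor]
        if not low <= amount <= high:
            findings.append((doc, vendor, amount, "outside interval"))
    return findings

if __name__ == "__main__":
    for finding in scan(CURRENT, build_intervals(HISTORY)):
        print(finding)
```

Run on a schedule against the period's postings, the output is the list of documents an auditor reviews instead of a hand-picked sample.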
Financial Impact Analysis for SoD: One of the easiest methods of detecting internal fraud and anomalies will be to examine processes carried out by only one person. Sometimes, the fastest action that can be taken will be the detection and auditing of financial transactions carried out by one person or a combination of persons.
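The single-person case described above, as an added example that is not part of the original article: it finds documents where one user performed conflicting steps and totals the amount exposed per user. The purchase-to-pay step names, the conflict rules and the users are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: who performed each step of a purchase-to-pay document.
TRANSACTIONS = [
    {"doc": "PO-1", "amount": 1200.0,
     "steps": {"create": "alice", "approve": "bob", "pay": "carol"}},
    {"doc": "PO-2", "amount": 8400.0,
     "steps": {"create": "dave", "approve": "dave", "pay": "carol"}},
    {"doc": "PO-3", "amount": 560.0,
     "steps": {"create": "alice", "approve": "bob", "pay": "bob"}},
    {"doc": "PO-4", "amount": 15000.0,
     "steps": {"create": "dave", "approve": "dave", "pay": "dave"}},
]

# Assumed SoD rules: pairs of steps that one person should not both perform.
CONFLICTS = [("create", "approve"), ("approve", "pay"), ("create", "pay")]

def sod_violations(transactions, conflicts=CONFLICTS):
    """Return one row (doc, user, conflict, amount) per violated rule."""
    rows = []
    for tx in transactions:
        steps = tx["steps"]
        for a, b in conflicts:
            user = steps.get(a)
            if user is not None and user == steps.get(b):
                rows.append((tx["doc"], user, f"{a}+{b}", tx["amount"]))
    return rows

def exposure_by_user(rows):
    """Financial impact per user, counting each document once per user."""
    seen = set()
    totals = defaultdict(float)
    for doc, user, _conflict, amount in rows:
        if (doc, user) in seen:
            continue  # several rules broken on one document: count it once
        seen.add((doc, user))
        totals[user] += amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    violations = sod_violations(TRANSACTIONS)
    for user, amount in exposure_by_user(violations):
        print(f"{user}: {amount:.2f}")
```

Sorting by exposure puts the users with the largest single-handed transaction value at the top of the audit list.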
Risk Consolidation
The above are very important components in detecting anomalies/risks/defects separately and in drawing meaningful conclusions from complex data. However, it is very, very important to use risk management software in order to create a risk memory for the company and to manage the risks effectively. There are books about what good risk management software should look like, of course, but I can briefly refer to a blog post I wrote before and the RMIS Panorama document, which is one of the most comprehensive studies I have seen on software selection.
Follow-up of the Audit
True, anomaly detection and strategy-based risk management are emerging trends. However, the importance of control will continue to increase. At this point, there is a need for software that works in integration with the risk management application, guides the audit experts in compliance with the organization’s audit procedures, and increases audit effectiveness with ready-to-use audit work packages.
Audit management will actually be a middle layer between the organization’s business principles and risk in the transformation from “GRC as an afterthought” to “GRC as Forethought”, which I tried to write about before.
One of the most important outputs of audit processes that are intertwined with business processes will be the follow-up and reporting of post-audit actions. At this point, I believe that action tracking software that works in integration with the company’s risk management and monitors these actions will be very important.
The effectiveness of the audit comes not only from monitoring the findings and audit reports but also from measuring audit performance and following up the actions regarding the findings. It is effective to the extent that it helps auditors of different specialties work on the same audit package in accordance with the auditing practices of the organization.
Finally, compliance with the audit budget and the monitoring and planning of audit personnel will also be very useful for establishing an efficient audit framework.