Linking Continuous Controls Monitoring (CCM) to Performance

Posted on May 18th, 2009 by Michael Evans

People vote with their feet. So it’s always interesting to see where people head when a conference breaks from the plenary session. At the Gartner Risk Management & Compliance Summit earlier this month there was a clear winner. Gartner VP and Distinguished Analyst Paul Proctor’s session — “5 Practical Tips to Link IT Risk Management and Compliance to Corporate Performance” — attracted a standing-room-only crowd that stretched all the way back to the coffee stations in the hallway.

In a nutshell, Proctor’s main message is that executive management and boards of directors want to know that their organizations are appropriately protected against reasonably anticipated risks. But IT speaks a different language from the executives who allocate budget dollars. The solution? Proctor argued that now more than ever IT security professionals need to translate the key risk indicators (KRIs) they deal with on a day-to-day basis into key performance indicators (KPIs) that executive management can understand. According to Proctor, IT-oriented KRIs and operational metrics are down in the weeds and hard for execs to relate to. But if you can translate those into KPIs for key processes, communicate how well (or badly) you are currently doing, and show how specific proposed IT projects will move a KPI from a 2 to a 5, you can make a direct link between budget dollars and performance. What if your exec doesn’t want to fund your project? Proctor’s advice was simple. Tell your executive: “No problem. See how we’re at a 2 out of 5 for our ‘threat and vulnerability management’ KPI? I just need you to sign here and say that you understand we’re going to be staying at a 2 because we’re not funding these three projects that could help us move to a 4.” It may sound simple, but getting execs to sign off on the risk they are assuming by not funding key projects quickly brings the cost of inaction into focus.

Proctor’s other session, “Continuous Controls in ERP and Financial Systems”, which he presented along with Gartner Research VP French Caldwell, also attracted a near-capacity audience. The main message in this session was that continuous controls monitoring isn’t just for compliance and audit anymore; it’s also driving key performance benefits, particularly in improving the availability of working capital and reducing fraud. CCM drives business value for management in three ways: (1) lowering audit costs, (2) improving anti-fraud and other controls and (3) improving important business processes. On the audit side of the house, value comes from: (1) reducing manual sampling, (2) increasing external auditor trust in internal audit work and (3) identifying and correcting problems before there’s a performance impact.

Proctor and Caldwell are working on additional research in the area. In the meantime, feel free to check out some of their latest work on the subject here.


2 Responses

  • FredJouldd wrote:

    Thanks, good article.

  • Colin wrote:

    Where I work, top executives would probably refuse to sign off on the risk acceptance or provide funding.

    Their strategy for risk management would be: find a cheaper (read “free”) way of getting it done. “I’m making this your responsibility since you have now highlighted it to me...”
