Last Friday I had the pleasure of attending the Society of Corporate Compliance & Ethics’ regional meeting for Boston, a great event organized by local compliance hero Web Hull, one of the nicest people in the business. The agenda covered numerous important topics, so let me focus on one that compliance officers probably hear quite a lot these days: continuous controls monitoring.
The phrase has a specific meaning, and compliance professionals in financial services should not confuse it with the monitoring they do in the surveillance sense of the word. Continuous controls monitoring (and yes, it’s often abbreviated as CCM) is the practice of observing and testing your internal controls as frequently as possible—with the ideal that you monitor controls in real time, all the time, to know immediately when some internal control no longer works.
Two directors from PwC, John Dalton and Jonathan MacKenzie, led the discussion about CCM. First, they said, the idea is hot simply because companies are pushing into more industries, and as a consequence they are racking up more risks. According to PwC’s annual survey of CEOs, one-third of respondents said they have entered new industries in the last three years, and more than half expect they’ll compete in new industries within the next three years.
To my thinking, an equally important driver for CCM is new technology. IT today has dramatically accelerated “risk velocity” (defined as the time between you recognizing you have a serious risk and the risk blowing up in your face), just as companies are expanding into new fields and picking up new business risks. So of course you need controls that are as reliable and effective as possible.
Few companies have achieved true continuous monitoring, but the more frequently your business can do tests and reviews, the better. Besides, monitoring is part of effective internal control and effective compliance, according to the COSO framework and the U.S. Sentencing Guidelines. So even if your compliance department isn’t doing it continuously, you probably are trying to do it somehow.
Compliance officers who want CCM to succeed at their companies have a delicate juggling act to do. You need data on your internal controls from business operations (the first line of defense), and that data flows to you, sitting in the middle as the second line of defense. Meanwhile, if your company has an internal audit function (the third line of defense), that team may be performing its own tests of internal controls; you also need to coordinate with internal audit to make sure it isn’t duplicating effort and is testing controls in a way that’s useful to you.
Compliance officers (and internal auditors) have some obligations here too. You need to provide high-quality feedback to the business units, especially if you believe in the idea that business units should own the risk and control rather than you. You are the coach who tells them how to perform, and how to perform well. But like all good coaches, ideally you want to remain on the sidelines.
CCM can go awry if disparate groups within the enterprise do their own testing and monitoring; that’s the first line of defense getting carried away with itself. The compliance officer should be in charge to coordinate all that action, Dalton and MacKenzie said, and to ensure everyone uses a standard data format so you can find outliers or detect patterns accurately. (Another pro tip from them: lean on your internal audit department to help you design your control tests, since internal audit excels at that sort of thing.)
The goal is to tie the results of your risk assessment to the controls you have. Do they block the risks to your satisfaction? Can you test them? Can you monitor them to see whether any actions the control is supposed to prevent somehow happen anyway? You want the answer to be “yes” to all three questions. Tech tools do exist to help with all this (Archer, BWise, MetricStream and others), and ultimately you will need to find an approach that works well for your specific company.
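The three questions above (do the controls map to the risks, can they be tested, and do the actions they are supposed to prevent still happen anyway), together with the “standard data format” point from the previous paragraph, can be turned into a mechanical check that runs every time the business units report. The Python below is an added example, not code from the article, from PwC, or from any of the named GRC tools; the risk and control identifiers, the record layout, the business-unit results and the “twice the pooled failure rate” outlier rule are all constructed for illustration.

```python
"""Minimal continuous-controls-monitoring (CCM) check over control test
results delivered in one standard record format.

Added example, not code from the article or any GRC product. All risk and
control identifiers, the record layout and the sample results are constructed.
"""
from collections import defaultdict

# Output of the risk assessment: each risk mapped to the controls that are
# supposed to block it (hypothetical identifiers).
RISK_TO_CONTROLS = {
    "R-01 unauthorized vendor payment": ["C-101 dual approval",
                                         "C-102 vendor master change review"],
    "R-02 privileged access misuse": ["C-201 quarterly access recert"],
    "R-03 new-market licensing gap": [],   # risk with no control at all
}

# The standard record every business unit must emit per control test run.
# "bypass_events" counts actions the control should have prevented but that
# were observed anyway (the third question in the text).
REQUIRED_FIELDS = {"control", "unit", "period", "tested", "passed", "bypass_events"}

# Constructed sample results for one reporting period.
SAMPLE_RESULTS = [
    {"control": "C-101 dual approval", "unit": "EMEA", "period": "2024-W10",
     "tested": 120, "passed": 119, "bypass_events": 0},
    {"control": "C-101 dual approval", "unit": "APAC", "period": "2024-W10",
     "tested": 80, "passed": 79, "bypass_events": 0},
    {"control": "C-101 dual approval", "unit": "US", "period": "2024-W10",
     "tested": 150, "passed": 120, "bypass_events": 3},
    {"control": "C-102 vendor master change review", "unit": "EMEA",
     "period": "2024-W10", "tested": 40, "passed": 40, "bypass_events": 0},
    {"control": "C-201 quarterly access recert", "unit": "US",
     "period": "2024-W10", "tested": 0, "passed": 0, "bypass_events": 0},
]


def validate_records(results):
    """Reject records that do not follow the standard format; without this,
    outlier detection across units compares incomparable data."""
    for r in results:
        missing = REQUIRED_FIELDS - set(r)
        if missing:
            raise ValueError(f"record missing fields {sorted(missing)}: {r}")
        if r["passed"] > r["tested"] or min(r["tested"], r["passed"], r["bypass_events"]) < 0:
            raise ValueError(f"inconsistent counts in record: {r}")
    return True


def uncovered_risks(mapping):
    """Risks from the assessment that no control claims to block."""
    return sorted(risk for risk, controls in mapping.items() if not controls)


def untested_controls(mapping, results):
    """Controls referenced by the risk mapping with no test executions reported."""
    expected = {c for controls in mapping.values() for c in controls}
    tested = {r["control"] for r in results if r["tested"] > 0}
    return sorted(expected - tested)


def bypassed_controls(results):
    """Controls whose 'prevented' action was nonetheless observed."""
    counts = defaultdict(int)
    for r in results:
        counts[r["control"]] += r["bypass_events"]
    return {c: n for c, n in counts.items() if n > 0}


def outlier_units(results, factor=2.0):
    """Per control, flag units whose failure rate exceeds `factor` times the
    control-wide pooled failure rate (illustrative rule, not a standard)."""
    by_control = defaultdict(list)
    for r in results:
        if r["tested"] > 0:
            by_control[r["control"]].append(r)
    flagged = []
    for control, rows in by_control.items():
        if len(rows) < 2:
            continue  # nothing to compare against
        pooled = sum(x["tested"] - x["passed"] for x in rows) / sum(x["tested"] for x in rows)
        for x in rows:
            rate = (x["tested"] - x["passed"]) / x["tested"]
            if pooled > 0 and rate > factor * pooled:
                flagged.append((control, x["unit"], round(rate, 3)))
    return sorted(flagged)


def ccm_report(mapping, results):
    """One dictionary answering the three questions for this reporting period."""
    validate_records(results)
    return {
        "risks_without_controls": uncovered_risks(mapping),
        "controls_not_tested": untested_controls(mapping, results),
        "controls_bypassed": bypassed_controls(results),
        "unit_outliers": outlier_units(results),
    }


if __name__ == "__main__":
    for key, value in ccm_report(RISK_TO_CONTROLS, SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

Run against the sample data, the report surfaces one risk with no control behind it, one control that was never exercised in the period, one control with observed bypasses, and one business unit whose failure rate for dual approval is far above its peers. Each of those is a different kind of finding: a design gap, a testing gap, a control that is failing in fact, and a candidate for the compliance officer's coaching conversation with that unit.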