Assessing Business Resilience

Business resilience determines to a great extent whether a business survives a disruption or not. Failing to anticipate disasters and to build the resilience needed to weather them is the single most significant risk to the continued existence of an organization.

What is Business Continuity?

Business continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

A “Crisis” is an abnormal situation that threatens the operations, staff, customers or reputation of the organisation. Many business crises can be foreseen (for example a supply disruption, a logistics failure or a cash crunch), and such a situation can be handled through an emergency response or recovery plan written for that kind of incident.

A “Disaster”, on the other hand, is an unplanned interruption of normal business processes and cannot always be foreseen. Disasters can be natural or man-made, and they can interrupt business processes severely enough to threaten the continuance and viability of an organization.

Over the years, man-made and natural disasters have exposed the vulnerability of businesses on a global scale. Many Business Continuity Plans that are well laid out, documented and exercised in normal times do not hold up when an actual disaster strikes.

Disasters, by their very definition, do not happen at a convenient time and are always unpredictable, which makes their impact difficult to forecast. There is no way of knowing when one will strike, the form it will take or the damage it will cause.

Take for example the current COVID-19 pandemic: is it a natural disaster or a man-made one? Opinions on this differ widely.

The COVID-19 pandemic and its severity across the world have thrown business, trade, commerce and logistics operations into disarray. Even the best crisis management, disaster recovery and business continuity planning could not have forecast the severity of this threat and its impact.

That does not mean, however, that one should not attempt to understand the impact of various disaster scenarios and plan an effective response; doing so is key to business continuity and to building resilience.

Business Resilience (BR in short) is dependent on many factors:

  1. Financial resilience: This is a no-brainer, as an organization that is strapped for cash and liquidity during a crisis is likely to succumb faster than one with reserves to see it through the difficult times.
    1. Receivables management and avoidance of bad debts should be the primary focus for strengthening cash and liquidity positions.
    2. During a crisis of the nature of a world-wide pandemic, suppliers, their stability and the availability of supply directly affect working capital, raw materials and the ideal stock levels to be maintained.
    3. Bank loans, interest moratoriums and other debt facilities will have to be re-examined and restructured.
    4. Existing agreements such as leases, rentals and customer commitments with agreed due dates may become impossible to honour, as may operational restrictions imposed by regulatory authorities for the common good.
    5. Top management will face challenges in estimating reasonably possible future cash flows under uncertain conditions.
    6. Unlike in traditional budgeting, relying on historical data to project future business is not going to be of much use.
    7. There is a big question mark over what the “new normal” is and how it will look for each industry and within each organization.
    8. As estimates become more complex, it will be difficult to show adherence to existing audit and accounting standards and to convince the Audit Committee of the assumptions underlying those estimates.
    9. Last but not least, is the “going concern” criterion met? The assumptions underlying that certification may be complex and will have to pass the test of the auditors before reporting and disclosure to the key stakeholders.
  2. Physical resilience: How deeply affected are the organization’s locations, premises and access to facilities, and how long will it take to restore normalcy? This is an important factor in assessing how quickly the business can spring back. Is there adequate insurance cover for such contingencies?
  3. Data Protection Plan: Is there a plan in place that ensures existing data is retained, protected and, crucially, restorable? The company’s computing resources (servers, networks, firewalls, access authorizations, hardware and software) need to be protected and safeguarded. This is a must if the Information Systems are to keep functioning at a basic level during the crisis without losing critical business information. A backup that has never been test-restored is not a plan, and a backup that sits on the same network as the systems it protects can be lost in the same incident; keep at least one copy offline or otherwise isolated and rehearse the restore.
  4. Customer retention: Brand loyalty and assured customer retention make it easier to estimate potential earnings for when normalcy returns to the economy. This factor is more pronounced in retail and FMCG industries, where customers can easily switch between brands. Existing revenue contracts may still need to be revisited, reviewed and revised in the light of the shutdown.
  5. Employee retention: An organization that lays off employees during a pandemic or crisis will take longer to find replacements or skilled people when it wants to get back to business. Migrant workers who have acquired skills in many industries may not wish to return to their work locations if they find better alternatives at home. A shortage of adequate and appropriate human resources may impair the resilience of the organization in the long run.
  6. Workplace transformation: During a pandemic (such as COVID-19), not all essential operations can come to a sudden standstill. It is important to ensure that basic activities go on without exposing employees to infectious disease. Organizations that can quickly enable and encourage “Work from Home” alternatives adapt to the situation and show more resilience than those that lack the infrastructure to adopt such measures.
  7. Digital transformation and adoption: Resilient organizations are at the forefront in being flexible and adaptable to new technology and in embracing digital transformation. In a crisis, however, that adoption depends on financial readiness and budget allocation.
  8. Emotional / psychological resilience: In the end it is the human psyche that matters: whether the key stakeholders are mentally resilient and steadfast about continuing the business, and about the form in which it can be carried on in future. Small and medium businesses may fold up in their current locations, larger organizations may look at mergers and amalgamations, and start-ups may see a bleak future in the near term.

What is Business Continuity Management (BCM)?

Organizations lay down Business Continuity Plans for their various business processes, with emphasis on Information Systems, and execute and audit them at regular intervals to ensure the organization is prepared to handle any event, incident or crisis.

Business continuity management (BCM) enables organisations to restore their businesses to normal operations following an unanticipated disaster or business interruption. To date, however, the corporate BCM capabilities necessary to establish that resilience have generally ranged from absent to insufficient.

Can a disaster (except perhaps a forecast cyclone or typhoon) be predicted with any accuracy? Can one predict whether the business will be resilient to the after-effects of a disaster, such as an economic downturn, a depression, catastrophic effects on people, or country-wide regulations and lockdowns?

Assessing the operational and financial resilience built into Business Continuity Plans is not limited to Information Technology risks (protecting information assets and financial information). There is a great deal of difference between executing BCM audits in normal times and doing so during an unexpected natural or man-made disaster like the pandemic we are currently facing.

Is your information really secure?

Cyber security risk management is no longer confined to solid firewalls and state-of-the-art Virtual Private Networks. A video that recently caught my attention may make you rethink the cyber security programs you have (or intend to have). Have a look. Video credit: CNA Insider.

Here are factors to focus on and strategise before embarking on building or strengthening cyber security risk assessments. Break them down by users, data, location and devices. A security risk assessment must take a holistic approach that includes human vulnerabilities, not just machines and devices.

  1. What kind of data do you want to protect: your business assets (physical, financial and information), employees’ data, client/customer information?
  2. Where is your data located, in the cloud or on premises? Evaluate your cloud security concerns, whether you are on shared tenancy or a private cloud. Even where the cloud provider secures the underlying platform, you remain responsible for how your data is configured, who can access it and whether it leaks; under the provider’s shared-responsibility model, your data and your access control stay on your side of the line.
  3. Do the applications you run (or intend to run) have basic security built in? Do they evaluate context (device, location, time of access) before granting access? Do they support multi-factor authentication across mobiles, tablets and laptops?
  4. Have you categorised your users (how many are temporary, contractual or permanent)? Who needs privileged access to critical data and transactions?
  5. What kinds of devices do users perform their tasks on, and do they work from within the company perimeter or firewall or from outside it?
  6. Should you adopt a “zero-trust” security policy, in which no request is trusted on the basis of network location alone and every access is verified? Where employees are allowed to “bring your own device” (BYOD), as some companies do, can you accept the risk of an infected device that leaks information to an attacker or exposes your organisation to a malicious attack?

When evaluating security solutions keep in mind

  • Solutions that protect the “perimeter” of the company (firewalls, anti-virus and anti-malware software, anti-phishing gateways, network sniffers, etc.), that is, the border around its physical locations and intranets, are not sufficient. Most of them have no visibility into application-layer breaches and cannot proactively tell the CISO’s office about a risk so that it can be plugged immediately.
  • Large companies with a geographical spread have a different set of requirements from small or mid-size companies.
  • Companies that still rely on legacy systems that are proprietary and not amenable to technology upgrades make the security picture more complex.
  • Look for solutions that help you centralise the various types of log information in real time (or close to it) from multiple systems. They must be able to track an inventory of devices and log sources (networks, servers, terminals, mobile devices, laptops, access and audit logs, wireless access from extranets, etc.).
  • They should track users, their roles and the actions they take within the system, and support periodic context-based risk assessment. Keep up-to-date information about everyone (employees, customers and suppliers) who has access to your systems and about the devices they use.
  • Placing your single sign-on outside the perimeter (on the internet) requires careful thought, not only because of the complexity of the scenarios but also because of legal and compliance requirements such as data privacy laws.
  • Migrating to a cloud environment requires you to assess the security risks carefully, including whether your cloud service provider is experienced enough to cover the larger picture: not just employee access but also the B2B or B2C scenarios your organisation uses.
  • Do not make security risk assessment a quarterly or annual affair; it should be an ongoing exercise, best run as part of daily operations so that you are alerted to breaches before severe damage is done.
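The context-based sign-in and zero-trust questions in the list above, and the user, role and device tracking in the evaluation points, all come down to one decision per access request plus a record of that decision that can be shipped to a central log store. The Python below is an added example written for this page, not the author’s code or any product’s; the policy weights, thresholds, field names and sample requests are constructed assumptions, chosen so that a user sitting inside the corporate network is still challenged when the device and authentication context are weak.

```python
"""Context-based (zero-trust) access decision with a structured audit record.

Added example, not from the original page. The policy weights, thresholds,
field names and the sample requests below are constructed assumptions.
"""
from dataclasses import dataclass, asdict
import json


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_type: str            # "permanent", "contractual" or "temporary"
    device_managed: bool      # corporate-managed device vs. BYOD
    device_patched: bool      # result of a device posture check
    mfa_passed: bool          # MFA completed in this session
    on_corporate_network: bool
    action: str               # e.g. "read_report", "approve_payment"


# Actions that touch critical data or transactions (assumed list).
PRIVILEGED_ACTIONS = {"approve_payment", "export_customer_data", "change_user_role"}


def decide(req: AccessRequest) -> dict:
    """Score the request context and return allow / step_up / deny.

    Being on the corporate network lowers risk only slightly and never
    grants access by itself; a privileged action needs MFA plus a managed,
    patched device regardless of where the user sits.
    """
    risk = 0
    reasons = []
    if not req.mfa_passed:
        risk += 3
        reasons.append("no MFA")
    if not req.device_managed:
        risk += 2
        reasons.append("BYOD device")
    if not req.device_patched:
        risk += 2
        reasons.append("device fails posture check")
    if not req.on_corporate_network:
        risk += 1
        reasons.append("off-network")
    if req.user_type != "permanent":
        risk += 1
        reasons.append(f"{req.user_type} user")

    strong_context = req.mfa_passed and req.device_managed and req.device_patched
    if req.action in PRIVILEGED_ACTIONS and not strong_context:
        decision = "deny"
        reasons.append("privileged action requires MFA + managed, patched device")
    elif risk >= 4:
        decision = "step_up"      # force a fresh MFA challenge / re-authentication
    else:
        decision = "allow"
    return {"decision": decision, "risk": risk, "reasons": reasons}


def audit_record(req: AccessRequest, outcome: dict) -> str:
    """One JSON line per decision, ready for a central log collector."""
    record = {"event": "access_decision", **asdict(req), **outcome}
    return json.dumps(record, sort_keys=True)


# Constructed sample requests.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "permanent", True, True, True, True, "read_report"),
    AccessRequest("bob", "contractual", False, True, True, False, "approve_payment"),
    AccessRequest("carol", "permanent", True, False, False, True, "read_report"),
]


def run_samples() -> list:
    """Decisions for the constructed requests, in order."""
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(audit_record(req, decide(req)))
```

With these assumptions alice (managed device, MFA, on-network) is allowed; bob is denied because a payment approval is attempted from a BYOD device even though he passed MFA; carol is inside the perimeter but gets a step-up challenge because her session has no MFA and her device fails the posture check. The JSON line carries the reasons, so an analyst reviewing the central log can see why each decision was made.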

My take on IRM and GRC

The next buzzword after GRC (Governance, Risk and Compliance) is now IRM (Integrated Risk Management). (Not to be confused with another acronym “IRM” which denotes “Information Rights Management” which is a form of IT security technology for protecting access to sensitive documents and emails.)

Why are we placing so much emphasis on new acronyms and confusing practitioners of risk, control and compliance? Why debate whether GRC is dead and IRM is the new norm? Would it not be better to get down to basics and understand the importance of, and the concepts behind, each of those words? (People generally like to put old wine in new bottles to keep interest going.)

Technology, when properly deployed, has always been capable of giving an integrated view of what happens in an organization.

But jumping into a technology approach without proper understanding by all stakeholders concerned leads to quick disillusionment and project failure.

It is a fact that silos exist in several organizations. This is mainly because different departments (such as finance, internal audit, the risk committee and operational heads) cocoon themselves in their own departmental priorities and take a short-sighted approach. Their reasons and defences are many: inertia about collaborating with other stakeholders, ego issues over whose approach is better, a “get it done with” attitude, citing shortage of staff, insufficient budget that pushes them to sub-optimal solutions, and so on. The top reason may also be that the C-level is not apprised of the benefits, or does not see these initiatives adding to top-line revenue.

Quoting Gartner’s definition – Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.

Since the summer of 2018, Gartner has been moving away from GRC (Governance, Risk and Compliance) towards IRM (Integrated Risk Management).

In my view, if one forgets the acronyms, GRC and IRM, and looks at the concepts being espoused, one can see that the fundamentals have not changed; the emphasis is now on a holistic approach towards better management of the risks arising from poor governance, failed business controls, non-compliance, weak IT security leading to data breaches, external threats, and so on.

To elaborate, what all (or most) of us understand and agree on at a high level are the following points:

  • There is no “business” or “for-profit” organization that does not take calculated risks. Managing those risks intelligently and on time ensures business continuity and success. That is why “Risk Management” belongs in every decision-making process.
  • In the long run only integrity pays; ethical practice in business sustains its brand value and survival, and the others simply vanish. This is what we understand as the “Governance” standards set by the entrepreneurs and promoters, which top management is expected to follow and communicate to the operational teams.
  • “Governance” has two aspects: one is the set of internal practices and policies set up by management, and the other is the set of operational, tax and statutory obligations that apply to particular industries, countries and communities. The latter broadly comes under the “Compliance” umbrella.

On a deeper level, one can see that all the above points are intertwined and none can exist without the others:

  • Governance cannot be enforced without proper formulation and communication of the internal policies (corporate-specific procedures and ethical practices) that management envisions, and without emphasis on external compliance to ensure business continuity. It is a failure of governance if business risks are not identified, assessed and mitigated on time. Governance also implies that proper internal controls are in place and working effectively.
  • Compliance does not stand alone: failure to comply, whether with internal policies (such as purchase or pricing policies) or with external statutes (such as taxation), is a reflection of poor business controls.
  • Risk awareness is the overarching umbrella that recognises threats to business continuity, whether they arise from poor governance, improper compliance, inadequate IT security measures to protect data, or ineffective business controls in processes that could lead to fraud.

The bottom line for all organizations wishing to set up a framework for Governance, Risk Management and Compliance may need to consider the following:

  • have a holistic understanding and approach of the proposed integrated framework, include all functions and processes – not just finance or internal audit or SOX compliance. External threats such as legal risks, brand risks, cyber security, IT risks, conflict of interest that results in abuse and fraud, environment, health and safety risks deserve equal importance when we talk about a sustainable business in the long run.
  • bring all stakeholders on one page – workshops, discussions, whitepapers, surveys, opinions, etc.,
  • don’t jump into a technology solution without assessing preparedness and maturity of all functions,
  • as far as possible avoid siloed programs (that are focussed only on a particular function or department),
  • even if you have to start small (if there are budget or resource constraints), never compromise on the big picture of where you want to be at the end of the program,
  • keep in mind an integrated approach that ties together all types of internal or external risks to the enterprise.

My random thoughts on societal risks

A certain heart-wrenching and gruesome event that happened very recently, and the subsequent findings of the police and investigating agencies (read here: //timesofindia.indiatimes.com/city/hyderabad/accused-returned-to-spot-to-ensure-body-was-burnt/articleshow/72323219.cms), will touch the heart of any good person, of whichever country, religion, caste, creed or colour. What is more shocking is that of the four accused persons, one is a minor boy aged about 15 years.

Another 35-year-old woman was also burnt alive and the body found in a couple of days after the above incident and close to the same venue.

It makes me wonder where we are going wrong all the time in preventing torture and crimes against women. In my opinion, “women at risk” is a topic before which even discussions about mitigating business risks should take a back seat for some time.

Catching the culprits and ending their lives through capital punishment is only momentary solace and will seem like quick justice to the parents and loved ones of the deceased. There are, and will be, many more offenders lurking for an opportunity to assault women for whatever reason. That this is true is shown by the fact that, after the shocking “Nirbhaya” rape and murder that shook the nation a few years ago, such an incident has happened again.

  • Is it the victim’s fault that she was a good-looking young girl?
  • Is it wrong that she was in a profession that required her to work late evening?
  • Can you lay the blame that she was unaccompanied by a chaperon at that time?
  • Is it right to say that women should never venture out alone after sunset?

Societal and family values play a major factor in bringing in awareness about how and why you should respect women. It might seem that too much advice by parents and teachers will not work with young minds. But just remember the good old days when children had enough attention at home (either parents, grandparents, uncles and aunts, etc.). The effect of strong familial values goes a long way into the development of the human psyche.

We are living in a fast-paced society in which working parents and nuclear families have little or no time to devote to child development (and I mean all-round development, not just academics and high ranks). In such a situation, teaching the fundamental values of life begins at schools and educational institutions. Parental guidance and counselling on raising children should start at the grassroots, at all levels and irrespective of economic stratum.

We also need to strongly question why some common risk factors are not taken seriously by the Government / local administration and police, such as

  • desolate places without enough lighting,
  • no vigorous night police patrolling at such places,
  • no quick response mechanism or follow-up by the local police when incident is reported,
  • poor enforcement of the law and delayed justice in courts,
  • biased opinions by media based on religion and politics that subverts the very motive of the crime.

We, as responsible citizens, owe it to ourselves to deal with the issue of why women are at risk and what we could do to mitigate the same to prevent such dastardly crimes from happening. There is no use expecting the Government to come to the rescue since this is a fabric woven by the society in which we live and education must start in each and every home.

A Primer on AI/ML/DL/NN etc.

Today, many of the non-technical people among us feel quite left out of the conversations buzzing around in companies, social media, webinars, presentations and the like.

Yes – I am talking about the most talked about acronyms – Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), Neural Networks (NN) and so on that also includes Big Data, Statistical methods, Data Science, Predictive Analytics and so forth.

Here is my attempt to explain the basics.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

  1. Artificial intelligence (AI) is the simulation of human intelligence processes by machines, especially computer systems. If a system or a device can do “smart” things like humans do, then it is said to be artificially intelligent.
  2. It is an umbrella concept that includes image processing, natural language processing, robotic process automation, machine learning, neural networks and many more.
  3. There is a wrong impression that AI is a system; rather, it is implemented in a system. Particular applications of AI include expert systems, speech recognition, natural language processing (NLP) and machine vision.
  4. These processes include learning (the acquisition of information and rules for using the information), reasoning (using rules to reach approximate or definite conclusions) and self-correction.

WHAT IS MACHINE LEARNING (ML)?

  1. To put it very simply, machine learning is “the ability (for computers) to learn without being explicitly programmed.” Machine Learning is about making computers (or machines) learn from data provided by their environment, such as sensor readings, electronic components in devices or stored records. It also crunches huge input data sets to come up with patterns and predictions, such as Amazon suggesting what you might buy or Netflix offering options based on your viewing history.
  2. Machine Learning is one way of achieving Artificial Intelligence. The main objective of ML is to let computers learn from data and adjust their behaviour accordingly, with little or no explicit programming of the rules themselves.
  3. ML builds models whose parameters are updated and fine-tuned as new inputs arrive on an ongoing basis.
  4. Machine learning enables analysis of massive quantities of data.

WHAT IS DEEP LEARNING (DL)?

  1. Deep learning is a specialised form of machine learning. In a classical machine learning workflow, relevant features are first extracted manually from images, and those features are then used to build a model that categorises the objects in the image.
  2. With a deep learning approach, relevant features are extracted from the images automatically. Deep learning also performs “end-to-end learning”: a network is given raw data and a task to perform, such as classification, and it learns how to do this on its own.
  3. Deep learning is built on artificial neural networks with many layers, which is why the two terms are often used together. Another key difference is that deep learning algorithms scale with data; they often continue to improve as the size of your data increases.
  4. Deep learning is applied in many areas of artificial intelligence such as speech recognition, image recognition, natural language processing, robot navigation systems and self-driving cars. Examples we see in daily life are virtual assistants like Alexa, Siri and Cortana, driverless trucks, drones and automated cars, automatic machine translation, text generation, facial recognition, behavioural analysis, etc.
  5. Big Data is required for Deep Learning. Massive data is to be fed into models – however the bottleneck remains in cleansing and processing the data into the required format for powering the DL models.

WHAT ARE NEURAL NETWORKS?

  1. A neural network is a type of machine learning model loosely modelled on the human brain. Rather than being programmed directly for a task, it has to learn the task from examples, somewhat as a child’s developing brain does.
  2. Neural networks have become standard tools for data mining. A neural network is an adaptive system that changes its internal parameters in response to the information flowing through it during the learning phase.
  3. A neural network usually involves a large number of simple processing units operating in parallel and arranged in tiers (layers). The first tier receives the raw input information, analogous to the optic nerves in human visual processing. Each successive tier receives the output of the tier preceding it rather than the raw input, in the same way that neurons further from the optic nerve receive signals from those closer to it. The last tier produces the output of the system.
  4. Handwriting recognition is an example of a real-world problem that can be approached with an artificial neural network. Humans recognise handwriting by simple intuition, but for computers the challenge is that each person’s handwriting is unique, with different styles and even different spacing between letters, making it difficult to recognise consistently. Handwriting recognition has applications as varied as automated address reading at the postal service, authorising signatures on documents and reducing cheque fraud at banks.
  5. Uses of the technology have expanded to many more areas such as chatbots, stock market prediction, delivery route planning and optimisation, drug discovery and development, and many more.
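To make the “learns the task from examples rather than being programmed for it” point concrete, here is an added example (not from the original page) of the simplest possible neural network, a single-tier perceptron, learning the AND function from its truth table. It also shows the limit that motivates the multi-tier networks described above: the same learner can never fit XOR, because one tier can only draw a straight dividing line. The truth tables are constructed inputs; the learning rule is Rosenblatt’s classic perceptron rule.

```python
"""A single-layer perceptron that learns a rule from examples, and the limit
that motivates multi-layer ("deep") networks.

Added example, not from the original page; the two truth tables are
constructed training sets.
"""


def step(x) -> int:
    """Threshold activation: the unit fires (1) when its weighted sum is positive."""
    return 1 if x > 0 else 0


def predict(weights, bias, inputs) -> int:
    """One tier: weighted sum of the inputs plus a bias, then the threshold."""
    return step(sum(w * x for w, x in zip(weights, inputs)) + bias)


def train_perceptron(dataset, max_epochs=100, lr=1):
    """Perceptron learning rule: nudge the weights on every misclassified example.

    Returns (weights, bias, converged). converged is True when one full pass over
    the data produced no errors. Weights start at zero, so the run is deterministic.
    """
    n_inputs = len(dataset[0][0])
    weights = [0] * n_inputs
    bias = 0
    for _ in range(max_epochs):
        errors = 0
        for inputs, target in dataset:
            error = target - predict(weights, bias, inputs)
            if error:
                errors += 1
                weights = [w + lr * error * x for w, x in zip(weights, inputs)]
                bias += lr * error
        if errors == 0:
            return weights, bias, True
    return weights, bias, False


def accuracy(dataset, weights, bias) -> float:
    """Fraction of examples the trained unit classifies correctly."""
    hits = sum(predict(weights, bias, x) == t for x, t in dataset)
    return hits / len(dataset)


# Constructed truth tables: (inputs, target).
AND_DATA = [((0, 0), 0), ((0, 1), 0), ((1, 0), 0), ((1, 1), 1)]
XOR_DATA = [((0, 0), 0), ((0, 1), 1), ((1, 0), 1), ((1, 1), 0)]


if __name__ == "__main__":
    for name, data in (("AND", AND_DATA), ("XOR", XOR_DATA)):
        w, b, ok = train_perceptron(data)
        print(f"{name}: weights={w} bias={b} converged={ok} "
              f"accuracy={accuracy(data, w, b):.2f}")
```

Nobody wrote the rule “output 1 only when both inputs are 1”; the weights that encode it emerge from the error corrections. For XOR the loop runs out of epochs without ever getting every example right, which is exactly the problem that adding a second tier of units solves.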

WHAT IS DESCRIPTIVE, PREDICTIVE AND PRESCRIPTIVE ANALYTICS?

  1. Descriptive – based on insights into historical data – What has happened?
  2. Predictive – based on statistical tools and forecasting techniques to answer – What could happen?
  3. Prescriptive – use simulation and optimization algorithms to advise on possible outcomes and answer – what should be done?

WHAT IS DATA SCIENCE AND WHAT CAN YOU DO WITH IT?

  1. Data Science is a study which deals with identification, representation and extraction of meaningful information from data sources.
  2. Some of the tasks you can do with Data Science include: Coming up with conclusive research and open-ended questions, extracting large volumes of data from external and internal sources, deploying statistical, machine learning and analytical methods, clean, prune and get data ready for processing and analysis, looking at data from various angles to determine hidden patterns, relations and trends, etc.
  3. If you are wondering about the difference between a Data Analyst and a Data Scientist, they differ mainly in the goal with which they work. A Data Analyst starts by aggregating, querying and mining data to report on various functions. A Data Scientist starts by asking the right questions, and therefore needs substantive domain expertise and non-technical skills as well.

“Fox minding the hens” – Interesting snippet

Imagine a situation in which someone at the C-level who is responsible for ensuring ethical standards and for setting the policy on insider trading is himself accused of, and charged with, that very same prohibited action.

Yes, this is how CFO.com titled the news: “At Apple, the Fox was minding the Hen house”. Strong words, but apt criticism of non-compliance in the top echelons of the company.

The tech giant’s former Global Head of Corporate Law, Gene Daniel Levoff, was charged by the Securities and Exchange Commission with trading Apple securities ahead of three quarterly earnings announcements in 2015 and 2016.

Before the public announcement of Apple’s earnings, Levoff sold his personal holdings of Apple stock, worth about $10 million, from personal brokerage accounts. By doing so he avoided personal losses of about $345,000; Apple’s share price dropped by more than 4% when the quarterly financial data was publicly disclosed.

“Levoff’s alleged exploitation of his access to Apple’s financial information was particularly egregious given his responsibility for implementing the company’s insider trading compliance policy,” said Antonia Chion, associate director of the SEC’s division of enforcement.

As a senior director, Levoff reported to Apple’s general counsel and reviewed and approved the company’s insider trading policy. Not only that, he was the one who regularly notified employees about blackout periods around earnings announcements. He also managed the company’s corporate subsidiary structure and was a director of several Apple subsidiaries.

The SEC’s complaint, filed in federal district court in Newark, New Jersey, charges Levoff with fraud and is seeking the return of his trading profits plus interest and penalties. It is also seeking to bar Levoff from serving as an officer or director. In a parallel action, the U.S. attorney’s office for the district of New Jersey announced criminal charges against Levoff.

Levoff, of San Carlos, Calif., was let go by Apple in September 2018.

News: courtesy Vincent Ryan, Feb 13 2019, CFO.com/US

Analytics for fraud investigations

Many have wondered why one would perform analytics for fraud detection (or prevention) in good times (business as usual), when no whistle has been blown about a suspected fraud.

Is this not a grey area, where people’s sensitivities are involved, where news of an investigation can affect the organization’s brand image, and where being trolled on social media becomes painful to counter? Yet the CFO’s office is hit hardest when it has to explain to the Board the financial losses incurred through fraudulent activity that has left a gaping hole in the finances.

Traditional anomaly detection is conducted routinely by internal or external auditors. But it is insufficient: it is not backed by powerful tools, and the objective and terms of reference of these audits limit the investigation to a certain level and no more.

Often referred to as “forensic audit”, fraud detection assumes great significance because it requires digging deeper than a normal audit: examining and investigating internal control failures, conflicts of interest, social networks and behavioural factors, and crunching big data that may extend well beyond the period under the lens.

A prudent and practical approach is to set up a mechanism that proactively provides analytics and flags high-risk areas needing immediate attention.

Fraud analytics is the use of analytical technology with intelligent business rules and techniques to detect improper transactions such as bribery, favouritism, working-capital leakage and asset misappropriation, either before or after the transaction is done, so that appropriate steps can be taken to prevent further damage.

Fraud analytics also helps in performance measurement, in evaluating internal control failures and deficiencies, and in standardising and continuously improving processes to the benefit of the overall organization and its governance.

Fraud perpetrators use many different techniques and vary them to avoid discovery, so detection has to rely on one or more of the following:

  1. Automated business rules that throw up anomalies, which are then investigated to separate true from false positives.
  2. Statistical parameters: averages (for example the number of calls made, emails exchanged, or days of delay in bill payments), quantities (for example comparing total quantities ordered / received / invoiced / returned), performance metrics (for example attrition patterns in certain departments, or sales returns peaking immediately after the monthly close), and user profiles (for example interested-party contracts, sudden lifestyle changes, or behavioural patterns noticed).
  3. Trend analysis using time-series distributions.
  4. Clustering and classification to find patterns and associations within data sets.
  5. Algorithms, models and probability distributions of the various business activities.
  6. Machine learning and neural networks that learn the characteristics of fraud automatically and are then applied to ever-larger data inputs.
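As an added example (not from the original article), the following Python script implements two of the techniques in the list above over a constructed set of purchase-to-pay records: business rules (a three-way match of ordered, received and invoiced quantities, and a split-purchase-order rule for several orders to one vendor just under an approval limit) and a statistical parameter (the z-score of each payment's delay against the whole population, to surface a vendor who is paid unusually fast). The record layout, the 50,000 approval limit, the 10% band and the z-score threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class PurchaseRecord:
    """One purchase-to-pay record (assumed layout, joined from PO, goods receipt, invoice and payment)."""
    po: str
    vendor: str
    qty_ordered: int
    qty_received: int
    qty_invoiced: int
    amount: float
    invoice_date: date
    paid_date: date


# Constructed sample data. Planted anomalies: PO-1004 invoiced more than received,
# PO-1005 received more than ordered, three V-ACME POs just below the approval
# limit, and PO-1010 paid two days after invoicing while everyone else waits ~30.
RECORDS = [
    PurchaseRecord("PO-1001", "V-ACME", 100, 100, 100, 48_500.0, date(2024, 3, 4), date(2024, 4, 1)),
    PurchaseRecord("PO-1002", "V-ACME", 200, 200, 200, 49_200.0, date(2024, 3, 5), date(2024, 4, 4)),
    PurchaseRecord("PO-1003", "V-ACME", 150, 150, 150, 47_900.0, date(2024, 3, 6), date(2024, 4, 6)),
    PurchaseRecord("PO-1004", "V-BETA", 50, 50, 60, 12_000.0, date(2024, 3, 7), date(2024, 4, 5)),
    PurchaseRecord("PO-1005", "V-BETA", 40, 45, 45, 9_000.0, date(2024, 3, 8), date(2024, 4, 9)),
    PurchaseRecord("PO-1006", "V-GAMMA", 10, 10, 10, 3_000.0, date(2024, 3, 11), date(2024, 4, 10)),
    PurchaseRecord("PO-1007", "V-GAMMA", 20, 20, 20, 6_000.0, date(2024, 3, 12), date(2024, 4, 11)),
    PurchaseRecord("PO-1008", "V-DELTA", 75, 75, 75, 21_000.0, date(2024, 3, 13), date(2024, 4, 13)),
    PurchaseRecord("PO-1009", "V-DELTA", 30, 30, 30, 8_000.0, date(2024, 3, 14), date(2024, 4, 12)),
    PurchaseRecord("PO-1010", "V-EPSILON", 5, 5, 5, 2_500.0, date(2024, 3, 15), date(2024, 3, 17)),
]

APPROVAL_LIMIT = 50_000.0  # assumed single-approver limit for this example


def three_way_match_exceptions(records):
    """Business rule: invoiced qty must not exceed received qty, which must not exceed ordered qty."""
    exceptions = []
    for r in records:
        if r.qty_invoiced > r.qty_received:
            exceptions.append((r.po, "invoiced > received"))
        if r.qty_received > r.qty_ordered:
            exceptions.append((r.po, "received > ordered"))
    return exceptions


def split_po_exceptions(records, limit=APPROVAL_LIMIT, band=0.10, min_count=3):
    """Business rule: a vendor with >= min_count POs each within `band` below the
    approval limit suggests one large purchase split to dodge a higher approver."""
    near_limit = defaultdict(list)
    for r in records:
        if limit * (1 - band) <= r.amount < limit:
            near_limit[r.vendor].append(r.po)
    return {vendor: pos for vendor, pos in near_limit.items() if len(pos) >= min_count}


def payment_delay_outliers(records, z_threshold=2.0):
    """Statistical parameter: z-score of each record's payment delay (days) against the
    whole population. Unusually fast payment to one vendor is a favouritism indicator."""
    delays = [(r.paid_date - r.invoice_date).days for r in records]
    mu, sigma = mean(delays), pstdev(delays)
    if sigma == 0:  # every payment took the same time; nothing to rank
        return []
    flagged = []
    for r, d in zip(records, delays):
        z = (d - mu) / sigma
        if abs(z) > z_threshold:
            flagged.append((r.po, round(z, 2)))
    return flagged


if __name__ == "__main__":
    for po, why in three_way_match_exceptions(RECORDS):
        print(f"3-way match: {po} {why}")
    for vendor, pos in split_po_exceptions(RECORDS).items():
        print(f"possible split PO: {vendor} {pos}")
    for po, z in payment_delay_outliers(RECORDS):
        print(f"payment delay outlier: {po} z={z}")
```

Each function returns the exceptions rather than printing them so the output can be routed into an issue or a dashboard; in practice the same rules would run over the full population extracted from the ERP rather than a hand-built list.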

A fraud prevention programme for controlling fraud risks is an important part of enterprise risk management, and it gives your investors, partners and auditors more confidence in your demonstrated ability to tackle fraud in a sustained manner rather than on an ad-hoc basis.

Leverage the New Digital Era for GRC Automation


DIGITAL TRANSFORMATION BRINGS IN A NEW ERA OF AUTOMATION

CAN GRC INITIATIVES BE FAR BEHIND IN ADOPTION?

Learn the new mantras in technology that are going to re-define the way users interact with business applications to perform their tasks with ease.

We hear the acronyms "RPA" and "BOT" (and also CHATBOT) very frequently; they claim to automate high-volume, mundane and repetitive tasks performed by human beings. Gartner has predicted that by 2021, more than 50% of enterprises will spend more per annum on bots and chatbot creation than on traditional mobile app development.

For the ones uninitiated into the world of AI (Artificial Intelligence) and ML (Machine Learning), RPA is "Robotic Process Automation": software that not only automates high-volume repetitive tasks but also performs calculations, executes queries and maintains records and results.

"BOT" is short for "ROBOT". Bots are like virtual assistants which can answer questions and help you get things done faster without needing to speak to another human. They are software applications that perform repetitive tasks, often faster than humans. A common task is chat, in question-and-answer format. Sometimes when you think you are chatting with a person, you may be chatting with a bot, because bots mimic human interaction and conversation.

There are two types of chatbots. One responds only to very specific commands and is only as smart as it was programmed to be. The other uses artificial intelligence and improves constantly through machine learning: it gets smarter the more data it crunches and the more it talks to people and learns from their responses.

CAN GRC PROGRAMS LEVERAGE THE DIGITAL REVOLUTION?

Let us move on to how internal auditors, SOX controllers and testers, the CFO's office and finance departments can leverage RPA and bots.

Many organizations embark on a GRC programme and ultimately decide on a framework (which includes the scope of coverage and the overall data structure that supports the internal control environment) and the processes (priority areas that need immediate attention for testing). Roles and responsibilities are then defined to decide which resource performs which compliance activities (testing plans, surveys, assessments, entity-level certifications and so on) across the organization.

This decision is very often supported by a good GRC vendor who provides the application software to set up the internal control monitoring and compliance activities.

Once the GRC implementation is done and usage increases over time, all resources are swamped with more activities and get bogged down with time-consuming compliance checks, manual testing and certifications, consolidation of surveys, solving urgent issues and gathering information for the next GRC report to top management.

EXTEND THE GRC PLATFORM WITH RPA AND BOTS

RPA and bots can be used innovatively and cost-effectively to give the GRC team more power against these challenges.

Let us look at a few examples that lend themselves to automation.

  1. RPA / bots can access multiple data sources (ERP systems, databases, document management systems, etc.). This helps automate control testing based on criteria or selections made by users.
  2. RPA / bots can schedule automated test runs at specified intervals for Continuous Control Monitoring (CCM) or on an ad-hoc basis, gather the necessary evidence and classify each result as "pass" or "fail".
  3. Many manual test plans for controls and compliance are rule-based steps with documentation, ideally suited to RPA. This reduces dependence on human testers going around to complete the test steps and then consolidating the answers and evidence. For example, monthly legal compliance checklists (indirect taxes, GST and many more) can be automated to consolidate information and present it in a dashboard report.
  4. Instances where responses are delayed or incomplete can be highlighted for action. Bots can flag exceptions, automatically raise issues for remediation and trigger workflows to the persons concerned.
  5. Control design surveys, entity-level certifications and C-level questionnaires can be handled automatically by bots. Reminders for responses can be sent automatically and the results consolidated into a report.
  6. Bots can take corrective action. Say an automated control test has found that the "post automatically" flag on the vendor reconciliation (control) account was unticked several times so that manual journal entries could be posted to it. Bots can then run the same test on similar control accounts (customer, inventory, etc.) and notify the control owners for investigation and corrective action.
  7. Bots can take preventive action. Say a user misuses his access rights to make multiple changes to an open transaction, post multiple inventory write-offs after the period close, or download sensitive reports. Bots can immediately block the user's access, simultaneously notify his or her manager and, based on the manager's response, unblock the access rights.
  8. Bots can review and validate master data structures in GRC applications: highlight controls with no control owner assigned for testing, or check the risk and control matrix for risks with no control defined against them.
  9. Bots can escalate failures of critical controls to line managers, consolidate reports and immediately alert senior management when a significant volume of control failures has been identified for a given organization unit or department.
  10. Bots can automate mundane tasks like password resets after the necessary validations, triggering Segregation of Duties violation reports with transaction details in near real time, and sending reminders for firefighter reviews pending beyond a specified number of days.
  11. Bots can use AI and ML to look at dependencies and patterns in the transactions tested. For example:
    1. A duplicate-vendor check was disabled by a user and this was detected as an internal control failure. The bot can immediately check whether duplicate invoices were recorded the same day or period by another user, pointing to possible collusion between the two and a fraudulent scenario.
    2. Pattern analysis of multiple credit notes issued to customers in the first week of the month following the sales (to cover up fake customer invoices booked to boost revenue).
    3. Real-time control checks inside business applications during travel claim settlement and approval, to prevent suspicious or inadvertent claims: check the user's claim history, compute standard deviations and exceptions, and flag them to managers for intervention before the claim is settled.
    4. Scanning the text and images of documents attached in support of transactions such as purchase orders, journal vouchers, travel and other reimbursement claims to verify their correctness, relevance and accuracy, and highlighting mismatches for line managers to probe further.
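The first of the AI/ML examples above needs no machine learning to get started: a join between the control-change audit log and the invoice postings of the same day already surfaces the scenario. The following Python, an added example that is not part of the article or of any GRC product, does that join over constructed audit-log and invoice records. The field names, the control identifier DUPLICATE_INVOICE_CHECK, the duplicate key (vendor, reference, amount) and the sample users are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ControlChange:
    """One row of the control-change audit log (assumed layout)."""
    when: date
    user: str
    control: str      # identifier of the configuration control, e.g. "DUPLICATE_INVOICE_CHECK"
    new_value: str    # "ON" or "OFF"


@dataclass(frozen=True)
class Invoice:
    """One posted vendor invoice (assumed layout)."""
    doc: str          # accounting document number
    posted_on: date
    posted_by: str
    vendor: str
    reference: str    # the vendor's own invoice number
    amount: float


# Constructed audit log: u.patel switches the duplicate check off and back on during 2 May.
CHANGES = [
    ControlChange(date(2024, 5, 2), "u.patel", "DUPLICATE_INVOICE_CHECK", "OFF"),
    ControlChange(date(2024, 5, 2), "u.patel", "DUPLICATE_INVOICE_CHECK", "ON"),
    ControlChange(date(2024, 5, 9), "admin", "PAYMENT_BLOCK_NEW_VENDOR", "OFF"),
]

# Constructed invoices. 5100002 duplicates 5100001 and was posted by r.singh while the
# check was off; 5100005/5100006 are a duplicate pair posted by the disabler herself.
INVOICES = [
    Invoice("5100001", date(2024, 5, 1), "a.kumar", "V-ACME", "INV-771", 18_400.0),
    Invoice("5100002", date(2024, 5, 2), "r.singh", "V-ACME", "INV-771", 18_400.0),
    Invoice("5100003", date(2024, 5, 2), "r.singh", "V-BETA", "INV-015", 2_300.0),
    Invoice("5100004", date(2024, 5, 3), "a.kumar", "V-BETA", "INV-016", 2_300.0),
    Invoice("5100005", date(2024, 5, 2), "u.patel", "V-GAMMA", "G-9", 999.0),
    Invoice("5100006", date(2024, 5, 2), "u.patel", "V-GAMMA", "G-9", 999.0),
]


def disabled_on(changes, control):
    """(day, user) for every time `control` was switched OFF: a control failure in itself."""
    return [(c.when, c.user) for c in changes if c.control == control and c.new_value == "OFF"]


def duplicate_invoices(invoices):
    """Groups of invoices sharing vendor, reference and amount: what the disabled check would have stopped."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv.vendor, inv.reference, inv.amount)].append(inv)
    return [grp for grp in groups.values() if len(grp) > 1]


def collusion_candidates(changes, invoices, control="DUPLICATE_INVOICE_CHECK"):
    """Join the two: duplicate groups in which a document was posted on a day the check
    was off, by someone other than the user who switched it off. Duplicates posted by
    the disabler alone are still duplicates, but not evidence of two-party collusion."""
    findings = []
    dup_groups = duplicate_invoices(invoices)
    for day, disabler in disabled_on(changes, control):
        for grp in dup_groups:
            others = sorted({i.posted_by for i in grp if i.posted_on == day and i.posted_by != disabler})
            if others:
                findings.append({
                    "day": day,
                    "disabled_by": disabler,
                    "posted_by": others,
                    "docs": sorted(i.doc for i in grp),
                })
    return findings


if __name__ == "__main__":
    for f in collusion_candidates(CHANGES, INVOICES):
        print(f"{f['day']}: {f['disabled_by']} disabled the check; {f['posted_by']} posted duplicates {f['docs']}")
```

The output is a candidate list, not a finding: the bot's job ends at raising the issue with both users and both documents attached, and the investigation decides whether it was collusion or a coincidence of bad timing.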

“Business bots will be the new intangible assets owned and reported by businesses in future. Harvesting and integrating the value derived from these intelligent assets will become crucial for business success.” Chatbots Magazine

The examples given above are only a few samples. The continued evolution of AI is enhancing the potential and functionality of RPA and bots, making the possibilities virtually limitless.

Digital Transformation re-defines CCM

In complex system landscapes (especially those that have leading ERP solutions that are capable of handling huge data) defining an approach for Continuous Control Monitoring can be overwhelming. The nuances of the very many configuration, master data and transaction controls in the system, when coupled with authorization mechanisms can influence the effectiveness of the controls.

Every auditor (or audit firm) faces the daunting task of defining appropriate audit procedure for various types of audits.

Testing in a traditional audit generally consists of one or more of the following:

  • Appropriate inquiry about the controls in existence,
  • Activities and operations tested by observing a process or sub-process, such as reviewing transactions and supporting documents,
  • Ensuring manual controls are performed, by examining and recording evidence,
  • When all of the above do not provide sufficient assurance, manually re-performing a control and comparing the outcome against the system-generated result, and
  • Using a Computer Assisted Audit Tool (CAAT) (e.g. ACL, IDEA, etc.) to look at a larger sample out of the data available.

Internal Audit, as the third line of defence, has to rely on substantive evidence provided by Continuous Control Monitoring (CCM) that can be corroborated by other audit test procedures.

With an appropriate high-performing analytical platform,

  • 100% coverage of the transactions chosen for control testing can be achieved, rather than just a sample,
  • statistics (mean, variance, standard deviation, etc.) can be computed over a very large population: millions of transactions if you run it over a quarter or a year, and
  • control testing and analysis can apply artificial intelligence, through machine learning and pattern analysis across huge data volumes.

Leading companies have started using Continuous Control Monitoring because they reap significant benefits:

  • Proactive detection and timely corrective measures before control deficiencies lead to financial misstatements and losses.
  • Automated monitoring and testing cover more controls than the earlier manual tests, giving better coverage and stronger assurance to top management for certification.
  • Automated control testing makes it easier to schedule and evaluate tests and deal with issues.
  • Lower cost, time and effort compared with manual testing.
  • Transparency for internal and external audits and for regulatory requirements.

Leveraging Automation in Continuous Control Monitoring

  • Automated testing used for CCM brings 360-degree coverage of key risks. It is not just about "controls monitoring"; it is about "risk identification" too.
  • Access and authorization risks (the foundational internal control): monitoring segregation of duties and critical or sensitive access to data.
  • Configuration risks arising from inadvertent or wilful changes to system configuration, which can have serious repercussions on the efficiency and effectiveness of the controls.
  • Master (static) data changes that drive erroneous or suspicious transactions and result in waste, abuse or fraud.
  • Transactions recorded in the enterprise systems, which have to be screened for exceptions and deviations.
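As an added example (not from the article), the following Python implements the access and authorization item above as a segregation-of-duties check over constructed authorization and activity data. It separates the two questions a control owner asks: which users could violate a rule (their roles together grant both halves of a conflicting pair), and which users actually did (the same user performed both conflicting actions on the same vendor). The SoD ruleset, the role and capability names, and the sample users and log are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed SoD ruleset: each rule names two capabilities one person should not hold together.
SOD_RULES = {
    "SOD-01": ("CREATE_VENDOR", "POST_VENDOR_INVOICE"),
    "SOD-02": ("POST_VENDOR_INVOICE", "RELEASE_PAYMENT"),
    "SOD-03": ("CREATE_VENDOR", "RELEASE_PAYMENT"),
}

# Constructed authorization data: which capabilities each role grants, and who holds which roles.
ROLE_CAPABILITIES = {
    "AP_CLERK": {"POST_VENDOR_INVOICE"},
    "VENDOR_MAINT": {"CREATE_VENDOR"},
    "TREASURY": {"RELEASE_PAYMENT"},
    "FIREFIGHTER": {"CREATE_VENDOR", "POST_VENDOR_INVOICE", "RELEASE_PAYMENT"},  # emergency access
}
USER_ROLES = {
    "a.kumar": {"AP_CLERK"},
    "r.singh": {"AP_CLERK", "VENDOR_MAINT"},  # conflicting roles granted together
    "m.rao": {"TREASURY"},
    "s.iyer": {"FIREFIGHTER"},                # conflicts by design; usage must be reviewed
}


@dataclass(frozen=True)
class Activity:
    """One entry of the change/transaction log (assumed layout)."""
    when: date
    user: str
    action: str     # a capability name from SOD_RULES
    object_id: str  # the vendor the action concerned


# Constructed activity log. r.singh created V-9001 and posted an invoice against it the next day.
ACTIVITIES = [
    Activity(date(2024, 6, 3), "r.singh", "CREATE_VENDOR", "V-9001"),
    Activity(date(2024, 6, 4), "r.singh", "POST_VENDOR_INVOICE", "V-9001"),
    Activity(date(2024, 6, 4), "a.kumar", "POST_VENDOR_INVOICE", "V-9001"),
    Activity(date(2024, 6, 5), "m.rao", "RELEASE_PAYMENT", "V-9001"),
    Activity(date(2024, 6, 6), "s.iyer", "CREATE_VENDOR", "V-9002"),
]


def user_capabilities(user):
    """Effective capabilities: the union of everything the user's roles grant."""
    caps = set()
    for role in USER_ROLES.get(user, ()):
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def role_level_conflicts():
    """Potential violations: users who hold both halves of an SoD rule through their roles."""
    conflicts = []
    for user in sorted(USER_ROLES):
        caps = user_capabilities(user)
        for rule, (a, b) in SOD_RULES.items():
            if a in caps and b in caps:
                conflicts.append((user, rule))
    return conflicts


def exercised_conflicts(activities):
    """Actual violations: the same user performed both conflicting actions on the same object.
    This is the list that goes to the control owner with transaction details."""
    actions_by_user_obj = {}
    for act in activities:
        actions_by_user_obj.setdefault((act.user, act.object_id), set()).add(act.action)
    violations = []
    for (user, obj), actions in sorted(actions_by_user_obj.items()):
        for rule, (a, b) in SOD_RULES.items():
            if a in actions and b in actions:
                violations.append((user, rule, obj))
    return violations


if __name__ == "__main__":
    print("potential:", role_level_conflicts())
    print("exercised:", exercised_conflicts(ACTIVITIES))
```

On this data the firefighter account shows up in the potential list for all three rules but in the exercised list for none, which is exactly why firefighter usage is reviewed from its activity log rather than from the role assignment alone; r.singh appears in both lists and is the case to route for remediation.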

KEY TAKEAWAYS FOR ADOPTING CONTINUOUS CONTROL MONITORING

  • CCM is not just a "nice to have" concept. With almost all regulations, such as the Indian Companies Act, stock exchange listing agreements and several international requirements, calling for certification of the "efficiency and effectiveness" of internal controls, it has become a "must-have".
  • Automation of CCM with the right technology partner helps you to
    • reduce the time to test,
    • reduce the cost of testing,
    • reduce the effort of setting up schedules,
    • find exceptions faster and route them to users for resolution,
    • take preventive steps in critical areas of the business to strengthen internal controls in a timely manner, and
    • bring in transparency that can be shared with internal and external auditors, saving audit time and effort, and give reliable reporting to the Board and Audit Committee.

Blockchain – Basics

Blockchain is a much-used word and a hot topic of the last few years. (On the lighter side: it is not another piece of jewellery you may have missed out on.)

BLOCKCHAIN is simply a technology platform that contains BLOCKS of data / information chained together, with the chain growing as more BLOCKS are added (and a whole lot of technical machinery, mainly cryptographic hashing, behind it to ensure integrity).

I thought it best to pen down a few fundamentals of what exactly is Blockchain technology, in the first place – before going into what are the benefits and risks associated with it as of today.

  1. The terms blockchain and bitcoin are not synonymous or interchangeable. Bitcoin is a cryptocurrency token, one of many digital currencies available and emerging in the world.
  2. You may wonder what a cryptocurrency is. It is a medium of exchange like traditional currency, designed to exchange value as digital information through a process made possible by cryptography. A cryptocurrency is a bearer instrument: whoever controls the private key of an address owns the funds at that address, and the ledger itself keeps no record of the owner's identity.
  3. Blockchain, on the other hand, is the ledger (or technology) that keeps track of who owns the digital tokens at any given point in time. Therefore, you need blockchain technology in order to transact in Bitcoin.
  4. Blockchain can be defined as an interlinked chain of "BLOCKS". These BLOCKS contain data or information on transactions between persons, businesses, Governments or other users, and each block carries a timestamp and the cryptographic hash of the block before it, so records cannot be backdated, erased or tampered with without breaking the chain. This provides integrity and tamper-evident transaction recording; it does not make the transactions themselves risk-free.
  5. This is possible because the information recorded on a blockchain is protected by cryptographic hashes and digital signatures (not, as is often assumed, by encryption: on a public blockchain the recorded data is visible to everyone), and a distributed digital ledger keeps every occurrence recorded and practically immutable, which makes it far harder to tamper with than traditional methods of record keeping.
  6. Blockchain enables peer-to-peer transactions between parties who may not even know each other. Unlike traditional methods, where a central authority or trusted middleman is needed to complete transactions, a blockchain validates transactions through a consensus protocol run automatically by the participating nodes.
  7. Typically, when you want to transfer money from a bank in one country to a person in another, the transfer passes through a chain of steps: your bank's correspondent bank remits it to the receiver's correspondent bank, and only then does it reach the receiver's own bank account. For the blockchain scenario, observe the diagram below (released for public understanding by ICICI Bank in India).
  8. Blockchain can be used for the secure transfer of funds, property, contracts, etc. without the intervention of a third-party intermediary like a bank or Government. The data recorded inside a blockchain is, for practical purposes, immutable and irreversible.
  9. Blockchain is decentralized, so there is no need for any central certifying authority, eliminating the single point of failure of a centralized setup.
  10. The data stored in a BLOCK depends upon the type of blockchain: the Bitcoin blockchain, a healthcare blockchain or a Government record-management blockchain. It can be a public blockchain, which is transparent and anyone can use, or a private or consortium blockchain restricted to authorized users or a community of users.
  11. A blockchain cannot run without a network connecting its participating computers; it is a software protocol built from a database, software applications and the connected nodes.
  12. Blockchain technology first evolved from the distributed ledger concept used for payments in cryptocurrencies like Bitcoin. Then came smart contracts: executable programs that check and verify conditions. Now there are Dapps (decentralized applications) running on peer-to-peer networks, which are just like any other app, with front-end and back-end code.
  13. There is a myth that blockchain solves every problem and that a smart contract is always legally binding. The reality is that this technology is emerging so fast that there are still grey areas to be addressed.

While India's position towards blockchain technology is positive, it is cautious in its approach to digital currencies like Bitcoin. However, a lot of pioneering work in various industries and sectors is already in progress, and both public and private sectors in India are actively contemplating the use of blockchain for use cases like land registration and property management, e-KYC for SEBI (in the wake of large scams), supply chain finance, international trade finance and foreign currency remittances by banks, and e-Governance by linking databases built around the citizen identity project Aadhaar.
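To make items 4, 5 and 9 of the fundamentals concrete, here is a minimal hash-chained ledger in Python. It is an added example, not part of the article and not the code of any real blockchain: there is no network, no consensus and no signatures. Each block's SHA-256 digest covers its own fields and the digest of the block before it, so altering or back-dating an earlier block breaks every later link. The script also shows the limit of a lone chain: the last block has no successor committing to it and can be rewritten undetected, which is why real systems replicate the chain across many nodes and sign every transaction. The block layout, the fixed timestamps and the three entries are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int   # seconds since the epoch; fixed values here so the run is reproducible
    data: str        # the transaction(s) recorded in this block
    prev_hash: str   # digest of the previous block: this is the "chain"

    def digest(self) -> str:
        """SHA-256 over a canonical serialisation of every field, prev_hash included."""
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()


def append_block(chain, timestamp, data):
    """Return a new chain with one more block committed to the current tip."""
    prev = chain[-1].digest() if chain else GENESIS_PREV
    return chain + [Block(len(chain), timestamp, data, prev)]


def verify_chain(chain):
    """Re-derive every link. Returns (True, None) or (False, index_of_first_bad_block).
    A block is bad if its index, its prev_hash or its timestamp order does not fit."""
    expected_prev, last_ts = GENESIS_PREV, -1
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != expected_prev or blk.timestamp < last_ts:
            return False, i
        expected_prev, last_ts = blk.digest(), blk.timestamp
    return True, None


def tamper(chain, index, **changes):
    """An attacker's edit: copy the chain with the fields of block `index` altered."""
    fields = asdict(chain[index])
    fields.update(changes)
    return chain[:index] + [Block(**fields)] + chain[index + 1:]


def build_demo_chain():
    """Three constructed entries, ten minutes apart."""
    chain = []
    chain = append_block(chain, 1_700_000_000, "Alice pays Bob 5")
    chain = append_block(chain, 1_700_000_600, "Bob pays Carol 2")
    chain = append_block(chain, 1_700_001_200, "Carol pays Dave 1")
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify_chain(chain))
    print("edited block 1:", verify_chain(tamper(chain, 1, data="Bob pays Carol 200")))
    print("back-dated block 1:", verify_chain(tamper(chain, 1, timestamp=1_699_999_000)))
    # The tip has no successor committing to it, so a lone chain does not protect it:
    print("edited last block:", verify_chain(tamper(chain, 2, data="Carol pays Dave 100")))
```

Editing the middle block is caught at block 2, whose stored prev_hash no longer matches the recomputed digest of block 1; back-dating block 1 is caught at block 1 itself by the timestamp check. The last case passes verification, and that gap is what distribution and consensus (item 9) close: a tip rewritten on one node disagrees with the copies held by every other node.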