Data-Driven Risk and Performance Management

Dan Zitting, vice president for product management and design AT ACL Services, is responsible for product strategy, product management, design, and user experience for ACL's industry-leading software products. Fifteen thousand customers globally, including 89% of Fortune 500 companies, use ACL software. Dan's ten years of experience in the audit and risk assurance industry prior to ACL were spent in the IT Risk Assurance practice at Ernst & Young and as a partner and co-founder at Linford & Company LLP, a provider of governance, risk, compliance, and assurance (GRC) services to a clientele across North America, Europe, India, and East Asia. While building his practice, he developed a web-based audit and compliance management system that was quickly adopted by clients and led to founding cloud software provider Workpapers.com, which was acquired by ACL in late 2011. Dan is dedicated to the advancement of productivity-enhancing technology for the GRC professions and is a four-time winner of the CPA Practice Advisor Magazine's 40 under 40 as well as Readers' Choice awards. Dan is a Certified Public Accountant, Certified GRC Professional, Certified Information System Auditor, and Certified Information Technology Professional. He holds a B.S. from Colorado State University and an M.S. from the University of Notre Dame.

Introduction: The risks you must face-and face down-and how it can be done. Part One: Managing Risk with Data-Driven Tools This part provides an overview of risk management; how data and analytics/intelligence underlie tools for managing risk better than ever, and the basics of a system that will allow you to pinpoint violations of policies, regulations, or criminal law; or to improve corporate performance in numerous ways. Chapter 1: Managing Risk, Governance, and Compliance: What's at Stake How you can achieve "principled performance" by integrating governance, assurance, risk management, compliance, and ethics with management and organizational performance. Chapter 2: Data: The "Secret Sauce" in New Risk Management Tools Most organizations manage risk and compliance-related activities relatively blindly, focusing on those areas perceived to be risks, rather than those that actually are. Additionally, for many years, organizations have been trying to learn more about their business through, and make decisions based on, data intelligence and analytics. The methods described in this book, combined with data intelligence, provide the organization its sharpest tool for identifying risks, uncovering violations, and assessing performance. Chapter 3: Data-Driven Governance, Risk, and Compliance: A Simple, Consistent Framework for Implementation Unusually successful governance programs tend to share the common of attributes of 1) using a simple, understandable methodology and 2) meaningfully integrating data everywhere possible. This chapter will describe a single, integrated framework for accomplishing this that can be used for performance, risk, compliance, or ethics-related problems. Chapter 4: Capabilities and Technologies: Architecting Your Infrastructure for Data-Driven Governance, Risk, and Compliance Armed with an understanding of what GRC is, what the ultimate goals are, and where it is possible to start small and grow over time, this chapter will lay out key capabilities that are required, both when you get started and as the program matures. It provides the basis for the recipes that follow: objective > risks > controls > tests > exceptions, which is the basic process taking large questions like "are hackers getting into our credit card processing systems" and answering it with detailed analysis using data in your organization's RDMSs. Part Two: Recipes for Managing Risk This section is dedicated to leaving the reader with "real" solutions they can immediately begin implementing in their environment with a data-driven GRC solution to each of a series key business pains currently common across the globe. Chapter 5: Fraud Recipe 1: Travel & Entertainment Expense Fraud Recipe 2: Payroll Fraud Recipe 3: Fraudulent Billing Schemes Recipe 4: Inventory Larceny Recipe 5: Fraudulent Register Disbursements Recipe 6: Asset/Revenue Overstatement Chapter 6: Regulatory Compliance Recipe 7: FCPA and UK Bribery Act Recipe 8: Health Insurance Portability and Accountability Act Recipe 9: OSHA Compliance Recipe 10: Bank Secrecy Act Recipe 11: Anti-Money Laundering Recipe 12: Conflict Minerals Recipe 13: Foreign Account Tax Compliance Act Recipe 14: Dodd-Frank Act Recipe 15: FDA Compliance Chapter 7: Financial Control Recipe 16: Purchase to Pay Control Recipe 17: Order to Cash Control Recipe 18: Record to Report Control Recipe 19: Inventory Control Recipe 20: Fixed Assets Control Recipe 21: Sarbanes-Oxley Compliance Chapter 8: IT Risk Recipe 22: Sensitive Access and Segregation of Duties Risk Recipe 23: External Network/Application Vulnerability Recipe 24: Unified IT Compliance (PCI, FISMA, GLBA, etc.) Recipe 25: Physical Security Risk Recipe 26: IT Change Management Recipe 27: Systems Availability and SLA Compliance Chapter 9: Quality Management Recipe 28: ISO 9000 Compliance Recipe 29: Supplier Risk Recipe 30: Nonconformance, Deviation, Variance, and Out-of-Specification Chapter 10: Reputational and Brand Risk Recipe 31: Social Media Risk Recipe 32: Employee Training Risk Recipe 33: Corporate Ethics Policy Violation Chapter 11: Performance Management Recipe 34: Customer Satisfaction Recipe 35: Revenue Planning and Sales Forecasting Recipe 36: Top Talent Retention Recipe 37: Emerging Competitive Offerings Recipe 38: Competitor Performance Recipe 39: Budgeting and Cost Management Recipe 40: Licensing Revenue Assurance Recipe 41: Healthcare Revenue Assurance Recipe 42: Utilities Revenue Assurance Possible sidebars: Understanding and Overcoming the Complexity of Data Analytics Managing a data-driven program requires a certain level of technical skill in order to make pertinent organizational data available, acquiring data as appropriately as possible, and analyzing it effectively. Knowing where the challenges most commonly arise, the reader can plan an effective path to developing full, data-driven capability and maximize program value. Building on Success and Expanding Impact After developing our first, real data-driven GRC solution to an organizational risk, it becomes important to be able to rinse and repeat, using the same methodology, tools, people, and reporting but within a completely different area of the organization. This establishes credibility and confidence that the framework and process is cross-functional and scalable. Measuring and Managing Program Maturity Once a capability has been developed to solve key business risk and performance pains with data-driven GRC, it's time to expand the reach of the program. You do that by integrating those pieces into a single program, stretching across functional boundaries, and developing more advanced capability. That will, in turn, drive more transformational value for the practitioner and the organization. This will provide two important models for understanding the maturity curve an organization can expect to traverse and plan where it wants to go.