By Ray Vazquez on April 04, 2021
As the digital world continues to accelerate, traditional risk management practices are unable to keep up with the velocity of the business processes in order to provide strategic value. The existing structures created in the early 2000’s to measure risks, identify controls, test controls, identify deficiencies, and develop remediation plans cannot keep up with the pace business wants to and needs to move.
As I meet with companies with extraordinary requirements to stay ahead of risks, implement strategic ERM and ride the tiger of information security risks, the measurement of digital exhaust is the topic of the day.
What exactly is measuring digital exhaust? Each of your business processes are producing byproducts. Those byproducts can include data and reports as a defined output. However, there is byproduct that is produced that was not an intended deliverable in an of itself. Capturing and analyzing the byproduct across the value chain of a process can provide an incredible amount of information and insight that can be used to answer the following questions:
- Is this an efficient process?
- Is this a well controlled process?
- Are there signs of potential issues that are only beginning to emerge?
- Is there opportunity to leverage this process more (underutilization)?
- Are there signs of stress?
- Is this process working as intended and within management’s risk appetite?
Capturing exhaust can be a difficult activity. Exhaust tends to not linger much, it may be only available for a brief period of time and may not meet the traditional definitions of “audit evidence” to meet classic re-performance standards. Yet, this exhaust when captured and measured timely may prove to be the richest information available to provide confidence of ongoing performance, provide early warnings on potential issues, and identify opportunities to tweak and adjust activities to quickly capture gains.
Do you want to measure exhaust? It begins by integrating risk capture capabilities into the process, knowing the business better than the business, and being creative of where the best source of exhaust may exist. The more automated a process, the easier this task will be. Capturing exhaust in highly manual processes, would be no different than attempting to capture the exhaust of a horse and buggy.
Candidate processes for digital exhaust capture include:
- Software Development
- Identity and Access Management
- Revenue generating activities
How do you identify candidate processes? It begins with understanding which business processes are or want to move quickly to meet strategic objectives. Those areas that can benefit from velocity will be open to exploring opportunities to implement digital exhaust capture in partnership with risk areas.