Continuous Controls Monitoring (CCM) is a technology-driven approach that continuously monitors and validates the effectiveness of the controls an organization has implemented. CCM can be used to monitor financial controls, technological controls, and internal controls, and it adapts across industries: in financial services it takes the form of fraud monitoring and financial transaction monitoring; in manufacturing, quality and process control monitoring; and in technology, for example, cyber security and network security monitoring. CCM is a key aspect of Governance, Risk and Compliance (GRC) and helps a firm improve its overall risk management.

What is the business case for CCM?

We live in a time of rising risks, including financial, reputational and now health risks. Changing regulations, increased scrutiny and compliance costs are major drivers. A firm’s ability to scale its operations and increase efficiency through reduced cycle times is of paramount importance. As the complexities of risk management and compliance increase, businesses must work to operationalize the overall risk management effort. Further, firms have built up multiple duplicative and overlapping controls that must be rationalized. CCM enables all of this.


The Business Case for CCM: 

  • Rising risks
  • Changing regulations
  • Compliance costs
  • Ability to scale
  • Operationalize the overall risk management effort
  • Reduce cycle time
  • Rationalize controls

So, what is Control Monitoring, and why is CCM different? 

In the old way of doing things, control monitoring was exception based. A business would define a set of controls to monitor, such as Change Management, HR Management, Incident Management, and so on. Perhaps these controls were department-based, while another set was developed for the division, and an acquisition brought in yet another set of controls that, while similar, were named differently. The people tasked with monitoring the controls, usually the second line of defense or the business area, would periodically check whether the controls were working or not. Auditors, the third line of defense, would perform an annual audit, a snapshot of a single point in time, to find control gaps and raise issues for the business to resolve. Depending on the business or the particular audit, some of the duplicate controls would be identified and, at some point, raised as an issue.

Implementing CCM

Implementing CCM starts with identifying processes or controls according to the applicable industry control frameworks, such as COSO, COBIT 5, and ITIL, as well as the various regulations defined by oversight bodies. This is where key controls are prioritized for continuous monitoring. Next, the control objectives or goals are defined, and automated tests or metrics are specified and built. Then the process frequency is determined so that each test runs at a point in time close to when the transactions or processes occur. Finally, processes for managing the alarms, communicating, investigating and correcting the control weaknesses are put in place.
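The steps above map directly onto a small monitoring loop: a control is a control objective plus an automated test, the test is run over the records that arrived in the last cycle, and any failures beyond the control's tolerance raise an alarm. The following is an added example written for this page, not code from the original post or from MetricStream. The two change-management controls (CHG-01, CHG-02), the ChangeRecord data model, and the sample change records with their timestamps and names are all constructed for illustration; the page prescribes no particular data format, frequency or tool.

```python
# Added example (not from the original post or MetricStream): a minimal
# continuous-controls-monitoring cycle. Control ids, the ChangeRecord model
# and the sample records are constructed for illustration only.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class ChangeRecord:
    """One production change as a change-management system might export it."""
    change_id: str
    deployed_at: datetime
    approved_at: Optional[datetime]   # None means no approval was recorded
    approver: Optional[str]
    implementer: str


@dataclass
class Control:
    """A control objective plus the automated test that evidences it."""
    control_id: str
    objective: str
    test: Callable[[ChangeRecord], bool]   # True means the record passes
    frequency: timedelta                   # how often the test is run
    tolerance: float = 0.0                 # failing fraction allowed before alarming


@dataclass
class ControlResult:
    control_id: str
    window_start: datetime
    window_end: datetime
    tested: int
    failed: List[str]                      # ids of records that failed the test

    @property
    def failure_rate(self) -> float:
        return 0.0 if self.tested == 0 else len(self.failed) / self.tested


def run_control(control: Control, records: List[ChangeRecord],
                window_end: datetime) -> ControlResult:
    """Apply one control's test to every record deployed during the last cycle."""
    window_start = window_end - control.frequency
    in_window = [r for r in records if window_start < r.deployed_at <= window_end]
    failed = [r.change_id for r in in_window if not control.test(r)]
    return ControlResult(control.control_id, window_start, window_end,
                         len(in_window), failed)


def run_cycle(controls: List[Control], records: List[ChangeRecord],
              now: datetime) -> Dict[str, ControlResult]:
    """One monitoring cycle: test every control and return results keyed by id."""
    return {c.control_id: run_control(c, records, now) for c in controls}


def alarms(controls: List[Control], results: Dict[str, ControlResult]) -> List[str]:
    """Controls whose failure rate exceeded their tolerance in this cycle."""
    tolerance = {c.control_id: c.tolerance for c in controls}
    return [cid for cid, res in results.items()
            if res.failed and res.failure_rate > tolerance[cid]]


# Two constructed controls in the change-management domain.
CONTROLS = [
    Control("CHG-01", "Every production change is approved before it is deployed",
            lambda r: r.approved_at is not None and r.approved_at <= r.deployed_at,
            frequency=timedelta(days=1)),
    Control("CHG-02", "Approver and implementer differ (segregation of duties)",
            lambda r: r.approver is not None and r.approver != r.implementer,
            frequency=timedelta(days=1)),
]

# Constructed sample export; every timestamp and name here is made up.
T = datetime(2024, 3, 4)
CYCLE_END = T + timedelta(days=1)   # daily cycle covering all of 2024-03-04
SAMPLE_RECORDS = [
    ChangeRecord("C-0999", T - timedelta(hours=16), T - timedelta(hours=20), "alice", "bob"),   # previous day, outside window
    ChangeRecord("C-1001", T + timedelta(hours=10), T - timedelta(hours=8), "alice", "bob"),    # passes both controls
    ChangeRecord("C-1002", T + timedelta(hours=11, minutes=30), None, None, "carol"),          # no approval at all
    ChangeRecord("C-1003", T + timedelta(hours=14), T + timedelta(hours=15), "dave", "erin"),  # approved after deployment
    ChangeRecord("C-1004", T + timedelta(hours=16), T + timedelta(hours=9), "frank", "frank"), # self-approved
]

if __name__ == "__main__":
    results = run_cycle(CONTROLS, SAMPLE_RECORDS, now=CYCLE_END)
    for cid, res in results.items():
        print(f"{cid}: tested={res.tested} failed={res.failed} rate={res.failure_rate:.0%}")
    print("alarms:", alarms(CONTROLS, results))
```

Each control's `frequency` doubles as its test window, which is what keeps the test close to the transactions it checks; a control with a non-zero `tolerance` only alarms once its failure rate exceeds that threshold, so the same loop serves both zero-defect controls and metric-style ones. The alarm list is the hand-off point to the investigation and correction processes the last step describes.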
CCM provides an automated, optimized and modern framework for financial and regulatory control monitoring. It also provides benefits to all three lines of defense and creates a more harmonized and efficient controls environment.
About the author:

Alan Paris is a Customer Success executive at MetricStream and manages some of our largest audit clients. Alan has more than 30 years of financial services executive experience.