
August 3, 2022 | Amanda Khatri


Continuous monitoring vs. outcome testing: two sides of the same coin


Compliance expert and former Head of Compliance, Sylvia Yarbough, shares secrets and insights from the heart of the compliance team.

For the last few years as data has become more readily available, risk management teams have begun to find ways to use data in monitoring and testing. As with many things in compliance, this has been an uphill battle. Organizations with strong analytical and data management teams are making significant strides, but others are falling behind.

I had the opportunity to make progress in the compliance monitoring arena by building in-house and partnering with a third-party vendor. After a few years of slow progress, the monitoring program moved from monthly reporting to continuous monitoring of some products. I won’t try to sugar-coat it; the struggles were great. Internally, we didn’t have sufficient analytical support and getting funding for expanding third-party support was always a challenge – especially in a tight expense-management environment.

Nevertheless, my monitoring team made progress and demonstrated to the business, 1st line risk, and audit the value this program could bring to the entire organization. While my compliance team raced to make progress to counter-balance cuts in resources and increased regulatory scrutiny, some 1st line risk managers were discovering outcome testing. This focused on automating the control testing to support the Risk Control Self-Assessment (RCSA) program.

The article’s subtitle, “…two sides of the same coin” alludes to how continuous monitoring and outcome testing are valid attempts to automate processes that ultimately achieve the same outcome: understanding and managing risk.

For individuals new to these concepts, I want to take a few moments to describe each. So, for the experts among you, please bear with me and read on.

Continuous monitoring

In the compliance world, our focus is on regulatory requirements. Therefore, in developing a monitoring program, we focus on aligning these requirements to the business process which would prove if the requirements were being met. Often, we leverage data elements to prove the process.

This could be as simple as comparing two dates to see if adverse action notices are sent on time. Or it could get more complex, with document scanning and text analytics to ensure the accuracy of a mortgage settlement statement. In all cases, the focus is on running the transaction through the analysis, identifying the exceptions, and – based on the risk associated with the requirement – setting acceptance thresholds and tolerance levels. This puts compliance, 1st line risk, and the business partners in the best possible place to understand where their highest risks are and focus on improving processes upstream to minimize, if not eliminate, the exceptions.

The term ‘continuous’ can be defined by the frequency of monitoring that must occur. For some activities, monitoring may need to be done daily. For others, it could be monthly, e.g., FCRA reporting. The value of this type of monitoring will benefit the audit team, who can inspect the same data and/or look at the monitoring process to form opinions on the compliance program. 

Outcome testing

Outcome testing’s final results are similar, and it also uses data to test the steps in the business process. However, the analytics are built based on the control’s definition. The premise assumes that the controls are accurately defined, and therefore looks for ways to automate testing them in place of manual effort. Controls should already be aligned to regulatory requirements that are risk rated. The outcome is that exceptions can be identified, thresholds set, and 1st line risk, compliance, and business partners can focus their attention on the areas of highest risk that seem problematic. More effort can then be put into fixing the business process that caused the exception.

Two sides of the same coin

As you can see, the only difference between the two approaches is the angle that drives your analytics development. In both methods, when documenting the business process, it is foundational that the department focuses on products and processes horizontally rather than vertically. As a compliance professional, I am a firm believer in testing compliance with regulations. You create the analytics based on the regulatory requirements aligned to the process, eliminating the steps of creating controls, thereby achieving more precisely defined continuous monitoring. Nonetheless, some would disagree and believe leveraging the controls is a better process.

Perhaps I’m a cynic to that approach as I’ve seen numerous poorly written controls and believe we should spend time rewriting them rather than focusing on getting to the end. For those who believe in the quality of their controls, building your analytics to achieve outcome testing is doable. I’ve discovered that organizations that are firmly wedded to their control testing process are more focused on automating the controls testing. These are often the same organizations that are constantly trying to enhance, improve and revamp these same controls – remaining in a constant state of rebuilding.

My statement still holds true for testing operational risk. To endear myself to my 1st line risk and business partners, I extended my analytics development to include operational items that have no regulatory implications. It is easy enough if you are doing a business process walk-through to identify operational items that align with policies and procedures. Once my team can access the appropriate data, they can simply retrieve data elements to support testing operational points if that data is available. Please note that continuous monitoring does not have to be just for regulatory focus. I am a compliance professional but first and foremost I am a risk professional, so if I can kill two birds with one stone when developing a new program then why not?

In closing, the last thing I would encourage is that an organization should pick one method or another. Either choose continuous monitoring or outcome testing. I am a firm believer in using the continuous monitoring process and eliminating the entire control process as it becomes redundant and an unnecessary burden. Continuous monitoring will still support Risk Control Self-Assessment (RCSA). You are just replacing the control testing with a different C – continuous monitoring becomes the control. The 1st line and their business partners still can land on a residual rating with more accurate testing results. The 2nd line can better assess the overall risk environment, and you’re more likely to land on the same residual risk. This is because you are leveraging a more accurate basis versus the 1st and 2nd lines performing their individual testing routines.

It’s difficult for organizations to tackle both simultaneously, so if you are just getting started on this path, always pick one. Otherwise, through the competitive nature of human beings and the race to get things done, there could be repercussions – something I have seen first-hand. Coming at this work from both sides only results in the misalignment of risk and technology resources. In addition, it can cause business overload. The business lines must support both efforts, including business process walkthroughs, vetting sources of data, and reviewing preliminary outcomes. Plus, there are the man-hours spent comparing results that were created using different processes.

By deciding on one path, everyone in the organization can align their goals, support the program, build, and leverage the same outcomes. If you have a stake in the game, vote for continuous monitoring; it truly is a game changer.

A few things to keep in mind regardless of the method your organization chooses:

(1) focus on the products/processes with the highest risk,

(2) focus on the highest risk regulations,

(3) build wide, not deep to start,

(4) bring the entire organization along in the journey – change is difficult,

(5) and yes, you can get the regulators behind eliminating controls and control testing if you can show them a process that is working much better and fits into the expectations of strong risk culture and the 3 lines of defense model.

 

