Business Intelligence for IT Risk Monitoring



www.marcumllp.com

In a world of big data, security breaches and the fast-evolving Internet of Things (IoT), organizations and the Information Technology (IT) functions that support them face a growing set of risks and challenges. Availability, efficiency and security are only a few of the concerns that permeate the current environment while organizations work toward their governance goals. Accurate and timely information is key to making effective business decisions.

This article presents the main challenges and risks that organizations currently face and proposes a general process to monitor risks through Business Intelligence (BI). It covers examples, concepts and specific BI practices that will help business operations leadership (IT, Finance and Operations) drive more proactive strategic decision-making.

BUSINESS OBJECTIVES AND CHALLENGES

Regardless of their industry or type, organizations exist to create value. COBIT 5, the well-known framework for IT governance and management, translates that value into “realizing benefits at an optimal resource cost, while optimizing risk.” [i]

In this value equation, one of the main challenges is risk optimization. It requires a thorough understanding not only of which risks need to be addressed, but also why. A holistic approach and quality information are key to obtaining the best results.

Challenges that contribute to the growing risk environment include regulatory requirements, cybercrime, multiple sources of information and high volumes of data. Examples like the Internet of Things (IoT), for which the prediction is 30 billion devices by 2020, or the 7,900 exabytes of data (big data) that The Economist [ii] forecast for last year (2015), are a clear indication of the current and future scenarios. Risks that surround these and other technologies may include:

• Lack of data integrity (including the accuracy, reliability and completeness of financial or operational information).

• Security vulnerabilities not identified (usually those related to access management or data communication).

• Resources not available or not working properly (communication devices, electronic gadgets, sensors and others).

By Jose Antigua, CISA, ACDA, COBIT and Mark DeMeo

June 2016



• Multiple platforms that generate a complex environment for data analysis and decision-making.

• Information not available on time (reporting deficiencies).

Monitoring, with accurate and timely information, allows organizations to bring each risk to an acceptable level, promoting its optimization. When it comes to the details of risk monitoring (analyzing patterns, deviations or anomalies) in large sets of data, Business Intelligence (BI) is one of the most effective strategies.

THE RISK MONITORING PROCESS

Here is a recommended process for a risk monitoring project with BI:

• Identify risks per business process, IT service or area.

• Develop Key Process Indicators (KPI) and Key Risk Indicators (KRI) that will flag deviations, patterns or anomalies.

• Identify the data sources that will feed the reports, which is where the technical aspect of the BI strategy starts.

• Analyze data, translating it into information.

• Distribute reports/results for corrective actions.

Let us navigate through the details of the BI strategy, including the concepts and practices that make this happen.

THE BUSINESS INTELLIGENCE (BI) STRATEGY

A BI/DW (business intelligence / data warehouse) platform consists of several parts that are critical to providing quality information in a timely manner to business executives and decision-making systems.

The first component is usually referred to as ETL, which stands for Extraction, Transformation, Loading. In a normal business, you will have multiple source systems where internal and external users and customers record transactions such as orders, payments, interactions, account creation, etc. The ETL processes are designed to extract the information from the source systems, transform the raw data from those systems into business views, and then load the data into a data warehouse to provide a consistent and reliable source of information that can be shared across the business.

The data warehouse consists of three primary types of data views. An operational store usually refers to data that matches how the transactional system (such as your financials) recorded the transactions, and is usually a copy of the production data. This is the simplest component to implement; it offloads the workload of people running reports against a production system and impacting its performance.

The data warehouse proper consists of an integrated business model where an item such as a customer is created with all aspects of how a customer is defined within each core source system, to give a complete view of the customer. Usually the major issues dealt with in the data warehouse are data integrity, data quality, changing dimensions and history.

A subject inventory is usually a published set of specific data warehouse entities that allows tighter control and focus, from a security, performance and analytics perspective, on a specific subset of the data warehouse. In larger shops, the warehouse acts as a data factory and pushes these sets to other hardware platforms on a schedule, as required, to segregate performance and security concerns.

The presentation layer is the component that allows either desktop or server-based assets to define, create, publish and analyze against the data sets within, or produced by, the data warehouse. Different tool sets offer components and features for static reporting, real-time reporting, analytics, interactive reporting, etc. Most companies will have a series of tools that best fit the needs of individual departments, user capability and job function. For instance, to build dynamic reports for a remote sales force, we would probably use a Microsoft Power BI application to publish reports for consumption, but for an internal risk management analyst or statistician we would probably implement a SAS or SPSS solution. Both would share and have access to the same data sources; only the tools, and the restrictions on what users can build and publish, would differ.

The business model is one of the most critical design aspects, since it is the definition of how the company views turning data into information. It separates the model from the physical storage used by the transactional systems, allowing the company to model itself in an intuitive way and to track the KPIs and measurements that are important to the business owners.

The data quality function is a process that may be technology-enabled, depending on how the data warehouse processes deal with issues. A simple case is how a company might handle a combo pack of a toothbrush and toothpaste sold as a single product. How is the price allocated? How is cost allocated? How many units were sold? These types of issues are addressed in the business model, and the resulting rule set is then implemented in the data quality and transformation processes, which deal with issues by notifying administrators and documenting what was done to correct each one.

TYPES OF BUSINESS INTELLIGENCE

Reporting

In this setup, the goal is to publish and make information available to the greatest number of end users at the lowest possible cost. Critical components are usually the data warehouse and business model, which provide an easy-to-use reference and agreement among business users as to what they are seeing and what it means. You will usually hear terms like business dictionary, which maps business concepts over the top of the data model to make complex queries intuitive. Usually there is a portal or other site that gives access to the reports and lets users define what they want to look at and over what time period. Reports are usually pre-structured, with the complexity removed for the end user to allow consistent data views and access. Common tools in this range are Power BI, Oracle OBIEE, Cognos and MicroStrategy.

Analytics

This type of reporting is similar in nature, but instead of building standard reports, data cubes are built, containing a set of dimensions that describe a specific measurable fact. For instance, an entry in a cube may be tagged with the dimensions customer, date, order number, product number, sales rep, store and location, and the facts quantity, cost and price. This allows you to perform analysis by slicing and dicing the cube to look at products sold by a sales rep and the profit margin, and to compare that to what other customers buying the same product are paying. This analysis group is usually more limited than the general population and gets a more powerful way of analyzing data. Most major products now include the feature as an add-in to their solutions.
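As an added example, not code from the article or from Marcum or AAJ, the following Python script builds a miniature version of the warehouse described in the BI strategy section in SQLite: it extracts constructed CRM snapshots and order rows (invented data, not real customers), loads a type-2 customer dimension that keeps history when a customer's segment changes, publishes a restricted view that plays the role of the subject inventory (no customer identifiers), and then runs the slice-and-dice query from the Analytics paragraph above (margin by sales rep for one product). Table, column and function names are the example's own assumptions.

```python
import sqlite3

# Constructed source extracts (not data from the article). A CRM exports one
# snapshot per customer change; the order system exports one row per order.
CRM_SNAPSHOTS = [  # (customer_id, name, segment, valid_from)
    (101, "Acme Corp", "SMB", "2016-01-01"),
    (101, "Acme Corp", "Enterprise", "2016-04-01"),  # segment changed in April
    (102, "Globex", "SMB", "2016-01-01"),
]
ORDERS = [  # (order_no, order_date, customer_id, product, rep, store, qty, unit_cost, unit_price)
    ("O-1", "2016-02-10", 101, "P-9", "alice", "NYC", 10, 4.00, 6.00),
    ("O-2", "2016-05-03", 101, "P-9", "alice", "NYC", 5, 4.00, 7.00),
    ("O-3", "2016-05-04", 102, "P-9", "bob", "BOS", 8, 4.00, 5.00),
]

SCHEMA = """
CREATE TABLE dim_customer (          -- type-2 dimension: one row per version
    customer_key INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL,
    name         TEXT NOT NULL,
    segment      TEXT NOT NULL,
    valid_from   TEXT NOT NULL,
    valid_to     TEXT                -- NULL marks the current version
);
CREATE TABLE fact_sales (
    order_no     TEXT PRIMARY KEY,
    order_date   TEXT NOT NULL,
    customer_key INTEGER NOT NULL REFERENCES dim_customer(customer_key),
    product      TEXT NOT NULL,
    rep          TEXT NOT NULL,
    store        TEXT NOT NULL,
    qty          INTEGER NOT NULL,
    unit_cost    REAL NOT NULL,
    unit_price   REAL NOT NULL
);
-- Subject inventory: a published subset with no customer identifiers.
-- Analysts are granted this view, not the base tables.
CREATE VIEW subject_sales_margin AS
SELECT f.order_no, f.order_date, f.rep, f.store, f.product, c.segment, f.qty,
       f.qty * f.unit_price AS revenue,
       f.qty * (f.unit_price - f.unit_cost) AS margin
FROM fact_sales f JOIN dim_customer c ON c.customer_key = f.customer_key;
"""

def load_customer_dimension(conn, snapshots):
    """Transform + load: each customer change becomes a new row whose validity
    window ends where the next snapshot for the same customer begins."""
    rows = sorted(snapshots, key=lambda r: (r[0], r[3]))
    for i, (cid, name, segment, valid_from) in enumerate(rows):
        nxt = rows[i + 1] if i + 1 < len(rows) else None
        valid_to = nxt[3] if nxt is not None and nxt[0] == cid else None
        conn.execute(
            "INSERT INTO dim_customer (customer_id, name, segment, valid_from, valid_to) "
            "VALUES (?, ?, ?, ?, ?)", (cid, name, segment, valid_from, valid_to))

def customer_key_at(conn, customer_id, on_date):
    """Resolve the dimension version that was current on the transaction date.
    An unresolvable key is a data-quality failure and is raised, not dropped."""
    row = conn.execute(
        "SELECT customer_key FROM dim_customer WHERE customer_id = ? "
        "AND valid_from <= ? AND (valid_to IS NULL OR ? < valid_to)",
        (customer_id, on_date, on_date)).fetchone()
    if row is None:
        raise ValueError(f"no version of customer {customer_id} valid on {on_date}")
    return row[0]

def load_sales_facts(conn, orders):
    for order_no, order_date, cid, product, rep, store, qty, cost, price in orders:
        conn.execute(
            "INSERT INTO fact_sales VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
            (order_no, order_date, customer_key_at(conn, cid, order_date),
             product, rep, store, qty, cost, price))

def build_warehouse(snapshots=CRM_SNAPSHOTS, orders=ORDERS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_customer_dimension(conn, snapshots)
    load_sales_facts(conn, orders)
    conn.commit()
    return conn

def segment_at_sale(conn, order_no):
    """Segment a sale is reported under (the version valid on the order date)."""
    return conn.execute("SELECT segment FROM subject_sales_margin WHERE order_no = ?",
                        (order_no,)).fetchone()[0]

def margin_by_rep(conn, product):
    """Slice the cube by sales rep for one product: (rep, units, margin %)."""
    return [(rep, qty, round(100.0 * margin / revenue, 1))
            for rep, qty, revenue, margin in conn.execute(
                "SELECT rep, SUM(qty), SUM(revenue), SUM(margin) FROM subject_sales_margin "
                "WHERE product = ? GROUP BY rep ORDER BY rep", (product,))]

def view_columns(conn, view):
    return [col[1] for col in conn.execute(f"PRAGMA table_info({view})")]

if __name__ == "__main__":
    conn = build_warehouse()
    print("O-2 reported under segment:", segment_at_sale(conn, "O-2"))
    print("margin by rep for P-9:", margin_by_rep(conn, "P-9"))
```

The point of the type-2 dimension is that orders O-1 and O-2 belong to the same customer but report under different segments, because each fact row is joined to the dimension version that was valid on the order date; a warehouse that simply overwrote the segment would restate history. The `customer_key_at` lookup raises rather than silently dropping an order with no valid customer version, which is the data quality function's "notify and document" behaviour in its simplest form. Granting analysts the `subject_sales_margin` view rather than the base tables is the access control lever the subject inventory paragraph alludes to.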

Voice of the Customer

This involves using data sources such as comments, text messages, voice, web data, etc. to build an understanding of what the customers or consumers of your business product are saying. The traditional model was to use survey results, but in the era of the internet and social media it becomes more important to protect your brand identity and to understand what people are saying and what customer sentiment is. Tools such as Autonomy, Attensity and others are used to collect the raw data and, using unstructured data storage, provide insight into what customers are saying.

Real Time Analytics

This type of reporting is geared to understanding in real time what is occurring in your business. For manufacturing, banking and customer-facing businesses that need to make real-time decisions, this technology offers the ability to map source systems directly to high-speed, high-performance databases and then provide dashboards that indicate what is occurring in increments as small as 5 seconds (the more granular the interval, the bigger the performance challenge, so it is a trade-off). SAP HANA, IBM, CA and others all offer solutions designed for this specific type of need. Traditionally, this has been used by IT operations and other operations management groups within companies to identify problems and issues that may be occurring.


USING BI TO MONITOR IT RISK AND COMPLIANCE

Once the platform and other components have been identified, the next goal is to establish the actual measurements, source data and calculations required. For example, a large share of IT risk is associated with project timelines and overruns. Since our ETL setup is extracting information from our change management system, our time management system and our project management system, plus additional data from our financial applications, we can now measure baseline spend rates, burn rates, and projected expenses and capital against actual expenses and capital. Furthermore, since each project should have been created with a measurable set of KPIs for an ROI calculation, that historical trend and those results can be associated with the actual project to ensure that business results are delivered. The power of using the BI/DW concepts is that IT risk can be measured and reported using basic constructs within the information stack already available.

For additional components, especially around IT security and monitoring, the same constructs can be applied. For example, by collecting all the network, security, system and application logs into an unstructured data store, it becomes possible to query them and build a set of dashboards that indicate specific types of alerts and trends. For instance, one client we work with uses this concept to monitor incoming and outgoing TCP/IP packets, looking for changes in destination addresses. Why is this important? Since they monitor multiple remote locations, they look for evidence of intrusion, viruses, malware, etc. by examining changes in network patterns.
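The following Python script is an added example, not the client's implementation or any code from the article, that carries the five steps listed under THE RISK MONITORING PROCESS through on the destination-change scenario just described. It parses constructed flow records (documentation IP ranges, not real traffic), builds a per-site baseline of (destination, port) pairs over an earlier window, computes a KRI for the current window (the share of a site's outbound bytes that went to destinations never seen from that site during the baseline), and produces the rows a dashboard or report would show, with an alert threshold. The log format, site names, windows, threshold and function names are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the article or the client's environment):
# one line per outbound connection summary, using documentation IP ranges.
FLOW_LOG = """\
2016-05-01T09:00:00 site=branch-01 src=10.1.0.5 dst=203.0.113.10 dport=443 bytes=120000
2016-05-01T09:05:00 site=branch-01 src=10.1.0.7 dst=203.0.113.11 dport=443 bytes=80000
2016-05-01T09:10:00 site=branch-02 src=10.2.0.5 dst=203.0.113.10 dport=443 bytes=90000
2016-05-02T09:00:00 site=branch-01 src=10.1.0.5 dst=203.0.113.10 dport=443 bytes=110000
2016-05-02T09:30:00 site=branch-02 src=10.2.0.9 dst=203.0.113.11 dport=443 bytes=70000
2016-05-03T09:00:00 site=branch-01 src=10.1.0.5 dst=203.0.113.10 dport=443 bytes=100000
2016-05-03T09:02:00 site=branch-01 src=10.1.0.5 dst=198.51.100.77 dport=4444 bytes=60000
2016-05-03T09:04:00 site=branch-01 src=10.1.0.9 dst=198.51.100.78 dport=8080 bytes=50000
2016-05-03T09:10:00 site=branch-02 src=10.2.0.5 dst=203.0.113.10 dport=443 bytes=95000
2016-05-03T09:12:00 site=branch-02 src=10.2.0.5 dst=203.0.113.12 dport=443 bytes=5000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Assumed windows: two days of baseline, one day under review.
BASELINE = (datetime(2016, 5, 1), datetime(2016, 5, 3))
WINDOW = (datetime(2016, 5, 3), datetime(2016, 5, 4))

def extract(log_text):
    """Data source step: parse each record. A malformed line is an error, not
    something to skip silently, because a gap in the feed is itself a risk."""
    records = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {n}: unparseable flow record")
        r = m.groupdict()
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["dport"] = int(r["dport"])
        r["bytes"] = int(r["bytes"])
        records.append(r)
    return records

def bytes_by_destination(records, start, end):
    """Transform: per site, bytes sent to each (dst, dport) with start <= ts < end."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        if start <= r["ts"] < end:
            out[r["site"]][(r["dst"], r["dport"])] += r["bytes"]
    return out

def new_destination_kri(records, baseline, window):
    """Analyze step: for each site, the share of bytes in `window` that went to
    destinations never contacted from that site during `baseline`."""
    base = bytes_by_destination(records, *baseline)
    cur = bytes_by_destination(records, *window)
    kri = {}
    for site, dests in cur.items():
        known = set(base.get(site, {}))
        total = sum(dests.values())
        new = {d: b for d, b in dests.items() if d not in known}
        kri[site] = {
            "new_dest_ratio": round(sum(new.values()) / total, 3) if total else 0.0,
            "new_destinations": sorted(new),
        }
    return kri

def risk_report(kri, threshold=0.25):
    """Distribute step: one row per site for the dashboard. The threshold is an
    assumption, to be tuned against each site's own history."""
    rows = []
    for site, m in sorted(kri.items()):
        status = "ALERT" if m["new_dest_ratio"] >= threshold else "OK"
        rows.append((site, m["new_dest_ratio"], len(m["new_destinations"]), status))
    return rows

def run(log_text=FLOW_LOG):
    return risk_report(new_destination_kri(extract(log_text), BASELINE, WINDOW))

if __name__ == "__main__":
    for site, ratio, n_new, status in run():
        print(f"{site:10s} new-destination byte share={ratio:.3f} "
              f"new destinations={n_new} {status}")
```

Note what the choice of indicator does: branch-02 also contacted a destination it had never used, but only 5 KB went there, so a byte-share KRI reads it as normal, while a count-based KRI would alert on both sites. Neither is wrong; settling what is measured, how reliable the source is and over what interval, before any dashboard is built, is exactly this decision. A baseline is also only as trustworthy as the window it was built from: if the baseline period already contained the compromise, the malicious destination is "known" and is never flagged.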

The critical component of developing any IT risk monitoring is establishing early on what is to be measured, the reliability of that information and the time increment over which it is measured. Once those factors have been determined, it is possible, using the tools available, to build a robust IT risk, performance and compliance monitoring application.

There is no doubt that striving to achieve the governance goal of value is a challenge. There is also no doubt that one of the most successful strategies to optimize the risk related to that value is through the monitoring capabilities that a Business Intelligence process offers.

[i] ISACA, 2012. “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT.”

[ii] The Economist, 2011. Retrieved from: http://www.economist.com/category/web-sections/world?page=139

This publication contains general information only and none of Marcum LLP, any of its related organizations or any of the authors of this publication is, by means of this publication, rendering accounting, business, financial, investment, legal, tax or other professional advice or services. Information contained herein is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business.

Evaluation of the information contained herein is the sole responsibility of the user. Before making any decision or taking any action that may affect your business with respect to the matters described herein, you should consult with relevant qualified professional advisors. Marcum LLP, its related organizations and the authors expressly disclaim any liability for any error, omission or inaccuracy contained herein or any loss sustained by any person who relies on this publication.

AAJ Technologies is a full-service systems integrator that helps clients capitalize on the latest technologies to boost their competitive advantage – and their bottom line. With a rare combination of deep technical expertise and business acumen, AAJ collaborates with you to solve your most critical business challenges, offering a full range of services including application development, enterprise mobility, cloud computing, business intelligence, and application lifecycle management.

Marcum LLP is one of the largest independent public accounting and advisory services firms in the nation, with offices in major business markets throughout the U.S., Grand Cayman and China. Headquartered in New York City, Marcum provides a full spectrum of traditional tax, accounting and assurance services; advisory, valuation and litigation support; and an extensive range of specialty and niche industry practices. The Firm serves both privately held and publicly traded companies, as well as high net worth individuals, private equity and hedge funds, with a focus on middle-market companies and closely held family businesses. Marcum is a member of the Marcum Group, an organization providing a comprehensive array of professional services.