Medellin, Colombia --- Hispanic businesswoman drawing on paper in office --- Image by © Jon Feingersh/Blend Images/CorbisDictionary.com defines “phobia” as “a persistent, irrational fear of a specific object, activity, or situation that leads to a compelling desire to avoid it…” So my coined word “CCMophobia” would mean a persistent, irrational fear of continuous control monitoring (often abbreviated as “CCM” as I’ve done here).

Search for “continuous control monitoring” on the Web, and you’re unlikely to see a consistent definition. You won’t find it in Merriam-Webster or even Dictionary.com, but you will find a myriad of ads telling you how to buy it, analyze it, or find a consulting firm to help you do it. There are plenty of blogs comparing it with other things like continuous auditing, business activity monitoring, or just continuous monitoring. Others caution that continuous control monitoring is very different from continuous transaction monitoring and that you should ignore that distinction at your peril.

Come to think of it, perhaps this is one of the reasons CCMophobia exists! Continuous control monitoring means different things to different people. Software vendors don’t necessarily agree on what it is, so they define it based on what their software does. I’m no different, as I routinely talk about CCM in terms of what our SAP solutions for GRC can do—especially SAP Process Control (“my” product). My GRC colleagues at SAP, while they accept my definition, may describe it as continuous monitoring, continuous transaction monitoring, or continuous auditing to better encompass their product specialties. And, just to confuse things further, many consultants and customers talk about “CCMs” to denote the business rules that drive continuous control monitoring as in, “We have 100 CCMs in place.”

…But enough on definitions. For the purpose of this blog, let’s use a definition based on how customers are using the monitoring functionality in SAP Process Control. That might include activities like this:

  • Monitoring software configurations (often in ERP) to see that the desired configuration exists and remains in place; that is, check for certain configuration values and notify someone if there’s a change so they can verify that the change isn’t done in error or for nefarious purposes
  • Monitoring master data to see if certain fields are set as required by policy, be it customer credit limits, duplicate vendor invoice checks, payment terms, or what have you
  • Identifying and reviewing transactions that fall outside certain expected thresholds or with undesired characteristics (e.g., a frequently used business rule SAP Process Control provides out of the box is a check for duplicate vendor invoices).
  • Automatically routing pre-filtered reports to someone to review on a timely basis and document that they‘ve done it
  • Locating errors, omissions, or suspicious acts faster so they can be corrected and hopefully prevented in the future
  • Testing by internal audit to reduce their workload

In fact, there are so many uses for CCM that I used this word cloud in a presentation at GRC2015:

CCM

In other words, it’s a way of using data that you already have in SAP or non-SAP systems in an automated way to make your life easier. So if that’s the case and it’s a GOOD thing, why do so many seem to be CCMophobic? To return briefly to my definitions, I might as well ask why do so many have technophobia, “the fear or dislike of advanced technology or complex devices and especially computers.” That discussion would fill a book, and already has—as of this writing, looking for technophobia produced several pages of results.

It’s my suspicion that other factors also contribute to CCMophobia. Consider these difficulties:

  • Making the case for an appropriate return on investment to get company funding when there are so many competing priorities
  • Knowing where to start (what’s important and why) from a business perspective
  • Finding the right data technically to support the business need and other technical challenges—not that I want to contribute to growing technophobia
  • Getting the right people involved both from the IT side and the business side (hint: this means they need to collaborate, which is hard to do in some companies)

I’m a firm believer in starting with low hanging fruit—do some easy things and gain momentum as you go. Not only does this keep initial costs in line, but it also helps build champions within the company to be CCM evangelists. I know this happens—I met a lot of them at GRC 2015 this year where CCM was a hot topic.

So, for you CCMophobes, I’ll do a follow-up blog soon, so watch for it. I’d enjoy hearing your views and anecdotes.

Learn more about SAP solutions for governance, risk, and compliance or go directly to the SAP Process Control page.

 

VN:F [1.9.22_1171]
Rating: 5.0/5 (4 votes cast)
GRC Tuesdays: Do You Have CCMophobia?, 5.0 out of 5 based on 4 ratings