I joined KPMG’s advisory practice in September 2016 as part of the Technology Risk Consulting graduate programme.
Based in the Edinburgh office, I’m one of two graduates who work within a nine-person team (one director, two senior managers, three managers, one assistant manager, and three analysts).
During the last seven months I’ve worked on a number of projects to help deliver a variety of services to a diverse range of clients. The KPMG website will tell you that we help clients manage their IT risks. But for those who don’t work in IT or indeed risk management, that statement doesn’t tell you much.
If you like the sound of being a Technology Risk Consultant (TRC), but don’t really know what it is, then hopefully this article will help you.
I’ll be using examples from my personal experience to shed light on the roles and responsibilities of a graduate TRC, as well as the opportunities available, and provide some insight into what it is my colleagues and I actually do on an average day.
Here are some interesting facts about my time as a TRC so far:
- I’ve spent more time in an airplane than I have in a car.
- I’ve worked in six different teams across seven different engagements in five different cities.
- I’ve spent around 150 hours attending training sessions (including project management, agile development, IT audit, accounting, Excel, programme assurance…and more).
- I hear the word ‘scope’ more than any other.
- I no longer associate the word ‘hotel’ with ‘holiday’.
- …and finally, I’ve met a lot of very interesting, intelligent and incredibly diverse people.
Let’s start with External Audit. For those who don’t (yet) have any experience either auditing or being audited, an external audit can be described in simple terms as an inspection of a company’s financial statements. It’s a process that ensures that a company functions adequately so as to prevent errors in their records; i.e. have they really made the money they said they’d made.
So where does Technology Risk Consulting come in?
We test the controls that are put in place to reduce risk, which in turn reduces the likelihood of errors affecting the accuracy of the financial statements. Controls come in all shapes and sizes, from a physical barrier preventing someone from entering a building to a three-tier payroll approval review process. We test and evaluate only the IT-related controls, i.e. anything to do with systems, applications, databases and general computer operations.
An example of an IT control would be employee access to a computer system. As a tech risk analyst I would evaluate and test the controls in place to ensure that once a user leaves the company they can no longer access the data.
Next up we have Independent Programme Assurance (IPA). Again, to keep things simple, IPA in its basic form involves consultants working with a client to measure the likelihood of success of a programme or project they’re running. We gauge this by tracking its development in terms of time (is it taking too long?), quality (is it what we asked for?) and cost (have we blown the budget?).
I was part of a team assembled to provide IPA to a multinational engineering services company with offices in the UK and US. Together we produced a report for the client outlining the suitability of a particular programme they had built and developed themselves to improve business operations.
In order to create the report I had to:
- gain an in-depth understanding of the programme and its role within the wider business strategy
- meet with key stakeholders to understand roles and processes
- understand relevant documentation and analyse data (to look for trends or deficiencies in processes)
- create and distribute a survey to gauge user satisfaction
- and then help put it all into writing
Oh, and I flew half way around the world (to Houston, Texas) to do all of this!
The third and final piece of work was an Information Systems Strategy Review for a college based in Scotland, where I had a much smaller role. Although I mostly assisted by attending interviews, taking notes and writing up findings, I was exposed to (and able to learn about) several areas of operational risk relevant to any organisation. During the review we assessed and analysed the governance structure, budget and change development processes, as well as their reporting and tracking procedures – without these processes any organisation would struggle to operate efficiently and cohesively. This may seem obvious, but you’d be surprised by the number of companies that lack basic operational frameworks.
I recently came across a book titled ‘How Management Consultants Steal Your Watch and Then Tell You the Time’. Whilst it made me laugh, I do believe, from what I’ve experienced so far, that sometimes it takes a fresh pair of eyes to help an organisation realise its true potential.
So I guess if I were to summarise a TRC’s role, KPMG’s definition is actually pretty accurate. We do help clients manage their IT risks, but we do it in several ways…
A Technology Risk Consultant can help clients:
- understand risk and how to manage it
- better manage their risk (this includes other areas such as digital, data and mobile)
- evaluate the suitability of an IT system (with regard to operations, current strategy, proposed future strategy, etc.)
- reduce costs by targeting areas of risks
- assure change programmes (upgrades and implementations) to help reduce technical, operational and commercial risk
- test and evaluate IT controls
- implement effective and cost efficient IT controls
…and so that’s essentially what I do, or will be doing as I continue my career as a Technology Risk Consultant.
If you’re interested in a career in technology risk consulting, and would like to learn more about what our team does, or you just fancy a chat…please don’t hesitate to reach out to me via email or LinkedIn.