Academic journal article Journal of Accountancy

Unstructured Data: How to Implement an Early Warning System for Hidden Risks

Article excerpt

Managing the devil you know is difficult enough. But in risk management, it's the devil you don't know that can spring chaos on your organization. And risks are growing--and growing in complexity--at such a clip that the periodic cycle of internal audits and updating of controls often can't keep up, particularly when it comes to risks that can go viral in this hyper-connected electronic age.

Thus, a new reality is emerging: The scope of risk on which internal controls are focused at many companies is much narrower than the scope of risks actually faced by the organization. So organizations must implement new strategies to identify and manage risks. For most organizations, that strategy should include monitoring a broader swath of internal and external data.

Accountants and management have long used internal controls to identify, assess, and manage risks. And, increasingly, organizations have turned to audit software to conduct more extensive internal control testing and transaction monitoring. The problem is that most companies have used such technology primarily to monitor controls embedded in structured data--e.g., operating statistics and financial facts found in transactional data such as accounts payable, customer sales, inventory, and labor hours--contained in enterprise resource planning and other financial systems. But companies rarely use such technology to effectively identify risks beyond those related to business and transaction processing in financial and operating system internal controls.

What often goes unmonitored is a broad universe of data including email, desktop documents, internet logs, phone calls, text messages, and even social media messages and online customer product reviews. These data have become known throughout industry as "unstructured data," a catchall term that lacks precision because much of the data included under that rubric actually have structured components. Email, for instance, contains addresses, senders, times, and the like. (See Exhibit 1 for examples of types of unstructured data.)

Regardless of the nomenclature, monitoring these data could help a company spot emerging opportunities and risks. This article highlights techniques that can be used to expand the scope and effectiveness of an organization's risk management program in a way that may help identify hidden risks before they emerge as full-blown crises.


Every organization faces corporate events where information flow and timing generate risk: confidential product R&D activities, new product announcements, corporate earnings releases, news releases that may affect share price, significant changes in product pricing, procurement activities that indicate a shift in product strategy, confidential executive search activity, or announcements of joint ventures and other major investments.

Often, that large body of underexamined data explains why a risk existed, how the risk developed, who was involved, and what corollary risk exposures there might be. In other words, these are the "who, what, when, where, how, and why" of a risk. Email messages and other electronic documents, for example, are the types of data that attorneys and regulators will seek to pursue in lawsuits and forensic accounting investigations. But the tale of the risk, in those instances, is often learned only in retrospect.

Organizations that proactively monitor these kinds of data, however, might be able to better detect risks before they emerge, surprise management, and turn into post facto investigations.


In stock option backdating cases, for example, the manipulation of event timing and uneven access to important earnings and performance data generate the risk. Email data, not the ledgers, generally reflect the timing and intent of the information and activities leading up to the transaction. Investigators examine email traffic surrounding each grant to determine the intended date of the grant and the date on which it was actually communicated. …
