Managing data risk

“Fundamentally, we are witnessing an exponential growth in data generation across all aspects of our lives”, explains Paul Hough, Director of Forensic Technology - KPMG Ireland.

“Both individuals and businesses are constantly generating data through day-to-day activities, such as use of smart phones, social media, banking, email and web browsing. With the Internet of Things, data is being generated constantly based on our shopping decisions, household utility usage, public transport, ATM withdrawals, eating habits, even how many steps we take. This data growth will only continue to expand.”

Paul returns to Ireland with a wealth of experience and subject matter expertise, having spent 12 years with KPMG London, specialising in advising clients on strategies to address their data issues, with a particular focus on investigations and data disclosures. 

Great risks, great opportunities

“With this growth of data comes great opportunity for businesses to make better informed decisions. The converse is that big data brings significant risk for businesses in the form of fraudulent use, regulatory and legal requirements, cyber-attacks and information misuse.” KPMG has a strong heritage in helping businesses manage risk and make informed decisions. KPMG Forensic Technology brings a wide spectrum of skills and technology to address these data risk issues, complementing existing service offerings to enhance their role as trusted client advisors.

While getting an approach to data right delivers valuable insights and understanding of business issues, getting it wrong can create reputational, legal and regulatory risks to the business. “We had a very relevant recent example of technology driven risk, which shows the uphill battle businesses are facing against cyber-attack. We supported a client in dealing with a traditional ‘Friday evening fraud’, but executed through technology and exploiting weak business controls. ‘Friday evening fraud’ occurs when a business or individual is coerced into making a payment to a fraudulent account at short notice, usually last thing on a Friday evening to give the appearance of urgency. In this case, the CFO of the business was sent what looked to be a personal email asking them to open an attachment. Once opened, they inadvertently executed a cyber-attack, allowing the fraudster to take control of their email account without their knowledge.

“Over the course of the next 48 hours, the fraudster was able to instruct the finance team to make a number of immediate payments to foreign bank accounts, appearing as if the instruction was coming from the CFO. Once the CFO identified the transactions were occurring, KPMG Forensic were able to work with the business to identify the issue, stop the outstanding payments and close the security hole.” This example shows the minimal effort required by a fraudster and the constant vigilance required by businesses regardless of sector, size or industry.

“Our approach is very much about helping businesses better understand and secure their data, achieve compliance standards such as GDPR, and make more informed decisions based on their data. Businesses now expect their trusted advisors will provide data risk advice and deliver technologically driven solutions to address data in all aspects of their business.”

KPMG’s traditional services, such as Audit and Tax, have embraced this proliferation of data. “The centralisation and standardisation of processes and software across global companies has in turn resulted in more comparable data across their operations and locations. We have seen an increased benefit from the use of our Data & Analytics tools, which supports our audits, but also brings added insights into the business operations for our clients”, explains Christopher Wood, Director of Audit in KPMG Cork.

KPMG’s Forensic Technology team support businesses in a wide variety of areas, with a particular focus on:

Forensic Investigation

Fraud, cyber-attacks and the unauthorised introduction, or removal, of intellectual property, pose commercial and reputational risks to companies. When suspicion arises around the misuse of technology, it is essential to follow correct protocols, otherwise data may be compromised, lost or become inadmissible in future proceedings. This makes the process inefficient and costly.

KPMG’s Forensic Investigation service handles the end-to-end process, from data preservation, analysis, reporting and testimony, through to the recovery of deleted information. “With compromised systems and poorly secured data so readily available to a fraudster, the effort required to execute a cyber-fraud is almost negligible and the proceeds are often extracted to a foreign jurisdiction immediately”, explains Paul.

KPMG Forensic Technology draw on investigators, expert witnesses and subject matter experts within KPMG locally and from member firms across the globe, to resolve these client issues. Members of the team have provided attestations and testimony to regulators and judicial bodies worldwide.


The burden on businesses to identify relevant data across their entire enterprise to satisfy discovery requests in investigations, regulation and litigation responses is enormous and continuing to grow. It is essential that data is captured systematically to meet requirements, keep costs under control and minimise business interruption. “KPMG’s eDiscovery solutions enable the processing, filtering and hosting of potentially relevant data so that it can be reviewed for relevance and ultimately disclosed. Our experienced team manage these processes and advise clients on workflow and best practice.”

To cope with the continued data growth, KPMG use ‘Technology Assisted Review’ (TAR) capabilities. This drives efficiencies in document review and ensures that the most relevant information is surfaced as early as possible to the client and its advisors. TAR utilises machine learning and human input to model what a relevant document is likely to look like. The TAR model is then applied to the full corpus of data, bringing back the most relevant documents for review first. “It is just one of many tools and workflows that we employ to harness the huge volumes of data and provide an efficient solution to our clients.”

Data in deals

When companies buy or sell a business, intellectual property (IP) and commercially sensitive information (CSI) are a significant part of the value. Failure to separate data properly and identify ownership risks passing important information to the acquirer or leaving the sold business without information needed for it to function.

Getting it wrong risks the deal being blocked by a regulator, delays and legal actions post completion. Forward-thinking companies are addressing these risks at board level when divestments/acquisitions are planned. KPMG Forensic Technology support businesses in mapping their data environment, identifying and classifying high value IP and CSI data.

To support their local and multi-national clients, KPMG operate technology data centres and forensics labs around the world, including Ireland.

“The risk is not going away; businesses will continue to grapple with the flood of data entering and exiting their environment, both on-site and in the cloud. Collaborating with the right advisors, who can not only support the data aspects, but also bring deep understanding of your business, will be key to managing your risk.”

This article first appeared in The Irish Examiner, and is reproduced here with their kind permission.