The Sorbanes-Oxley Act (introduced in 2002) mandated a wide range of practices in governance, risk management and compliance.
This means that the companies should explicitly identify their risks, implement risk controls that are put in place to monitor and prevent risk development, and finally to establish testing procedures.
This area requires high volume of manual effort and investment from the companies.
The Risk Controls Accelerator provides financial institutions and insurance companies the basis to quickly jump start the analysis of their existing risk controls and demonstrates how IBM Cloud Pak for Data can support developing end-to-end cognitive solutions for risk controls on the basis of public NIST security risk controls data set (800-53).
Request a consultation
The accelerator supports the following business use cases:
Analysis of quality of control descriptions
Application of rules relative to word count, grammar, similarity between control names and descriptions, and presence of jargons, misspelled words, conditional words, and hyperlinks to prioritize controls for remediation.
Usage of semantic model to evaluate the completeness of control descriptions.
AI model used to answer questions about control descriptions.
Clustering of the controls to identify the internal structure of content
Machine learning algorithm creates 'clusters' of controls with similar themes.
Word clouds and archetypical control descriptions are evaluated to determine an expert judgement-based name for each cluster.
Cluster analysis is commonly used to derive taxonomies from unstructured data.
Projection of control group attributes across control population (using classification)
Controls may define certain unique attributes (e.g. control categorization) to describe their content. For example, one team may use an indicator to denote whether a control is preventive or detective.
Machine learning can be trained on this team's control descriptions with its preventive/detective indicator values and project a preventive/detective value onto the controls of other teams which were previously not categorized.
Machine learning can project a taxonomy depending on the availability of model training data which is another frequently found use case.
Whenever a control attribute is projected, a corresponding score is available to assess the model's conviction.
Recommendation of controls for a given risk
Every control should be associated with at least one risk.
Machine learning can consider the controls associated with each risk and use this information to recommend controls for new and existing risks.
Controls may be recommended on a dynamic basis upon new risk entry.
Required services: To use the industry accelerators, you must install one or more of the following services on IBM@ Cloud Pak for Data
Importing the accelerator
To use this accelerator on Cloud Pak for Data v220.127.116.11, contact the Data Science Elite team
This accelerator has been verified on:
- Cloud Pak for Data v18.104.22.168
About the developer:
Terms and Conditions
The terms under which you are licensing IBM Cloud Pak for Data also apply to your use of the Industry Accelerators. Before you use the Industry Accelerators, you must agree on these additional terms and conditions that are set forth here. This information contains sample modules, exercises, and code samples (the code may be provided in source code form ("Source Code")) (collectively "Sample Materials").
License: Subject to the terms herein, you may copy, modify, and distribute these Sample Materials within your enterprise only, for your internal use only; provided such use is within the limits of the license rights of the IBM agreement under which you are licensing IBM Cloud Pak for Data. The Industry Accelerators might include applicable third-party licenses. Review the third-party licenses before you use any of the Industry Accelerators. You can find the third-party licenses that apply to each Sample Material in the notices.txt file that is included with each Sample Material.
Code Security: Source Code may not be disclosed to any third parties for any reason without IBM's prior written consent, and access must be limited to your employees who have a need to know. You have implemented and will maintain the technical and personnel focused security policies, procedures, and controls that are necessary to protect the Source Code against loss, alteration, unlawful forms of processing, unauthorized disclosure, and unauthorized access. You will promptly (and in no event any later than 48 hours) notify IBM after becoming aware of any breach or other security incident that you know, or should reasonably suspect, affects or will affect the Source Code or IBM, and will provide IBM with reasonably requested information about such security incident and the status of any remediation and restoration activities. You will not permit any Source Code to reside on servers located in the Russian Federation, the People's Republic of China, or any territories worldwide in which the Russian Federation or People's Republic of China claim sovereignty (collectively, "China or Russia"). Company shall not permit anyone to access or use any such Source Code from or within China or Russia, and Company will not permit any development, testing, or other work to occur in China or Russia that would require such access or use. Upon reasonable written notice, IBM may extend these restrictions to other countries that the United States government identifies as potential cyber security concerns. IBM may request that you verify compliance with these Code Security obligations, and you agree to cooperate with IBM in that regard.
General: Notwithstanding anything to the contrary, IBM PROVIDES THE SAMPLE MATERIALS ON AN "AS IS" BASIS AND IBM DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR ECONOMIC CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR OPERATION OF THE SAMPLE MATERIALS. IBM SHALL NOT BE LIABLE FOR LOSS OF, OR DAMAGE TO, DATA, OR FOR LOST PROFITS, BUSINESS REVENUE, GOODWILL, OR ANTICIPATED SAVINGS. IBM HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS OR MODIFICATIONS TO THE SAMPLE MATERIALS.