Caspar Jans's picture

This weeks’ and actually this months’ topic in my #BPM blogs is risk & compliance management and despite the fact that I am not a risk management expert, I do have some thoughts to share on how I think this topic could or even should be linked to the business processes. 

Risk and compliance management of course is a professional domain all by itself and has gained tremendous traction over the last decade and a half. Ever since the financial crisis of 2008-2009 the risk function in larger organization has been promoted into strategical sparring partners of the business management. At the same time the BPM philosophy also has gained popularity over the last 5-10 years, partly also because of the rise of #RPA and #processmining. 

The link between risks and controls on one hand and business processes on the other hand  can be explored from a few different perspectives. First of all, there is the perspective of fraud (why not start with the worst case scenario, right?). We’ve seen plenty examples in the world where employees played the system or process for their own personal benefit and most of these cases were possible in the first place because of too broad a set of authorizations for any one person. Simple example: if you can change a purchase order and you can change the corresponding invoice, you could theoretically pay yourself instead of the vendor (or have the delivery address changed to another address). 

Another example can be found in manufacturing environments. Imagine you’re a producer of products and you need certain raw materials to produce this products. If you run out of raw materials, your plant will eventually shut down and for some types of plants this is just annoying, but for large chemical plants for instance this is highly undesirable because an unplanned or unexpected shutdown bears environmental risks (all raw materials already in the production process and that cannot be used anymore are simply burned and exhausted) and financially very high costs. 

To go on a bit on this last example, the business processes for procurement (both the sourcing as well as the procure to pay processes) are there for, among other things, to prevent unexpected plant shut downs. So this identified risk is mitigated (partly) by having a structured procure to pay process in place. The same applies to the MRP run process (where the production planning is mapped against the inventory of raw materials) that triggers the procure to pay process. 

Besides all this, the regulatory pressure on companies also has been increasing significantly the last years and the consequence of this is that companies need to comply to an increasing number of regulatory frameworks (think about ISO & BS norms, SOX, Basel 1 thru x and many more) and of course companies are also being audited on these frameworks (both internally as well as externally). How sweet would it be if you can have one single overview of those regulatory frameworks and how they are covered by the existing business processes, that in turn, are linked to all the risks the organizations tries to mitigate? Indeed, that would be truly efficient…

To make this a bit more practical, instead of managing your risks and controls in 25 different excel files, why not model them in the same fashion as you do with your business processes? For example, look at the picture of the Space Station above. Risks are incorporated into the model of the Space Station instead of just in an excel file. This provides the added value that you can actually connect (link) these risks (or their corresponding controls) to the processes or even the activities in the processes. The derived benefit is that at the moment a change needs to be executed to either a process or a risk, an impact analysis on the potential consequences is basically a click of a button. 

When you go even deeper down the rabbit hole and into wonderland, it becomes even possible to define the Test of Design and Test of Effectiveness and derive periodical reviews and test execution from the ToD and ToE and manage the outcomes, all linked to the respective business processes. So, instead of managing this whole functional area using 12 different tools, a large part of it can be covered using the best #BPM platforms out there. 

To summarize, business processes (and all of its related artifacts) and risks & controls are intemperately connected and because of this, it makes a lot of sense to manage, document and optimize risks and controls in the same way you do with business processes, roles, applications and much more. 

Looking forward to your feedback and opinions.

Ciao, Caspar

Tags: ARIS 10 ARIS Risk & Compliance Manager BPM Business Process Management risk