Managing your Risks by Managing your Process

Governance, Risk and Compliance (GRC) is a topic few businesses and organisations can afford to ignore. Over more than ten years, successive financial crises including WorldCom, Enron and Société Générale, through to Lehman Brothers and now the continuing worries over the Euro, have led to more and more stringent financial regulation being put in place. Sarbanes Oxley, Basel II, Solvency II, PCI: the list goes on and on. In addition, legislation is not limited to the financial sphere: Health & Safety, Data Protection, EU Directives and many more regulations now affect every organisation. Increasing globalisation means it is also necessary for businesses to take account of regulations in every country where they operate or trade.

Organisations are becoming more and more aware of the need to guard against the risk of failing to comply with this multitude of regulation, as well as managing day-to-day operational risks and compliance with internal policies and objectives. At the same time, the need to be able to prove compliance has added an additional burden.

In the past, document-based systems (e.g. ISO 9001, ISO 30000, US Financial Reporting Standards, etc.) have been used to manage quality and ensure that appropriate controls have been put in place. Checking that these controls were being operated, and operated correctly, was largely ensured by undertaking audits, and those audits were generally audits of the documentation rather than of the actual operation of the business.

Figure 1. The Development of Risk Management
Enterprise Risk Management

The challenge has been to scale document management-based approaches to deal with multiple regulations and to avoid duplication and stove-piped solutions. The introduction of the Sarbanes Oxley Act in the United States in 2002 prompted many organisations to start to look for more sophisticated tools to manage risks and document compliance in a way that was easily auditable. A significant step forward was the development of the concept of Enterprise Risk Management (ERM), which integrates the management of compliance with regulations such as Sarbanes Oxley with internal risk management and control. There was increasing realisation that managing risk and putting controls in place was integrally linked with the organisation's processes. After all:

Processes are not just something your business does; processes are the business [1]

Managing your risks is therefore about managing your processes. Figure 1 shows how the maturity of risk management has developed in the last decade. This has been supported by the introduction of risk management frameworks such as the COSO "Enterprise Risk Management - Integrated Framework" published in 2004 [2]. The COSO framework (Figure 2) defines an internal control as a process operated by an organisation's board of directors, management and staff, designed to provide "reasonable assurance" of achieving business objectives.

Figure 2. The COSO Framework

COSO is very much a process-driven approach: the better the internal processes are, the fewer controls are required. This raises the question of why you need controls at all. Surely, if an organisation's processes were designed to take account of all risks, then it wouldn't be necessary to have controls or even auditing. In reality, of course, there are several reasons why this would never be possible. Firstly, although processes are key to operating and understanding the business, not everything that affects risk will be described in day-to-day operational processes.
For instance, the need to have manual access controls on the doors to the computer centre to prevent the risk of data theft or corruption is a vital control, but it is not something that would be documented in a business process. Secondly, the business world, and the world of risk and security, is constantly changing. To deal with this change it is necessary to add new controls, tests and audits, often at a pace that is much more rapid than business processes are normally updated. Thirdly, no process is ever perfect; it is a representation of how the business operates to deal with real-world events, but it will never be complete or handle every eventuality. Hence it is necessary to supplement processes with controls that plug the gaps to manage risks and ensure compliance.

In practice GRC is a balance (Figure 3). We can't put all the management of risk into the operational processes, but on the other hand paralleling every operational process with a control process that checks that the operational process is being operated correctly is inefficient and ineffective. Many financial organisations, faced with the need to rapidly implement risk and compliance management, set up manual control processes that constantly double-check that the business process is complying with the regulation and that risks are minimised. This approach rapidly becomes untenable as more and more individual controls, tests and control processes have to be put in place to cope with the requirements of each regulation.
Figure 3. Balancing GRC Objectives

What are needed instead are process-based tools to document risks and controls, support the implementation of the controls and create automated test results. This type of automation already exists in many corporate IT systems that were originally introduced for automation of processes, particularly financial, order processing, and logistics processes. However, these systems often cannot be adapted easily or quickly to changing regulatory requirements. In large organisations, the controls also tend to exist across system boundaries, with the result that additional, compensating controls have to be executed manually in addition to the automatic controls.

Governance, Risk and Compliance (GRC) System

The need to have a dedicated approach to managing risk and compliance has led to the development of Governance, Risk and Compliance (GRC) systems. Gartner has identified four key elements of a GRC system (Figure 4).

Figure 4. Capabilities of GRC Platforms
GRC systems enable flexible implementation and efficient operation of an enterprise-wide compliance and risk management system. Based on this approach, process-based GRC systems have been developed that have core functions including:

1. Identification and communication of risk-relevant processes and the affected items.
2. Analysis and evaluation of operational risks.
3. Design, implementation, and documentation of the necessary controls, tests, and risk assessments.
4. Provision of controlled workflows implementing tests, managing issues and non-compliance, and re-testing of improvements.
5. Design, automation and reporting of surveys to manage compliance and attestations.
6. Integrated audit management for efficiently conducting audits based on risk, control and test data from the same repository.
7. Management dashboards to present status information from all four perspectives, allowing access to information from the summary down to incident level.

Frequently GRC systems are combined with enterprise modeling tools and process automation tools, which take full advantage of integrating risk management with business process management. Hence Process-based GRC = ERM + BPM.

The benefits of such systems include:

Cost Reduction
- Increased efficiency
- Process Improvement: every GRC project optimizes the business processes
- Reduced staff costs (e.g. auditors)
- Reduced external audit & risk assessment costs
- Common approach for control testing and risk assessment
- Transparent ownership of risk & controls
- Audit-proof documentation
- Fact-based decision making

Transparency and communication
- Categorization of risk & controls
- Risk and controls linked to processes
Faster adaptation to new regulations
- Consolidated approach to managing overlapping laws & regulations
- Reuse of business processes, compliance requirements and reports

Combining audit management with GRC is particularly advantageous as it allows the auditor to have direct access to the processes and associated documentation, and allows audit plans, templates and results to be directly linked to GRC assets.

The Future is Reality

In Figure 1 we saw that organisations have moved away from a document-based approach that was disconnected from the reality of operations to a process-based approach. That can be extended further by monitoring the performance of the process to understand how the business is performing on a day-by-day or hour-by-hour basis. However, even a process-based approach is still disconnected from the real world. Processes are abstract representations of what is intended to happen, or at best a high-level view of what is happening. In the real world things happen, and change, minute by minute. In fact in the financial world things can often happen in milliseconds, and fraud involving huge sums of money can be accomplished within seconds. In this type of environment, manual audits on a weekly, monthly or quarterly basis can only provide a limited level of security.

Figure 5. Connecting GRC with Reality

The next stage in the evolution of GRC systems (Figure 5) is to bring in reality (Real 2): that is, monitoring real processes in real time. Technologies such as Complex Event Processing (CEP) and In-Memory technology allow the continuous monitoring of thousands of event streams and tens of thousands of events per second to look for complex correlations, patterns and sequences. Not only can this technology report possible risks and breaches, it can detect them while they are happening and even stop them.

There is no doubt that risk and compliance management is here to stay and that managing your processes is always going to be a vital part of managing your risks.
References

[1] Rob Davis. What Organizations Need is a BPM Roadmap with Clear Benefits. BPTrends, July 2010.
[2] http://www.coso.org/

Author

Rob is a Senior ARIS BPM consultant with Software AG, which merged with IDS Scheer in 2011. He is an internationally recognized expert in Business Process Management (BPM) and the practical use of the ARIS Design Platform. Previously, Rob worked for British Telecom (BT), where he was responsible for selecting and implementing ARIS in a large-scale implementation. Rob has built extensive experience of all aspects of BPM and specializes in providing consultancy on BPM, process modelling and design, architecture and frameworks, process governance, and integrating process and IT design. Rob has written three definitive books on the practical use of the ARIS Design Platform for BPM. For more information see http://www.rob-davis.co.uk.

BPTrends Linkedin Discussion Group

We created a BPTrends Discussion Group on Linkedin to allow our members, readers and friends to freely exchange ideas on a wide variety of BPM-related topics. We encourage you to initiate a new discussion on this publication, or on other BPM-related topics of interest to you, or to contribute to existing discussions. Go to Linkedin and join the BPTrends Discussion Group.