
Combining risk and compliance management with BPM

Learn how to add risk and compliance management into your business process management (BPM) practice from Software AG.

Caspar Jans

Every day when you open the newspapers (digital or physical), you can read about data leaks, scandals and other mishaps that occur in the world.

CEOs may not care much about show business scandals or political shenanigans, but there is one of these that should be high on their list of concerns – data security. Data security is just one of the risks facing organizations each day; there are also supply chain risks, compliance risks and many more.

In my weekly BPM blogs in March I shared my views on ways to combine or incorporate risk and compliance management into the wider business process management practice (or BPM for short).

The main topics I dealt with were:

  1. Linking risk management and BPM
  2. Connecting risks and processes
  3. Managing risks and controls
  4. An outside view on risk management

Here is a quick peek into each one of these, along with a link to the original blog post for more information.

Linking risk management and BPM

Business processes have for a long time been a central concept for organizations to structure the way they work – and in many cases these same business processes have also been put in place to mitigate risks that the organization does not wish to just accept.

Think about the procurement process in manufacturing organizations. This process needs to secure the supply of raw materials to prevent an unexpected shutdown of a plant. In other words, risks (and the corresponding controls) and business processes are linked much more closely than many people could imagine. Here you can find more information about this.

Connecting risks and processes

Continuing the line of thought from the first blog on this topic, the next question could be: How and where would you then link the risks to the processes? And the answer of course will be, it depends! It depends on the granularity level of the way your organization has defined risks (and controls). The risk of an unexpected plant shutdown is fairly high level and could be connected already in a strategy model.

On the other hand, the risk of an unauthorized purchase order belongs on a much more detailed level, for instance, connected to the activity “Create Purchase Order.” There are many opportunities within a business process framework or hierarchy where the risks can be connected. For instance, starting with the models of the regulatory frameworks you need to comply with and connecting their articles to the corresponding risks and controls would make light work of your next audit. Interested? Find more information here in the original blog.

Managing risks and controls

Imagine you have documented your risks and controls in the same BPM platform as your business processes (and your applications, roles and policies for that matter, right?). How do you make sure that this content stays up to date and relevant? After all, the group of people managing the business process documentation is a different one than the group of people managing the risks and controls – very different, to be honest. The secret ingredient here is a mutual and common Management of Change process (or MoC for short). I’ve already written a number of blogs on that topic, and the main message here is: Have one integrated MoC process where every proposed change is analyzed for its potential impact on all other artifacts in your BPM platform. That way you can avoid unexpected side effects (which happens to be one of the main raisons d’être for risk management in the first place). Read more here if you dare.

An outside view on risk management

We’ve recently reinforced our EMEA Business Transformation accelerator team with Andrea Beltran Gomez, who has quite extensive experience in operational and tactical risk and control management. She’s had a long career in the financial industry and has joined our team to strengthen the way ARIS can support organizations to raise their risk and control management to the next level. In this blog I interview her on some BPM – risk management related topics. You can find this interview here.

I hope you enjoy the articles and in the next month’s blog series I will be taking you all underground, mining for results.