Business Process Management:Risk Management and Compliance
Presentation on how BPM will manage compliance
1. The GRC market (Governance, Risk and Compliance)

GRC is a global issue that comprises many different initiatives, some regulatory, many policy driven. It cuts to the core of every business, regardless of geography or industry.

Over $32B in spending in the US alone for 2008 (John Hegarty, AMR Research, 2008).

IT Risk management is the biggest projected spend within the $32 billion.

[Figure: compliancegraph.jpg, breakdown of GRC spending]

2. ICT Compliance

Compliance is a broad-brush approach achieved through the application of best practice.

Popular (de facto) standards for ICT are COBIT and ITIL, and even TOGAF. These provide an understandable, auditable level of quality and security, are maintainable, and can reduce the number of unknown factors and unnecessary project complexities.

Compliance is, at least, the production of evidence of governance within the business process.

3. Case Studies 2004 - 2007

  • A US based telecom company partially responsible for SOX (2004): over scoped, expensive, paranoid
  • A UK bank present on the NYSE (2005): unprepared, changing goal posts, confused
  • A global oil giant (2006): prepared, risk managed, implementation of control self assessment and a Plan/Do/Check/Act continual process improvement cycle

4. Compliance 2010

  • Increasing automation of compliance requirements
  • Using risk management for de-scoping controls
  • Reuse of compliance controls amongst different legislation
  • Focus on reducing administration and audit costs, contingency planning
  • Monetisation of compliance effectiveness measurements
  • Risk and self assessment before internal audit
  • Standardisation of technology infrastructure to reduce incompatibility with compliance requirements
  • Modernisation programs to replace applications that have become too expensive to maintain because of compliance
  • Increased compliance awareness amongst employees to reduce error and audit remediation costs

5. Why are we taking this approach?

Compliance 2004 - 2007 was a short term, audit driven need. Imposed regulations forced 'stovepipe' applications to cover them.

This market was driven by legislative domain knowledge and time to implement. Incidentally, these were seen as the main weaknesses of BPM.

6. What does the business want from compliance?

Business wants performance and risk management. It gets this through workflow, risk management and simulation. These are strengths of BPM, so within the BPM space, according to many analysts, expect to see BPM tools take over the GRC space.

BPM suites will start to include risk management with modelling capability and built-in compliance.

BPM will facilitate an understanding of the question "how secure do we need to be?" and provide risk analysis, simulation, costing and analysis of control effectiveness. The future of risk analysis is to apply risk factors to a business process and run simulations to understand the impact.

7. Business Process Management

BPM provides a framework for managing complex processes and a top-to-bottom view of the processes and procedures within an organisation, ready for the imposition of compliance.

BPM assists secure change management, which is vital to compliance frameworks, and the abstraction of business rules:

[Figure: bpmtechstack.jpg, BPM technology stack]

8. Why the delay in takeup?

BPM is driven by the adoption and acceptance of industry standards: web services, XML, BPMN, component based, process centric, application integration. In terms of risk management: WS-Security, XML Digital Signatures, claims-based identity management.

BPM delivery capability is still seen as immature, and greater confidence in the adoption of these standards is needed for the mainstream to achieve 'verticalisation' of solutions and form common practice for typical audit, reporting and monitoring needs.

9. Compliance is a business project

BPM provides a framework based on the compliance pain points with a lot of technical detail already plumbed in. It then helps to capture domain expertise into the model and make the all-important abstraction of flexible business rules.
E.g. management approval.

10. 'Differentiating' Processes

Innovation and readily changed collaborative processes present a challenge. Ideally, we automate process-oriented processes and we don't want to change them if we can help it. Change in a regulated environment is difficult. However, BPM, especially in a modern shared service process, is the only alternative to reduce the compliance hit, especially when integrated with business intelligence and data analysis tools.

11. Business processes are difficult

Processes can hide complexity within end user computing! Ownership can be difficult to prove and agree, and process definition has to cover processes that:
  • Can be temporally short or long
  • Can be automated, manual, or a mix
  • Can be simple or complex
  • Can span several operational applications even when simple
  • Can involve very complex orchestration of transactions and sub processes
  • Make cause and effect difficult to determine within the overall enterprise

[Figure: bpmndiag.jpg, BPMN process diagram]

12. Recurrent problems but BPM methods can help

A business process that uses web services will also use relatively uncontrolled end user applications, including management workflows. End user computing covers a number of technologies, usually MS Office, data warehouse reports, SQL queries and, most commonly, spreadsheets. The majority of companies use spreadsheets, and many business decisions may be based upon spreadsheet modelling.

This is a very problematic area within compliance projects and inherently difficult to control, and it is where workflow software with access control and audit logs can really make a difference.

Also, ownership is critical to compliance and security. The mapping of expertise, ownership and governance onto a process can be a complex and political task, fraught with opportunities for conflict, so it is a significant management task.

A solid BPM implementation methodology can help here to:
  • Direct technical strategy
  • Coordinate performance measurement
  • Provide project management
  • Centralise integration

Contributing Authors: Jeremy