An effective process inventory helps your organization operate more effectively and efficiently, and creates room to focus on growth and innovation while meeting your regulatory obligations. Serving your customers with excellence demands consistency and adherence to applicable laws and regulations.
BPM is an operations management discipline that uses various methods to understand, analyze, measure, and optimize business processes. It is critical to understanding your business, its risks, and the controls that mitigate those risks.
Operational efficiency is gained through consistent and accurate documentation, which provides insight into several aspects of a process. Accurate process documentation shows:
- Where process improvement opportunities exist
- Where risks within a process exist and should be mitigated
- Where laws and regulations apply within a process and must be adhered to
The Fundamentals of Process, Risk, and Controls Inventory
The foundational element to understanding and managing risks is a process inventory. A process inventory framework encompasses a four-level data hierarchy with processes as the foundation. A process is a sequence of two or more activities from an initial state to any successful or exceptional defined end state. Processes have defined objectives and are a sequence of activities that support a business deliverable. Laws, rules, and regulations are mapped to the process to help identify risks and where gaps may be located. Additionally, process goals and objectives can be measured using Key Performance Indicators.
Processes have some general characteristics and criteria. For example, process names should start with a verb, have one process owner, distinguish between channels, and may or may not be customer facing.
There are recommended and available tools that can assist in process documentation, such as the suppliers-inputs-process-outputs-customers (SIPOC) diagram, which establishes a baseline process and scope, and the Responsible, Accountable, Consulted, Informed (RACI) model, which helps establish roles and responsibilities in a cross-functional environment.
However, the most important tool for ensuring a clear understanding of the process is the process map. The required process map documents every step of the process needed to achieve the objective while outlining where risks and mitigating controls occur. To help shape future efforts in automation, it is important to indicate where manual activities take place. By using standard process map shapes, maps provide a visual representation of the workflow, including where risks and mitigating controls are located, and offer a method to assess risk levels.
Through the process inventory, critical relationships are identified, creating a holistic view for business owners. This holistic view should lead to the creation of three categories of processes that can be linked to business deliverables. First is the Owned Process, which is directly linked to the business deliverable and fits the description of processes given above.
There are also two unique process types: Dependent Processes (e.g., money movement, operations and communication) and Enterprise Policy Processes (e.g., business continuation, fraud, information technology). These process types reside outside the business deliverable.
Risk is defined as an event or standard which, if reached or passed, initiates specific actions, such as reporting, risk mitigation, or contingency plans. A risk is also the likelihood and associated impact of an event or threat on the achievement of overall objectives and goals, resulting in potential or actual loss. More specifically, operational risk is the risk arising from inadequate or failed internal processes, people, and systems, or from external events. Additionally, risks can be presented by external sources, and are likely to manifest where processes do not currently exist.
Risks are inherently embedded within processes and must be controlled to ensure business and strategic objectives are met. The tendency is to think of a risk as an internal or external event that prevents your organization from achieving its objectives. However, one severe incident, or even multiple small errors, can harm your organization's financial and reputational standing. The core of an effective risk management framework is a Risk Taxonomy: a structure of risks (inclusive of Principal, Tier 1, and Tier 2 risks) that articulates the broad range of risks applicable to your organization. A Risk Taxonomy is established to:
- Aid in understanding current risks across the organization
- Facilitate the consistency of risk measurement and aggregation
- Assign accountability and ownership for each risk area
Examples of principal risks include Compliance, Legal, Reputational, Operational and Strategic.
Risk identification is important because it:
- Identifies process gaps that could lead to operational failure
- Reflects the risks that reside within the process and can threaten the achievement of objectives
- Directly aligns risks to documented organizational objectives
- Helps identify Key Risk Indicators
The risk identification process must be continuous, always considering the changing business and economic environment and the objectives of the process. The inventory of risks must be reviewed any time you have the following scenarios to understand the impacts of the changing environment:
- Significant people, process, or technology changes, and
- New products developed.
The following methods can be used in risk identification. The results can point to a specific risk embedded within a business unit's function, or even in an enterprise-level process.
Organizations must develop activities that proactively safeguard the organization from risks; these activities are called controls. A control is an activity, device, practice, system check, or other action that mitigates the likelihood and/or impact of a risk event that could jeopardize the achievement of process management objectives. Control activities are performed at all levels of the organization, at various stages within business processes, and over the technology environment, and include items such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
The table below shows some characteristics of controls. Controls help to identify errors and deviations from standards. Controls are not dashboards, policies, or procedures. Risk mitigation begins with identifying the controls or mitigation strategies that are currently in place and outlining the areas that need further improvement.
An effective control environment is the foundation for achieving strategic objectives, providing reliable financial reporting to internal and external stakeholders, operating efficiently and effectively, and complying with laws and regulations. The control environment typically contains a mix of: business and operations controls specific to processes executed by a function; application controls specific to each application, which relate to the transactions and data of that computer-based application system; information technology general controls, which apply to the entire infrastructure of an organization; and internal controls over financial reporting, which assess the reliability of financial statements.
Controls are designed to be either preventive or detective. They also have two main components: the control type (e.g., manual, automated, automated with manual component, IT general control, IT general control with manual component) and the control purpose (i.e., preventive or detective). Both components are needed in order to have an appropriately designed control.
With regard to control design, it is often easier to implement manual, detective controls which typically do not fully mitigate a specific risk. Whenever possible, organizations should seek to implement automated, preventive controls for more effective and efficient risk mitigation.
When writing a control description, the following elements must be included: who performs the control, what action is performed, and when in the process the control is performed or at what frequency. Control descriptions should be written in sentence format and in a concise manner, so that an independent reader can understand the control activity; they should not include unnecessary process steps or narrative, and should avoid vague control language.
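The design rules above (a control record needs both a type and a purpose; its description must name who, what, and when; vague wording is to be avoided; manual detective controls are the weaker design) can be checked mechanically when an inventory is loaded. The following is an added example, not code from the original page: a small validator for control-inventory records. The `Control` record shape, the role/verb/frequency keyword lists used as a heuristic, and the sample records are all assumptions constructed for illustration.

```python
"""
Added example (not from the original page): validate control-inventory
records against the control-design rules described above. The keyword
lists below are assumed heuristics chosen for illustration, not a standard.
"""
import re
from dataclasses import dataclass

# Control types and purposes exactly as listed on the page.
CONTROL_TYPES = {
    "manual",
    "automated",
    "automated with manual component",
    "it general control",
    "it general control with manual component",
}
CONTROL_PURPOSES = {"preventive", "detective"}

# Assumed keyword heuristics for the who / what / when elements of a description.
# Verbs are active present tense on purpose: a passive "was reviewed" usually omits
# who performed the control and is flagged as missing the "who" element.
WHO_WORDS = (r"\b(manager|analyst|accountant|administrator|officer|reviewer|team|"
             r"system|application|owner|controller)\b")
WHAT_WORDS = (r"\b(reviews?|approves?|reconciles?|verif(?:y|ies)|authori[sz]es?|"
              r"compares?|validates?|rejects?|blocks?|monitors?)\b")
WHEN_WORDS = (r"\b(daily|weekly|monthly|quarterly|annually|each|every|before|"
              r"prior to|after|upon|at (?:month|quarter|year)[- ]end)\b")
# Assumed examples of the vague control language the page says to avoid.
VAGUE_WORDS = r"\b(periodically|as needed|as appropriate|timely|regularly|when necessary)\b"


@dataclass(frozen=True)
class Control:
    control_id: str
    control_type: str
    purpose: str
    description: str


def validate_control(control: Control) -> list[str]:
    """Return design findings for one record; an empty list means it passes."""
    findings: list[str] = []
    ctype = control.control_type.strip().lower()
    purpose = control.purpose.strip().lower()
    text = control.description.strip()
    lowered = text.lower()

    # Both components (type and purpose) are required for a well-designed control.
    if ctype not in CONTROL_TYPES:
        findings.append(f"control type missing or unrecognised: {control.control_type!r}")
    if purpose not in CONTROL_PURPOSES:
        findings.append(f"control purpose missing or unrecognised: {control.purpose!r}")
    # Manual detective controls typically do not fully mitigate a risk.
    if ctype == "manual" and purpose == "detective":
        findings.append("manual detective control: consider an automated preventive design")

    # Description must say who, what, and when / how often.
    if not re.search(WHO_WORDS, lowered):
        findings.append("description does not name who performs the control")
    if not re.search(WHAT_WORDS, lowered):
        findings.append("description does not state what action is performed")
    if not re.search(WHEN_WORDS, lowered):
        findings.append("description does not state when or how often the control runs")
    for vague in re.findall(VAGUE_WORDS, lowered):
        findings.append(f"vague control language: {vague!r}")
    if not text.endswith("."):
        findings.append("description is not written as a complete sentence")
    return findings


def inventory_report(controls: list[Control]) -> dict[str, list[str]]:
    """Map each control id to its findings, keeping only records with issues."""
    report = {c.control_id: validate_control(c) for c in controls}
    return {cid: issues for cid, issues in report.items() if issues}


# Constructed sample records (not real controls).
SAMPLE_CONTROLS = [
    Control("CTL-001", "automated", "preventive",
            "The payments application blocks each outbound wire that exceeds the "
            "approved limit before release."),
    Control("CTL-002", "manual", "detective",
            "The Accounts Payable Manager reviews the vendor master change report "
            "monthly and approves each change."),
    Control("CTL-003", "", "detective",
            "Invoices are reviewed periodically as needed"),
]

if __name__ == "__main__":
    for cid, issues in inventory_report(SAMPLE_CONTROLS).items():
        print(cid)
        for issue in issues:
            print("  -", issue)
```

The first sample passes; the second passes the description rules but is flagged as a manual detective design; the third collects findings for the missing type, the passive description that names no performer, action, or frequency, two vague phrases, and the missing full stop. Keyword heuristics like these are a first filter for a large inventory, not a substitute for a reviewer reading each description.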