
What keeps fascinating me is the reaction of people attending our conferences to what is becoming nearly famous as "The Door". People always ask me if they may use this example! That's the most frequent question after our presentations. Well, here you are!

But let's start from the beginning for those who didn't attend one of our GRC conferences. During my speeches I try to give easy-to-follow explanations of why there is a clear connection between business processes, effective controls and reliable risk evaluations. The first perception you have to discard is the assumption that As-Is processes run as the documented To-Be flow. If you reconstruct processes from the transactions in an ERP system, you can easily prove that they do not. Very often controls are well thought out but do not take into account the "other 20%" of instances in which the process runs outside the mainstream. One example is the case where a lead engineer took a half-produced product along with his personal belongings to save time and delivered it himself to the next production facility in China.

There was a sophisticated export control at the shipping center that was smoothly circumvented without any bad intentions - but unfortunately the product was on the list of goods that should never have been imported to China.

The Door

The second perception to question is that this line of thinking surely does not apply to the assessment of risks. Far from it - risk levels for operational risks can only be judged appropriately if the real-life process is taken into consideration during assessment. The prominent example here is the well-known case of Societe Generale, the French bank. Assessing risk positions without knowledge of the “real” processes used (on purpose or without ill intent) may lead to catastrophic misjudgments.

But back to the door - another illustrative example of an ill-designed control. Obviously a locked security door with an alarm system and an emergency exit opening device is meant to make people take another route to the exit of a parking lot. I'm sure there was reasoning behind why this exit in particular needs to be blocked - maybe security, maybe compliance requirements. So to make sure that this control is reliable, we take a look at it from another angle:

The Door

 

by Site Administrator
Posted on Tue, 10/14/2008 - 11:23

Jens Lühning said:

Mr Kling,

I find “the door” is a perfectly fitting example for your key point, that real processes often do not match the defined processes.

I think good process design should take this more into consideration. Maybe by introducing some control spots, “doors”, into the process, that have to be passed. (This reminds me very much of the LKW Maut control spots above the German or French Autobahn.)

I wish you all a very successful day.
