In my last two blogs I shared my views on the link between risk management and BPM as a management philosophy on one hand and linking risks and controls to processes on the other hand and one of the major benefits of doing this is that an organization will have much more control and grip on all of the mitigating activities (often in the form of a process or a part of a process) that have been defined and implemented to balance the risk appetite and risk exposure. The next biggest challenge now becomes the act of keeping all of this information up to date, in other words, how can you manage your risks and controls?
Very often, the group of people managing the business processes and the group of people managing the risks and control are very, very different groups in the organization. I've seen this during my nearly two decades in a manufacturing multinational where I was leading the #BPM group and we were integrating the risks and controls into our process documentation and process models. If you would follow the chain of command from both groups upwards, you would need to go up to the CFO to find the first person that was ultimately responsible for both. In many organizations, however, BPM tends to report into the CIO column and then there might be no single person to oversee both disciplines.
Does this matter, I hear you think? Yes, it does matter and here's why. Organizations are trying to optimize the delicate balance between the risks they are willing to take and the gravity of the mitigating actions they have put in place in order to keep the risk exposure to a minimum. A lot of these mitigating actions can be found within business processes. For instance, the purchase requisition approval process is a control that focuses on minimizing the unauthorized spend risk. So, these two disciplines are much closer and much more interconnected than often is perceived, or even appreciated.
Now, coming back to the topic at hand: how can you manage your risks and controls? The answer is, obviously, through your management of change process, or in short: MOC. I've written a lot of blogs about that topic, and if you consider the risks and controls as an integral part of the wider business process content (that you are managing via your BPM platform), then it only makes sense to include also the upkeep of your risks and controls (and all of the other related information such as ToD's, ToE's etc) via the same management of change process.
Why do I keep coming on so strong about this topic, you ask? Because it is the single most undervalued process in virtually every organization, yet it is vital to ensure the quality and relevance of your business process content and in the end, the execution of these business processes is what makes you, as an organization, reach your strategic goals (or not).
Including risks and controls into the central BPM management of change process does not mean that the risk department has no more control over their own content, on the contrary, they will have much more control because they know that:
- Every change is executed in the same consistent manner
- The potential impact on other (non-risk related) topics is better known before the change will be implemented.
- The reporting on the current status quo of risk management becomes more valuable because it is connected to the execution of your business processes across the organization.
On top of all this, I have more good news. The team I am working in has been strenghtened with a new member. Andrea Beltran Gomez has joined our team and she brings with her a ton of experience on risk and compliance management in the financial industry. In next week's blog I will do a little interview with her and treat you on some more insight in the wonderous world of risk management.
Ciao, Caspar
