Andreas Havliza
Connecting BPM and GRC
Agenda
Overview: Linkage of BPM and GRC
BPM and Governance
BPM and Risk Management
BPM and Compliance
Benefits
Definitions
Business Process Management: aligning all aspects of an organisation, promoting effectiveness and efficiency via a BPM life-cycle.
Corporate Governance: internal instructions, directives, relevant laws, codes of conduct, vision, strategy, objectives.
Risk Management: identification, classification / evaluation, mitigation and monitoring of strategic and operational risks.
Compliance: fulfilment of all internal and external, binding and voluntary requirements of all stakeholders.
What does the practice say?
GRC – integrated and embedded
Source: PWC
Why Governance, Risk & Compliance (GRC)?
Drivers of GRC:
- Laws such as the Sarbanes-Oxley Act (SOx)
- Basel Committee on Banking Supervision (BASEL I, II, III)
- Australian Securities & Investments Commission (ASIC)
- Standards Australia (e.g. AS/NZS ISO 31000:2009)
- Internal guidelines and aims
Just necessary or beneficial? More effectiveness and efficiency?
More awareness of business risks?
Easy to set up using existing process data?
Graphical Illustration of composition
[Diagram: linked views of the GRC data model. Panels: Account Hierarchy (financial statement positions such as fixed assets, current assets, liabilities, deferred charges, deferred income, reserves and accrued liabilities, shareholders' equity, profit and loss statement); Risk Overview (risk categories "sourcing" and "closing" with individual risks, e.g. risk closing 1.1 with control closing 1.1 and test definitions closing 1.1-01 and 1.1-02); Organizational Structure (tester groups, test reviewer groups, risk manager group, control manager group, sign-off owner and sign-off reviewer groups); Business Processes / Business Control Structures (Controlling).]
BPM and Governance
- Governance is closely related to BPM
  - Managing the BPM life cycle and ensuring a sustained BPM approach
  - The process of Business Process Management
- Governance sets the framework for an organisation-wide GRC management
- Mature BPM already includes Governance
  - Vision and strategy of the organisation
  - Internal guidelines, regulations
- Advantage: easy to adopt and supporting the needs of BPM
Different views for different target groups
[Diagram: a shared process repository (Processes, Risks & Controls, KPIs / Rules, Products, Documents, Functions, Data, Systems, Organization) viewed by different target groups:]
- Management: Strategy, Balanced Scorecard, KPIs
- Risk / Compliance: Risk Mitigation, Regulations (SOx), Quality Standards
- IT: IT Architecture, Applications
- End User: Work Instructions, Knowledge
BPM and Risk Management
- Most risks occur because of processes!
  - Without business processes no business and therefore no risks
  - Incorrect financial reporting, cash drain, on-site processes fraught with risk
- BPM is ideal for risk evaluation, risk mitigation and risk monitoring
  - Existing process knowledge should be used in order to support Risk Management
  - Aggregation by risk categories, processes, applications and organisational aspects is possible
  - Risk monitoring with a supportive tool
BPM and Risk Management
- Not to forget the opportunities!
  - A process-oriented perception of risks supports the evaluation of possible gains as well
  - Risk AND Reward: taking known risks with embedded controls into account
    - Risk acceptance, transfer, elimination, reduction
- BPM as a supportive discipline
  - Using business rules in order to constrain process flows
  - Strengthening Risk Management AND enhancing BPM maturity
Proof of an effective Internal Control System
Maturity model to evaluate the status of the Internal Control System: where are we, where do we want to be concerning the ICS?
BPM and Compliance
- Internal Control Systems
  - Sarbanes-Oxley Act
  - Australian Stock Exchange best practice set (not compulsory)
- BPM can assist Compliance Management in an ideal way
  - In order to fulfil regulations and to comply with mandatory laws, controls are very often implemented to ensure compliance
  - Controls are nothing else but business procedures / steps
  - Organising these business steps is the key competency of BPM!
- Integrating Compliance aspects into BPM increases BPM maturity!
Semiconductor: as there are huge benefits in combining BPM and SOX, integrated solutions were evaluated primarily.
Bank / Insurance: Ideal ICS structure
[Diagram: two layers linked by a reporting and feedback loop.]
- Operations (process owners, ICS contacts): operational activities in process, risk description, and control and test description
  1. Control implementation and documentation by the responsible person
  2. Test implementation and documentation by the tester
  - Testing of design / process approval (process owner, ICS contact, ICS unit)
- Central management and monitoring of the ICS (with ARCM), reporting to management / audit: all processes in their entirety; management reporting, analysis; deficiencies, findings; alarm, escalation; measures, changes, optimization
- Shared basis for both layers: process model, risk description, control description, test description
Benefits
- Compliance efficiency from BPM data
  - Introducing internal instructions and guidelines and communicating them within the organisation
  - Assigning risks and mitigating controls to the relevant processes in order to avoid risk occurrence
  - Ensuring that the laws / regulations to be followed are made visible and are being followed
- Gaining synergies by reusing existing information
- Increasing BPM maturity
- If tools are used: consolidated documentation and organisation-wide, role-based communication
- Saving money due to increased efficiency!