How does an organization create a sustainable process, where natural tensions exist between the players, so that:
- the end-to-end process fosters cross-functional cooperation
- objectives are achieved
- the critical risks are managed appropriately?
In his article “Operational risk: Lessons from non-financial organizations”, Simon Ashby writes about adopting a process-based approach to risk management. “The key to the effective adoption of the process approach is comprehensiveness. Such an approach should not only look at the organization's frontline processes, but also all of its back-office and support processes (finance, HR, IT, etc.)” (Ashby, 2008, p. 413).
While he speaks of applying risk management processes at an enterprise level, one can also apply this principle to specific processes. By incorporating risk management into a process, it is possible to bring the front and back offices together to achieve business goals in a sustainable manner.
This article examines the link between strategy, process and risk management and explains how one governance, risk and compliance framework in particular, developed by the nonprofit group OCEG, can be leveraged to ensure that critical business processes effectively support an organization's strategy.
Managing risk while enabling business
To manage risk thoughtfully using a process-based approach, one must consider the “comprehensiveness” of a process: Where does a process start and end? Are all of the right players involved?
Simply including every participant who has a stake in the end-to-end outcome is not enough to manage risk. To build on Ashby's advice, one should look to governance, risk and compliance (GRC) frameworks to ensure that sub-processes are sufficiently integrated to manage risk effectively and efficiently, increasing the likelihood of implementing smart and sustainable risk management that promotes, rather than inhibits, business.
Leveraging the OCEG Capability Model to Assess the Ability of an End-to-End Process to Optimize Risk and Reward
The GRC Capability Model was developed by OCEG, a non-profit think tank founded in 2002, in response to the significant dot-com and corporate failures that plagued the late 1990s and early 2000s. The OCEG Red Book, which is open source, sets forth elements that should result in sound governance, risk and compliance management to drive expected outcomes, including achieving business objectives, enhancing organizational culture and increasing stakeholder confidence (Mitchell, 2012, p. 17). OCEG refers to this as "Principled Performance"™, defining GRC as "a capability that enables the organization to reliably achieve objectives while addressing uncertainty and acting with integrity" (Mitchell, 2012, p. 19). Unlike COSO or ISO standards, the framework is flexible: not all elements must be adopted, and it can be applied entity-wide or to a particular compliance program, such as anti-money laundering.
Choosing a GRC Model
Many enterprise risk management (ERM) frameworks exist that can provide insights into risk management; COSO ERM and ISO 31000:2009 are the two referred to most often. COSO ERM (Committee of Sponsoring Organizations of the Treadway Commission) was first issued in 2004 to give organizations guidance on designing and implementing internal controls and assessing their effectiveness. COSO ERM provides a way to evaluate ERM programs, rather than focusing on risk management activities (Deloach, 2012). Although it speaks to strategy, because of its genesis COSO ERM tends to be associated more with compliance and the performance of internal controls than with the practical implementation of risk management. ISO 31000:2009, on the other hand, provides principles and generic guidance for risk management.
A third overarching framework exists which incorporates elements of COSO ERM and ISO 31000, along with other standards (such as ITIL and ISO 9000) and regulatory requirements, to create an environment where business risks are measured and relevant information is communicated and leveraged by management to make sound business decisions. This framework, the OCEG GRC Capability Model, outlined in what is referred to as the Red Book, provides more in-depth context on culture and on internal and external constraints than COSO ERM or ISO 31000, combining various good practices to optimize a company's performance.
"Components embody integrated Elements of a high performing GRC capability to support both universal and organizational objectives. They operate in a somewhat sequential manner; however, a user may begin to apply the Red Book at any of the Component points as a means of maturing existing capability. All components must operate continuously to realize a high-performing GRC." (Mitchell, 2012, p. Intro 5)
In other words, at the outset, each of the eight components can only be appropriately derived if the preceding component has been clearly defined. Following the same premise that process improvement activities should not be undertaken if they do not support business strategy, GRC activities should first be driven by an entity's business Context: Which customer needs is the organization trying to address? What is the organization's strategy to address those needs, and how do its vision and mission align to it? Within which constraints must it work, or is it willing to work (e.g. regulatory versus voluntary boundaries)? Context is also defined by corporate culture: setting a clear tone at the top for expected behaviors and desired results. Based on these elements, what objectives does the organization set for itself? Once these elements are defined, the organization can define its risk appetite: how much risk is the organization willing to expose itself to in pursuit of opportunity, while still ensuring that objectives can be reasonably achieved?
Context in turn drives an entity's ability to Organize itself. Once it determines the direction in which it wants to head, the organization can define the scope of the GRC capabilities it needs to get there. Critical success factors for the Organize component are: (1) a GRC charter aligned to the organization's objectives, (2) support for the program from the board and key senior leadership and (3) defining and describing the GRC framework to demonstrate that it enables the governance, management and assurance that business goals will be met, while managing risk and compliance (Mitchell, 2012, p. 20). Similarly, a business process should be aligned with the organization's objectives, enjoy the sponsorship and buy-in of senior and executive management and be communicated in such a way that process participants understand the value the process brings to managing business risk while achieving corporate goals.
Once the GRC framework is organized, the next step in the Capability Model is to continuously Assess threats and opportunities. This involves weighing the effects of risk and reward to the organization to determine whether the inherent levels of both remain within the bounds of the organization's risk appetite (as defined in the Context component). Control activities are then developed to either prevent the organization from going outside of the defined boundaries (i.e. Proact) or Detect when those boundaries have been exceeded after the fact. The same can be said of any process, where threats to achieving objectives must be assessed and preventive or detective controls put in place to manage those risks effectively and efficiently, without over- or under-controlling them. Systems must then be put in place to Respond, rewarding desirable conduct and discouraging non-compliance with the established framework. In the case of process compliance, this can include incentives for applying appropriate behaviors which are critical to achieving objectives.
Once defined and operational, the GRC framework must be Measured and adapted as appropriate. Likewise for any process, in order to ensure that it is sustainable and continues to address an organization's business goals, process performance must be monitored and measured. Finally, a framework must be established to allow GRC elements to Interact, sharing the information gathered from the preceding elements so that corrective actions can be taken and improvements made.
The following table summarizes the eight components of the GRC Capability Model at a high level, based on OCEG's Red Book 2.1, and provides some examples of elements that can be considered to support each component. When combined properly, these elements should enable sound business decisions, optimizing risk and opportunity. At the same time, as the Red Book notes, provided that some form of framework is already in place, an organization can work on certain elements, enhancing weaker links in the framework to strengthen it overall.
Applying the Capability Model to Assess Strategy Execution Risks
Any organization can follow the principles of OCEG's Capability Model to ensure processes are sustainable and enable sound business decisions that optimize risk and opportunity. Such analysis can be performed at any time for any process. An ideal time to perform it, however, is when an organization's strategy changes, or when there have been significant changes to the external and/or internal context within which the organization operates. Applying the following approach at that time ensures that the front and back offices remain aligned end-to-end so that they can execute the new strategy, making it achievable and sustainable. The following steps can be used to accomplish this:
- Identify and document the organization's industry risks
  - Risk—Determine and document risk categories (such as regulatory, legal, operational, financial).
  - Risk Events—What could go wrong if processes are not functioning as designed? Consider potential missteps by the organization, suppliers or customers and potential impacts to all parties in the value chain.
  - Potential Impacts—Document what might happen to the organization and its stakeholders if the risk event were to occur.
- Map industry risks to the processes that are impacted by the change
  - At what points is the process capable of impacting the objectives of the corporate strategy?
  - Which elements of the process are critical to optimizing risk and reward (such as risk assessments, go/no-go decision points, process monitoring)?
  - Which elements are critical to the sustainability of the process (such as aligned objectives across functions, process training)?
- Based on the impacts identified above, select the key process(es) to be analyzed that will be impacted by the change in strategy
  - Determine process scope and identify end-to-end participants.
  - Consider the suppliers and customers (internal and external) using a scoping diagram. (My preferred scoping methodology is the BPTrends IGOE Diagram, which identifies inputs, guides, outputs and enablers, taking regulations and corporate policies and procedures explicitly into account.)
- Assess the process' strengths and weaknesses against the Capability Model
  - Refer to the Red Book to determine which of the framework's many factors are most relevant to the process in question. It is not necessary to map to all factors, only to those that will make or break success.
  - For each of the eight Red Book GRC components, document the strengths and weaknesses that contribute to the process' success or could result in breakdowns.
- Address any critical weaknesses that present execution risk to the strategy
  - Agree on pain points of the current process which would hinder achieving the new strategy or cause inefficiencies that are otherwise worth addressing.
  - Build a road map for process improvements to manage execution risk and increase efficiencies.
If a certain level of business process maturity does not exist, it will be challenging to weave these elements together to build a seamless and sustainable approach to managing risk within a process. In that case, a road map should be developed to address significant gaps.
Applying Risk Management Frameworks to Processes in General
In his article, Ashby writes, “Adopting a process-based approach [to risk management] undoubtedly incurs considerable upfront costs and demands the careful mapping of all an organization's processes and sub-processes. However, the benefits can be considerable and may even extend beyond the operational risk manager's traditional habitat of loss identification and reduction to include the exploitation of potential efficiency gains via the streamlining of overly complex and time-consuming processes” (Ashby, 2008, p. 413).
A few elements can be combined with the foundations of good business process management to manage risk in general:
- Tie the process to the organization's strategy
  - The end-to-end process, including back-office functions, must support the strategy.
  - When strategies are modified to address new opportunities, risks must be reassessed. Supporting processes must be assessed and resources realigned to balance risk and opportunity.
  - Link the objectives of process participants to the end result of the process so that everyone is working with the same goal in mind.
- Do not make risk management complicated. Build it into existing operational processes so it becomes second nature.
  - Automate workflows to facilitate execution.
  - Reward systems should deter undesirable behaviors and encourage the right ones.
- Educate employees and customers about relevant risks. Employees must be able to articulate risks and defend the company's standards with conviction.
  - Ensure that all participants, including customers, have an appropriate level of knowledge of the end-to-end process and of how elements within the process help mitigate those risks.
  - If your business has high barriers to entry, do not put off the discussion: if a prospect is not prepared to comply with your standards, it is better to know that up front and save scarce resources. Discussing potential issues early on gives prospects time to think about and address them, and manages the customer's expectations of time-to-market.
  - Share information at the right levels and at the right time to inform sound business decisions.
- Monitoring and reevaluation
  - Monitor and reevaluate the process periodically to ensure efficiency and effectiveness.
  - Monitor and reevaluate customer risk profiles periodically to determine whether controls can be dialed back or must be increased.
  - Automate monitoring tools so results can be easily measured.
  - Select the right measures to track progress towards objectives.
Thinking more holistically about governance, risk and compliance when examining key processes should strengthen an organization's ability to balance risk and opportunity as the business evolves in response to internal and external factors, while remaining responsive to customer needs.
Ashby, S. (2008). Operational risk: Lessons from non-financial organizations. Journal of Risk Management in Financial Institutions, 1, 406-415.
Deloach, J. (2012, June 25). COSO, ISO 31000 or Another ERM Framework? Retrieved July 2, 2012, from Corporate Compliance Insights: www.corporatecomplianceinsights.com/coso-iso-31000-or-another-erm-framwork?
Mitchell, S. R., & C. S. (2012). OCEG Red Book GRC Capability Model 2.1. Open Compliance & Ethics Group.