Balance BPM and GRC to navigate challenging times

Business process management (BPM) and business transformation can be triggered by multiple sources. A bunch of buzz words describe the core topics companies must face these days: ESG, cost pressure, generative AI, regulatory compliance and operational resilience, to only name some of them. External and internal factors force companies to permanently adapt and change operations, processes, organizational structures and IT systems.

Having a deeper look at topics related to GRC (governance, risk and compliance), we can identify regulatory compliance and operational resilience as two important aspects. Nobody will deny that in the nearer past, every company was affected somehow by at least one of them.

Michael Rasmussen, The GRC Pundit, has even forewarned about a Tsunami of Regulatory Change overwhelming the organization.

OCEG (Open Compliance Ethics Group), who claims to have originated the concept of GRC, indicates that work done by many different departments (be it legal, risk, HR, IT, finance, or affected lines of business) in the company has to be integrated. This results in the need to realize one common platform as basis for the different stakeholders talking different “languages.” The role of being a central hub within a company can be played by the different processes.

Process descriptions partly already include GRC relevant items and can be enhanced with lacking ones. Main spots to have a look at are related to risk, control, policy and regulatory management. The items playing the main role are interconnected among themselves and with BPM related artefacts (beside processes, e. g., IT systems, organizational elements, documents, etc.).

For all these spots, the first step is to gain transparency. Knowing, documenting, gaining oversight, defining responsibilities, evaluating and analyzing - all activities known and relevant in BPM are also necessary for the additional content. And the result of this can be a trigger for change management.

The goal must be to find the correct balance between process performance on the one side and risk and compliance on the other side. Below are the relevant items to be considered.

WEBINAR --> Unlocking Compliance: Navigating Operational Resilience Regulations (like DORA)

Risk management

Identification and documentation of risks relevant for the company can be a starting point. Risk libraries, structured according to different aspects and categories, help to clarify the status as-is and build a basis for discussion with all stakeholders in the different departments and lines of business. This should not only be executed by risk management, but also discussed with the lines of business and collecting their knowledge. Reference catalogues can also be helpful. And AI can also play a role in collecting and finding typical input.

Bringing these risks into the business context (affected processes, organizational elements, IT systems, …) and documenting these dependencies is useful to define responsibilities. This does not only cover ownership, but also who is able and responsible for assessing these risks. This helps to find out the most relevant risks in your company, line of business, or location.

Furthermore, it is helpful to know whether there are already measures available to mitigate the risks. Are there already controls in place? Which policies help to mitigate risks? Is insurance a means of mitigation? And in addition to that, to know and document which norms, regulations, laws are somehow connected to the risks will also help the respective stakeholders analyze their status accordingly and report within their area of responsibility.

The assessment of these risks can be based, e. g., on expert estimation, but documented incidents, losses, etc. can also play a role. Different approaches how to assess risks are possible: quantitative or qualitative assessments; multiple dimensions can be considered (financial aspects, reputation, ecological, etc.)

Defining rules to execute assessments (what to do, when, in which frequency should the assessment take place, how to document the results) will then be the basis for the operational execution of the assessments.

Furthermore, rules on how to proceed with the results must be defined (e. g.  risk appetite).

Control management 

To know which controls are already in place helps to find out and evaluate the mentioned risks accordingly. Controls are deeply connected to processes and operations within the company. They can be implemented in application systems. Controls can be preventive or detective and are not necessarily implemented within the processes where the risk occurs.  

To find new controls or improve them, reference content can be used, and of course, AI can also play a role hereby. And again, defining and assigning responsibilities helps to find the blind spots. Ownership is key.

Documentation which controls mitigate which risks is the first step but not enough. Regularly checking whether the control is (still) designed in a way to really do its job, is necessary. Are the controls working and executed as planned? Control testing helps to gain the relevant information. Access to control execution documentation helps to show evidence. Process mining can play a relevant role in supporting (or automatically executing) these tasks. If there are ways to bypass controls within the process or if controls are not working effectively, measures must be taken to either improve the control, change the respective process or define a new one, change organizational responsibility, adapt IT systems.

Policy management

As mentioned above, there are not only controls, but also policies that are used to mitigate risks within the company. There are two main steps in policy management: policy roll-out and regular policy review. A policy, as it is meant here, is an instructional document that describes rules and procedures. In most cases, different stakeholders are involved in generation and have to approve it, before the policy can be roll-out in the company. In some cases, a simple publication is sufficient, in other cases, confirmation that the policy was read and understood, or even that the employees attest that they will follow this policy must be gathered. And policies must also be regularly checked to see whether they are still appropriate, if they have to be updated or can be retired.

Regulatory management 

The fourth item covers laws and regulations (and, e. g., norms that the company decided to follow). Especially in that context, a wide range of topics forces companies to take action – some of them relevant for all companies, others only addressing specific branches or geographic regions: Sustainability, ESG, DORA, data protection, 3rd party risk management, to only name a few.

Being able to show compliance with requirements coming from legislation, laws, etc. is also a very important task for companies, as fines can harm them. An overview of the relevant regulations and defined responsibilities again helps to gain transparency. Deriving understandable business requirements out of the regulations helps to include all relevant stakeholders and have a common understanding. Document the business context (affected processes, IT systems, organizational structures) as well as connections to GRC items (risks, controls, etc.). Based on these connections, rules and responsibilities for compliance assessments must be defined. In those cases that the company does not comply with the requirements, measures to adapt must be taken.

In addition to that, changes in regulations (new versions, updates) and finding new, relevant regulations must be regularly considered and handled in a professional manner.

Having a look at the different aspects and the tasks associated, it should be clear that activities should not be structured in a siloed manner. Bringing so many different stakeholders together and aligning them can only be successful with a professional system.

One common basis to detect redundancies and optimize assessment activities will help to solve the issues efficiently. Enabling all stakeholders to have access to all information in their area of responsibility, know the status of the system, the measures taken and the results is key.

Analyzing and navigating through the net of connected items, defining appropriate responsibilities based on the structure of the company delivers important input to improve your performance. Process mining can help to document conformance of executed processes with the business blueprint. And in case of deviations, initiate mitigating actions before they can harm the whole company.

Of course, risk managers need access to all relevant information in their area of responsibility, the same is true for compliance managers. But as processes are the central hub within the company, process managers also need transparency, why the process is defined in a specific way: why do we need this (control) step or that document? Why do we have to follow that instruction (and could it be optimized)? What is the status of risks that can occur in my area of responsibility? Do the controls work as planned? This information will probably be needed on a more aggregated level than the one for risk and compliance management. But not knowing or ignoring that information is not really an alternative. But a process manager should be able to confirm that the processes executed are compliant with the defined structures.