Process-based Governance, Risk Management, and Compliance

Originally Published - March 14, 2007

For the Last Time, It's All about Process!

It is apparent that as global regulatory mandates multiply and become more stringent, manual approaches to control activities are inevitably becoming untenable. By embedding a rationalized set of automated controls into companies' cross-enterprise business processes, users can move away from resource-intensive, manual control activities to address critical business risks. Although the idea here is to ensure that every organization meets compliance mandates in the most timely and cost-effective fashion while optimizing operational efficiency, compliance will remain a mix of automation and people for a long time to come.

The proper balance of automated processes with paper records and manual, human interaction keeps cost under control, and yields a flexible but controlled set of procedures. Each of these two extremes has its costs and characteristics. Specifically, computers do a great job of handling repetitive tasks and of organizing, storing, and retrieving standard documents. People, on the other hand, do a much better job of handling exceptions (see white paper by Olin Thompson, FDA Compliance for the Life Sciences).

In any organization, evaluation of the characteristics of operations, products, and so forth will reveal the mix of standard versus exceptional circumstances. The most effective procedures will allow computer systems to assist in repetitive operations. At the same time, computers can integrate manual or semi-manual approaches to exceptions, which should be captured in a digital form to facilitate the storing and retrieving of documents, where feasible (see white paper by Olin Thompson, FDA Compliance for the Life Sciences).

Information technology (IT) systems can lower people cost while generating their own costs, and people and IT systems must be balanced to yield the correct level of compliance at the appropriate cost. One should always remember that compliance is not about computers, but rather it is about processes that involve many elements, one of which is computers. The appropriate balance between people and systems in smaller and midsized companies is typically achieved by leveraging automation to handle normal and repetitive situations, and by relying on people for variations (see white paper by Olin Thompson, FDA Compliance for the Life Sciences). This system is cleverly explained in Kiran Garimella's book The Power of Process: Unleashing the Source of Competitive Advantage (Meghan-Kiffer Press, 2006).

…while the business process management (BPM) software generally provides the DNA and the chemicals to bring processes to life, service oriented architecture (SOA) is the physio-skeletal system that allows the life-form to move about and function. XML (extensible markup language) may be likened to the nervous system that serves as the medium and protocol of communication. To stretch the analogy a bit further, just as RNA acts as a messenger and translator of the genetic code into proteins, MDA (Model-Driven Architecture) provides a technology-neutral way of translating the BPM architecture into practical designs. BAM (business activity monitoring) provides the feedback loop, the pain-pleasure principle, and the deep control mechanism that keeps the life-form in homeostasis and agile in a constantly changing environment.

For more pertinent information regarding the ideas above, see Understanding SOA, Web Services, BPM, BPEL, and More, The Modelling Approach to Post-implementation Agility in Enterprise Systems, and Business Activity Monitoring—Watching the Store for You.

Benefits of Process-based GRC

The point here is that it is the emergence of the above technological concepts that, while not a silver bullet, at least promotes the treatment of controllership and compliance in a more strategic (top-down) way, rather than as a slew of knee-jerk reactions to the regulatory threats du jour (that is, the current regulatory requirements). To that end, BPM should be able to facilitate enterprise risk management (to identify, monitor, and manage all varieties of risks) by providing tools and a framework to gain and maintain knowledge of business processes. Thus, a process-oriented control application has to provide a risk-based approach to establishing the user's control environment and identifying the most effective and efficient controls. Such an application should integrate directly with control documentation in the required governance, risk management, and compliance (GRC) repository. This integration will enable the user company to centralize control management, and eliminate the need to integrate separate tools for documentation, testing, remediation, and continuous control monitoring.

For an extensive exploration of GRC, please see the following series:

  • Thou Shalt Comply (and More, or Else): Looking at Sarbanes-Oxley

  • Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management

  • Sarbanes-Oxley Act May Be Just the Tip of a Compliance Iceberg

  • Automotive Industry and Food, Safety, and Drug Regulations

  • "Evergreen"—Environmental Regulations for High-tech and Electronics, Chemical, and Oil and Gas Industries

  • Global Trade and the Role of Governance, Risk Management, and Compliance Software

  • The Challenges of Defining and Managing Governance, Risk Management, and Compliance

As discussed in SAP Solutions for Governance, Risk and Compliance, process-based GRC will allow companies to conduct such activities as

  • quantifying the financial exposure from control exceptions to properly prioritize necessary resource deployment;

  • implementing controls for key risks with a combination of automated control monitoring, manual controls testing, and self-assessments;

  • monitoring critical "procure-to-pay," "order-to-cash," or "reconcile-to-report" process configurations and transactions, ideally with pre-delivered, automated control tests;

  • ensuring compliance with Section 404 of the US Sarbanes-Oxley Act (SOX);

  • implementing effective IT governance and alignment with Control Objectives for Information and Related Technologies (COBIT);

  • deploying consistent, automated control tests across multiple organizations and business units to reduce the number of controls that need to be maintained (control tests can be scoped using criteria such as customer and vendor IDs, company codes, fiscal periods, and financial accounts to increase precision and accuracy);

  • routing manual control tests to appropriate personnel automatically;

  • guiding control testers with step-by-step, manual procedures, and (occasionally) via approved spreadsheet templates for performing manual control tasks, while ensuring completeness and accuracy;

  • performing self-assessments for entity-level controls, design reviews, and management certifications, such as SOX Section 302 sign-offs (this section requires the chief executive officer [CEO] and chief financial officer [CFO] to quarterly certify the existence of controls and to sign off on the veracity of the organization's financial statements);

  • pinpointing control violations and prioritizing corrective actions through a global "heat map" (of burning issues); and

  • creating remediation cases automatically for control exceptions to accelerate resolutions.

As a result, companies should gain much better visibility into their business process controls so that their executives and auditors can prioritize corrective action to address risk, thus preventing the development of material weaknesses in the control environment. Last but not least, companies should be able to perform timely what-if analyses to simulate the impact of application control changes before putting those changes into effect.
