
The Leonardo Blog


Linking GRC and BPM: Governance Risk Compliance and Business Process Management


Business Process Management and Governance Risk & Compliance Management: two separate worlds?

Reading a Leonardo Consulting newsletter, you would not be surprised to find the term Business Process Management (BPM) in the headline. Less common is the topic of Governance, Risk & Compliance (GRC), which is becoming more and more important as quality standards (e.g. ISO 9000) in various business areas, as well as laws and regulations, have been introduced and are binding. This article puts a spotlight on both management areas to illustrate how they are linked to each other.

Business Process Management is well known as an approach to improving an organisation’s processes by aligning all relevant aspects of the organisation to promote effectiveness and efficiency. Corporate Governance describes the regulatory framework for target-oriented, responsible and ethical administration and regulated control of organisations in accordance with existing law. Risk Management integrates the handling of risks that threaten the achievement of strategic and operational business objectives, and therefore covers topics like risk identification, risk evaluation, risk mitigation and risk monitoring. Compliance Management, last but not least, is the fulfilment of all relevant internal and external, binding and voluntary requirements of all stakeholders. So much for the definitions, but how are the GRC topics related to BPM?

A good example is the Internal Control System (ICS). Influenced by the US Sarbanes-Oxley Act in 2002, which put a spotlight on processes and process steps that carry risks as well as on reasonable controls and their ongoing execution, the topic of ICS became more and more common and important. See also the best-practice guidelines set by the Australian Stock Exchange (ASX), which request that companies implement a risk-management process within their Risk & Control Management systems, along with its assessment. However, the guideline is not compulsory for organisations to follow. But it makes one thing obvious: no business without business processes. And these processes and process steps carry risks. Business Process Management is therefore an ideal basis for risk evaluation, risk mitigation and risk monitoring.

The existing process knowledge should be used to help Risk Management succeed in these tasks. Once the risks have been identified, the next step is to set up appropriate controls that mitigate the evaluated risks. If specific laws have to be followed (e.g. SOx, with its financial focus), the relevant process areas are clearly defined. BPM can support these compliance aspects by providing the process knowledge and, if any tools are used, the maintenance of the GRC-related data as well as its communication. Risks and controls could be assigned to process steps and specified with responsibilities and information about application systems or tests to be executed to ensure the controls' effectiveness. The BPM repository, if a tool including a database is used, would ensure a sustainable approach by offering GRC-specific reports or holding the data required to feed a workflow tool that handles the risk evaluation as well as the testing of designed and implemented controls.

These are just two examples of the various business cases where BPM and GRC are linked to each other. In conclusion, it is worthwhile to look at BPM and GRC questions in a combined approach, as both management areas contribute to each other in specific business areas, and therefore the effectiveness and efficiency of both BPM- and GRC-related aspects could be increased.
