
The Leonardo Blog


Linking GRC and BPM: Governance Risk Compliance and Business Process Management


Business Process Management and Governance Risk & Compliance Management: two separate worlds?

Reading a Leonardo Consulting newsletter, you would not be surprised to find the term Business Process Management (BPM) in the headline. Less common is the topic of Governance, Risk & Compliance (GRC), which is becoming more and more important as quality standards (e.g. ISO 9000) in various business areas, as well as binding laws and regulations, have been introduced. This article puts a spotlight on both management areas in order to illustrate how they are linked to each other.

Business Process Management is well known as an approach to improving an organisation's processes by aligning all relevant aspects of the organisation to promote effectiveness and efficiency. Corporate Governance describes the regulatory framework for target-oriented, responsible and ethical administration and regulated control of organisations in accordance with existing law. Risk Management covers the handling of risks that threaten the achievement of strategic and operational business objectives, and therefore includes risk identification, risk evaluation, risk mitigation and risk monitoring. Compliance Management, last but not least, is the fulfilment of all relevant internal and external, binding and voluntary requirements of all stakeholders. So much for the definitions, but how are the GRC topics related to BPM?

A good example is the Internal Control System (ICS). Influenced by the US Sarbanes Oxley Act in 2002, which put a spotlight on risk-bearing processes and process steps as well as on reasonable controls and their ongoing execution, the ICS has become more and more common and important. See also the best-practice guidelines set by the Australian Stock Exchange (ASX), which request companies to implement a risk-management process, and its assessment, within their Risk & Control Management systems. The guideline is not compulsory for organisations to follow, but it makes one thing obvious: there is no business without business processes, and these processes and process steps carry risks. Business Process Management is therefore an ideal basis for risk evaluation, risk mitigation and risk monitoring.

The existing process knowledge should be used to help Risk Management succeed in these areas. Once the risks have been identified, the next step is to set up appropriate controls that mitigate the evaluated risks. If specific laws have to be followed (e.g. SOx, with a financial focus), the relevant process areas are clearly defined. BPM can support these compliance aspects by providing the process knowledge and, if any tools are used, by maintaining and communicating the GRC-related data. Risks and controls could be assigned to process steps and specified with responsibilities and with information about application systems or about tests to be executed to ensure the controls' effectiveness. The BPM repository, if a tool including a database is used, would ensure a sustainable approach by offering GRC-specific reports or by holding the data required to feed a workflow tool that handles the risk evaluation as well as the testing of designed and implemented controls.

These are just two examples of the various business cases in which BPM and GRC are linked to each other. In conclusion, it is worthwhile to look at BPM and GRC questions in a combined approach, as both management areas contribute to each other in specific business areas, and the effectiveness and efficiency of both BPM and GRC related aspects could therefore be increased.
