Knowledge and Transparency - A Good Starting Point for Risk and Compliance Management
Companies permanently face the need to adapt existing processes or create new ones: they do not exist in a closed bubble but must react to external and internal change. New regulations, new business strategies, disruptions in IT (Information Technology): being in business means facing risks. And failing to follow internal and/or external requirements can jeopardize the whole company.
Transparency
Being successful in today's world is only possible if you know how your company actually works. You need transparency about:
ARIS Business Transformation Suite offers a well-established basis for bringing together the different stakeholders in the company: line of business, IT people, subject matter experts, and employees all benefit from common ground on which to discuss and align. To support this, ARIS Business Process Analysis offers a wide range of models and objects covering all of the above-mentioned topics, always using processes as the central hub. As an alternative, or in addition, to documenting only the standardized to-be process (e.g., based on reference content), as-is documentation can also be the starting point. Based on processes measured in operational systems and gathered via ARIS Process Mining, you gain knowledge of what really happens in your company.
But that is not sufficient for a comprehensive approach: you must also be aware of the threats the company is facing. To really understand why the processes are designed the way they are, or to adapt them where necessary, you need additional aspects:
Structured libraries
The natural way to document and describe these aspects is to enhance the existing BPA (Business Process Analysis) system with risk and compliance (R&C) related assets, rather than building multiple siloed solutions. Besides the well-known BPA items, ARIS offers a broad range of objects and models for risk and compliance. You can use Risk Diagrams to categorize and structure your risk library. Documentation of compliance aspects is supported by Regulation Models, which are used to structure and break down laws and other legal acts of a regulatory nature into Category, Regulation, Chapter, and Clauses. In addition, a specific model (the so-called Technical Term Model) lets you build your own structure for any other use case, for example to organize assets along your balance sheet structure or along other standards.
Risk and compliance related objects in business context
All these objects describe the risk and compliance context in which the enterprise is situated. But all these "dots" are interconnected. Depending on the stakeholder's view, the topic of interest, or the question to be answered, the navigation and analysis paths differ.
A process owner wants to know which risks occur in his or her area of responsibility and which mitigating measures and controls are implemented there. Be aware that controls do not necessarily mitigate risks occurring within the same process: a control can also prevent or detect risks that occur in other processes. Furthermore, knowing whom to address for deeper insight into the background, or for answers to questions about R&C assets, should be self-evident.
ARIS and the content maintained in it help show these dependencies and answer these questions. All items can be used in reports and queries.
Risks
Let us look at the typical connections a risk can have. First, you should define responsibilities for collecting and documenting the risks belonging to a specific topic: define a risk manager as the person who takes care of these risks and keeps the library up to date.
But let us now focus on risks and their business context. Apart from responsibilities, the assignment of a risk to the items it affects or can affect provides a second kind of connection. Because processes are in the spotlight of ARIS usage, connecting risks to processes is key in most cases. You can assign a risk to a value chain element or to the subordinate process flow level; both are possible. The decision depends on the level at which you want to run your analysis later (and on what level of detail is useful; in many cases you do not need to drill down to the specific process step). Risks can also affect IT systems, organizational structures (cost centers, locations, departments, etc.), and the fulfillment of requirements coming from regulations or standards. Thus both the business context and the risk and compliance context within the company can (and should) be mapped. Depending on which stakeholders you want to include in the system, you can include these views from the beginning or add them later.
A third area of interest is which measures are in place to mitigate the risks: controls, policies, and others such as insurance. In ARIS, a specific model helps you visualize and maintain all these connections: the Business Controls Diagram. ARIS helps you gain insight into the triangle of structures and responsibilities, business context, and mitigating measures.
To find out which risks are most relevant, and to reach the next level of maturity, the company can initiate risk assessments to rank the risks and define where there is a need to act. In that case, additional people have to be involved in risk management activities: people who execute risk assessments (risk owners) and people who review them (following the four-eyes principle). If you decide to take that step, you again benefit from a tool that is flexible enough to support you with appropriate workflows, automatically informs people about their tasks, sends reminders, and documents results in an audit-proof way.
Controls
Let us now look at controls. The Business Controls Diagram is used not only to describe controls and their responsibilities, but also to map them into the R&C and business context. Defining a control owner is, analogous to the risk manager, the first step. He or she is responsible for keeping the control well designed, effective, and up to date. Building a control library helps maintain overview and clarity.
And as in risk management, there is a next level of maturity: you can regularly check and test whether the controls are designed appropriately and executed correctly. That means you can extend the tool with a workflow system that regularly initiates control tests (again following the four-eyes principle, based on the responsibilities defined). Based on the results of these tests, you can improve and adapt your way of working.
And again, the business context keeps stakeholders informed about which controls are relevant in their area of responsibility: process owners know which controls are incorporated in their processes, and those responsible for IT systems know which controls are implemented in their applications.
Mapping controls as mitigating measures to risks was already mentioned above. In that way, you build the initial link into the risk and compliance context. If desired, a control can also be mapped directly to a regulation or a standard, so that the subject matter expert is easily informed about the situation and status.
Policies
Instead of, or in addition to, controls, companies often use policies to guide their employees on how to proceed in compliance with internal or external requirements, or to mitigate risks.
Documenting which policies exist (the policy inventory) and structuring them is supported by the Business Rule Architecture Diagram.
Defining responsibilities (policy owner/manager) and mapping policies into the business context, be it processes or organizational scope, as well as into the risk and compliance context, completes the information stakeholders need. The Business Controls Diagram offers all the building blocks required.
And again, for the next level of maturity, ARIS offers capabilities to initiate the roll-out of policies (with or without approval by the stakeholders and with or without confirmation by the addressees), as well as regular or ad-hoc reviews.
Regulations
The last items I would like to highlight are regulations, norms, and standards. Knowing and communicating which external and internal framework conditions the company must satisfy is key in compliance management. To make that possible, ARIS offers, in addition to the already mentioned Regulation Model for structuring and categorizing, the Regulation Allocation Diagram, which is used to derive business requirements (legal texts are not easily understood, so you can "translate" them into business requirements), to document responsibilities (regulation manager), and, here too, to document the business context. If you decide to use requirement objects, all relevant assignments for them are documented in the Requirement Allocation Diagram: influencing policies, connected risks, processes, IT systems, etc.
Of course, these items are also used at the next level of maturity to initiate tasks for regulatory reviews, change management, and compliance assessments.
Summary
For each of the items mentioned, covering BPA as well as risk and compliance aspects, ARIS offers a wide range of capabilities to gain transparency and build a common basis that includes the different stakeholders.
Specific models to structure, categorize, and break down the objects of interest provide a clear and understandable overview of the relevant content.
Furthermore, models document and define responsibilities on various levels, with the ability to distinguish specific roles (such as manager, owner, or others).
Mapping the different objects clarifies the network between them. The different stakeholders can then use this network to analyze and navigate between all areas and to better understand the complex reality of the company.
And finally, this transparency and comprehensibility is the first step toward operationally managing risk and compliance topics in a structured way. ARIS Risk and Compliance Management helps you move up to the next maturity level: use this content to set up an operational system that regularly (or ad hoc) starts workflows to assess, review, test, and improve your integrated BPA and risk and compliance system, built on a single source of truth.