process innovation vs. governance, risk and compliance
Presentation on the interplay of risk and innovation, given at the 2008 International BPM Standards Conference in Seoul, Korea on Oct 17th, 2008.
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Hoboken [email protected]
Process Innovation versus Governance, Risk and Compliance
What this Talk is About
Risk: Driving Process Management
What are operational risks in the context of BPM?
How to identify operational risks
How to prioritize operational risks
How to make better decisions based on risk information
Governance, Risk, Compliance
Governance: Effective Process Management
Risk: The Probability of Process Failure
Compliance: Meeting Regulatory Requirements
Motivation
Drivers for Business Process Management (BPM)
Performance
Business Process Improvement
Engineering of Process-aware IS
Compliance
Mandated compliance (e.g. SOX)
Desired compliance (e.g. ISO, ITIL)
High Performance Processes
Text2Insure: Provide Travel and Car Insurance via SMS
Provides Quote within 60 seconds
Reply “BUY”
Call from agent within 10 min for payment details
Cover2go: Accidental Death Insurance
Fees taken from cell phone bill
High Compliance Processes
Sample Application: Rules engine with decision tree for underwriting and claims handling
Rules engine evaluates case in parallel with employee
If discrepancy between outcomes is detected, case is flagged and sent to manager
Great! Now What Do We Do With It?
Process Innovation
Project Autograph
Usage-based Insurance Billing
New Process
New Technology
New Value Proposition
Process Innovation
Project Failed
Lack of Standard Process
Expensive Technology
Customers not ready
Learn from Outside
Telecom Billing Process
Free GPS
Rate depends on mileage driven
Industry-strength Billing Process
Operational Process Risk
Risk Management and BPM
BPM | Risk Management
Focus on providing value for stakeholders | Focus on ensuring value for stakeholders
Performance depends on effectiveness of business processes | Risk is an inherent property of business processes
Performance is influenced by process design | Risk is mitigated by process design
Feedback is obtained through Performance Indicators assigned to systems and processes | Feedback is obtained through Risk Indicators assigned to systems and processes
Performance objectives are achieved through optimized processes | Risk is mitigated through optimized processes
Compare Frew (2006)
[Process diagram. Events: "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run approved", "Payroll run not approved", "Payroll run information transmitted". Activities: "Enter Payroll run information", "Approve Payroll run" (followed by an XOR split), "Transmit Payroll run information to Bank". Roles and systems: Accounting Staff Member, Supervisor 1, Supervisor 2, Payroll System.]
Payroll Process
[Process diagram. Events: "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run information transmitted". Activities: "Enter Payroll run information", "Transmit Payroll run information to Bank".]
Process without Control Activities
[Process diagram. Events: "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run information transmitted". Activities: "Enter Payroll run information", "Transmit Payroll run information to Bank". Risks marked with "!": "Data Entry Mistake", "Transmission Failure". Additional activities: "Sign-off Payroll Run", "Verify Transmission Acknowledgement".]
Common Risk Modeling
[Process diagram. Events: "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run information transmitted". Activities: "Enter Payroll run information", "Transmit Payroll run information to Bank". Roles, systems and data: Accounting Staff Member, Payroll System, Payroll Run Request.]
Closer Look At The Process
[Process diagram. Events: "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run information transmitted". Activities: "Enter Payroll run information", "Transmit Payroll run information to Bank". Roles, systems and data: Accounting Staff Member, Payroll System, Payroll Run Request. Risks marked on the diagram: "Staff member not available", "Payroll System Failure", "Payroll Run Request made public", "Sign-off Failure", "Data Entry Mistake", "Staff member enters fraudulent data", "Staff member not sufficiently qualified", "Transmission Failure". Additional activities: "Sign-off Payroll Run", "Verify Transmission Acknowledgement".]
Component Risk
Faults, Errors, Failures
Fault Latency
[Process diagram: the payroll process with the "Approve Payroll run" step (events "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run approved", "Payroll run not approved", "Payroll run information transmitted"; activities "Enter Payroll run information", "Approve Payroll run" with XOR split, "Transmit Payroll run information to Bank"; roles and systems Accounting Staff Member, Supervisor 1, Supervisor 2, Payroll System). Annotations: "Fault", "Error", "Failure", "Inexperienced Staff Member on Duty", "Wrong Date Entered", "Faulty Payroll Run Approved", "Complacent Supervisors", "Faulty Payroll Run Transmitted".]
Possible Event Sequences
A: Fault exists
B: Error occurs
C: Error is identified
D: Action is initiated
E: Action is completed
F: Point of no return
G: Consequence ensues
Event Sequence
Hard and Soft Constraints
Hard Constraints: Process Rules
Data dependencies
Resource dependencies
Must not be violated
Failure leads to broken process
Soft Constraints: Business Rules
Risk mitigation activities
Documentation
Checks and Balances
Can be worked around
Failure leads to non-compliance
regulatory & oversight
value preserving
value adding
Balloon vs. Marble
“Lean” Process
Vulnerable to Outside Risk
Few, if any, Internal Controls
“Fat” Process
(Nearly) immune to Outside Risk
Strong Governance Component
Bottom line: Need to know context to choose
Alternative Control Patterns
Process Control Pattern
[Process diagram: the payroll process with the "Approve Payroll run" step (events "Payroll date < 3 days from today", "Payroll run information entered", "Payroll run approved", "Payroll run not approved", "Payroll run information transmitted"; activities "Enter Payroll run information", "Approve Payroll run" with XOR split, "Transmit Payroll run information to Bank"; roles and systems Accounting Staff Member, Supervisor 1, Supervisor 2, Payroll System). The fragment "Approve Payroll run", XOR, "Payroll run approved" / "Payroll run not approved" with Supervisor 1 and Supervisor 2 is shown again as a separate excerpt.]
Control Patterns
FileNet Image System
24/7 Issue System Workflow and Rule Engine
App is Scanned and OCR’ed
Data Entry and Validation
Admin System
Rule Engine validates Application information and Issues some policies
Underwriter reviews APS’s and some complex cases
Producer receives policy for delivery.
Exception Based Underwriting
Expanded Rules with Automatic Interface functionality may include:
Straight-through processing
Intelligent requirement processing
Automated issue
Minimized admin system entry
Workload Balancing
Source: Royce (2007)
Takeaways
BPM-based Process Governance creates room for Innovation
Operational Risk Management requires separation of
Value-adding activities
Control activities
BPM Solutions can help enforce Compliance
Access Control
Audit Trail Logging
Enforcement of QoS such as response times
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone: +1 (201) 216-8293
Fax: +1 (201) 216-5385
E-mail: [email protected]
http://www.cebpi.org
slides: www.slideshare.net/mzurmuehlen
Thank You - Questions?