Risk and Compliance
Many companies across the globe now face a world in which risk and compliance assurance must be supported by reliable controls, and in which the level of transparency the business must provide to the governance process is considerably onerous.
Furthermore, the requirements on the company are written into statutory obligations and carry heavy penalties for those that fail to deliver.
Whilst industries such as construction and manufacturing have always embedded risk and compliance requirements into the design architecture, other industries have been relatively slow to adopt this assured approach.
For many it has seemed too hard to break the requirements of legislation down into a form that operational staff can understand. Further, the fear of misinterpretation and consequent non-compliance encourages most to simply train staff in the actual regulations and hope that, when carrying out a process, they recall their training and apply it correctly.
Business Architecture can, however, be used to translate legislation and identified business risks into the clear, specific requirements that apply to each particular strategic and operational activity.
However, before describing a methodology that has operated with relative success, I should first point out that the biggest obstacle this approach initially faced goes to the heart of the methodology: the unwillingness of legal professionals to move beyond the complexity of legal language.
The profession's unwillingness to restate the requirements of legislation and regulations from legal speak into relatively simple, clear requirements that support those responsible for designing business activities was disappointing but not surprising.
Risk Management requirements likewise need to be communicated in a form that business staff can understand, so that they are clear about what must change in their activities to prevent the associated consequences.
From Obligations to Requirements
This particular example, from the Australian financial industry, relies initially on the APRA (Australian Prudential Regulation Authority) risk guidelines. As the business gains experience of the other risks at large within it, the Risk Register normally evolves into a reliable and representative base for the particular organisation. Compliance in this case covered not only national and state legislation but also regulations and fund rules.
The diagram below outlines the steps involved in moving from the risk and compliance requirements identified in the company registers to establishing particular design features within business activities that meet the associated compliance requirement and/or manage the associated risk.
The description of the process that follows uses reference numbers that correspond to the steps in the diagram.
Methodology
The first step in determining the risk and compliance management to be embedded in each business activity is to assess the associated company risks. This starts from the established risk categories, which are usually contained in the company Risk Register (1). The next step is to access the legislation and regulation requirements contained in the Compliance Register (2).
Should such documents or databases not exist in the organisation, there are many industry and regulator based risk guidelines that can assist in building reliable databases. Risk and Compliance registers should be held under strict version control in the corporate Information Management System (3) and always kept up to date.
Risk
From analysis of the risk categories, the associated Organisational Risks (4) and their likely causes (5) are determined. Each cause is then mapped to the business activities in which it is considered likely, or at least possible, to occur (6).
The identified activities are analysed (7) to determine the risk management design features and/or business rules that need to be embedded in them. Each identified cause is then inverted (12) to express a critical success factor (13): the positive condition that business process design must maintain so that the associated risk remains managed. For example, a cause such as "a payment is released without a second approval" inverts to the critical success factor "every payment is approved by a second, independent person before release".
Compliance
Working directly from the statutory requirements in the Compliance Register, further analysis breaks the information down into plain English compliance obligations (8). From these easier to understand obligations, elemental business requirements are formed (9). Each compliance requirement is then mapped to the business activities considered relevant for compliance purposes (10).
The identified activities are analysed (11) to determine the changes and/or business rules to be embedded in each activity. In addition, each compliance requirement is expressed in the business architecture as a critical success factor (13) that protects the compliant design on an ongoing basis.
Each process is then redesigned (14) to meet all of its related Risk and Compliance Critical Success Factors. The final step is a stress test (15) of the process design, assessing the risk that it fails to meet its overall objectives (Time, Cost, Quality, Risk and Compliance).
All business process designs are signed off by the Business Unit, then presented in the Business Architecture (16) and published on the Intranet (17) for implementation.
All associated business rules are controlled in the business rules database (18). Ongoing auditing of the business processes for risk and for compliance is undertaken by the Risk Management Framework (19) and the Compliance Management Framework (20) respectively.
I hope it helps you deal with what is clearly a challenging area.