Risk and Compliance – embedding specific requirements in the Target State Business Architecture

Author(s)

Business Enterprise Architect, VicRoads

Risk and Compliance

Many companies across the globe are facing up to a whole new world where risk and compliance assurance must now be supported by reliable controls over which the level of transparency required to be provided by the business to the governance process is considerably onerous.

Furthermore the requirements on the company are written into statutory obligations and carry heavy penalties for those that fail to deliver.

Whilst industries such as construction and manufacturing have always embedded risk and compliance requirements into the design architecture, other industries have been relatively slow to adopt this assured approach.

For many it has been seen as too hard to break down the requirements of legislation in a manner that can be understood by operational staff. Further, the fear of misinterpretation and consequent non-compliance encourages most to simply train staff in the actual regulations and hope they can apply what they have learned in the processes as they recall their learning.

Make no mistake, Business Architecture can be used to accommodate the effective translation of legislation and identified business risk management into the clear specific requirements relating to each particular strategic and operational activity.

However, before describing a methodology that has operated with relative success I should firstly point out the biggest obstacle this particular approach faced initially goes to the heart of the methodology that was the unwillingness of legal based professionals to move beyond the complexity of legal language.

The unwillingness of the profession to express in relatively simple terms the requirements of legislation and regulations from legal speak into clear requirements to support those responsible for developing the design of business activities was disappointing but not surprising.

There is also a need for Risk Management requirements to be communicated in a manner such that business staff can understand and be clear in what is required to be changed in their activities to prevent the associated consequences.

From Obligations to Requirements

This particular example from the Australian financial industry relies initially upon the APRA (Australian Prudential Regulation Authority) risk guidelines. It is normal through experience of other risks at large in the business to allow the Risk Register to evolve into a reliable and representative base for the particular organisation. Compliance in this case included not only national and state legislation but also regulations and fund rules.

The diagram below outlines the steps involved in moving from identified risk and compliance requirements contained in the company registers to establishing particular design features within business activities for meeting the associated compliance requirement and/or managing the associated risk.


The associated description of the process that follows contains reference numbers to the actual steps in the diagram.

Methodology

The first step in determining the risk and compliance management to be embedded in each business activity is to access associated company risk. This starts by taking advantage of established risk categories that are usually contained in the company Risk Register (1). The next step is to access the legislation and regulation requirements contained in the Compliance Register (2).

Should such documents or databases not exist in the organisation, there are many industry and regulator based risk guidelines that can assist in building up reliable databases. Risk and Compliance registers should be held under strict version control in the corporate Information Management System (3) and always maintained in an up to date condition.

Risk

From analysis of the risk categories the associated Organisational Risks (4) and likely causes are determined (5). Each determined cause is subsequently identified with the business activities where it is considered likely or at least possible for it to occur (6).

The identified activities are subjected to analysis (7) in order to determine the required risk management design features and /or business rules that need to be embedded. The context of each identified cause is then inverted (12) to express the critical success factor (13) to be used for the ongoing associated risk to be managed by business process design.

Compliance

Working directly from the statutory requirements provided in the Compliance Register further analysis is conducted to break down the information into plain English compliance obligations (8). Working from easier to understand requirements elemental business requirements are formed (9). Each identified compliance requirement is subsequently identified with the business activities that are considered relevant for compliance purposes (10).

The identified activities are subject to analysis (11) in order to determine the required changes and /or business rules to be embedded in each activity. In addition each identified compliance requirement is expressed in the business architecture as the critical success factor (13) to be used for the ongoing protection of the compliant design.

Subsequently each process is to be redesigned (14) to meet all the identified related Risk and Compliance Critical Success Factors. The final step is to carry out a stress test (15) on the process design to assess for the risk of it failing to meet its overall objectives (Time, Cost, Quality, Risk and Compliance).

All business process designs are signed off by the Business Unit and subsequently presented in the Business Architecture (16) and published on the Intranet (17) for implementation purposes.

All associated business rules are controlled in the business rules data base (18). Ongoing auditing of the business processes for risk and compliance is undertaken by the Risk Management Framework (19) and Compliance Management Framework (20) respectively.

I hope it helps you deal with what is clearly a challenging area.

Similar Resources

Enhancing Your Team’s BPM Capabilities: The Value of External Expertise

Enhancing Your Team’s BPM Capabilities: The Value of External Expertise

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

Enhancing Your Team's BPM Capabilities: The Value of External Expertise In today’s dynamic business environment, managing and improving business processes is critical for any organization aiming to maintain a competitive edge. Many companies consider handling Business...

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+ Introduction In the evolving landscape of Business Process Management (BPM), the introduction of Shared Data Model Notation (SDMN) marks a significant advancement. As businesses increasingly seek to...

Embracing the Future: Low-Code and No-Code Platforms in BPM+

Embracing the Future: Low-Code and No-Code Platforms in BPM+

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

Embracing the Future: Low-Code and No-Code Platforms in BPM+ Introduction In the realm of business process management (BPM), low-code and no-code platforms have emerged as transformative tools, reshaping how organizations develop applications and manage workflows....

Featured Certificate: BPM Specialist

Everyone starts here.

You're looking for a way to improve your process improvement skills, but you're not sure where to start.

Earning your Business Process Management Specialist (BPMS) Certificate will give you the competitive advantage you need in today's world. Our courses help you deliver faster and makes projects easier.

Your skills will include building hierarchical process models, using tools to analyze and assess process performance, defining critical process metrics, using best practice principles to redesign processes, developing process improvement project plans, building a center of excellence, and establishing process governance.

The BPMS Certificate is the perfect way to show employers that you are serious about business process management. With in-depth knowledge of process improvement and management, you'll be able to take your business career to the next level.

Learn more about the BPM Specialist Certificate

Courses

  •  

 

Certificates

  • Business Process Management Specialist
  • Earning your Business Process Management Specialist (BPMS) Certificate will provide you with a distinct competitive advantage in today’s rapidly evolving business landscape. With in-depth knowledge of process improvement and management, you’ll be able to take your business career to the next level.
  • BPM Professional Certificate
    Business Process Management Professional
  • Earning your Business Process Management Professional (BPMP) Certificate will elevate your expertise and professional standing in the field of business process management. Our BPMP Certificate is a tangible symbol of your achievement, demonstrating your in-depth knowledge of process improvement and management.

Certification

BPM Certification

  • Make the most of your hard-earned skills. Earn the respect of your peers and superiors with Business Process Management Certification from the industry's top BPM educational organization.

Courses

 

Certificates

  • Operational Excellence Specialist
  • Earning your Operational Excellence Specialist Certificate will provide you with a distinct advantage in driving organizational excellence and achieving sustainable improvements in performance.
 

 

OpEx Professional Certificate

  • Operational Excellence Professional
  • Earn your Operational Excellence Professional Certificate and gain a competitive edge in driving organizational excellence and achieving sustainable improvements in performance.

Courses

Certificate
  •  

  • Agile BPM Specialist
  • Earn your Agile BPM Specialist Certificate and gain a competitive edge in driving business process management (BPM) with agile methodologies. You’ll gain a strong understanding of how to apply agile principles and concepts to business process management initiatives.  
 

Business Architecture

 

Certificates

  • Business Architecture Specialist
  • The Business Architecture Specialist (BAIS) Certificate is proof that you’ve begun your business architecture journey by committing to the industry’s most meaningful and credible business architecture training program.

  • Business Architecture Professional
  • When you earn your Business Architecture Professional (BAIP) Certificate, you will be able to design and implement a governance structure for your organization, develop and optimize business processes, and manage business information effectively.

BA CertificationCertification

  • Make the most of your hard-earned skills. Earn the respect of your peers and superiors with Business Architecture Certification from the industry's top BPM educational organization.

Courses

 

Certificates

  • Digital Transformation Specialist
  • Earning your Digital Transformation Specialist Certificate will provide you with a distinct advantage in today’s rapidly evolving business landscape. 
 

 

  • Digital Transformation Professional
  • The Digital Transformation Professional Certificate is the first program in the industry to cover all the key pillars of Digital Transformation holistically with practical recommendations and exercises.

Courses

Certificate

  • Agile Business Analysis Specialist
  • Earning your Agile Business Analysis Specialist Certificate will provide you with a distinct advantage in the world of agile software development.

Courses

Certificate
  • DAS Certificate
  • Decision Automation Specialist
  • Earning your Decision Automation Certificate will empower you to excel in the dynamic field of automated decision-making, where data-driven insights are pivotal to driving business innovation and efficiency.