By Timotheus Kampik
Risk management is a systematic approach to identify and mitigate risks in your organization. For example, a bank’s customer service department needs to reduce the risk of issuing a credit to a defaulting customer, while their IT department needs to address the risk of a denial-of-service attack against mission critical systems.
During a risk management initiative, you identify risks within your business area, classify them and identify measures to mitigate these risks – so-called controls.
Typically, organizations kick-off their first risk management initiative when it becomes an urgent requirement within a specific business area and start with creating a simple set of documents and spreadsheets.
When scaling the risk initiative, however, they usually encounter the following problems:
Business Process Management offers a fix for these issues and provides an ideal basis for risk management efforts:
Of course, process-oriented risk management requires process documentation. Let’s have a look at the credit quote (loan offer terms) creation process of a bank.
The BPMN diagram provides a concise overview of the process activities. As such, domain experts and risks analysts can identify risks easily.
In our example, we can identify the risk customer provides faulty data.
You can specify a risk definition directly within the corresponding diagram element.
For each risk, you can add single or multiple controls. In our example, we can define the control conduct background check.
However, once you define risks and controls for a large set of processes or process activities, you need a tool that allows you to re-use re-occurring risk and control objects. For example, the risk customer provides faulty data might also be relevant for the money withdrawal process of the bank’s service desk. That’s where Signavio’s new centralized risks and controls management feature comes into play.
Hint: This section describes a feature that for now is available as a beta version. The stable version of this feature will be deployed with a later release.
Configure custom risk and control data types and manage risk and control objects in the Signavio Dictionary with our new centralized risk and control management feature.
In this way, you can ensure your risks and controls are consistent throughout your process landscape and facilitate re-use of those already defined.
Let’s get started with centralized risk management in the Signavio Process Editor.
First, we need to configure the risks and controls settings in our workspace.
…and one for controls.
Be aware to set the type of the category respectively to Risks/Controls.
To customize your risks and controls definition, add additional attributes to these categories. The attributes resemble the table headers in your risk or control tables, for example severity, control interval, or responsibility.
Now you can start to define risk and controls for diagrams in our process landscape.
You can also create new risks and controls directly in the Editor.
Thus, you can easily re-use risk and control definitions. Moreover, the suggestion feature and the Dictionary’s risk repository can help risk analysts to identify risks that have been identified in a similar scenario.To narrow down the suggestions for your users based on the type of the risk or control, you can add multiple risk/control dictionary categories and custom attributes.
When you need to update a specific risk or control, you can to this centrally in the Signavio Dictionary. The update will affect all diagrams that reference this risk or control immediately.
To ensure your risks and controls definitions are updated when a process changes, you can employ approval workflows that enforce a review by a risk management specialist before a process revision is published in the Collaboration Portal or otherwise released into a production environment.
Employing a process-oriented approach helps you to scale your risk management initiative and to ensure your risks are continuously aligned to your evolving process landscape. Signavio’s risk management capabilities further facilitate the success of your risk management initiative by allowing you to ensure the consistency of your risks and controls throughout your process landscape and to facilitate re-use of already defined risks and controls.
As of now this is available on request. In the upcoming release, we will deploy the new risks and controls feature as a beta version for all users of the Corporate and Ultimate Edition. In further releases of the Signavio Process Editor, we will add the following improvements: