Hands-On Process-Oriented Risk Management

Published on

By Timotheus Kampik

This blog post gets you started with a process-oriented risk management approach that helps facilitate efficiency and quality of your risk management initiative.

Risk management is a systematic approach to identify and mitigate risks in your organization. For example, a bank’s customer service department needs to reduce the risk of issuing a credit to a defaulting customer, while their IT department needs to address the risk of a denial-of-service attack against mission critical systems.

During a risk management initiative, you identify risks within your business area, classify them and identify measures to mitigate these risks – so-called controls.

Typically, organizations kick-off their first risk management initiative when it becomes an urgent requirement within a specific business area and start with creating a simple set of documents and spreadsheets.

When scaling the risk initiative, however, they usually encounter the following problems:

  • A structured and easy-to-understand documentation of the to-be-analyzed business areas doesn’t exist.
  • It’s hard to ensure risks are maintained when the business environment – meaning the business processes – change.
  • Managing changes that apply to all risk management documents requires so much effort that it’s hardly possible to keep track.

Business Process Management offers a fix for these issues and provides an ideal basis for risk management efforts:

  • In business process diagrams, you can understand what is going on at a glance.
  • You can integrate risk management seamlessly into your BPM initiative by triggering a risk analysis update every time changes are made to your processes.
  • You can centrally manage risks and controls in the Dictionary when using the Signavio Process Editor, and thus control consistency and facilitate reusability.

Process-Oriented Risk Management

Of course, process-oriented risk management requires process documentation. Let’s have a look at the credit quote (loan offer terms) creation process of a bank.

The BPMN diagram provides a concise overview of the process activities. As such, domain experts and risks analysts can identify risks easily.

In our example, we can identify the risk customer provides faulty data.

You can specify a risk definition directly within the corresponding diagram element.

For each risk, you can add single or multiple controls. In our example, we can define the control conduct background check.

However, once you define risks and controls for a large set of processes or process activities, you need a tool that allows you to re-use re-occurring risk and control objects. For example, the risk customer provides faulty data might also be relevant for the money withdrawal process of the bank’s service desk. That’s where Signavio’s new centralized risks and controls management feature comes into play.

Getting Started With Centralized Risks and Controls

Hint: This section describes a feature that for now is available as a beta version. The stable version of this feature will be deployed with a later release.

Configure custom risk and control data types and manage risk and control objects in the Signavio Dictionary with our new centralized risk and control management feature.

In this way, you can ensure your risks and controls are consistent throughout your process landscape and facilitate re-use of those already defined.

Let’s get started with centralized risk management in the Signavio Process Editor.

First, we need to configure the risks and controls settings in our workspace.

  • Create dictionary categories for risks and controls.
    In the Signavio Explorer, open the attribute configuration dialog (SetupDefine notations/attributes), switch to the Dictionary tab and create two new categories; one for risks…


    …and one for controls.

    Be aware to set the type of the category respectively to Risks/Controls.
    To customize your risks and controls definition, add additional attributes to these categories. The attributes resemble the table headers in your risk or control tables, for example severity, control interval, or responsibility.

  • Configure risks and controls dictionary categories and element attributes in your workspace configuration settings.
    In the same dialog, switch to the Modeling Language tab and create a custom Risks and controls attribute. When configuring the attribute, reference the newly created Risks and Controls categories.

Now you can start to define risk and controls for diagrams in our process landscape.

  • Add risks and controls as centrally managed objects to the Dictionary.
    Open the Signavio Dictionary and create new entries of the type risks and controls.

    You can also create new risks and controls directly in the Editor.

  • Reference the centralized risks and controls in your diagram.
    When you add a risk or control to a diagram or diagram element, Signavio suggests existing risks automatically.

    Thus, you can easily re-use risk and control definitions. Moreover, the suggestion feature and the Dictionary’s risk repository can help risk analysts to identify risks that have been identified in a similar scenario.To narrow down the suggestions for your users based on the type of the risk or control, you can add multiple risk/control dictionary categories and custom attributes.

When you need to update a specific risk or control, you can to this centrally in the Signavio Dictionary. The update will affect all diagrams that reference this risk or control immediately.

To ensure your risks and controls definitions are updated when a process changes, you can employ approval workflows that enforce a review by a risk management specialist before a process revision is published in the Collaboration Portal or otherwise released into a production environment.

Conclusion

Employing a process-oriented approach helps you to scale your risk management initiative and to ensure your risks are continuously aligned to your evolving process landscape. Signavio’s risk management capabilities further facilitate the success of your risk management initiative by allowing you to ensure the consistency of your risks and controls throughout your process landscape and to facilitate re-use of already defined risks and controls.

Signavio Risk Management Roadmap

As of now this is available on request. In the upcoming release, we will deploy the new risks and controls feature as a beta version for all users of the Corporate and Ultimate Edition. In further releases of the Signavio Process Editor, we will add the following improvements:

  • Full support of centralized risks and controls in all Signavio applications and reports
  • Improved user experience for risks and controls in the Collaboration Portal