December 12th 2012

New governmental regulations require many organizations to implement internal control systems as an integral part of their corporate governance.

Having the ability to look at your organization’s processes together with the related risks enables you to optimize your internal activities while at the same time analyzing them for potential risk.
Signavio, a recognized leader in business process modeling and documentation, is also focusing on risks and controls. It broadens its scope from process management to risk management by offering the possibility to document risks and processes in an integrated manner.
But first, let us have a look at some of the background of risk management and compliance.

Internal Control System

Organizations today are faced with an increasing demand for enterprise transparency. Enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

Creating greater awareness of an organization’s processes and related risks provides valuable insights for successfully managing the organization, while also providing a critical opportunity to limit its exposure.


In 2008, a worldwide standard for risk management was established. The international ISO standard “ISO 31000 for Risk Management” includes specifications for successful risk management systems. The standard is built on three basic pillars: (1) risk management has to be defined as a management task, (2) a top-down approach is desired and (3) the standard offers a generally valid basis for covering all risks related to the organization. ISO 31000 aims at combining risk management with already existing management systems. That means that this standard strives to change the mindsets within the organization – from a passive way of handling damage to active and preventive risk control.

The German stock corporation law (Aktiengesetz) also contains a specific paragraph laying down guidelines for successful risk management. Under § 91 para. 2 AktG, the organization’s board of directors is obliged to define appropriate control measures to detect potential risks at an early stage.

Besides specific laws regulating risk management, there are also associations, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), which strive to optimize risk management within organizations. In 1992, COSO published the COSO model – a framework covering the documentation, analysis and creation of internal controls. The COSO model is divided into three main aspects: operative risks, financial reporting and compliance. Today, the COSO model is officially recognized by the SEC (Securities and Exchange Commission).

Managing risks

An Internal Control System (ICS) enables you to manage risks related to the organization’s processes. Besides providing a detailed overview of the risks the company is facing, the ability to assign controls to each risk is a major feature of an Internal Control System. These controls should be employed to ensure that the risk does not materialize in the defined process.

Signavio – Internal Control System

With Signavio’s integrated Internal Control System (ICS), process modelers now have the ability to define risks and controls directly at any process step within the process model. These risks and controls can be defined and associated with the corresponding activities. For easy identification, they can also be highlighted graphically on the process model. To obtain an overview of potential risks and related controls, a report can be generated automatically. This report summarizes all information about the risks and controls in the selected process models. In addition, the report highlights risks that are currently not covered by any defined control.

The ability to view the assigned controls for specific process activities provides important information to the team responsible for enterprise risk management and internal auditors responsible for checking corporate compliance with applicable laws and regulations. If a process includes a risk that is not covered by a control, it will be identified with the relevant process activity.


  • An internal control system is a core management tool for companies that seek transparency within their organization or are looking to achieve or maintain regulatory compliance.
  • Knowing about the risks related to your processes helps you to improve your internal organization.
  • An ICS helps you to create transparency within your organization.
  • Signavio is the ideal platform for administering risks and controls related to your processes.

Getting started

1. Sign up for a free 30-day trial of Signavio
2. Document key processes
3. Use the Risk and Controls attribute to attach risks to individual tasks or to the process as a whole
4. For each risk, define the controls
5. Use the visualization in the Signavio Process Editor or the reporting functionality to get an overview of where in your processes you should deal with risks