Successful organizations that adopt risk management and compliance disciplines use an Internal Control System to define risks and controls for their business processes. This article focuses on one aspect of implementation: how to automatically schedule internal controls, based on a custom risks and controls framework.
Managing risks & controls
Like business process management, risk management is principally a broad management discipline that can be applied in almost any industry. In practice, drivers such as compliance regulations have led to risk management becoming more mature in specific industries, such as banking and insurance.
A key technique in risk management implementation is to develop a risks and controls framework that identifies risks and the associated controls that address those risks. Each control corresponds to a task that addresses the risk associated with the control. These tasks are part of the work of risk management: checking whether risks have materialized and deciding whether to take corrective action.
Control tasks are often repeated periodically as part of an ongoing risk management process. In this approach, each control defines a frequency for these checks. The result of this is an Internal Control System that defines a control process as well as a set of controls to perform.
Using an Internal Control System
Organizations that use an Internal Control System to manage risk typically perform three related activities:
- Maintaining a risks and controls framework
- Periodically scheduling internal controls
- Keeping track of current and past controls, and their results
A risks and controls framework is the core of an Internal Control System and includes a risk register or list of identified risks. When you model business processes, you can use business process models to identify and indicate where and when risks occur. The next level of detail is to identify internal controls for each risk.
Maintaining a risks and controls framework
Internal controls define the periodic tasks for identifying and handling risks. Each control typically refers to the risk it helps manage. In an Internal Control System, each control includes several additional attributes:
- Frequency - how often the control is performed, e.g. monthly or quarterly
- Type - a classification for related controls, e.g. for Sarbanes-Oxley compliance
- Owner - the person responsible for defining the control
- Performer - the person responsible for performing the check
- Reviewer - the person responsible for reviewing the result of the check
In practice, you need software tools to manage this information, and to actually schedule the controls in a way that makes it possible to keep track of which controls have been performed.
Software tools like SAP Signavio Process Manager help you manage risks and controls definitions. You can define custom attributes and link risks, controls, and process models. This combination of a defined framework and software tools that capture these definitions makes it possible to maintain a single, up-to-date risks and controls framework for the organization. The next step is workflow automation.
Periodically scheduling internal controls
A well-managed Internal Control System defines controls and relates them to identified risks, but doesn’t do anything by itself. The benefits come from actually applying the controls. For recurring monthly controls, this means scheduling tasks for employees.
Scheduling internal control tasks manually is error-prone and time-consuming, which is why successful organizations automate scheduling. You can use workflow automation to automatically schedule internal controls as follows.
- Use the controls defined in the Risks & Controls framework
- Start a case for each control according to its defined frequency, e.g. monthly
- Automatically assign control workflow tasks to the control’s roles, e.g. reviewer
- Send email notifications to control case task assignees
This automated approach makes the process more reliable, and reduces the cost of scheduling, not least because workflows automate status updates. As well as the direct benefits of automation, Signavio Process Governance delivers another important benefit: management visibility.
Keeping track of controls
When you automatically schedule internal controls using workflow automation, the software’s reporting capabilities give managers the information they need to do their jobs. These reports summarize current and past control cases, such as:
- Currently open control cases, identifying tasks that have not been performed yet
- Cases performed during a previous month, showing compliance with procedure
- Control cases where issues were found - input for risk management meetings
Most importantly, flexible reporting allows risk managers to choose their own feedback mechanisms. This feedback is vital input for improvements to the underlying Internal Control System and overall risk management approach.
Risk management is a fundamental management technique in all organizations, but not every organization successfully drills down via an Internal Control System to the benefits of automated controls. Signavio’s Process Transformation Suite makes this possible, using Signavio Process Governance to automatically schedule internal controls.