Process Innovation vs. Governance, Risk and Compliance

Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Hoboken, NJ
[email protected]

description

Presentation on the interplay of risk and innovation, given at the 2008 International BPM Standards Conference in Seoul, Korea on Oct 17th, 2008.

Transcript of Process Innovation vs. Governance, Risk and Compliance

Page 1: Process Innovation vs. Governance, Risk and Compliance


Process Innovation versus Governance, Risk and Compliance



Page 5: Process Innovation vs. Governance, Risk and Compliance

What this Talk is About

Risk: Driving Process Management

What are operational risks in the context of BPM?

How to identify operational risks

How to prioritize operational risks

How to make better decisions based on risk information


Page 6: Process Innovation vs. Governance, Risk and Compliance

Governance, Risk, Compliance


Governance: Effective Process Management

Risk: The Probability of Process Failure

Compliance: Meeting Regulatory Requirements

Page 7: Process Innovation vs. Governance, Risk and Compliance

Motivation

Drivers for Business Process Management (BPM)

Performance

Business Process Improvement

Engineering of Process-aware IS

Compliance

Mandated compliance (e.g. SOX)

Desired compliance (e.g. ISO, ITIL)

Page 8: Process Innovation vs. Governance, Risk and Compliance

High Performance Processes

Text2Insure: Provide Travel and Car Insurance via SMS

Provides Quote within 60 seconds

Reply “BUY”

Call from agent within 10 min for payment details

Cover2go: Accidental Death Insurance

Fees taken from cell phone bill


Page 9: Process Innovation vs. Governance, Risk and Compliance

High Compliance Processes

Sample Application: Rules engine with decision tree for underwriting and claims handling

Rules engine evaluates case in parallel with employee

If discrepancy between outcomes is detected, case is flagged and sent to manager


Page 10: Process Innovation vs. Governance, Risk and Compliance

Great! Now What Do We Do With It?

Page 11: Process Innovation vs. Governance, Risk and Compliance

Process Innovation

Project Autograph

Usage-based Insurance Billing

New Process

New Technology

New Value Proposition


Page 12: Process Innovation vs. Governance, Risk and Compliance

Process Innovation

Project Failed

Lack of Standard Process

Expensive Technology

Customers not ready


Page 13: Process Innovation vs. Governance, Risk and Compliance

Learn from Outside

Telecom Billing Process

Free GPS

Rate depends on mileage driven

Industry-strength Billing Process


Page 14: Process Innovation vs. Governance, Risk and Compliance

Operational Process Risk


Page 15: Process Innovation vs. Governance, Risk and Compliance

Risk Management and BPM

BPM: Focus on providing value for stakeholders
Risk Management: Focus on ensuring value for stakeholders

BPM: Performance depends on effectiveness of business processes
Risk Management: Risk is an inherent property of business processes

BPM: Performance is influenced by process design
Risk Management: Risk is mitigated by process design

BPM: Feedback is obtained through Performance Indicators assigned to systems and processes
Risk Management: Feedback is obtained through Risk Indicators assigned to systems and processes

BPM: Performance objectives are achieved through optimized processes
Risk Management: Risk is mitigated through optimized processes

Compare Frew (2006)

Page 16: Process Innovation vs. Governance, Risk and Compliance

Payroll Process

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Approve Payroll run; XOR; Payroll run approved; Payroll run not approved; Transmit Payroll run information to Bank; Payroll run information transmitted. Roles and systems: Accounting Staff Member; Supervisor 1; Supervisor 2; Payroll System.]

Page 17: Process Innovation vs. Governance, Risk and Compliance

Process without Control Activities

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Transmit Payroll run information to Bank; Payroll run information transmitted.]

Page 18: Process Innovation vs. Governance, Risk and Compliance

Common Risk Modeling

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Transmit Payroll run information to Bank; Payroll run information transmitted. Risk annotations (marked "!"): Data Entry Mistake; Transmission Failure. Other labels: Sign-off Payroll Run; Verify Transmission Acknowledgement.]

Page 19: Process Innovation vs. Governance, Risk and Compliance

Closer Look At The Process

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Transmit Payroll run information to Bank; Payroll run information transmitted. Other labels: Accounting Staff Member; Payroll System; Payroll Run Request.]

Page 20: Process Innovation vs. Governance, Risk and Compliance

Component Risk

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Transmit Payroll run information to Bank; Payroll run information transmitted. Other labels: Accounting Staff Member; Payroll System; Payroll Run Request; Sign-off Payroll Run; Verify Transmission Acknowledgement. Risk annotations: Staff member not available; Payroll System Failure; Payroll Run Request made public; Sign-off Failure; Data Entry Mistake; Staff member enters fraudulent data; Staff member not sufficiently qualified; Transmission Failure.]

Page 21: Process Innovation vs. Governance, Risk and Compliance

Faults, Errors, Failures


Page 22: Process Innovation vs. Governance, Risk and Compliance

Fault Latency

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Approve Payroll run; XOR; Payroll run approved; Payroll run not approved; Transmit Payroll run information to Bank; Payroll run information transmitted. Roles and systems: Accounting Staff Member; Supervisor 1; Supervisor 2; Payroll System. Annotations: Fault; Error; Failure; Inexperienced Staff Member on Duty; Wrong Date Entered; Faulty Payroll Run Approved; Complacent Supervisors; Faulty Payroll Run Transmitted.]

Page 23: Process Innovation vs. Governance, Risk and Compliance

Possible Event Sequences

A: Fault exists

B: Error occurs

C: Error is identified

D: Action is initiated

E: Action is completed

F: Point of no return

G: Consequence ensues

Event Sequence

Page 24: Process Innovation vs. Governance, Risk and Compliance

Hard and Soft Constraints

Hard Constraints: Process Rules

Data dependencies

Resource dependencies

Must not be violated

Failure leads to broken process

Soft Constraints: Business Rules

Risk mitigation activities

Documentation

Checks and Balances

Can be worked around

Failure leads to non-compliance


Page 26: Process Innovation vs. Governance, Risk and Compliance

regulatory & oversight

value preserving

value adding

Page 27: Process Innovation vs. Governance, Risk and Compliance

Balloon vs. Marble


“Lean” Process

Vulnerable to Outside Risk

Few, if any, Internal Controls

“Fat” Process

(Nearly) immune to Outside Risk

Strong Governance Component

Bottom line: Need to know context to choose

Page 28: Process Innovation vs. Governance, Risk and Compliance

Alternative Control Patterns

Page 29: Process Innovation vs. Governance, Risk and Compliance


Alternative Control Patterns

Page 30: Process Innovation vs. Governance, Risk and Compliance

Process Control Pattern

[Process diagram. Labels in order: Payroll date < 3 days from today; Enter Payroll run information; Payroll run information entered; Approve Payroll run; XOR; Payroll run approved; Payroll run not approved; Transmit Payroll run information to Bank; Payroll run information transmitted. Roles and systems: Accounting Staff Member; Supervisor 1; Supervisor 2; Payroll System. The approval fragment is shown a second time on its own: Approve Payroll run; XOR; Payroll run approved; Payroll run not approved; Supervisor 1; Supervisor 2.]

Control Patterns

Page 31: Process Innovation vs. Governance, Risk and Compliance

FileNet Image System

24/7 Issue System Workflow and Rule Engine

App is Scanned and OCR’ed

Data Entry and Validation

Admin System

Rule Engine validates Application information and Issues some policies

Underwriter reviews APS’s and some complex cases

Producer receives policy for delivery.

Exception Based Underwriting

Expanded Rules with Automatic Interface functionality may include:

Straight-through processing

Intelligent requirement processing

Automated issue

Minimized admin system entry

Workload Balancing

Source: Royce (2007)

Page 32: Process Innovation vs. Governance, Risk and Compliance

Takeaways

BPM-based Process Governance creates room for Innovation

Operational Risk Management requires separation of

Value-adding activities

Control activities

BPM Solutions can help enforce Compliance

Access Control

Audit Trail Logging

Enforcement of QoS such as response times


Page 33: Process Innovation vs. Governance, Risk and Compliance

Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone: +1 (201) 216-8293
Fax: +1 (201) 216-5385
E-mail: [email protected]
http://www.cebpi.org
slides: www.slideshare.net/mzurmuehlen

Thank You - Questions?
