Communicating about risk, and compliance, is never easy. It is done more easily, however, when the communications relate to what people do, and what is expected of them. What is expected of them can be communicated as the goals for what they do, and can be compared to the results of what they have done. And, both the results and the goals can best be seen as the end products of their work. Those end products are the outcomes – the results – of their assigned work – of their participation in the assigned business processes.
Although companies often organize policies, procedures, plans and controls by organization components and subject matter – by function – organizing information and communication by business process enables lower costs, more focus, and greater accountability, among other benefits. When business processes are the focus, then the emphasis on communication, risk management and control can be on the outputs of those business processes; and, in turn, those outputs are the focus of risk management (basically, the purpose of risk management is to eliminate or mitigate unacceptable levels of uncertainty in the outputs of business processes due to factors affecting the outputs of business processes).
In sum, to communicate efficiently and effectively throughout the organization about risk, a risk manual is a very useful tool. It enables presenting, by business process, the means of eliminating or mitigating risk in order to achieve acceptable levels of risk; and in doing so, enabling the integration of risk management, control, and compliance.
This course will show how a risk manual can be developed and used, to design, perform, monitor and communicate risk management. It begins with a review of a typical business process framework, which can be easily tailored to your organization, in the context of, and interacting with, outside related parties. These interactions are the bases for risk and compliance, and the organization’s responses are the basis of control, so that business process framework enables defining the range of process outcomes, of process outputs, and whether these ranges are acceptable from the standpoint of both internal and external compliance, and internal control.
Thissessionthen will illustrate a risk manual and the tools for designing, using and communicating risk. These examples will show practical approaches that organizations have used successfully.In closing, recommended actions for measuring and monitoring an integrated approach to risk, control and compliance management will be presented.
You should attend if you are afraid of stakeholder reactions to the bad press from such matters as auditor comments about poor risk management and control, of regulator comments and ensuing actions due to compliance issues, and/or of unexpected performance problems due to failures to mitigate risks effectively, or failures to anticipate risks. Building monitoring into all business processes by using a risk manual, and having in place objective means of measuring and reporting on monitoring of risk, control and compliance can reduce the concerns about exposures to bad press.
Beyond bad press are the fears and uncertainties of internal disharmony due to the inability of cross-functional teams to get the results desired from their efforts to manage risk and compliance. Cross-functional teams are the approach used by many organizations to address these matters, but there is a better answer, deriving from a business-process approach to managing risk, control and compliance. This approach will be presented in this webinar.
Uncertainty is built into risk, because the consequences of the causes of risk are shaped by the possibility of future events and the conditions that result from them. Good risk management can mitigate this uncertainty, by incorporating effective measuring and monitoring -- and, of course, effective planning and communication (which also should be monitored) – into business processes.
Some people feel that being able to measure the level of risk, control and compliance management is uncertain, and doubt that it can be done. However, if objective and relevant measures are applied to the outcomes – the outputs -- of business processes, then it is likely that these matters can be monitored, and reported, in a way that enable the organization to be more comfortable with its exposures to fears, uncertainties and doubts.
This session will begin by defining why a business-process focus enables better management and communication of risk, control and compliance.
The session then will define what a business process is, and will present a business process frame-workthat comprises the general scope of any organization by its component processes, activities and task; and then, for each activity, will identify its inputs, outputs, the controls and constraints on it, and the tools and mechanisms – including the performers themselves -- used to perform it, so that it provides an integrated view of work. That integrated view of the work can be documented in related policy and procedure, which should identify the who, what, why, where, when and how—or said more completely, who does the work, how the work is done, why the work is done, where the work is done, when the work is done, and what "the work" is.
The session will present IDEF as a framework for each activity of a business process, as well as a composite framework for the overall set of business processes. For this, the session will present Michaels Porter’s value chain of nine process sets – five in what he calls the value chain, and four process sets in what he identifies as infrastructure. From that, the session will use those nine process sets to dig down, through several levels of specificity, to components of each process set, down to activities, in many cases. These activities and their flows -- the who, what where, when, why and how -- will be defined in general, in what is called the logical design -- and then can be tailored to the conditions of the specific enterprise -- in what is called the physical design -- and then can be connected to each other because the output of one activity can become the input to another activity, and it is that output where risk, control and measuring and monitoring can reside, where compliance management is. Relevant metrics -- key risk and control indicators – will be presented and examples of their use will be described.
The session will look more closely at how business processes can be defined and organized, to shape measuring, monitoring, communicating and managing.An organization has three types of related and reinforcing business processes: design processes for defining and directing what is to be done, execution processes for doing what is to be done, and monitoring processes – is for confirming that by doing “it,” the intended results are achieved.
This categorization of process types and the processes themselves can shape the table of contents for a risk manual dealing with measuring and monitoring.
Such a manual can help you to determine -- by applying the tools to the areas discussed -- that all of the components of an activity are appropriate, evident and consistent, and if they link well to the preceding and the following activities. In effect, this framework can establish the basis – the content -- for each page of the manual, actual examples of which will be sown and discussed.
Learn how to apply business-process design, measurement, communication and monitoring – business-process management – for risk, control and compliance management; and why this approach is more effective and efficient than functional management
Leaders and members of cross-functional teams dealing with risk, control and compliance management. This can include operations, accounting, IT, auditing, and line and staff personnel
Until his recent retirement from PwC, Mr. Schwartz had been the partner responsible for the consumer products industry management consulting practice in its Eastern Region. He also had led the financial management practice. Previously, Mr. Schwartz was a senior vice president of Booz, Allen & Hamilton Inc., playing lead roles in the financial management, risk and controls, operations management, systems, and telecommunications practices; and had been responsible in the Eastern Region for the financial management services practice and for the administrative management services practice; and had been CFO. Typical consulting projects that he led include:
Mr. Schwartz also served in the U.S. Navy Civil Engineer Corps, concentrating in public works administration, construction project management, housing construction and administration, and transportation management.
Mr. Schwartz has written and spoken on governance, risk management, internal control, financial management, and productivity; has been an expert witness on industry and organization structure, and on cost management; and has addressed international audiences on controlling investments and productivity, risk management and controls, activity-based costing, and organization design; and has been contributing financial editor to technical journals. At PwC, he developed and led the activity-based costing practice; supported the development of business process reengineering; led the transition integration effort to create PwC from two separate firms, was one of the principal authors of Internal Control - Integrated Framework (ICIF); developed the risk assessment tools for the In-Control Practice; and developed related training for the for the Audit and Attest Practices. He was on several COSO task forces developing guidelines for using ICIF.
He received a BSE degree with honors from Princeton University, majoring in civil and general engineering, and was elected to Phi Beta Kappa. Also, he won the Class of 1883 English Prize for Freshmen in the School of Engineering. His undergraduate thesis was on “The Competitive Bid Construction Contract.”View all trainings by this speaker