What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto


Thursday, January 6, 2011

Operational Risk - Process Mapping


If an organization wants to engage in a risk exercise such as change management, Six Sigma, Basel II operational Risk, Solvency II, COSO, Sarbanes Oxley or ISO standards, gosh there are so many initiatives out there; the company is going to need to be mapped for risk.
  
Such a mapping program may seem straight forward enough but it can become extremely arduous quickly.

Several years ago I was involved in setting up a Basel II framework for a retail bank and before we could register any of the risks along with the associated controls, we needed to understand who actually owns these controls from an institutional perspective. You can nearly guarantee of course that without clearly defined accountability boundaries, finger pointing becomes a typical behavioral outcome on the days when service level agreements are missed in a business unit or worse, when a loss event actually occurs.

The problem with mapping for risk is that traditional flow charts are too granular and miss the main objective of capturing bottlenecks, role assignments and importantly, Product-To-Risk and Process-To-Risk relationships.

Click to read more on what mapping should facilitate.

What enterprise mapping should facilitate
What we are looking for in a functional process and product map in the context of risk is the facilitation of the following requirements:
  • Does the enterprise map show clear boundaries of accountability?
  • Does the enterprise map form a value chain so that outputs can be cleanly designated?
  • Will the enterprise map allow for institutional roll up and aggregation of registered risks. This is important for facilitation of a risk dashboard at a later date.
  • Can the impact from outages in central departments such as information technology be attributed to specific areas of the business?
  • Can the enterprise map of the business show product flow through various business units Front-To Back?
  • Can specific risk agendas such as credit or market risk be assigned to processes within the business?
  • Will the map support a holistic view which can be used for aspirations in performance enhancement, outsourcing, even staff rotation and coverage.
This all seems like a hard ask but one approach I dub as the Value Chain View (VCV) supports all of these separate preoccupations in one swoop.


In the VCV shown above, which is a lending line of a bank, all top level functions can be viewed. Additionally, the cause and impact of a risk can also be identified.  Key controls and processes are easy to register and role ownership is defined accordingly. In any business there are probably many of these Product to Process value chains not just one for lending or another for private banking or remittance and so on.

I have taken to include a complete VCV presentation which explains the concept in more detail.

This presentation can be downloaded by clicking this mapping presentation link.

Okay let’s say you’re sold on the VCV approach, the next question would be; how is this information map going to be stored so that various analysts around the company can retrieve and interact with the schematic?

A spreadsheet may seem appropriate but it will become pretty cumbersome to manage between different risk teams and even more so when many VCV's are registered within it.   
 
Products and Tools
One product I recommend is the Aris mapping tool. This software supports different levels of granularity including the VCV perspective we have highlighted here and it also runs on a multi-user server platform.

Process mapping is big business and building up an objective / risk taxonomy of cross functional processes allows for many interesting initiatives away from risk management to be included. One obvious exercise that comes to mind would be a control or performance enhancement program and the firm APQC has made a business out of this entire game. More information can be found on AQPC by following this link : APQC
  
Additionally, APQC have a tools section on their website which is quite insightful and covers topics including how to calculate the total cost of ownership or how to build a best practice organization using a screening template. In fact there are over a hundred pages of templates and articles that can be downloaded from the site directly.  If for nothing else, that is quite an achievement in the realm of process mapping without any question.

For those interested in implementing initiatives such as ISO 9001 or ISO 31000, I found this recent presentation by Kevin Gilson on process mapping quite useful. It is different to our VCV approach described here but it is nonetheless a novel idea and I particularly like the method Kevin has taken on slide 20 of his presentation.  Kevin goes about listing suppliers and inputs on the left, processes in the middle and outputs as well as customers on the right. One can even imagine a wire network between the left and right side of the chart to make it complete.
  
So that is about it for this post, process mapping is certainly a large activity for operational risk and I would be interested to hear from anyone on recommendations for software tools or approaches that make this exercise much easier to achieve or more intuitive once it is completed.

1 comment:

  1. This has to be one of the best help guides on process mapping, I have just downloaded a simulation software for my business process improvement and was looking for ways to best create my maps, this helps.

    ReplyDelete