Process-oriented GRC – Process Maps as a Basis for the
Integration of Key Management Systems

What you can expect

  • The process map as a platform for integrated GRC
  • The composition of a typical process map
  • The process map as a starting point for different initiatives

Author

Thomas Müllner is a consultant and account manager focused on Governance, Risk & Compliance at BOC Group.

In the Three Lines of Defence model, operational management forms the first line and plays a key role: it has to create the common foundation on which the GRC functions are integrated into the operational processes. In practice, a process map, whose creation and maintenance are the responsibility of operational management, has proven to be a successful tool for this purpose.

A process map, with its possibility of hierarchization and the associated detail levels of a process, is an ideal platform for integrating GRC functions. Process maps structure the individual operational processes into areas without going too deep into the details. They provide a bird's-eye view of the processes and are usually more than a structuring element: they also give insight into how an organization thinks and operates with its processes.

Figure 1: Example of a process map (the process map of the ADOMONEY BANK)

It is exactly this level of detail that those responsible for risk management, the internal control system (ICS) and compliance management need in order to set up a process-oriented, integrated GRC.

Using the process map as a basis, several topic-specific initiatives of operational management can be carried out: for example, a risk analysis and the assignment of the relevant controls to the essential process steps. Processes and process maps can also be used to assign legal requirements to an area of responsibility, or to document the processing of personal data in the record of processing activities required by Art. 30 GDPR.

The typical process map blueprint

A typical process map blueprint has two to three levels. The top level usually shows the end-to-end processes, grouped into management, core and support processes. One or two levels below, the value chain is represented, typically structured by the product or service dimension and by the life cycle. At this level, the individual (sub-)processes are maintained with their most important information, but without a detailed flow representation. This basic information of a process includes:

  • Responsibilities
  • Goals and purpose
  • Textual description
  • Result
  • IT systems or other technical resources used
  • Relevant documents

This information is recorded once and serves as the starting point for the various operational tasks of the GRC system. Some of these tasks are listed here as examples:

1 Risk analysis

The processes of the second map level are subjected to a risk analysis in order to identify and evaluate the risks that may occur during process execution and that make it difficult or impossible to achieve the process objectives.

Figure 2: The risk portfolio view of a process map

2 Anchoring the internal control system

The processes of the map serve as the context for identifying which manual or semi-automatic controls are in place. A matrix representation makes it possible to see quickly which control measures are carried out in the context of which processes, and which processes have no control assigned at all. In addition, the effectiveness of the ICS for the processes under consideration can be determined by an automated assessment of the control quality.

Figure 3: The anchoring of controls in a process map

3 Assignment of regulatory requirements

In compliance management, the process map is used to assign regulatory requirements to the processes at a high level of aggregation and to make the responsibility of the process owner for them more visible.

Figure 4: The compliance maturity assessment of a process map

4 Dependency analysis as part of security management

The processes of the map are the starting point for the dependency analysis in security management. This analysis has to be performed for information security as well as for physical security in order to determine how important the corporate assets (IT systems and other technical resources) are for the processes that depend on them, and hence what protection requirements they have.

Figure 5: The analysis of critical assets using a process map
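The following is an added example (not code from the article or from BOC Group's tooling) that puts the second-level process information listed above into a small data model and runs two of the operational tasks on it: the control matrix from section 2 and the dependency analysis from section 4. The bank processes, controls and IT systems are constructed sample data. The derivation of an asset's protection requirement uses the maximum principle (an asset inherits the highest requirement of any process that depends on it) plus a simplified cumulation rule (several "high" dependencies on one asset are treated as "very high"); both are assumptions of this example, modelled on BSI IT-Grundschutz, and are not stated on the page.

```python
"""Process map as data basis: control matrix and asset protection requirements.

Added example; the data and the derivation rules are assumptions, not from the article.
"""
from typing import Dict, List, Tuple

# Protection-requirement levels in ascending order.
LEVELS = ("normal", "high", "very high")
DIMENSIONS = ("confidentiality", "integrity", "availability")


class Process:
    """A second-level process carrying the basic information the map maintains."""

    def __init__(self, name: str, category: str, owner: str, goal: str,
                 requirement: Dict[str, str], it_systems: Tuple[str, ...],
                 documents: Tuple[str, ...] = (), controls: Tuple[str, ...] = ()):
        self.name = name                # process name
        self.category = category        # "management", "core" or "support"
        self.owner = owner              # responsibility
        self.goal = goal                # goal / purpose
        self.requirement = requirement  # protection requirement per dimension
        self.it_systems = it_systems    # IT systems / technical resources used
        self.documents = documents      # relevant documents
        self.controls = controls        # ICS controls anchored in this process


def rank(level: str) -> int:
    return LEVELS.index(level)


def asset_protection_requirements(processes, cumulation_threshold: int = 3):
    """Derive each IT system's requirement from the processes that use it.

    Maximum principle: the system inherits the highest level of any dependent
    process. Cumulation (assumed simplification): if at least
    `cumulation_threshold` processes need "high" or more in one dimension,
    the combined dependency is raised to "very high".
    """
    result: Dict[str, Dict[str, str]] = {}
    high_counts: Dict[str, Dict[str, int]] = {}
    for p in processes:
        for system in p.it_systems:
            req = result.setdefault(system, {d: "normal" for d in DIMENSIONS})
            cnt = high_counts.setdefault(system, {d: 0 for d in DIMENSIONS})
            for dim in DIMENSIONS:
                level = p.requirement.get(dim, "normal")
                if rank(level) > rank(req[dim]):
                    req[dim] = level
                if rank(level) >= rank("high"):
                    cnt[dim] += 1
    for system, cnt in high_counts.items():
        for dim in DIMENSIONS:
            if cnt[dim] >= cumulation_threshold:
                result[system][dim] = "very high"
    return result


def critical_assets(processes) -> List[str]:
    """IT systems ordered by highest derived requirement, then by number of dependent processes."""
    reqs = asset_protection_requirements(processes)
    users: Dict[str, List[str]] = {}
    for p in processes:
        for s in p.it_systems:
            users.setdefault(s, []).append(p.name)
    return sorted(reqs, key=lambda s: (-max(rank(v) for v in reqs[s].values()), -len(users[s]), s))


def control_matrix(processes) -> Dict[str, List[str]]:
    """Control -> processes in whose context it is carried out (the ICS matrix view)."""
    matrix: Dict[str, List[str]] = {}
    for p in processes:
        for c in p.controls:
            matrix.setdefault(c, []).append(p.name)
    return matrix


def uncontrolled_processes(processes, min_level: str = "high") -> List[str]:
    """Processes with a requirement at or above `min_level` but no anchored control: ICS gaps."""
    return [p.name for p in processes
            if not p.controls and any(rank(v) >= rank(min_level) for v in p.requirement.values())]


# Constructed sample map of a fictitious bank (C/I/A = confidentiality/integrity/availability).
PROCESSES = (
    Process("Account opening", "core", "Head of Retail", "Open accounts for verified customers",
            {"confidentiality": "high", "integrity": "high", "availability": "normal"},
            ("Core Banking", "CRM"), ("KYC policy",), ("C-01 four-eyes check", "C-02 KYC screening")),
    Process("Payment processing", "core", "Head of Payments", "Execute customer payments on time",
            {"confidentiality": "high", "integrity": "very high", "availability": "high"},
            ("Core Banking", "Payment Gateway"), ("Payment procedure",), ("C-01 four-eyes check",)),
    Process("Securities settlement", "core", "Head of Markets", "Settle trades within T+2",
            {"confidentiality": "high", "integrity": "high", "availability": "high"},
            ("Core Banking", "Trading Platform")),
    Process("Payroll", "support", "Head of HR", "Pay staff correctly and on time",
            {"confidentiality": "high", "integrity": "high", "availability": "normal"},
            ("HR System",), ("Payroll guideline",), ("C-03 payroll reconciliation",)),
    Process("Strategic planning", "management", "Board", "Set objectives for the planning period",
            {"confidentiality": "normal", "integrity": "normal", "availability": "normal"},
            ("Office Suite",)),
)

if __name__ == "__main__":
    for system, req in asset_protection_requirements(PROCESSES).items():
        print(f"{system:17} {req}")
    print("most critical assets:", critical_assets(PROCESSES)[:2])
    print("control matrix:", control_matrix(PROCESSES))
    print("ICS gaps:", uncontrolled_processes(PROCESSES))
```

With this data, Core Banking is used by three processes that all need at least "high" confidentiality, so the cumulation rule lifts it to "very high" even though no single process demands that; Securities settlement shows up as an ICS gap because it has a high requirement but no anchored control. Both are the kind of finding the matrix and the dependency view in Figures 3 and 5 are meant to surface.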

5 General Data Protection Regulation (GDPR)

In the record of processing activities, the processes of the map represent the purpose of the individual processing activities.

Figure 6: Anchoring of processing activities in the process map

These examples are intended to show the possibilities that exist for fulfilling the various tasks of operational management with the process map as the central data basis, and thus for ensuring the most efficient approach possible.

Start with the process map towards an integrated GRC

The advantages of setting up an integrated GRC system are obvious, and in practice the process map has proven to be the best basis for such a system. It relieves operational management and makes cross-sectional analyses possible. The process-oriented approach also creates a stable basis for integrating additional GRC functions, which may still be operating in isolation, without a high initial outlay.

The success factors of a process-oriented and integrated GRC system are:

  • Collaboration across the lines, based on the process map
  • Use of a common foundation for historical comparisons and cross-sectional analyses
  • Conducting integrated audits or assessments to make ongoing improvements and increase the maturity of the GRC system

BOC Group has many years of experience in consulting on and implementing integrated GRC systems. We offer expert advice, comprehensive tool support and training for a successful implementation and ongoing operation. We would be pleased to establish a process-oriented, integrated GRC system together with you.
