Process Innovation versus
Governance, Risk and Compliance
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Hoboken NJ
Michael.zurMuehlen@stevens.edu
1

2

3

4

What this Talk is About
Risk: Driving Process Management
What are operational risks in the context of BPM?
How to identify operational risks
How to prioritize operational risks
How to make better decisions based on risk information
5

Governance, Risk, Compliance
G Governance: Effective Process Management
R Risk: The Probability of Process Failure
C Compliance: Meeting Regulatory Requirements
6

Motivation
Drivers for
Business Process Management (BPM)
Performance Compliance
Business Process Improvement Mandated compliance (e.g. SOX)
Engineering of Process-aware IS Desired compliance (e.g. ISO, ITIL)
7

High Performance Processes
Text2Insure: Provide Travel and
Car Insurance via SMS
Provides Quote within 60 seconds
Reply “BUY”
Call from agent within 10 min for
payment details
Cover2go: Accidental Death
Insurance
Fees taken from cell phone bill
8

High Compliance Processes
Sample Application: Rules engine with decision tree
for underwriting and claims handling
Rules engine evaluates case in parallel with employee
If discrepancy between outcomes is detected, case is
flagged and sent to manager
9

Great!
Now What Do We Do
With It?
10

Process
Innovation
Project Autograph
Usage-based Insurance
Billing
New Process
New Technology
New Value Proposition
11

Process
Innovation
Project Failed
Lack of Standard Process
Expensive Technology
Customers not ready
12

Learn from Outside
Telecom Billing Process
Free GPS
Rate depends on mileage driven
Industry-strength Billing Process
13

Operational Process Risk
14

BPM Risk Management
Focus on providing value for
Focus on ensuring value for stakeholders
stakeholders
Performance depends on effectiveness Risk is an inherent property of business
of business processes processes
Performance is influenced by process
Risk is mitigated by process design
design
Feedback is obtained through Feedback is obtained through Risk
Performance Indicators assigned to Indicators assigned to systems and
systems and processes processes
Performance objectives are achieved Risk is mitigated through optimized
through optimized processes processes
Compare Frew (2006)
Risk Management and BPM
15

Payroll date < 3
days from today
Payroll Process Payroll System
Enter Payroll run
information
Accounting Staff
Member
Payroll run
information
entered
Supervisor 1
Approve Payroll
run
Supervisor 2
XOR
Payroll run Payroll run not
approved approved
Transmit Payroll
Payroll System run information
to Bank
Payroll run
information
transmitted
16

Payroll date < 3
days from today
Enter Payroll run
information
Payroll run
information
entered
Transmit Payroll
run information
to Bank
Payroll run
information
transmitted
Process without Control Activities
17

Payroll date < 3
days from today
Enter Payroll run Data Entry
! Sign-off Payroll
information Mistake Run
Payroll run
information
entered
Transmit Payroll
run information
Transmission
! Verify Transmission
Failure Acknowledgement
to Bank
Payroll run
information
transmitted
Common Risk Modeling
18

Payroll date < 3
days from today
Enter Payroll run Accounting Staff
Payroll System Member
information
Payroll run
Payroll Run information
Request entered
Transmit Payroll
Payroll System run information
to Bank
Payroll run
information
transmitted
Closer Look At The Process
19

Payroll date < 3
days from today Data Entry
! Sign-off Payroll
!
Sign-off Failure
Mistake Run
!
Payroll System
Payroll System
Enter Payroll run Accounting Staff
Member
!
Staff member not
Failure information available
Payroll Run ! Payroll Run
Payroll run
Staff member !
enters fraudulent
Request made information data
Request entered
public
Staff member not
sufficiently
Transmit Payroll qualified
Payroll System run information
to Bank
Transmission
! Verify Transmission
Failure Acknowledgement
Payroll run
information
transmitted
Component Risk
20

Faults, Errors, Failures
21

Fault Latency Payroll date < 3
days from today
Inexperienced
Staff Member
on Duty
Wrong Date
Enter Payroll run Accounting Staff
Payroll System Member
information
Entered
Fault Payroll run
information
entered
Complacent
Supervisors
Supervisor 1
Error
Approve Payroll
run Faulty Payroll
Supervisor 2
Run Approved
XOR
Failure Payroll run Payroll run not
approved approved
Faulty
Payroll System
Transmit Payroll
run information Payroll Run
Transmitted
to Bank
Payroll run
information
transmitted
22

Event
Sequence
A B C D E F G
Fault Error Error is Action is Action is Point of no Consequence
exists occurs identified initiated completed return ensues
Possible Event Sequences
23

Hard and Soft Constraints
Hard Constraints: Process Rules Soft Constraints: Business Rules
Data dependencies Risk mitigation activities
Resource dependencies Documentation
Must not be violated Checks and Balances
Failure leads to broken process Can be worked around
Failure leads to non-compliance
24

25

regulatory
& oversight
value
preserving
value
adding
26

Balloon vs. Marble
“Lean” Process “Fat” Process
Vulnerable to Outside Risk (Nearly) immune to Outside Risk
Few, if any, Internal Controls Strong Governance Component
Bottom line: Need to know context to choose
27

Alternative Control Patterns
28

Alternative Control Patterns
29

Payroll date < 3
days from today
Enter Payroll run Accounting Staff
Payroll System Member
information
Payroll run
information Process Control Pattern
entered
Supervisor 1
Supervisor 1
Approve Payroll Approve Payroll
run run
Supervisor 2
Supervisor 2
XOR XOR
Payroll run Payroll run not Payroll run Payroll run not
approved approved approved approved
Transmit Payroll
Payroll System run information
to Bank
Payroll run
information
Control Patterns
transmitted
30

Exception Based Underwriting
Underwriter reviews APS’s
and some complex cases
Rule Engine validates
App is Scanned Data Entry Application information
and OCR’ed And Validation and Issues some policies
FileNet 24/7 Issue System Workflow Admin System
Image System and Rule Engine
Expanded Rules with Automatic Interface Producer
functionality may include: receives policy
Straight-through processing for delivery.
Intelligent requirement processing
Automated issue
Minimized admin system entry
31
Source: Royce (2007) Workload Balancing

Takeaways
BPM-based Process Governance creates room for Innovation
Operational Risk Management requires separation of
Value-adding activities
Control activities
BPM Solutions can help enforce Compliance
Access Control
Audit Trail Logging
Enforcement of QoS such as response times
32

Thank You - Questions?
Michael zur Muehlen, Ph.D.
Center of Excellence in Business Process Innovation
Howe School of Technology Management
Stevens Institute of Technology
Castle Point on the Hudson
Hoboken, NJ 07030
Phone:
+1 (201) 216-8293
Fax:
+1 (201) 216-5385
E-mail:
mzurmuehlen@stevens.edu
Web:
http://www.cebpi.org
slides: www.slideshare.net/mzurmuehlen
33