Process mapping plays a critical role in building understanding throughout organisations of how things "should be done". While understanding how business processes operate is important, it is also necessary for organisations to understand how risk is managed.
Watch this webinar recording to learn from James Goldsbury, Senior Manager, PwC Risk Assurance, how organisations can leverage business process mapping to better understand how their risks are managed and assured.
James will share lessons learnt and best practice recommendations including:
- How organisations can enhance documentation to ensure that they have the right processes and controls in place
- Common pitfalls in documenting processes and controls
- How management can obtain comfort and assurance that processes are operating as they expect
- Four lines of defence - a concept within process mapping.
3. PwC
Agenda
1. Today's presenter
2. What is a business process?
3. Risk and control and why does it matter?
4. Leveraging the four lines of defence
February 2018Business Process Mapping
4. PwC
Today’s Presenter
James Goldsbury – Senior Manager, PwC - Risk Assurance
• James has over 9 years of experience advising on risk and control within both NZ and the USA.
• He has worked with large and small organisations to assist them in documenting their business processes as part of broader change / system implementation projects.
• He focuses on ensuring that risks within business processes are fully understood and that controls and assurance activities are embedded within process maps.
• Most recently he has performed this for clients implementing new ERP and payroll systems and off-shoring back office processes.
5. PwC
So, what is a business process?
“A set of linked activities that in combination provide a definable and valuable output to either internal or external customers”
Example order-to-cash process flow: Customer inquiry or sales activity → Prepare and send quote → Update customer details – log order → Check product availability → Deliver product → Bill the customer → Process payment or pass to credit control
Business processes comprise a set of sequential sub-processes or activities, with alternative paths depending on certain conditions, performed to achieve a given objective or produce given outputs.
6. PwC
What is not a process?
A process is not a job description – instead of following a staff member through their job, a process follows an input through the organisation.
A process is not a departmental procedure manual – though the manual might provide useful information for creating a process map.
A process is not a department – even when it has the same name as a department.
And, most importantly, a process is not a plan, program, or policy; processes should support plans, programs, and policies.
Most processes were not “designed” in the first place. Like a foot path, somebody did it once and it was eventually paved or “automated”…
7. PwC
What is a risk?
A risk is…
“The possibility of an act or event occurring that would have an adverse effect on the organisation and impact its ability to meet its objectives”
8. PwC
What is a control?
“A control is an activity put in place to mitigate a risk”
9. PwC
So – a business process seems simple enough; what are the challenges / pitfalls in documenting them?
• We see a high level of variation between organisations in the level of documentation for their core business processes
• Documentation often captures ‘what is meant to happen’ – What, When, How?
But,
• Documentation often doesn’t capture the checks / balances (controls)
• It doesn’t consider what could go wrong, and what happens when things go wrong
Therefore, it doesn’t give management a clear view of the risk associated with the process.
11. PwC
So what – why does this matter?
Investigations into events similar to these often identify that:
• The process ‘as designed’ was not followed
• There was a lack of awareness of what the process was
• Management didn’t understand the risks associated with failure within the process
• There were insufficient controls embedded within the process to manage the risk
• Management didn’t understand what level of assurance they had (or needed) over the controls
13. PwC
Embedding the Four Lines of Defence within Process Documentation
• RACM (risk and control matrix) to support business process maps
• Controls mapped to risks
14. PwC
Embedding the Four Lines of Defence within Process Documentation
(Same order-to-cash process flow diagram as on slide 5.)
Have we identified all the risks associated with the process?
For Example:
• Customer master file data is not accurate
• Sales orders are not completely and accurately recorded
• Cash receipts are not completely and accurately recorded
15. PwC
Embedding the Four Lines of Defence within Process Documentation
(Same order-to-cash process flow diagram as on slide 5.)
What controls are in place to manage these risks?
For Example:
• All changes to customer master file are reviewed
• Sales orders must be authorised in line with delegations
• A reconciliation of cash receipts is performed on a daily basis
16. PwC
Embedding the Four Lines of Defence within Process Documentation
(Same order-to-cash process flow diagram as on slide 5.)
How do we get comfort that these controls are in-place and operating?
17. PwC
Linking Process Objectives, Risks and Controls
Risk:
• Invalid, unauthorised or otherwise inaccurate payments are made.
• Not all invoices are added to the FMIS.
Key control:
• Vendor details entered into FMIS are checked against the application request form and approved by a person independent of the initial entry prior to being finalised.
• Only staff within the Accounts Payable team are able to load new vendors. FMIS prevents the user who entered customer details from approving them.
• A report is reviewed to identify new vendors loaded into the system that have yet to be approved. Aged open invoices are escalated for approval.
Assurance:
• Management self assertion
• Internal Audit of Revenue process
• External Audit
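The slide links each risk to a key control and to the assurance activities that give management comfort over it. The example below, added here and not PwC's own tooling or method, models that linkage as a small risk-and-control matrix and implements two of the listed controls as checks: a coverage check that reports risks with no control and controls with no assurance, and the "new vendors yet to be approved" review report with the FMIS segregation-of-duties rule (the user who entered a vendor cannot approve it). The risk and control wording comes from the slides; the risk ids, the assignment of assurance activities to individual controls, the Accounts Payable team membership, the escalation threshold and the vendor records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# --- Part 1: a minimal risk-and-control matrix (RACM) ----------------------
# Risk and control wording is from the slides. The ids, the mapping of
# assurance activities to individual controls, and the deliberately
# uncovered risk / unassured control are constructed to show what a gap
# in the matrix looks like.

@dataclass
class Control:
    name: str
    mitigates: list                              # ids of risks this control addresses
    assurance: list = field(default_factory=list)  # activities giving comfort it operates

RISKS = {
    "R1": "Invalid, unauthorised or otherwise inaccurate payments are made.",
    "R2": "Not all invoices are added to the FMIS.",
    "R3": "Sales orders are not completely and accurately recorded.",  # constructed: no control below
}

CONTROLS = [
    Control("Vendor details checked against the request form and approved by a "
            "person independent of the initial entry", ["R1"],
            ["Management self assertion", "Internal Audit", "External Audit"]),
    Control("Only Accounts Payable staff can load new vendors; FMIS prevents the "
            "user who entered a record from approving it", ["R1"],
            ["Internal Audit"]),
    Control("Report of unapproved new vendors reviewed; aged open invoices "
            "escalated for approval", ["R1", "R2"]),  # constructed: no assurance mapped yet
]

def racm_gaps(risks, controls):
    """Return (risk ids with no mitigating control, control names with no assurance)."""
    covered = {rid for c in controls for rid in c.mitigates}
    uncovered = sorted(set(risks) - covered)
    unassured = [c.name for c in controls if not c.assurance]
    return uncovered, unassured

# --- Part 2: the "new vendors yet to be approved" review report -------------
AP_TEAM = {"alice", "bob"}      # constructed: users permitted to load vendors
AGED_DAYS = 7                   # constructed: days unapproved before escalation
REPORT_DATE = date(2018, 2, 15)  # constructed: the date the report is run

# Constructed vendor master records, as the review report would read them.
VENDORS = [
    {"id": "V100", "entered_by": "alice", "approved_by": "bob",  "entered": date(2018, 2, 1)},
    {"id": "V101", "entered_by": "alice", "approved_by": None,   "entered": date(2018, 2, 2)},
    {"id": "V102", "entered_by": "bob",   "approved_by": "bob",  "entered": date(2018, 2, 3)},
    {"id": "V103", "entered_by": "carol", "approved_by": "bob",  "entered": date(2018, 2, 5)},
    {"id": "V104", "entered_by": "bob",   "approved_by": None,   "entered": date(2018, 2, 14)},
]

def vendor_exceptions(vendors, as_of, ap_team=AP_TEAM, aged_days=AGED_DAYS):
    """Flag records that breach the controls above. Returns {vendor id: [reasons]}."""
    findings = {}
    for v in vendors:
        reasons = []
        if v["entered_by"] not in ap_team:
            reasons.append("entered by a user outside Accounts Payable")
        if v["approved_by"] is None:
            if (as_of - v["entered"]).days > aged_days:
                reasons.append("unapproved and aged: escalate for approval")
            else:
                reasons.append("awaiting approval")
        elif v["approved_by"] == v["entered_by"]:
            reasons.append("approved by the user who entered it (segregation of duties breach)")
        if reasons:
            findings[v["id"]] = reasons
    return findings

if __name__ == "__main__":
    uncovered, unassured = racm_gaps(RISKS, CONTROLS)
    print("Risks with no control:", uncovered)
    print("Controls with no assurance:", unassured)
    for vid, why in vendor_exceptions(VENDORS, REPORT_DATE).items():
        print(vid, "-", "; ".join(why))
```

Run as a script it lists the uncovered risk and unassured control from the matrix, then the four vendor records the report would raise: one aged and unapproved, one awaiting approval, one self-approved, and one loaded by someone outside the team. Each check is a direct reading of a control sentence on the slide, which is the point: a control that cannot be expressed as a concrete test of the records is hard to assure.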
20. PwC
Final thoughts / key takeaways
1. Most organisations fail to understand and document the risks and controls within their processes
2. This leads to a lack of understanding of the underlying risks associated with business processes – potentially leaving an organisation at risk of significant damage
3. The four lines of defence provide a model by which management can ensure that the risks associated with each process are appropriately managed and assured.