Why process is critical to minimizing risk.
James Goldsbury, Senior Manager, PwC Risk
Donna Outram, Account Executive, Promapp
Business Process Mapping
Linking risks, controls and assurance
February 2018
www.pwc.co.nz
Agenda
1. Today's presenter
2. What is a business process?
3. Risk and control and why does it matter?
4. Leveraging the Four Lines of Defence
Today's Presenter
James Goldsbury – Senior Manager, PwC - Risk Assurance
• James has over 9 years of experience advising on risk and control within both NZ and the USA.
• He has worked with large and small organisations to assist them in documenting their business processes as part of broader change / system implementation projects.
• He focuses on ensuring that risks within business processes are fully understood and that controls and assurance activities are embedded within process maps.
• Most recently he has performed this for clients implementing new ERP and payroll systems and off-shoring back office processes.
So, what is a business process?
“A set of linked activities that in combination provide a definable and valuable output to either internal or external customers”
Customer inquiry or sales activity → Prepare and send quote → Update customer details – log order → Check product availability → Deliver product → Bill the customer → Process payment or pass to credit control
Business processes comprise a set of sequential sub-processes or activities, with alternative paths depending on certain conditions, performed to achieve a given objective or produce given outputs.
What is not a process?
A process is not a job description – instead of following a staff member through their job, a process follows an input through the organisation.
A process is not a departmental procedure manual – though the manual might provide useful information for creating a process map.
A process is not a department – even when it has the same name as a department.
And, most importantly, a process is not a plan, program, or policy; processes should support plans, programs, and policies.
Most processes were not “designed” in the first place. Like a footpath, somebody did it once and it was eventually paved or “automated”…
What is a risk?
A risk is… “The possibility of an act or event occurring that would have an adverse effect on the organisation and impact its ability to meet its objectives.”
What is a control?
“A control is an activity put in place to mitigate a risk.”
So – a business process seems simple enough, what are the challenges / pitfalls in documenting them?
• We see a high level of variation between organisations in the level of documentation for their core business processes.
• Documentation often captures ‘what is meant to happen’ – What, When, How?
But,
• Documentation often doesn’t capture the checks / balances (controls).
• It doesn’t consider what could go wrong, and what happens when things go wrong.
Therefore, it doesn’t give management a clear view of the risk associated with the process.
So what – why does this matter?
Investigations into events similar to these often identify that:
• The process ‘as designed’ was not followed
• There was a lack of awareness of what the process was
• Management didn’t understand the risks associated with failure within the process
• There were insufficient controls embedded within the process to manage the risk
• Management didn’t understand what level of assurance they had (or needed) over the controls
How can business process mapping protect you?
The Four Lines of Defence
Embedding the Four Lines of Defence within Process Documentation
• RACM (risk and control matrix) to support business process maps
• Controls mapped to risks
Embedding the Four Lines of Defence within Process Documentation
Customer inquiry or sales activity → Prepare and send quote → Update customer details – log order → Check product availability → Deliver product → Bill the customer → Process payment or pass to credit control
Have we identified all the risks associated with the process?
For example:
• Customer master file data is not accurate
• Sales orders are not completely and accurately recorded
• Cash receipts are not completely and accurately recorded
Embedding the Four Lines of Defence within Process Documentation
What controls are in place to manage these risks?
For example:
• All changes to the customer master file are reviewed
• Sales orders must be authorised in line with delegations
• A reconciliation of cash receipts is performed on a daily basis
Embedding the Four Lines of Defence within Process Documentation
How do we get comfort that these controls are in place and operating?
Linking Process Objectives, Risks and Controls
Risk
• Invalid, unauthorised or otherwise inaccurate payments are made.
• Not all invoices are added to the FMIS.
Key control
• Vendor details entered into FMIS are checked against the application request form and approved by a person independent of the initial entry prior to being finalised.
• Only staff within the Accounts Payable team are able to load new vendors. FMIS prevents the user who entered customer details from approving them.
• A report is reviewed to identify new vendors loaded into the system that have yet to be approved. Aged open invoices are escalated for approval.
Assurance
• Management self-assertion
• Internal Audit of Revenue process
• External Audit
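The vendor master controls in the table above (restricted load access, approver independent of the person who entered the record, a check against the request form, and an exception report of unapproved vendors with aged items escalated), as an added example that is not PwC's or Promapp's code. The FMIS class, the user names, the team membership and the five-day ageing threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed roles and threshold; the real FMIS, team and ageing rules are assumptions.
AP_TEAM = {"alice", "bob"}           # only Accounts Payable may load or approve vendors
ESCALATION_DAYS = 5                  # open items older than this are escalated


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    entered_by: str
    entered_on: date
    approved_by: Optional[str] = None


class FMIS:
    """Vendor master with the key controls from the table built in."""

    def __init__(self) -> None:
        self.vendors: Dict[str, VendorRecord] = {}

    def load_vendor(self, user: str, vendor_id: str, bank: str, today: date) -> None:
        # Preventive control: only AP staff can load new vendors.
        if user not in AP_TEAM:
            raise PermissionError(f"{user} is not in Accounts Payable")
        self.vendors[vendor_id] = VendorRecord(vendor_id, bank, user, today)

    def approve_vendor(self, user: str, vendor_id: str, request_form_bank: str) -> None:
        rec = self.vendors[vendor_id]
        # Segregation of duties: the approver must not be the person who entered the record.
        if user not in AP_TEAM or user == rec.entered_by:
            raise PermissionError("approver must be an independent AP team member")
        # Details are checked against the application request form before finalising.
        if rec.bank_account != request_form_bank:
            raise ValueError("vendor bank account differs from the application request form")
        rec.approved_by = user

    def payment_allowed(self, vendor_id: str) -> bool:
        # Payments run only against finalised (approved) vendors.
        return self.vendors[vendor_id].approved_by is not None

    def unapproved_vendor_report(self, today: date) -> List[Tuple[str, int, bool]]:
        # Detective control: (vendor, days open, escalate?) for vendors not yet approved.
        return [(v.vendor_id, (today - v.entered_on).days,
                 (today - v.entered_on).days > ESCALATION_DAYS)
                for v in self.vendors.values() if v.approved_by is None]
```

The report is what a reviewer would sign off as the second line, and the raised exceptions are the evidence that the preventive controls operate.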
Leveraging Promapp to document risk and control
Final thoughts / key takeaways
1. Most organisations fail to understand and document the risks and controls within their processes.
2. This leads to a lack of understanding of the underlying risks associated with business processes – potentially leaving an organisation at risk of significant damage.
3. The Four Lines of Defence provide a model by which management can ensure that the risks associated with each process are appropriately managed and assured.
Thank you
This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its
members, employees and agents do not accept or assume any liability, responsibility or duty of
care for any consequences of you or anyone else acting, or refraining to act, in reliance on the
information contained in this publication or for any decision based on it.
© 2018 PwC. All rights reserved. In this document, “PwC” refers to [insert legal name of the
PwC firm] which is a member firm of PricewaterhouseCoopers International Limited, each
member firm of which is a separate legal entity.
Questions?
www.promapp.com