Occasional thoughts on business process management, eprocurement, customer service, the dark art of sales and the creatures that inhabit these worlds.

Tuesday, July 04, 2006

Do you manage risks or remove them?

Lots of meetings and conversations I am having at the moment seem to have a "risk management" component to them - everyone is looking for ways of managing the risks they have in their business. But hang on - if you are into risk management then you go looking for risks to manage - why not be into risk removal? Go looking for the risks and then identify how to remove the scale or nature of the risk rather than "manage" it through continuity/crisis planning.

Yet again Business Process Management comes to the fore in this - so many risks described to us invariably boil down to people or process problems - and rarely anything to do with the individual person - more often it is how the processes or procedures are allowing the person to fail in some way.

Plenty of risk always revolves around where people interact with eachother or a business management system - particularly those grey fuzzy areas of inter-departmental responsibility transfer. Opportunities for delay, ambiguity, misunderstanding, keyboard error etc abound. The classic time and cost driven risks. A Business Process Management Suite gives you a great framework for building rule sets and process steps around the people-to-people/system activity flow thereby removing a huge percentage of those potential risks.

Risk management struggles to add tangible value to the business process - risk removal catapults you into a new place entirely.


Phil Ayres said...

Neil, I agree with you up to a point.

In the US a lot of compliance regulation (or at least the big-four's translation of it) has focused on a risk based approach to improving business processes.

For example, Sarbanes-Oxley (SOX) required that organizations document and effectively improve any internal control / process that affects the financial reports of a company. The only way companies could work out where to focus on this mammoth task was to start with a risk analysis across the organization. The highest risk processes with the most likelihood of failure (or those that were just plain incorrect) were highlighted for remediation, potentially with BPM, or better handling in the ERP system. Others were placed lower down the priority list, requiring management over time, but were not considered deserving of a full-on fix in the first year or two.

Companies probably still have more business processes that have risks attached than they can manageably re-engineer within an unchanging organization, let alone one that is evolving over time. So because of this risk management is important. It enables compliance officers to focus on the most important risks by understanding in financial, operational and legal terms which are the greatest. Then they can concentrate on the risk mitigation or removal task using the most appropriate tools for the job.

Unfortunately for us (you and I who believe there is a better way), the majority of organizations are not yet ready to rework processes with BPMS, as they have barely got them documented to comply with the law. Give it a couple of years and the SAP shops will be leading the way in this.

If of course you see a way to implement BPM for a key financial business process in about 30 days, that is something that will sell now. Just be ready to show it in action.



Neil Richardson said...

Thanks Phil for that excellent response and watch this space.