I read an interesting article on the origin of the brown M&M clause in Van Halen’s concert contracts at snopes.com. Van Halen’s standard contract would specify that a bowl of M&Ms should be provided backstage, with all the brown M&Ms removed. The reason was that Van Halen used this clause as an easy way to test whether the contract had been read and executed with sufficient attention.
Probably not an everyday occurrence for most contracts, but it made me think about the processes that need to be put in place to ensure that contractual obligations are fulfilled. It is a different type of compliance issue (business compliance instead of regulatory compliance) – but still is an operational risk issue.
Even a relatively simple contract requires a lot of management, tracking and follow-up to make sure the terms are met. This process is another example of an ad-hoc, unstructured human process that would be significantly enhanced by using a human process management system like ActionBase.
The way we would handle it is to have the contract owner assign the different clauses to the appropriate people directly from the contract document, and provide the owner a way to track and understand where the implementation of any process related to any clause stands. We can help make sure the brown M&Ms are removed, and if not, at least let you know why.
I was reading KPMG’s report on the need for Risk Executives. A risk executive “establishes governance, policy, and risk management discipline” in the business. In short, their job is to create coherence of processes and reporting for risk management across the organization. That requires putting controls into a lot of unstructured processes. Given the lack of tools available for managing unstructured processes, the benefit will come mostly from increased attention to the area of risk management (the Hawthorne Effect), and from the visibility across silos.
Using a Human Process Management System could actually provide robust tooling to support this at very little cost, and turn it from a reporting exercise into a real-time operational excellence exercise. Let’s say some new, critical regulation is announced, for example the new “breach notification” provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulations require HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Since this is new regulation, without any tool support the only way for the risk executive to handle compliance would be to assign someone as the breach process owner. The process owner would probably send out instructions on how to handle a breach. The first step could be that when a breach is discovered, an email should be sent to the breach process owner. At that point they would need to organize a response to the breach, making sure to meet the regulatory requirements and any relevant internal processes. That means ensuring affected individuals are notified, and if needed, that the HHS Secretary is notified. They may also launch an internal investigation of the breach (investigations are another type of unstructured process, since they are human processes and once started they take on a life of their own based on the information collected). All this will probably be done via documents and email, making it impossible to manage, track and audit compliance with the regulations, except by after-the-fact manual reporting.
On the other hand, leveraging a human process management system like ActionBase would enable the risk executive to quickly create an ad-hoc procedure for handling the process on top of existing email and documents, and automatically achieve management, auditability and tracking of the process, with no extra cost.
I was reading an Aberdeen report on “The Reinvention of the Internal Audit” which has lots of interesting statistics about internal audits and auditors. What was most interesting for me was that they came to the same conclusion as Michael Rasmussen in his post on the largest GRC vendor: Excel and Outlook (and a little SharePoint) are the standard Internal Audit Platform, which by default makes Microsoft the largest Internal Audit Platform provider.
It was also interesting to me that they used the term Internal Audit Platform distinct from GRC.
In any case this meshes with what we see with our Audit.Tracker solution – the use of Excel and Outlook is pervasive for internal audits. Given the changes in the regulatory environment, this is going to be a real problem.
I read a very interesting post by Michael Rasmussen showing that Microsoft is the largest GRC (Governance, Risk and Compliance) vendor, because of the widespread usage of Office, Outlook (and now SharePoint) as the tool of preference for GRC management in most organizations. He estimates the size of that market (GRC implemented in MS tools) to be around $24B-$26B. That certainly fits with what we see in the Risk Management Processes (Audits, Compliance etc.) market: Word, Excel and Outlook reign supreme.
He would like to see companies move to other platforms for GRC, making process management much simpler (especially regarding non-repudiation, audit & integrity and data overload). We on the other hand see this as a great opportunity for Human Process Management in general, and ActionBase in particular. We think that letting people remain in their familiar Office and Outlook environments, while providing the structure, monitoring and management needed, is a better way to go forward. People get to stay in their familiar environment, but now the organization can ensure non-repudiation and audit & integrity, and keep data overload under control.
That is what I call GRC JuJitsu: instead of fighting the widespread usage of Office and Outlook, let’s leverage it.
I’d like to invite you all to check out Alan Radding’s great post on his Big Fat Finance blog in light of his conversation with our CTO. It was very interesting talking to Alan following the release of Audit.Tracker. So much is happening within email and plain documents that it’s a bit scary to even think about it, and with all the new compliance regulations companies need to be well prepared and start managing the unmanaged.
I have been trying to understand how organizations think about the operational risk caused by their processes. It makes logical sense: companies have scores of processes (some with guidelines and procedure manuals, some automated using BPM or other tools, many completely ad-hoc and unstructured) that drive the business. Looking at the risks related to these processes should be something that a CRO (Chief Risk Officer) or Corporate Audit Committee looks at. So I tried to find some information on managing process risk.
I found a few pointers to BPMN tools that allow you to make risk considerations part of the model (but it wasn’t clear to me how that got translated to the actual implementation), and I found one good slideshow talking about process risk, and that’s about it. Either I am missing something, or this area is being completely ignored.
One chart in the presentation I found caught my eye. It shows that execution, delivery and process management make up about 40% of the losses generated by operational risk, much more than internal or external fraud. If that is true, I would expect companies to be trying to understand the linkages between processes (structured and unstructured), and attempting to manage the risk. Here is the slideshow:
ActionBase is a passionate group of people determined to make your work more productive. We would like to share our thoughts about ActionBase, productivity, action tracking, saving time and working more efficiently. We would also like to tell you all about the new emerging field called Human Process Management (HPM); we are proud to be part of its evolution.