Toward Compliant Performance: You Need to Tightly Link Enterprise Risk Management and Compliance Initiatives with BPM Principles and Practices
Downing, Bruce D., Spanyi, Andrew, Strategic Finance
THE RULES OF THE GAME HAVE CHANGED. Increasing regulatory pressures and legal requirements have forced finance professionals to intensify their focus on internal controls and compliance. But at what cost? Now there's a way to assure effective risk management and compliance programs and concurrently identify and implement operational improvements. The key is to tightly link enterprise risk management and compliance initiatives with business process management (BPM) principles and practices.
COMPLIANCE AND BPM
Since the industrial revolution, the role of finance professionals has been to guide management on achieving business goals while providing protection against negative events/risks. Over the past decade, the forces of globalization and commoditization have driven an increasing emphasis on designing business processes that make an organization more competitive, lean, flexible, and agile.
Yet most enterprises rely on standard organizational models based on typical functional areas or departments such as operations, sales and marketing, accounting, and customer service. Their efforts regarding business process improvements have focused on improving processes within these standard functional areas. Similarly, many companies have attempted to achieve compliance in the absence of a cross-functional view of the business in process terms. They continue to see the business in the context of a departmental view because that's how organizations have evolved-with budgets and financial measures structured along these functional lines. When organizations implement new controls to assure compliance within this traditional context, compliance attainment is typically accompanied by significantly higher operating costs. When controls are designed solely along traditional functional lines, the added costs for monitoring and compliance are realized with little offsetting operating benefit to the organization. Higher auditing and information systems costs are typical in this approach, and opportunities for operational improvements aren't even considered in such efforts.
More recently, there has been a growing recognition that the greatest benefits of modern BPM methods accrue when a cross-functional view of the organization is adopted along with the primary goal of establishing processes that provide value to the customer. A large number of real-world examples have emerged that demonstrate great benefits in adopting a customer-centric, cross-functional view of key processes. Organizations as diverse as Air Products, Caterpillar, and Nokia have realized impressive operational benefits as a result of a business process orientation.
The successes found with BPM methods and practices not only provide for operational improvements but can also deliver significantly improved approaches to legal and regulatory compliance requirements that would otherwise continue to simply add costs.
DRIVERS FOR COMPLIANCE
Major current motivators for examining internal controls as part of risk management are conditions and obligations based on regulatory requirements and the increasing risks and costs associated with litigation. For public companies, the Sarbanes-Oxley Act (SOX) has created an atmosphere in which they have needed to substantially modify their practices with respect to internal controls and methods of compliance. For nonpublic companies and other organizations, the law has changed the rules for records retention and related issues for producing evidence in litigation. Add in the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPPA) for medical records and the already existing regulations for specific industries, and the risk management issues with accompanying costs become a growing problem for all organizations. The requirements to develop, document, and test internal controls and the legal responsibilities for executives to attest to the accuracy of financial statements and transaction records dictate practices that most corporations (public, private, and nonprofit) haven't addressed before. …