80% of your processes are putting your business at risk
Most processes follow a simple, happy path, right? For instance, the customer makes an inquiry, you send them a quote, they place an order, you check availability and deliver the product, and once you bill the customer they make payment.
That may be the case about 20% of the time. But when risk enters the equation, the reality is quite different. Few processes are immune to risk.
James Goldsbury, Senior Manager, PwC Risk Assurance, says organizations can leverage business process management (BPM) to better manage those inevitable risks.
In James’ experience and according to PwC’s research, “Only around 20% of transactions follow what is defined as the happy flow. The remaining 80% follow a transactional flow that management may not be aware of, or that isn’t the defined flow for a particular process.”
Expect processes to be derailed by risk
Although the concepts of process, risk and controls are well understood within the BPM community, organizations experience significant challenges when it comes to documenting processes and managing risk.
Why is that?
Process teams generally focus on capturing what is meant to happen – that 20% of the time when everything goes according to the happy flow – along with the what, when and how.
But process documentation frequently fails to capture the checks and balances – what the controls are. Process teams don’t consider what could go wrong and are even less likely to document what happens when processes break down.
The result is that senior management and the board don’t get a clear idea of the level of risk associated with a particular process. Ideally, senior executives need this information to be comfortable that the risks associated with business processes are being well managed.
4 Factors that put your processes at risk
The consequences of having unmitigated risks in your processes can be significant and could lead to your organization having to answer some challenging questions.
When the PwC audit team sees things go wrong in process and risk management, it’s usually because:
- 80% of the time, standard processes weren’t followed
- Not everyone knew what the processes were
- Senior execs didn’t anticipate the issues that could arise
- Insufficient controls were embedded in the processes
James suggests applying the Four Lines of Defense model to protect your organization and manage risks:
- First line of defense: Internal controls implemented by management
- Second line of defense: Management oversight and self-assurance
- Third line of defense: Internal audit
- Fourth line of defense: External financial audit
While you may not be able to make all your processes immune to risk, you will be able to rest easy that teams in your organization are aware of potential risks and know what to do when they arise.