Tools for Risk Executives

I was reading KPMG’s report on the need for Risk Executives. A risk executive “establishes governance, policy, and risk management discipline” in the business. In short, their job is to create coherent processes and reporting for risk management across the organization. That requires putting controls into a lot of unstructured processes. Given the lack of tools available for managing unstructured processes, the benefit will come mostly from increased attention to the area of risk management (the Hawthorne Effect) and from the visibility across silos.

Using a Human Process Management System could actually provide robust tooling to support this at very little cost, and turn it from a reporting exercise into a real-time operational excellence exercise. Let's say some new, critical regulation is announced, for example the new “breach notification” provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulations require HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals.

Since this is a new regulation, without any tool support, the only way for the risk executive to handle compliance would be to assign someone as the breach process owner. The process owner would probably send out instructions on how to handle a breach. The first step could be that when a breach is discovered, an email is sent to the breach process owner. At that point the process owner would need to organize a response to the breach, making sure to meet the regulatory requirements and any relevant internal processes. That means ensuring affected individuals are notified and, if needed, the HHS Secretary is notified. They may also launch an internal investigation of the breach (investigations are another type of unstructured process, since they are human processes and once started they take on a life of their own based on the information collected). All this will probably be done via documents and email, making it impossible to manage, track and audit compliance with the regulations except by after-the-fact manual reporting.

On the other hand, leveraging a human process management system like ActionBase would enable the risk executive to quickly create an ad-hoc procedure for handling the process on top of existing email and documents, and automatically achieve management, auditability and tracking of the process with no extra cost.

