TRANSCRIPT
Ian Walsh, VP Solutions Marketing
June 22, 2010
Establishing Governance for Business Processes & Risk using ARIS
Panel Discussion
Karla Piñero
Director of Internal Audit, Risk and Compliance, Open Mobile
June 22, 2010
Establishing Internal Controls using Process Governance
Get There Faster. 29 June 2010 | ProcessWorld 2010
Open Mobile – Since 2007
• Small telecom company – the leading no-contract, pay-in-advance wireless service and Internet mobile provider in Puerto Rico.
• Predecessor company filed for bankruptcy in November 2006. New investors bought and re-launched operations as Open Mobile in June 2007.
• Commanded 69% net add share in 2008 and 71% in 2009. Tripled market share from 4% to 11% in the last two years.
• Strong local commitment to Puerto Rico.
• 400+ employees, but only 3 in Internal Audit!
Drivers for Creation of Internal Audit Team
In June 2008, the Board of Directors wanted to establish an Internal Audit Department to:
• Increase efficiency in processes
• Create basic controls
• Reduce instances of fraud
• Have direct presence in the company
Challenges Encountered in 2008
• Internal Audit Department did not exist
• No written procedures or processes
• No communication between departments - most worked as silos or “islands”
• No consistency between departments (personnel, communication, documentation)
• The previous company’s culture was clashing with the new one
• Management did not understand controls and how they reduced the risks associated with objectives
Getting Started - Creation of Temporary Process and Policy Documentation Department
Objectives:
• We needed to review our core and support processes to understand which controls existed and which were needed
Actions:
• Since no processes were documented, we started a project with a local firm to document them
• The processes documented were:
  ◦ Core Processes: Product and Services Development, Sales, Customer Service, Billing and Collections
  ◦ Support Processes: Logistics, Controllership, Administration, IT, Engineering and Marketing
• In the meantime, policies were updated and documented
ARIS Business Architect and Designer
Requirements for Solution:
• Intelligent documentation practices
• Easy access by process owners and internal audit team
• User friendly interfaces
• A product that could tie together related processes
• A product that could easily be merged with a Risk Module in the future
ARIS Business Architect and Designer met these requirements, as well as additional attributes such as documenting processes at various levels
ARIS Business Architect and Designer - Continued
• Two people were hired in our department, plus a student intern program was created (we have one intern working for our department).
  ◦ Process Documentation Auditor
  ◦ Corporate Auditor
  ◦ Junior Auditor
• Policies that were updated and written were integrated into the processes already documented in ARIS, and Entity Level Processes were created for those policies that did not have an existing documented process.
Our team has to work as mediators, judges and psychologists to document, identify risks, establish controls and recommend better efficiency in processes!!!
ARIS Risk and Compliance Manager
• We implemented the ARIS Risk and Compliance Manager to tie the controls to the processes:
  ◦ Re-documenting controls already documented in a separate Excel spreadsheet
  ◦ If controls are not related to documented processes, we create processes related to them
• Our team follows up on inefficient controls monthly
• We are also using ARIS Designer flowcharts to identify and recommend lean practices for clearly inefficient processes
Next Steps
• Create Methodology Manual using ARIS software requirements – for example, Risk Types, Assertions, COSO component, etc.
• Finish entering policies into the process documentation
• Finish process documentation of support processes
• Introduce controls already documented outside of ARIS into the ARIS Risk and Compliance Manager
• Analyze process documentation to identify risks and implement controls
• Audit controls for effectiveness
John Suzanne, Sr. Project Manager, South Texas Project (STP) Nuclear Operating Company
Perspectives on Governance
South Texas Project Nuclear Operating Company [1]
• One of the newest and largest nuclear power facilities in the nation, providing clean energy to two million Texas homes.
• In February 2009, STP achieved a Total Safety Industrial Accident Rate of 0.0.
• Top ten percent of U.S. nuclear plants for personal safety.
• STP has earned more honors than any other nuclear plant nationwide, including the U.S. nuclear industry's highest honor, the B. Ralph Sylvia Best of The Best Award, which STP has received three times.
Speaker Introduction – John Suzanne
• John Suzanne, DSA, PMP, MBB, CGEITc is an Enterprise Solution Architect and Sr. Project Manager at South Texas Project (STP) Nuclear Operating Company
• Mr. Suzanne’s 22+ years’ experience spans multiple industries including
  ◦ Nuclear, Aerospace, Defense, Medical Devices & Pharma
  ◦ Alumni Member of the FedEx Global Revenue $Billion Club
• He has led global process improvement teams across 200+ countries, 24 time zones, 12+ VPs & thousands of stakeholders
• John has presented at ProcessWorld and Sapphire
• http://www.linkedin.com/in/johnsuzanne
STP Current-State Enterprise IT Governance Framework
∆ (gaps):
• Audit findings
• No CIO
• CobiT solution not approved
• Fragmented IT governance
• Shadow IT functions & spending
• ARIS not fully implemented
+ (in place):
• IT Benchmark Assessment ready
• CobiT 4.1 solution identified
• ARIS & SAP acquired
• SAP blueprint completed
• SQA process defined
Embedding Risk into Balanced Scorecard [8]
“Risk management was siloed and considered more of a compliance issue. … Now we see that identification, mitigation and management of risk has to be on an equal level with the strategic process.”
— Robert Kaplan, co-author of the Balanced Scorecard
Embed Risk Management throughout the SDLC
“Consider risk assessment at each deliverable and change request”
| Perspective | Value/Benefit | Performance Indicator | Risk/Constraint | Risk Indicator |
|---|---|---|---|---|
| Status Quo (Do Nothing) | | | | |
| Financial | No additional capital or expense outlay required | Cash flow (OIB) | N/A | N/A |
| Operations | STP is currently an industry leader in fatigue rule compliance | Fatigue rule violations (SIB) | Current process is identified as cumbersome and time consuming | Time-to-callout worsens (SIB) |
| Customer | N/A | N/A | Customer perceives lack of service | Survey(s) |
| Learning/Growth | N/A | N/A | Current operational deficits may be the result of a training issue | Time-to-callout |
| Alternative #1 (LEAN improvement) | | | | |
| Financial | No significant capital or expense outlay required | Cash flow (OIB) | None identified | N/A |
| Operations | Reduced cycle-time, improved throughput, error-proofing | Time-to-callout (SIB) | Resistance to change and institutionalization may constrain acceptance | Kaizen attendance |
| Customer | Improved customer experience | Survey(s) | N/A | Time-to-callout (SIB) |
| Learning/Growth | LEAN principles enrich the employee experience and reinvigorate the questioning attitude | KPIs/PIs | Resistance to change and institutionalization may constrain acceptance | % Training complete |
STPNOC Proposed SDLC
Definitions
BSC – Balanced Scorecard: performance measurement framework that leverages a ‘balanced’ view of organizational performance
CGEIT – Certified in the Governance of Enterprise Information and related Technologies (ISACA)
CGEITc – CGEIT Candidate
CobiT – Control Objectives for Information and related Technology: a governance framework / best practice reference model
KPI/KRI – Key Performance Indicator / Key Risk Indicator
INPO – Institute of Nuclear Power Operations
ISACA – Information Systems Audit and Control Association
NEI – Nuclear Energy Institute
OECD – Organization for Economic Cooperation and Development
ITGI – IT Governance Institute: the IT version of INPO/NEI
SDLC – System Development Life Cycle: a repeatable process for building information systems tied to CobiT 4.1+/SOX
References
1. http://www.stpnoc.com/About.htm. Downloaded June 14, 2010.
2. Weill, Peter and Ross, Jeanne. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School Press, 2003.
3. Pankey, Bill. Foundations of IT Governance. March 30, 2010.
4. Boyle, Louis (VP, Gartner EXP). http://www.gartner.com/it/products/podcasting/asset_141507_2575.jsp. Downloaded May 16, 2010.
5. George, Michael L. Lean Six Sigma for Service: How to Use Lean Speed & Six Sigma Quality to Improve Services and Transactions. New York: McGraw-Hill, 2003.
6. ITGI. Board [of Directors] Briefing on IT Governance, 2nd Edition. ISBN 1-893209-64-4. 2003.
7. Gartner. CIO Toolkit: First 100 Days.
Abid Marchant, Global Solution Manager Architect
June 22, 2010
ARIS Process Governance at Pfizer
Agenda
• About Pfizer
• Functionality Used by Pfizer
• Drivers
• Implementation
• Key Benefits
About Pfizer
• Headquartered in Manhattan, New York
• Global leader in:
  ◦ Prescription Pharmaceuticals
  ◦ Non-prescription Consumer Health Care Products
  ◦ Pharmaceuticals for Animal Health
• Acquired Wyeth Pharmaceuticals in 2009
ARIS Functionality Used by Pfizer
• Model approval procedures
• Continuous improvement process
• Requirements management
• Policy management
• SAP rollout/implementation
• Modeling and analysis workflow
• Check in/check out
• Audit trail
• BPM service center processes
Release Cycle Management
Objective:
• Automate model promotions between Development, Review, and Production
• Automate approval process and audit trail
Intended Outcomes:
• Reduce risk of human errors
• Save time during promotions
• Transparency in approval processes to identify bottlenecks
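The promotion gate the slide describes, written out as an added example (not Pfizer's or the ARIS product's code): models may only move Development → Review → Production, a model reaches Production only after approval by someone other than its owner, and every action lands in a hash-chained audit trail so a later edit to an earlier entry is detectable. The stage names, the Model and ReleaseCycle classes, the verify_trail() helper and the sample model name are assumptions of this example.

```python
"""Release-cycle gate for modelling artefacts (added example, not the
ARIS Process Governance implementation). Enforces ordered promotion,
segregation of duties on approval, and a tamper-evident audit trail.
Stage names, classes and helper names are assumptions of this example."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

STAGES = ["Development", "Review", "Production"]  # assumed stage names
GENESIS = "0" * 64  # prev-hash of the first audit entry


class PromotionError(Exception):
    """A promotion or approval that would violate the release-cycle rules."""


@dataclass
class Model:
    name: str
    owner: str
    stage: str = STAGES[0]
    approvers: set[str] = field(default_factory=set)


class ReleaseCycle:
    def __init__(self) -> None:
        self.models: dict[str, Model] = {}
        self.trail: list[dict] = []  # append-only, hash-chained audit trail

    def _record(self, event: str, **details: str) -> None:
        """Append an audit entry whose hash covers its body and the previous hash."""
        entry = {"seq": len(self.trail), "event": event,
                 "prev": self.trail[-1]["hash"] if self.trail else GENESIS, **details}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.trail.append(entry)

    def register(self, name: str, owner: str) -> Model:
        self.models[name] = Model(name, owner)
        self._record("register", model=name, actor=owner)
        return self.models[name]

    def approve(self, name: str, reviewer: str) -> None:
        """Record a review approval; the owner may not approve their own model."""
        m = self.models[name]
        if m.stage != "Review":
            raise PromotionError(f"{name} is in {m.stage}, not Review")
        if reviewer == m.owner:
            raise PromotionError("segregation of duties: owner cannot approve own model")
        m.approvers.add(reviewer)
        self._record("approve", model=name, actor=reviewer)

    def promote(self, name: str, actor: str) -> str:
        """Move the model to the next stage and return the new stage name."""
        m = self.models[name]
        idx = STAGES.index(m.stage)
        if idx == len(STAGES) - 1:
            raise PromotionError(f"{name} is already in Production")
        target = STAGES[idx + 1]
        if target == "Production" and not m.approvers:
            raise PromotionError("Production requires an independent approval")
        m.stage = target
        self._record("promote", model=name, actor=actor, to=target)
        return target

    def verify_trail(self) -> bool:
        """Recompute the chain; False if any entry was edited, dropped or reordered."""
        prev = GENESIS
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = digest
        return True


def demo() -> list[dict]:
    """Walk one constructed model through the cycle and return its audit trail."""
    rc = ReleaseCycle()
    rc.register("Order-to-Cash", owner="alice")   # constructed sample data
    rc.promote("Order-to-Cash", actor="alice")     # Development -> Review
    rc.approve("Order-to-Cash", reviewer="bob")    # independent approval
    rc.promote("Order-to-Cash", actor="alice")     # Review -> Production
    assert rc.verify_trail()
    return rc.trail


if __name__ == "__main__":
    for e in demo():
        print(e["seq"], e["event"], e.get("actor"), e.get("to", ""), e["hash"][:12])
```

The two checks that matter for the "reduce risk of human errors" outcome are the ones that raise PromotionError: skipping Review, or an owner approving their own model, is refused rather than merely logged. The hash chain is what makes the audit trail usable as evidence; in a real deployment the chain head would be stored outside the system that writes the trail.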
Implementation
1. Established infrastructure to support APG
2. Installed APG on ARIS Test Server
3. Received training on APG Methods and Conventions
4. Customized APG Default Processes to Support Business Requirements
5. Performed APG Testing
6. Moved APG into Production
Key Benefits of Release Cycle Management
• Process transparency, quality, and flexibility when promoting models between environments
• Automated task lists and escalation mechanisms, providing:
  ◦ Automatic notification
  ◦ Visibility into process changes
• Audit trails of release cycles
• Visualization of release cycle metrics via integration with ARIS PPM
Thank you!