Establishing Governance for Business Processes & Risk using ARIS – Panel Discussion. Ian Walsh, VP Solutions Marketing, June 22, 2010


Page 1: Establishing Governance for Business Processes & Risk using ARIS

Ian Walsh, VP Solutions Marketing

June 22, 2010

Establishing Governance for Business Processes & Risk using ARIS

Panel Discussion

Page 2

Karla Piñero

Director of Internal Audit, Risk and Compliance, Open Mobile

June 22, 2010

Establishing Internal Controls using Process Governance

Page 3

Get There Faster. 29 June 2010 | ProcessWorld 2010 | 3

Open Mobile – Since 2007

• Small telecom company – the leading no-contract, pay-in-advance wireless service and mobile Internet provider in Puerto Rico.

• Predecessor company filed for bankruptcy in November 2006. New investors bought and re-launched operations as Open Mobile in June 2007.

• Commanded 69% net add share in 2008 and 71% in 2009. Tripled market share from 4% to 11% in the last two years.

• Strong local commitment to Puerto Rico.

• 400+ employees, but only 3 in Internal Audit!

Page 4


Drivers for Creation of Internal Audit Team

In June 2008, the Board of Directors wanted to establish an Internal Audit Department to:

• Increase efficiency in processes

• Create basic controls

• Reduce instances of fraud

• Have direct presence in the company

Page 5


Challenges Encountered in 2008

• Internal Audit Department did not exist

• No written procedures or processes

• No communication between departments - most worked as silos or “islands”

• No consistency between departments (personnel, communication, documentation)

• The previous company’s culture was clashing with the new one

• Management did not understand controls and how they reduced risks associated with objectives

Page 6


Getting Started - Creation of Temporary Process and Policy Documentation Department

Objectives:

• We needed to review our core and support processes to understand which controls existed and which were needed

Actions:

• Since no processes were documented, we started a project with a local firm to document them

• The processes documented were:

  ◦ Core processes: Product and Services Development, Sales, Customer Service, Billing and Collections

  ◦ Support processes: Logistics, Controllership, Administration, IT, Engineering and Marketing

• In the meantime, policies were updated and documented

Page 7


ARIS Business Architect and Designer

Requirements for Solution:

• Intelligent documentation practices

• Easy access by process owners and internal audit team

• User friendly interfaces

• A product that could tie together related processes

• A product that could easily be merged with a Risk Module in the future

ARIS Business Architect and Designer met these requirements and offered additional capabilities, such as documenting processes at various levels

Page 8


ARIS Business Architect and Designer - Continued

• Two people were hired into our department, and a student intern program was created (we have one intern working for our department):

  ◦ Process Documentation Auditor

  ◦ Corporate Auditor

  ◦ Junior Auditor

• Policies that were updated and written were integrated into the processes already documented in ARIS; entity-level processes were created for those policies that did not have an existing documented process.

Page 9


Our team has to work as mediators, judges and psychologists to document, identify risks, establish controls and recommend better efficiency in processes!!!

ARIS Risk and Compliance Manager

• We implemented the ARIS Risk and Compliance Manager to tie the controls to the processes:

  ◦ Re-documenting controls that were previously documented in a separate Excel spreadsheet

  ◦ If controls are not related to documented processes, we create the processes related to them

  ◦ Our team follows up on inefficient controls monthly

• We are also using ARIS Designer flowcharts to identify and recommend lean practices for clearly inefficient processes

Page 10


Next Steps

• Create Methodology Manual using ARIS software requirements – for example, Risk Types, Assertions, COSO component, etc.

• Finish entering policies into the process documentation

• Finish process documentation of support processes

• Introduce controls already documented outside of ARIS into the ARIS Risk and Compliance Manager

• Analyze process documentation to identify risks and implement controls

• Audit controls for effectiveness

Page 11

John Suzanne, Sr. Project Manager, South Texas Project (STP) Nuclear Operating Company

Perspectives on Governance

Page 12


South Texas Project Nuclear Operating Company [1]

• One of the newest and largest nuclear power facilities in the nation, providing clean energy to two million Texas homes.

• In February 2009, STP achieved a Total Safety Industrial Accident Rate of 0.0.

• Top ten percent of U.S. nuclear plants for personal safety.

• STP has earned more honors than any other nuclear plant nationwide, including the U.S. nuclear industry's highest honor, the B. Ralph Sylvia Best of The Best Award, which STP has received three times.


Page 13


Speaker Introduction – John Suzanne

• John Suzanne, DSA, PMP, MBB, CGEITc, is an Enterprise Solution Architect and Sr. Project Manager at South Texas Project (STP) Nuclear Operating Company

• Mr. Suzanne’s 22+ years of experience span multiple industries, including:

  ◦ Nuclear, Aerospace, Defense, Medical Devices & Pharma

  ◦ Alumni Member of the FedEx Global Revenue $Billion Club

• He has led global process improvement teams across 200+ countries, 24 time zones, 12+ VPs and thousands of stakeholders

• John has presented at ProcessWorld and Sapphire

• http://www.linkedin.com/in/johnsuzanne


Page 14


STP Current-State Enterprise IT Governance Framework

∆ (gaps):

• Audit findings

• No CIO

• CobiT solution not approved

• Fragmented IT governance

• Shadow IT functions & spending

• ARIS not fully implemented

+ (progress):

• IT Benchmark Assessment ready

• CobiT 4.1 solution identified

• ARIS & SAP acquired

• SAP blueprint completed

• SQA process defined

Page 15


Embedding Risk into Balanced Scorecard [8]

“Risk management was siloed and considered more of a compliance issue. … Now we see that identification, mitigation and management of risk has to be on an equal level with the strategic process.”

– Robert Kaplan, co-author of the Balanced Scorecard

Page 16


Embed Risk Management throughout the SDLC

“Consider risk assessment at each deliverable and change request”

Perspective | Value/Benefit | Performance Indicator | Risk/Constraint | Risk Indicator

Status Quo – Do Nothing

Financial | No additional capital or expense outlay required | Cash flow (OIB) | N/A | N/A

Operations | STP is currently an industry leader in fatigue rule compliance | Fatigue rule violations (SIB) | Current process is identified as cumbersome and time consuming | Time-to-callout worsens (SIB)

Customer | N/A | N/A | Customer perceives lack of service | Survey(s)

Learning/Growth | N/A | N/A | Current operational deficits may be the result of a training issue | Time-to-callout

Alternative #1 – LEAN improvement

Financial | No significant capital or expense outlay required | Cash flow (OIB) | None identified | N/A

Operations | Reduced cycle-time, improved throughput, error-proofing | Time-to-callout (SIB) | Resistance to change and institutionalization may constrain acceptance | Kaizen attendance

Customer | Improved customer experience | Survey(s) | N/A | Time-to-callout (SIB)

Learning/Growth | LEAN principles enrich the employee experience and reinvigorate the questioning attitude | KPIs/PIs | Resistance to change and institutionalization may constrain acceptance | % Training Complete

Page 17


STPNOC Proposed SDLC

Page 18


Definitions

BSC – Balanced Scorecard: performance measurement framework that leverages a 'balanced' view of organizational performance

CGEIT – Certified in the Governance of Enterprise Information and related Technologies (ISACA)

CGEITc – CGEIT Candidate

CobiT – Control Objectives for Information and related Technology: a governance framework / best practice reference model

KPI / KRI – Key Performance Indicator / Key Risk Indicator

INPO – Institute of Nuclear Power Operations

ISACA – Information Systems Audit and Control Association

NEI – Nuclear Energy Institute

OECD – Organization for Economic Cooperation and Development

ITGI – IT Governance Institute: the IT counterpart of INPO/NEI

SDLC – System Development Life Cycle: a repeatable process for building information systems, tied to CobiT 4.1+/SOX


Page 19


References

1. http://www.stpnoc.com/About.htm. Downloaded on June 14, 2010.

2. Weill, Peter and Ross, Jeanne. IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School Press, 2003.

3. Pankey, Bill. Foundations of IT Governance. March 30, 2010.

4. Boyle, Louis, VP, Gartner EXP. http://www.gartner.com/it/products/podcasting/asset_141507_2575.jsp. Downloaded on 5/16/2010.

5. George, Michael L. Lean Six Sigma for Service: How to Use Lean Speed & Six Sigma Quality to Improve Services and Transactions. New York: McGraw-Hill, 2003.

6. ITGI. Board [of Directors] Briefing on IT Governance, 2nd Edition. ISBN 1-893209-64-4. 2003.

7. Gartner. CIO Toolkit: First 100 Days.


Page 20

Abid Marchant, Global Solution Manager Architect

June 22, 2010

ARIS Process Governance at Pfizer

Page 21


Agenda

• About Pfizer

• Functionality Used by Pfizer

• Drivers

• Implementation

• Key Benefits

Page 22


About Pfizer

• Headquartered in Manhattan, New York

• Global leader in:

  ◦ Prescription Pharmaceuticals

  ◦ Non-prescription Consumer Health Care Products

  ◦ Pharmaceuticals for Animal Health

• Acquired Wyeth Pharmaceuticals in 2009

Page 23


ARIS Functionality Used by Pfizer

• Model approval procedures

• Continuous improvement process

• Requirements management

• Policy management

• SAP rollout/implementation

• Modeling and analysis workflow

• Check in/check out

• Audit trail

• BPM service center processes

Page 24


Release Cycle Management

Objective:

• Automate model promotions between Development, Review, and Production

• Automate approval process and audit trail

Intended Outcomes:

• Reduce risk of human errors

• Save time during promotions

• Transparency in approval processes to identify bottlenecks

Page 25


Implementation

1. Established infrastructure to support APG

2. Installed APG on ARIS Test Server

3. Received training on APG Methods and Conventions

4. Customized APG Default Processes to Support Business Requirements

5. Performed APG Testing

6. Moved APG into Production

Page 26


Key Benefits of Release Cycle Management

• Process transparency, quality, and flexibility when promoting models between environments

• Automated task lists and escalation mechanisms, providing:

  ◦ Automatic notification

  ◦ Visibility into process changes

• Audit trails of release cycles

• Visualization of release cycle metrics via integration with ARIS PPM

Page 27

Thank you!