Mapping risks and controls to your process map is a great way to manage risk and measure severity in context.
Last week we considered how process modeling has a synergy with managing data access, insofar as including data within your process maps and mapping data to specific activities and roles helps with the design of data access controls. There is a second natural synergy that I’ve commonly seen, and that is in the area of risk management. In this post I’ll delve a little deeper into the details of implementing this in your process maps.
Risk is the natural outcome of doing something – that is, risks naturally attach to specific actions that you undertake. In the process modeling arena, this means that specific risks attach to specific activities within the process map. To mitigate the risks that are involved with executing a particular activity, you apply controls to the execution of that activity – extra steps that you undertake within the activity to try to counteract the probability or the effects of the risk.
What this means for the purpose of process modeling is that both risks and controls should be mapped to specific activities within the process map. It also means that a given control for an activity in the process map should be mapped to at least one risk attached to the same activity in the process map; a control that mitigates nothing is a sign that either the control or the risk it addresses has been left out of the model. Exactly how you record this will depend on the modeling tool used.
Now, there are a number of different ways that you can choose to classify risks – ranging from a simple ‘finger in the air’ high/medium/low approach to highly sophisticated evaluation methods. As always, it’s a question of balancing precision against ease of use and matching the right level to the needs of the organization and situation. One decent compromise approach is the Open FAIR methodology from the Open Group, where you rate risks on a number of factors from very low to very high and then combine the estimations for a final assessment.
So – what are the conclusions and recommendations that we can draw from the above analysis?
First of all, the process modeling tool that you use for this effort needs the ability to map activities, risks and controls to each other to take advantage of this approach. It’s quite possible that the tool will have this as an out-of-the-box configuration. Some tools allow you to define new entities and relations (the meta-model, in other words); some do not.
Next, what capability does the process modeling tool offer for recording the severity levels that you assign to risks? And what flexibility is there in the scale of risk severity? Some tools offer more flexibility in recording attributes than others do.
The final question to consider is what reporting the process mapping tool allows. Models, after all, are not decorative – we don’t create them for fun (in my own personal experience). Process maps and other models exist to provide insight into some complex situation. So what reporting is available on the information that we record? Can the tool flag risks that are not mapped to any controls? Can the tool report on risks by severity? Can the tool identify and list all processes that contain activities linked to risks with high severity?
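As an added example, not code from the original post or from any particular modeling tool, here is a minimal process-map model that answers the three reporting questions above and also checks the earlier rule that every control on an activity maps to a risk on that same activity. The invoice and payroll processes, the risk and control ids, and the five-point severity labels between "very low" and "very high" are constructed sample data.

```python
from dataclasses import dataclass, field

# Ordinal severity scale; intermediate labels are assumed, the post names only the endpoints
SEVERITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

@dataclass
class Risk:
    rid: str
    text: str
    severity: str                                # a key of SEVERITY
    controls: set = field(default_factory=set)   # ids of controls mapped to this risk

@dataclass
class Activity:
    name: str
    risks: list = field(default_factory=list)
    controls: set = field(default_factory=set)   # controls recorded on this activity

@dataclass
class Process:
    name: str
    activities: list

# Constructed sample process map (hypothetical processes, risks and controls)
INVOICES = Process("Invoice approval", [
    Activity("Receive invoice",
             risks=[Risk("R1", "Duplicate invoice accepted", "medium", {"C1"})],
             controls={"C1"}),
    Activity("Approve payment",
             risks=[Risk("R2", "Payment to unauthorised vendor", "very high"),
                    Risk("R3", "Approval above signing limit", "high", {"C2"})],
             controls={"C2", "C3"}),             # C3 is recorded but mapped to no risk
])
PAYROLL = Process("Payroll run", [
    Activity("Calculate pay", risks=[Risk("R4", "Wrong tax code applied", "low", {"C4"})],
             controls={"C4"}),
])

def unmitigated_risks(processes):
    """Risk ids with no control mapped to them: the gaps a reviewer should see first."""
    return [r.rid for p in processes for a in p.activities for r in a.risks if not r.controls]

def orphan_controls(processes):
    """Controls on an activity that are not mapped to any risk of that same activity."""
    out = []
    for p in processes:
        for a in p.activities:
            used = set().union(*(r.controls for r in a.risks))
            out.extend(sorted(a.controls - used))
    return out

def risks_by_severity(processes):
    """(risk id, severity label) pairs ordered from most to least severe."""
    rows = [(r.rid, r.severity) for p in processes for a in p.activities for r in a.risks]
    return sorted(rows, key=lambda row: -SEVERITY[row[1]])

def processes_with_severity_at_least(processes, floor="high"):
    """Names of processes containing an activity linked to a risk rated at or above floor."""
    return [p.name for p in processes
            if any(SEVERITY[r.severity] >= SEVERITY[floor] for a in p.activities for r in a.risks)]
```

The same four queries are what to ask of a commercial tool's reporting layer; if it cannot express them over its own meta-model, the risk annotations will not earn their keep.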
Want to get stuck in? We've got some great free Visio stencils to help you get started. And for a more comprehensive solution, why not start comparing more advanced process modeling tools to map your risk management?