Tip Doctor, Insider Learning Network.
The following tip has been taken from Jamie Croudace at Turnkey Consulting’s presentation “Tips and Tricks for a successful Process Control Implementation” which took place during the GRC 2011 conference in Las Vegas, March 8-11.
4 tips for a successful implementation of Process Control
1. Don’t Try and Conquer the World All at Once
- Many companies fail as they try to “do it all” and wind up not doing any part right
- Business buy-in is hard to get — business does not see the value; won’t take time to help
- Internal compliance specialists don’t have time to find the value adds — can only concentrate on the mandated compliance requirements
- Internal compliance specialists viewed as auditors here to hinder, not to help
2. Start with One or Two Processes
- Pick a process that is:
  - Very key to the business (maybe very risky or inefficient?)
  - Known to have a great deal of business input — stakeholder with the right attitude towards controls
  - Good IT integration with the business; good communication already established
- Will enable management buy-in as you will have a successful process to demonstrate added value and proven results
- This method supports rapid prototyping or a modular, project-based approach on a process-by-process basis
3. Know Your Direction
- Many companies fail as they get lost in the detail
- The more controls the better, right?
- If you start with no idea of what you are trying to accomplish, you won’t be able to establish any innovative ideas
- Historic processes remain unchanged and unchallenged
- Know your risks before you start
- Understand from a high level what your key areas of concern within the process are:
  - What are the compliance risks?
  - What are you complying with (specifically)?
  - What are the minimum requirements?
  - What are your operational risks?
  - Is the process inefficient?
  - Do clients complain? Do you get poor client feedback?
  - Are you losing money on late payments?
  - Are your employees raising issues with the process internally?
  - Do you have other legal risks associated with the process? (e.g., payroll process and data privacy, health and safety)
  - Are there other risks specific to your business?
- You may not know all the risks in the beginning
- You can do research before starting (e.g., client and internal questionnaires, looking into statistics on process-related data, etc.)
- You can always add more risks as you go!
- Prioritize the risks in order of importance to the organization
4. Take Stock of What You Have
- Next step is to walk through the current processes
- Gain an understanding of:
  - Current controls in place and nature of the controls (preventive, detective, manual, or automated)
  - Effort vs. effectiveness of those controls
  - Control operator understanding of the controls and concerns with the process (may find more risks)
  - Control owner understanding of the controls and concerns with the process (may find more risks)
- How centralized and standardized are the processes within the business unit? What about globally?