How to effectively implement Business Process Overview?

It's not that difficult.

Start with understanding the current state – document and evaluate current business processes. Remember to include the criticality and granularity of those processes!

Then move to the proactive part – based on the documentation and evaluation, identify gaps and changes to mitigate those gaps.

Once you know what to do, seek approval to implement proposed changes.

Like every good manager, then move on to scheduling and implementing the changes.

And finally, evaluate the results of the changes and gather feedback!

Which basically means:

  1. Document and evaluate current business processes.
  2. Identify gaps and changes to mitigate those gaps.
  3. Seek approval for implementing changes.
  4. Schedule and implement changes.
  5. Evaluate results and gather feedback.

The following functions contribute to organizational resiliency. Remember to include them in your analysis and when implementing changes!

  1. Business Continuity.
  2. Audit(s).
  3. Information Security.
  4. Controls.
  5. Ongoing and Planned Projects.
  6. Change Management.
Fundamental Governance and Risk Management Questions

First, governance. I try to get my head around:

  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting them done well?
  4. Do we see expected benefits?

Secondly, I try to see where the organization stands in terms of culture:

  1. Is it a Vulnerable kind of organization?
  2. Is it a Reactive kind of organization?
  3. Is it a Compliant kind of organization?
  4. Is it a Proactive kind of organization?
  5. Is it a Resilient kind of organization?

Then, going slightly deeper:

  1. Should we analyse Access Risks?
  2. Should we analyse Availability Risks?
  3. Should we analyse Cyber and Information Risks?
  4. Should we analyse Emerging Technology Risks?
  5. Should we analyse Infrastructure Risks?
  6. Should we analyse Integrity Risks?
  7. Should we analyse Third-Party Risks?

And then the hard questions:

  1. Have we identified any risks in those categories?
  2. Have we already analysed, evaluated and assessed those risks?
  3. Do we have response strategies?
  4. How do we control and report those risks?

Only then does the real fun start!