BPM Risk management
Various IT tools, from spreadsheets to IT systems dedicated to risk management, are increasingly used to analyze and report risk effectively.
Blue Energy, using its 10 years of experience in the implementation of projects in the field of broadly understood risk management, has prepared a BPM system module enabling the automation of the risk management process in various areas of activity.
The BPM Risk Management module enables the organization to support the implementation of the risk management methodology developed in accordance with various standards available on the market, including ISO 31000, ISO 9001, ISO 14001, ISO 45001, COSO II, RODO / GDPR and others.
The module is a unique solution that differs from other IT tools available on the market in its high flexibility of adaptation to the specificity of the organization and its wide configuration range, including a variety of risk assessment criteria depending on the configuration area. In addition, the tool allows you to conduct risk reviews for different configuration areas independently and at the same time.
In order to ensure the comparability of the results of risk assessment in various management areas in the organization, the system is based on the configuration of the risk cube or the conversion formula in determining the risk level.
Thanks to the automation of the process, each authorized user can start the risk reporting process in the system. Each reported risk in the organization’s operations is submitted for approval to the risk owner designated for a given thematic scope (process, asset or organizational unit). The owner decides each time on the legitimacy of the reported risk, and also performs periodic, comprehensive reviews of the risk register for a given subject area to confirm whether the risk is still present at a given level or needs to be changed.
The risk management module has a wide range of development possibilities, e.g. risks identified in the module can be analyzed during internal audits or when using the Objectives and indicators module. For an asset registered in the Infrastructure module, the associated risks can be identified in the risk management module. In addition, if an event is registered in the BPM Incydenty module, it is possible to analyze the risks associated with the identified events.
The module also integrates:
- with the Business Continuity module: for critical resources for which information classification is not conducted, it is possible to conduct a risk analysis in the Operational Risk Management module;
- with the document library module, making it possible to indicate risk control mechanisms in the form of internal regulations.
For the risks identified in the module for which the necessity to implement a risk treatment plan has been established, the system enables the design of this plan, assigning specific actions in the plan to specific users with an indication of the date by which each action should be performed. In addition, for each action in the risk management plan, it is possible to specify whether the person supervising the implementation of the plan is to receive periodic reports on the progress of the action, as well as the frequency of this reporting. After approval of the risk treatment plan in the system, activities related to its implementation are assigned to the appropriate people. The system notifies users by e-mail of the tasks assigned to them, each time informing them about a task that needs to be completed. Reports on the progress in the implementation of activities are also assigned as tasks and, after their completion, sent by e-mail to the persons supervising activities as part of the risk management plan. The described mechanism ensures that users do not have to log into the system to check whether any tasks have been assigned to them, because each time they receive e-mail information about these events and can go to the appropriate task in the system directly from the e-mail message.
Thanks to innovative solutions, the system enables ongoing monitoring of the progress in the implementation of risk minimization plans and the generation of reports, among others in xlsx format, both from the register of all reported risks and from risk treatment plans. Thanks to the reporting module, it is possible to generate reports predefined in the system, e.g. Hierarchy of risks or Risk Ranking.
An additional functionality supporting the Risk Management module is the dashboard module, which presents charts and statements predefined for the risk management module. Each user can independently configure which dashboards are to be displayed in his management panel.
An interesting functionality made available in the module is the possibility of reporting risks causing threats to the conducted activity, but also risks causing opportunities and conducting their assessment based on criteria in the context of a threat or opportunity, respectively. The possibility of assessing risks in the context of opportunities is a decision of the organization and can be included in the system configuration.
BPM Risk Management module is a solution operating in a web browser and communicating with users through tasks assigned in the system, as well as e-mail messages addressed to system users. Moreover, the system enables:
- Configuring risk assessment criteria in the context of threats and opportunities;
- Configuring risk management areas, indicating which criteria are to be used in which areas;
- Reporting of identified risks in the indicated areas by users who have been granted authorization;
- Risk owners making decisions about the reported risk;
- Defining and supervising the implementation of risk treatment plans in the system, including reporting on the progress of the implementation of activities under the risk treatment plans;
- Conducting comprehensive reviews of the relevance of identified risks and creating risk registers for them as part of the review;
- Optional reviews of the validity of the ratings assigned to individual risks, with a frequency depending on the designated risk level;
- Generating reports on risks registered in the system and risk treatment plans in the form of xlsx files;
- Generating predefined reports available in the system, e.g. Risk hierarchy, Risk ranking;
- Availability of predefined risk-related dashboards;
- Possibility to design reports / dashboards in line with the needs / expectations of the client;
- High flexibility of the system in designing new functionalities for the individual needs of the Ordering Party.
Risk management of the organization’s activity is a topic discussed among small, medium and large enterprises, as well as in public administration units.
The operational risk management module is intended for all those organizations that want to collect information on events that may cause risk to their business from various organizational units.
If your organization carries out the identification and risk assessment for the conducted activity / implemented tasks or processes, the BPM Risk Management Module is the solution for you.
Operational risk management is often supported by commonly available IT tools, such as, for example, spreadsheets. This solution works well for small organizations, simple risk assessment methodologies, low frequency of analyzes, a small group of people involved and low risk volatility.
In other cases, this solution will not be sufficiently effective, because comparing the data collected in this way against previous results is time-consuming each time and has a high probability of errors.
An excellent alternative to this approach is the BPM Risk Management module, in which the necessary actions are automated and the data subject to changes are reported by the system, which reduces the number of possible errors in the results of the analysis of the collected data to almost 0.
The experience of many organizations shows that in the case of a large number of risks identified in organizational units and a high frequency of risk analyses, risk assessors want to simplify processes and find the so-called “Simplified path”. This is not always consistent with the organization’s goals, but in the absence of automated processes such situations are much more likely.
What to do to protect the organization from such problems?
Whenever possible, a mechanism should be used that automates the process and prevents changes from being made without a justification for them being entered. The most effective solution in this respect is the introduction of a workflow that includes a mechanism verifying the correctness of the entered data, as well as substantive verification of reported or changed risks.
Blue Energy meets these needs by providing an IT tool that ensures not only the automation of the risk assessment process, but also substantive verification of reported risks by authorized users.
A large enterprise in the energy industry involved all cell managers in the process of risk identification and review, conducted the risk analysis in a spreadsheet and prepared one summary report from all collected sheets. The implementation of BPM with the Risk Management module resulted in a reduction of the time related to the preparation of the risk review report by 90% and eliminated errors related to the incorrect determination of the risk level and methods of responding to risk.
A public administration entity conducting risk identification in 3 different areas using different risk assessment criteria decided to solve the problem of being unable to analyze the results of risk identification on the scale of the entire organization. The implementation included the introduction of the Risk Management module with the dashboards functionality, which reduced the time necessary to compile the results of risk identification in all areas, on the scale of the entire organization, to 0.
A medium-sized entity engaged in production activities in many locations, keeping its risk register in records stored on a network share, was looking for a solution that would limit the freedom to report emerging risks. The implementation of the Risk Management module resulted in cataloging the reported risks and reducing the time associated with reporting to the Management Board of the organization on risks and their level in various areas and locations of activity, along with the development of their hierarchy.