A few years ago I was struck by a quote from Christina Graffner of the Swedish Medical Products Agency pinpointing the essence of a risk-based approach for assuring the quality of medicines. Risk management, she said, “is about doing things consciously”. Specifically, she had coined this sentence in a fairly narrow context of the then nascent “Quality by design” initiative of the ICH[i]. However, I have not found an application area of risk management for which this statement did not hold true. Risk management evaluates the uncertainties about achieving a goal and addresses them in a forward-looking way. In practice things tend to be even more complicated as organizations usually deal with multiple, sometimes competing goals like product quality, production efficiency and various internal and external compliance requirements at the same time. Process oriented risk management supports you in identifying, assessing, mitigating the different risks related to your business processes in a meaningful context and showing dependencies.
The need for a risk-based approach, rather than simple black-and-white rules usually increases dramatically with the complexity of a process or product and the number of possible interactions. The exact outcome and cost of molding polyethylene bottles is much more predictable than that of a multi-step biotechnological production. Similarly, assuring compliant customer communication during sales is easier when operated through an internet portal than for the complex interactions between pharmaceutical companies’ marketing and sales, doctors, payers and patients.
A thorough and demonstrable understanding about the underlying processes, their variability and how this may impact their outcome is the basis for conscious, differentiated decisions when simplistic black-and-white rules would strangle successful business operations. Another pillar of process-oriented risk management is the ability to define meaningful indicators for monitoring processes as they run and actually use the measurements for active process control.
While all this would already seem complex enough processes usually have to serve multiple goals: They shall produce the best possible quality in the eye of the customer, be cost efficient for the owner and comply with a society’s regulations. As a rule initiatives serving such different goals are segregated into individual projects and responsibilities. As if they were excluding each other as paths to business success. But when it comes to running the different excellence and compliance initiatives they just as regularly see themselves competing for the attention of the same limited number of people driving the operational processes. Confusion and frustration are pre-programmed with such an approach.
Keeping the operational processes in the focus is a simple yet effective approach to provide a common playing field between business and e.g. operational excellence and compliance. The integrated process map as used in business process management provides the tool set for modelling the actual processes and creating transparency about the different requirements and constraints. If set up appropriately, it even caters for the different levels of detail needed for initiatives as diverse as IT implementations, Lean kaizen, ISO certification or SOX compliance. In return for tying the different parties to a joint coordinate system you foster communication and reduce the risk of tunnel view.
So when risk management is about doing things consciously, BPM is about creating the transparency of processes, goals and performance as the required basis for conscious decisions.
If you are interested in this topic sign up for our upcoming webinar on process-oriented risk management. I will talk more about how to team-up BPM and risk management.