A point that a GRC expert shared with me last month continues to echo in my mind. The expert mentioned that each manager and employee possesses his or her own risk profile. If organizational tone and GRC processes are not strong enough, the risk health of a company relies much more heavily on dozens, hundreds or thousands of these individual risk profiles.
It’s a troubling thought, but it’s also a reality of business – and human nature.
Even with sufficient GRC processes in place, these individual risk profiles still go a long way toward determining the quality of a company’s GRC culture. There are just too many GRC- and ethics-related judgment calls – organizational gray matter – for processes and technology to completely address the human element.
That’s why technology-skeptical ears perked up when another GRC expert mentioned the phrase “human process management” (HPM) this month. HPM focuses on bringing visibility and structure to the “unstructured, ad-hoc human-to-human interactions,” according to Jacob Ukelson, the chief technology officer of ActionBase.
I asked Ukelson to flesh out HPM and explain how it helps organizations address their gray (risk) matters.
Eric Krell: What is "human process management?"
ActionBase CTO Jacob Ukelson: Today, most processes in an organization of any size are tacit interactions (human-to-human processes) which are executed using standard office technology (documents and e-mail) leading to missed opportunities, operational issues and e-mail overload. Eighty percent of daily work consists of these human processes or tacit interactions that are carried out using e-mail correspondence, meetings and plain documents, with only 20 percent being standardized. Human process management (HPM) collates the benefits of process management with the flexibility of collaboration all within Office documents (Word and Excel), as well as within Outlook. It caters primarily to audit and compliance, and is intriguing to mid- to large organizations where regulations and procedures are essential. It greatly assists in large multinational global projects, especially where several entities are involved. The processes managed are disruptive to manual operations where inefficient exchanges of e-mail messages and Word documents were the only means to collaborate on critical and regulated issues, and as a consequence, audit and audit trails were close to impossible. Other methods are proved to be inefficient or unfriendly to users, thus resulting in users deploying inadequate solutions. By using human process management, companies have a system of record of the current status of any process. It collects and aggregates all of the data needed so that its human processes can be analyzed and improved.
Most human processes are executed using standard office technology (e.g., e-mail, documents), but are not managed by the technology. Rather, users rely on standard management techniques -- e.g., process descriptions, benchmarks, measurements, follow-up, and reminders -- with no, or minimal, system support. Key requirements in managing human processes are to provide a best practice for the process that is flexible and can be easily modified by the people executing the process, the ability to know the status of the process at any time and the ability to retrieve historical information about process execution and outcomes.
Krell: How is it different from business process management?
Ukelson: HPM systems are complementary to BPM (Business Process Management), CRM (Customer Relationship Management), SFA (Sales Force Automation) and other out-of-the-box or bespoke process management tools. The primary difference is that HPM focuses on unstructured, ad-hoc human-to-human interactions, while the other tools focus on structured process -- many times human-to-system based processes.
HPM systems also are very useful as extensions to existing business process management tools. Structured process tools have either an explicit model of the process to be managed or an implicit model. For example, a BPMN (Business Process Markup Notation) can be used to create an explicit model of a process for BPM systems, and out-of-the-box CRM systems have an implicit model of how customer relations are managed. In any case, whether explicit or implicit, process models cannot take into account unforeseen circumstances or every possible process execution path, so exceptions have to be handled by hand. For example, one Microsoft survey looked at B2B Electronic Data Interchange (EDI) purchase order transactions at a small business and found that there was one standard process with 65 different variations depending on the nature of the order.
A standard way of handling these exceptions is via e-mail, which kicks off a human process or tacit interaction "secondary" to the main process. The e-mail is either generated directly from the structured process management system or by the user. In either case, this secondary process then runs its course, with the final step being someone (hopefully) updating the original system with the results. These secondary processes are unmanaged, unmonitored and completely disconnected from the original process and system. An HPM system enables these secondary human processes to be managed, monitored and incorporated as part of the primary process. An added benefit is that these secondary processes can also be tracked and investigated, and if there are instances that recur frequently, they can be incorporated back into the primary process management system.
Krell: Why is it important from an enterprise risk management perspective?
Ukelson: Human process management lowers risk and minimizes losses through better process visibility and control. Risk managers need to create a coherence of processes and reporting for risk management across the organization. This requires putting controls in place to manage unstructured processes. Given the lack of tools available for managing unstructured processes, users realize the benefit of increased attention to the area of risk management (the Hawthorne Effect), and from the visibility across silos. Using Human Process Management provides robust tooling to support this challenge at a low cost. The problem is turned from a reporting exercise to a real-time operational excellence exercise. Leveraging a human process management system enables risk executives to quickly create an enterprise risk management plan with an ad-hoc procedure for handling the process on top of existing e-mail and documents, automatically achieving management, "auditability" and tracking of the process with no extra cost.
Krell: Are there any types of processes (or process characteristics) that are particularly ripe for errors, fraud or other risks?
Ukelson: Yes. For example, let's say a new critical regulation is announced such as the new "breach notification" of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulation requires HIPAA-covered entities to promptly notify affected individuals of a breach, as well as the HHS secretary and the media in cases where a breach affects more than 500 individuals. Since this is a new regulation without any tool support, the only way for the risk executive to handle compliance would be to assign someone as the breach process owner. The process owner would normally send out instructions on how to handle a breach. Alternatively, the first step can be when a breach is discovered, an e-mail is sent to the breach process owner. At that point, he or she will need to organize a response to the breach, making sure to meet the regulatory requirements and any relevant internal processes. This ensures affected individuals are notified and, if needed, the HHS secretary is notified. The breach process owner may also launch an internal investigation of the breach (investigations are another type of unstructured process, since they are human processes and, once started, they take on a life of their own based on the information collected). All this will most likely be done via documents and e-mail, making it impossible to manage, track and audit compliance with the regulations -- except by after-the-fact, manual reporting.
Krell: In what parts of their companies are clients applying your "HPM" tool?
Ukelson: ActionBase works with global IT leaders including BG Group, Orange, Texas Instruments and Amdocs, and specializes in complex industries such as financial services, process manufacturing, oil and gas, utility and telecom. The HPM system is implemented in enterprise departments that need to gain the visibility and control over a highly distributed workforce, stringent and dynamic HSE regulations, requirements for quality compliance and an on-going need for operational excellence. User cases include but are not limited to the following:
- Compliance and audit managers can track the entire audit process.
- Board of directors and executive management can track corporate decisions and work plans.
- Operational managers and procurement departments can control and govern contracts and deadlines.
- Health Safety & Environmental officers can track compliance and incident management.
- Fraud and complaint investigators can manage and track investigations to completion.