Manage Enterprise Risk, Compliance, and Resiliency. Definitions and Key Measures, Version 2.0.0. The Framework for Process Improvement.


Manage Enterprise Risk, Compliance, and Resiliency
DEFINITIONS AND KEY MEASURES
Version 2.0.0

The Framework for Process Improvement

Experience shows that benchmarking's potential to drive dramatic improvement lies squarely in making out-of-the-box comparisons and searching for insights not typically found within intra-industry paradigms. To enable this type of beneficial benchmarking, the APQC Process Classification Framework (PCF) serves as a high-level, industry-neutral enterprise model that allows organizations to see their activities from a cross-industry process viewpoint. The PCF enables organizations to understand their inner workings from a horizontal process perspective, rather than a vertical functional viewpoint. The PCF does not list all processes within a specific organization, and not every process listed in the framework is present in every organization.

Originally created in 1992 by APQC and a group of members, the framework has experienced more than twenty years of creative use by thousands of organizations worldwide. The PCF is supported by APQC's Open Standards Benchmarking research. It is continuously enhanced as APQC's Open Standards Benchmarking team further develops definitions, processes, and measures. Please visit APQC's web site periodically for updates. The PCF is available for organizations of all industries and sizes at no charge by visiting www.apqc.org/pcf.
10.0 Manage Enterprise Risk, Compliance, and Resiliency

PCF overview (the framework diagram, reproduced here as a list):

Operating Processes
1.0 Develop Vision and Strategy
2.0 Develop and Manage Products and Services
3.0 Market and Sell Products and Services
4.0 Deliver Products and Services
5.0 Manage Customer Service

Management and Support Services
6.0 Develop and Manage Human Capital
7.0 Manage Information Technology
8.0 Manage Financial Resources
9.0 Acquire, Construct, and Manage Assets
10.0 Manage Enterprise Risk, Compliance, and Resiliency
11.0 Manage External Relationships
12.0 Develop and Manage Business Capabilities

History

The Process Classification Framework was originally envisioned as a taxonomy of business processes. The initial design involved more than 80 organizations from the United States and worldwide. Since its inception, the PCF has been updated several times to reflect changes in the way organizations do business.

In response to feedback from users of the PCF, APQC regularly engages practitioners, consultants, and academics to develop definitions based on real-world experience with the processes. That collaborative effort resulted in this document: a listing of processes with definitions and selected key performance indicators from APQC's Open Standards Benchmarking repository. This particular document was developed with assistance from IBM. The definitions contained in this document are to be considered in conjunction with the PCF. The content in this document will be updated according to research performed by APQC and subsequent updates to the PCF. This document was created using PCF version 6.0.0.

Version 2.0.0, November 2012

10.0 Manage Enterprise Risk, Compliance, and Resiliency: Definitions and Key Measures

TABLE OF CONTENTS
10.1 Manage enterprise risk ... 3
  Key Performance Indicators ... 3
  10.1.1 Establish the enterprise risk framework and policies ... 3
  10.1.2 Oversee and coordinate enterprise risk management activities ... 3
  10.1.3 Coordinate business unit and functional risk management activities ... 3
  10.1.4 Manage business unit and function risk ... 4
  10.1.5 Manage regulatory compliance ... 4
10.2 Manage business resiliency ... 4
  Key Performance Indicators ... 4
  10.2.1 Develop and manage business resiliency ... 4
10.3 Manage environmental health and safety (EHS) ... 5
  Key Performance Indicators ... 5
  10.3.1 Determine environmental health and safety impacts ... 5
  10.3.2 Develop and execute functional EHS program ... 5
  10.3.3 Train and educate functional employees ... 5
  10.3.4 Monitor and manage functional EHS management program ... 5
  10.3.5 Ensure compliance with regulations ... 6
  10.3.6 Manage remediation efforts ... 6

RIGHTS AND PERMISSIONS

2012 APQC. ALL RIGHTS RESERVED. APQC encourages the wide distribution, discussion, and use of the PCF and PCF definition documents for classifying and defining processes. APQC grants permission for use and adaptation of the PCF for internal use. For external use, APQC grants permission for publication, distribution, and use, provided that proper copyright acknowledgment is made to APQC. No modifications to the look or content should be made in external venues.

About APQC

APQC is a member-based nonprofit and one of the world's leading proponents of knowledge management, benchmarking, and best practices business research. Working with more than 750 organizations worldwide in all industries, APQC provides organizations with the information they need to work smarter, faster, and with confidence. Visit www.apqc.org or call +1-713-681-4020 and learn how to Make Best Practices Your Practices.

Please use the following text when reusing the PCF in external print or electronic content.
The PCF was developed by APQC and member companies as an open standard to facilitate improvement through process management and benchmarking regardless of industry, size, or geography. The PCF organizes operating and management processes into enterprise-level categories, process groups, and over 1,000 processes and associated activities. The PCF and its associated measures and benchmarking surveys are available for download and completion at no charge at www.apqc.org.

Permission granted to photocopy for personal use. 2012 APQC. ALL RIGHTS RESERVED.

10.1 Manage enterprise risk (16438)

This process group addresses enterprise risk management. Risk is the probability or threat of a negative occurrence caused by potential events. Strategic, operational, financial, and hazard risk categories are included in this group. Manage enterprise risk includes establishing an enterprise risk management framework and policies, overseeing enterprise risk management activities across the organization, and coordinating business unit/functional risk management processes. Based on the enterprise-level risk management frameworks and policies, business unit/functional risk management activities are executed and managed. This process group also covers the management of regulatory compliance to ensure the organization has the required procedures in place and follows regulatory requirements.

Key Performance Indicators:
- Risk components: risk events and actions
- Overall risk prediction ratio
- Total cost of risk events per year
- Enterprise risk management participation
- Risk exposure reduction
- Mitigated reductions
- Cost savings
- Business interruption valuation
- Impact and likelihood assessments

10.1.1 Establish the enterprise risk framework and policies (16439)

Establish the enterprise risk framework and policies involves determining an organization's risk tolerance, as well as developing and maintaining enterprise risk policies and procedures. After defining frameworks and policies, appropriate risk management tools are identified and implemented, and then risk management knowledge is distributed across the organization. This process includes preparing reports and communicating risk management procedures and activities to the organization's executive management team and/or board.

10.1.2 Oversee and coordinate enterprise risk management activities (16445)

Oversee and coordinate enterprise risk management activities includes the identification and assessment of enterprise-level risks to determine which ones to mitigate at an enterprise level.
An organization can choose to avoid, reduce, share, or accept risks. After the appropriate action is determined, risk mitigation and management strategies are developed, integrated into existing performance management processes, and communicated to the organization. In addition to enterprise-level risk management activities, this process includes verifying that business unit/functional risk mitigation plans are developed and implemented, while ensuring required risks and their mitigation actions are monitored. Finally, this process includes reporting on activities that monitor and manage risks.

10.1.3 Coordinate business unit and functional risk management activities (16452)

Coordinate business unit and functional risk management activities ensures coherent, visible risk management procedures and activities throughout the organization. It includes ensuring that business units/functions follow common enterprise risk management and reporting processes, practices, and policies.

Version 2.0.0, December 2012

(10.1 Manage enterprise risk, continued)

10.1.4 Manage business unit and function risk (16455)

Manage business unit and function risk consists of executing and managing business unit/functional risk activities. It includes the identification of business unit/functional-specific risks by assessing their probability and impact using enterprise risk framework policies and procedures. Based on the assessment, risk mitigation plans are developed, communicated to the organization, and implemented. Risks are continuously monitored, risk management activities are regularly analyzed, and plans are updated as needed. Risk activities are also regularly reported at the enterprise level.

10.1.5 Manage regulatory compliance (16463)

Manage regulatory compliance involves developing the regulatory compliance strategy, identifying applicable regulatory requirements for technology solutions and business controls, and monitoring the regulatory environment for changes. Current policies, procedures, and architectures are assessed and weaknesses/shortfalls are identified; missing compliance controls/policies are implemented and existing controls, policies, and architectures are strengthened as needed. Compliance positions and controls are monitored and tested on a regular basis, as defined by the regulatory compliance strategy, to identify controls that should be added, removed, or modified. An important part of regulatory compliance management is developing and maintaining relationships with regulators as appropriate. This process encompasses all aspects of regulatory compliance, such as financial reporting, health and safety regulations, environmental laws, export regulations, and product safety requirements. It therefore includes both industry-specific and cross-industry laws and regulations across all jurisdictions.
10.2 Manage business resiliency (11216)

Manage business resiliency includes the processes that enable firms to rapidly adapt and respond to internal or external disruptions or threats and continue operations without significant negative impact to the business.

Key Performance Indicators:
- Number of FTEs for the process "manage business resiliency and risk" per $1 billion revenue
- Total cost of the process "manage business resiliency and risk" per $1,000 revenue

10.2.1 Develop and manage business resiliency (11217)

Develop and manage business resiliency consists of developing the business resilience strategy, performing continuous business operations planning, testing continuous business operations, and maintaining continuous business operations. Development of the business resilience strategy includes tasks related to identifying and prioritizing overall risks to the business, determining how risks relate to critical business processes, and creating and maintaining a risk mitigation strategy. Performing continuous business operations planning includes developing tasks to evaluate the current continuity, availability, and recovery capabilities of the enterprise architecture; identifying gaps between current capabilities and the desired state; and designing and implementing a resilient enterprise architecture to enable continuous business operations. Testing of continuous business operations includes developing tasks to test critical business operations and identifying weaknesses in the operation model and tools. Maintaining continuous business operations consists of tasks to execute business resiliency projects, maintain the business resiliency plan, and execute the recovery plan. This process also covers sharing knowledge of specific risks across the organization.

10.3 Manage environmental health and safety (EHS) (11179)

Manage environmental health and safety concerns the management of environmental, health, and safety risks, including: environment, occupational health and safety, community health and safety, and construction/decommissioning. This process group includes determining the environmental, health, and safety impacts of an organization's products, services, and operations; developing and executing business unit/functional EHS programs; and training and educating employees. It also covers monitoring and managing business unit/functional EHS management programs, ensuring compliance with regulations, and managing remediation efforts.

Key Performance Indicators:
- Environmental citations
- OSHA recordable rate
- Lost time
- Number and type of incidents
- Percentage of employee/contractor training completed
- Timeliness of reporting
- Closure of corrective action items
- Number of observations
- Completed and open maintenance work orders

10.3.1 Determine environmental health and safety impacts (11180)

Determine environmental health and safety impacts involves evaluating the impacts of organizational products, services, and operations. The process covers all the categories of EHS: environment, occupational health and safety, community health and safety, and construction/decommissioning. It also includes conducting health, safety, and environmental audits to ensure required EHS measures are in place and sufficient.

10.3.2 Develop and execute functional EHS program (11181)

Develop and execute functional EHS program begins with identifying regulatory and stakeholder requirements, e.g., air emission regulations, building regulations, or communication and training requirements. Then risks and opportunities are assessed and EHS policies are created. Throughout this process, continuous recording and management of EHS events occurs.
10.3.3 Train and educate functional employees (11182)

Train and educate functional employees involves communicating EHS issues to internal stakeholders, providing required training, and offering support where needed.

10.3.4 Monitor and manage functional EHS management program (11183)

Monitor and manage functional EHS management program involves managing EHS costs and benefits, and it encompasses measuring and reporting functional EHS performance. This process also provides for the implementation of a functional emergency response program to ensure quick, effective responses to unexpected events. This process also includes the development of pollution prevention programs for the different types of waste produced by the organization and the creation of a system to provide EHS support to functional employees.

(10.3 Manage environmental health and safety, continued)

10.3.5 Ensure compliance with regulations (11184)

Ensure compliance with regulations includes monitoring the organization's compliance, performing compliance audits, and assuring that operations comply with regulatory stakeholders' requirements.

10.3.6 Manage remediation efforts (11185)

Manage remediation efforts concerns the management of remediation efforts. It begins with defining remediation goals and creating remediation plans with the assistance of subject matter experts. Resources are identified and dedicated to their respective areas of responsibility. Legal aspects and causes of the incident are investigated and analyzed. Existing policies are amended or new policies are created to prevent further incidents from occurring.

APQC
123 North Post Oak Lane, Third Floor
Houston, Texas 77024-7797
800-776-9676 phone
+1-713-681-4020
+1-713-681-8578 fax
pcf_feedback@apqc.org
www.apqc.org