Manage Enterprise Risk, Compliance, and Resiliency
DEFINITIONS AND KEY MEASURES
Version 2.0.0

The Framework for Process Improvement

Experience shows that benchmarking's potential to drive dramatic improvement lies squarely in making out-of-the-box comparisons and searching for insights not typically found within intra-industry paradigms. To enable this type of beneficial benchmarking, the APQC Process Classification Framework(SM) (PCF) serves as a high-level, industry-neutral enterprise model that allows organizations to see their activities from a cross-industry process viewpoint. The PCF enables organizations to understand their inner workings from a horizontal process perspective, rather than a vertical functional viewpoint. The PCF does not list all processes within a specific organization, and not every process listed in the framework is present in every organization.

Originally created in 1992 by APQC and a group of members, the framework has experienced more than twenty years of creative use by thousands of organizations worldwide. The PCF is supported by APQC's Open Standards Benchmarking research. It is continuously enhanced as APQC's Open Standards Benchmarking team further develops definitions, processes, and measures. Please visit APQC's web site periodically for updates. The PCF is available for organizations of all industries and sizes at no charge by visiting www.apqc.org/pcf.
[PCF overview diagram. Operating processes: 1.0 Develop Vision and Strategy; 2.0 Develop and Manage Products and Services; 3.0 Market and Sell Products and Services; 4.0 Deliver Products and Services; 5.0 Manage Customer Service. Management and support services: 6.0 Develop and Manage Human Capital; 7.0 Manage Information Technology; 8.0 Manage Financial Resources; 9.0 Acquire, Construct, and Manage Assets; 10.0 Manage Enterprise Risk, Compliance, and Resiliency; 11.0 Manage External Relationships; 12.0 Develop and Manage Business Capabilities.]

History

The Process Classification Framework was originally envisioned as a taxonomy of business processes. The initial design involved more than 80 organizations from the United States and worldwide. Since its inception, the PCF has been updated several times to reflect changes in the way organizations do business.

In response to feedback from users of the PCF, APQC regularly engages practitioners, consultants, and academics to develop definitions based on real-world experience with the processes. That collaborative effort resulted in this document: a listing of processes with definitions and selected key performance indicators from APQC's Open Standards Benchmarking repository. This particular document was developed with assistance from IBM. The definitions contained in this document are to be considered in conjunction with the PCF. The content in this document will be updated according to research performed by APQC and subsequent updates to the PCF. This document was created using PCF version 6.0.0.

Version 2.0.0 November 2012
10.0 Manage Enterprise Risk, Compliance, and Resiliency
Definitions and Key Measures

TABLE OF CONTENTS

10.1 Manage enterprise risk ... 3
    Key Performance Indicators ... 3
    10.1.1 Establish the enterprise risk framework and policies ... 3
    10.1.2 Oversee and coordinate enterprise risk management activities ... 3
    10.1.3 Coordinate business unit and functional risk management activities ... 3
    10.1.4 Manage business unit and function risk ... 4
    10.1.5 Manage regulatory compliance ... 4
10.2 Manage business resiliency ... 4
    Key Performance Indicators ... 4
    10.2.1 Develop and manage business resiliency ... 4
10.3 Manage environmental health and safety (EHS) ... 5
    Key Performance Indicators ... 5
    10.3.1 Determine environmental health and safety impacts ... 5
    10.3.2 Develop and execute functional EHS program ... 5
    10.3.3 Train and educate functional employees ... 5
    10.3.4 Monitor and manage functional EHS management program ... 5
    10.3.5 Ensure compliance with regulations ... 6
    10.3.6 Manage remediation efforts ... 6

RIGHTS AND PERMISSIONS

© 2012 APQC. ALL RIGHTS RESERVED. APQC encourages the wide distribution, discussion, and use of the PCF and PCF definition documents for classifying and defining processes. APQC grants permission for use and adaptation of the PCF for internal use. For external use, APQC grants permission for publication, distribution, and use, provided that proper copyright acknowledgment is made to APQC. No modifications to the look or content should be made in external venues.

About APQC

APQC is a member-based nonprofit and one of the world's leading proponents of knowledge management, benchmarking, and best practices business research. Working with more than 750 organizations worldwide in all industries, APQC provides organizations with the information they need to work smarter, faster, and with confidence. Visit www.apqc.org or call +1-713-681-4020 and learn how to Make Best Practices Your Practices(SM).

Please use the following text when reusing the PCF in external print or electronic content.
The PCF was developed by APQC and member companies as an open standard to facilitate improvement through process management and benchmarking regardless of industry, size, or geography. The PCF organizes operating and management processes into a number of enterprise-level categories, including categories, process groups, and over 1,000 processes and associated activities. The PCF and its associated measures and benchmarking surveys are available for download and completion at no charge at www.apqc.org.

Permission granted to photocopy for personal use. © 2012 APQC. ALL RIGHTS RESERVED.
10.1 Manage enterprise risk (16438)

This process group addresses enterprise risk management. Risk is the probability or threat of a negative occurrence caused by potential events. The strategic, operational, financial, and hazard risk categories are included in this group. Manage enterprise risk includes establishing an enterprise risk management framework and policies, overseeing enterprise risk management activities across the organization, and coordinating business unit/functional risk management processes. Based on the enterprise-level risk management frameworks and policies, business unit/functional risk management activities are executed and managed. This process group also covers the management of regulatory compliance to ensure the organization has the required procedures in place and follows regulatory requirements.

Key Performance Indicators:
- Risk components: risk events and actions; overall risk prediction ratio; total cost of risk events per year; enterprise risk management participation; risk exposure reduction; mitigated reductions cost savings
- Business interruption valuation
- Impact and likelihood assessments

10.1.1 Establish the enterprise risk framework and policies (16439)

Establish the enterprise risk framework and policies involves determining an organization's risk tolerance, as well as developing and maintaining enterprise risk policies and procedures. After defining frameworks and policies, appropriate risk management tools are identified and implemented, and then risk management knowledge is distributed across the organization. This process includes preparing reports and communicating risk management procedures and activities to the organization's executive management team and/or board.

10.1.2 Oversee and coordinate enterprise risk management activities (16445)

Oversee and coordinate enterprise risk management activities includes the identification and assessment of enterprise-level risks to determine which ones to mitigate at an enterprise level.
An organization can choose to avoid, reduce, share, or accept risks. After the appropriate action is determined, risk mitigation and management strategies are developed, integrated into existing performance management processes, and communicated to the organization. In addition to enterprise-level risk management activities, this process includes verifying that business unit/functional risk mitigation plans are developed and implemented, while ensuring required risks and their mitigation actions are monitored. Finally, this process includes reporting on activities that monitor and manage risks.

10.1.3 Coordinate business unit and functional risk management activities (16452)

Coordinate business unit and functional risk management activities ensures coherent, visible risk management procedures and activities throughout the organization. It includes ensuring that business units/functions follow common enterprise risk management and reporting processes, practices, and policies.

Version 2.0.0 December 2012
10.1.4 Manage business unit and function risk (16455)

Manage business unit and function risk consists of executing and managing business unit/functional risk activities. It includes the identification of business unit/functional-specific risks by assessing their probability and impact using enterprise risk framework policies and procedures. Based on the assessment, risk mitigation plans are developed, communicated to the organization, and implemented. Risks are continuously monitored, risk management activities are regularly analyzed, and plans are updated as needed. Risk activities are also regularly reported at the enterprise level.

10.1.5 Manage regulatory compliance (16463)

Manage regulatory compliance involves developing the regulatory compliance strategy, identifying applicable regulatory requirements for technology solutions and business controls, and monitoring the regulatory environment for changes. Current policies, procedures, and architectures are assessed and weaknesses/shortfalls are identified; missing compliance controls/policies are implemented and existing controls, policies, and architectures are strengthened as needed. Compliance positions and controls are monitored and tested on a regular basis, as defined by the regulatory compliance strategy, to identify controls that should be added, removed, or modified. An important part of regulatory compliance management is developing and maintaining relationships with regulators as appropriate. This process encompasses all aspects of regulatory compliance, such as financial reporting, health and safety regulations, environmental laws, export regulations, and product safety requirements. It therefore includes both industry-specific and cross-industry laws and regulations across all jurisdictions.
10.2 Manage business resiliency (11216)

Manage business resiliency includes the processes that enable firms to rapidly adapt and respond to internal or external disruptions or threats and continue operations without significant negative impact to the business.

Key Performance Indicators:
- Number of FTEs for Manage business resiliency and risk per $1 billion revenue
- Total cost of the process Manage business resiliency and risk per $1,000 revenue

10.2.1 Develop and manage business resiliency (11217)

Develop and manage business resiliency consists of developing the business resilience strategy, performing continuous business operations planning, testing continuous business operations, and maintaining continuous business operations. Development of the business resilience strategy includes tasks related to identifying and prioritizing overall risks to the business, determining how risks relate to critical business processes, and creating and maintaining a risk mitigation strategy. Performing continuous business operations planning includes developing tasks to evaluate the current continuity, availability, and recovery capabilities of the enterprise architecture; identifying gaps between current capabilities and the desired state; and designing and implementing a resilient enterprise architecture to enable continuous business operations. Testing of continuous business operations includes developing tasks to test critical business operations and identifying weaknesses in the operation model and tools. Maintaining continuous business operations consists of tasks to execute business resiliency projects, maintain the business resiliency plan, and execute the recovery plan. This process also covers sharing knowledge of specific risks across the organization.
10.3 Manage environmental health and safety (EHS) (11179)

Manage environmental health and safety concerns the management of environmental, health, and safety risks, including: environment, occupational health and safety, community health and safety, and construction/decommissioning. This process group includes determining the environmental, health, and safety impacts of an organization's products, services, and operations; developing and executing business unit/functional EHS programs; and training and educating employees. It also covers monitoring and managing business unit/functional EHS management programs, ensuring compliance with regulations, and managing remediation efforts.

Key Performance Indicators:
- Environmental citations
- OSHA recordable rate
- Lost time
- Number and type of incidents
- Percentage of employee/contractor training completed
- Timeliness of reporting
- Closure of corrective action items
- Number of observations
- Completed and open maintenance work orders

10.3.1 Determine environmental health and safety impacts (11180)

Determine environmental health and safety impacts involves evaluating the impacts of organizational products, services, and operations. The process covers all the categories of EHS: environment, occupational health and safety, community health and safety, and construction/decommissioning. It also includes conducting health, safety, and environmental audits to ensure required EHS measures are in place and sufficient.

10.3.2 Develop and execute functional EHS program (11181)

Develop and execute functional EHS program begins with identifying regulatory and stakeholder requirements, e.g., air emission regulations, building regulations, or communication and training requirements. Then risks and opportunities are assessed and EHS policies are created. Throughout this process, continuous recording and management of EHS events occurs.
10.3.3 Train and educate functional employees (11182)

Train and educate functional employees involves communicating EHS issues to internal stakeholders, providing required training, and offering support where needed.

10.3.4 Monitor and manage functional EHS management program (11183)

Monitor and manage functional EHS management program involves managing EHS costs and benefits, and it encompasses measuring and reporting functional EHS performance. This process also provides for the implementation of a functional emergency response program to ensure quick, effective responses to unexpected events. This process also includes the development of pollution prevention programs for the different types of waste produced by the organization and the creation of a system to provide EHS support to functional employees.
10.3.5 Ensure compliance with regulations (11184)

Ensure compliance with regulations includes monitoring the organization's compliance, performing compliance audits, and assuring that operations comply with regulatory stakeholders' requirements.

10.3.6 Manage remediation efforts (11185)

Manage remediation efforts concerns the management of remediation efforts. It begins with defining remediation goals and creating remediation plans with the assistance of subject matter experts. Resources are identified and dedicated to their respective areas of responsibility. Legal aspects and causes of the incident are investigated and analyzed. Existing policies are amended or new policies are created to prevent further incidents from occurring.

APQC
123 North Post Oak Lane, Third Floor
Houston, Texas 77024-7797
800-776-9676 phone
+1-713-681-4020
+1-713-681-8578 fax
pcf_feedback@apqc.org
www.apqc.org