Welcome to the Regulatory Compliance DSIG Wiki
RFP: Management of Regulation and Compliance
September 22, 2009: the OMG has issued a new RFP, “Management of Regulation and Compliance” (MRC), developed by the Regulatory Compliance DSIG and sponsored by the Business Modeling and Integration (BMI) Task Force.
For details see MRC page
Joint development with the OMG BMI Task Force
[Henk de Man - Jan 14]
Just a few draft bullets to start:
Enterprise risk relates to Enterprise Governance. Enterprise Governance is about steering an enterprise into good direction. Enterprise Governance is about business drivers (and issues), objectives (and/or goals), rules (or directives), transformation initiatives (or courses of action) and changes, etc. etc. Typically BMM context, but elaborated further.
From a performance perspective it is common to talk about “business drivers”, “Objectives” and “rules/directives”, and there counterparts from conformance (or compliance) perspective: Regulations, control objectives and (internal) controls.
Enterprise Governance is “driven” from multiple sides: At strategic level, assessment of external business drivers leads to formulating goals or strategic/tactical objectives, and to meet these, tranformation initiatives are suggested, and balanced in a portfolio of initiatives. Etc. At operational level, where issues show up, continuous improvement activities are conducted. And from here, transformation initiatives can be suggested/requested as well, and added to the portfolio. When initiatives are selected for execution, analysis has to take place (as is, to be, etc.). What has recently been suggested as “SOA value chain”, “Robust Value chain” or “Value Delivery Model” will be an excellent first-order analysis model in this context. Analysis will lead to suggested/proposed changes (possibly accompanied by “operational” rules/directives), which are to be implemented in the operations. At operational level, monotoring will take place, which might lead to detecting new issues, etc. (…. and here the cycle starts again …).
Risk relates to both performance and conformance aspects. E.g. undertaking initiatives (or “courses of action”) to meet performance objectives (or maybe deciding to not undertake them) might lead to risk. Undertaking initiatives to meet “control” objectives might decrease risk. Deciding to not undertake them might lead to risk. Sometimes people might intentionally take risk.
- As performance aspects (cost, time, quality, availability) can be analyzed based on value delivery model, probably elements of “conformance” and “risk” can be analysed based on such a model as well.
Risk has to be definable and measurable (like also performance is). Risk indicators might have some analogy with performance indicators (KPIs). (… not sure …)
Risk is mitigated by implementation of controls (“internal controls”). Controls can be implemented in many ways, including web-services (maybe implemented as processes), business rules, etc.) There should be relationships all the way down: driver/regulation ⇒ objective ⇒ rule/directive and implented controls.
Monitoring is required to detect non-conformance events, or any issue (that relates to risk), which might be analyzed on root-cause, etc. Monitoring can be done at multiple levels: real-time events (possibly complex events), as well as “KPI”-like measures.
From the above it is clear that “conformance” and “risk” are “red threads” throughout the entire Enterprise Governance framework. This also relates to many elements of business modeling. From BMM+ down to Process, webservices, etc.
[Jeremiah Albrant - 29 Jan]
(Draft) is expected to be published this year, it covers risk management, we should be aligned with it and not duplicating work.
Powerpoint presentation from Fred Cummins [posted by John Hall 13 February 2009]
Measurement of the probable impact on an enterprise of changes in circumstances.
Includes threats and opportunities
Expressed in terms of probability X potential loss
Addresses specific risks as well as composite risk
Exposes risks of coincident circumstances
Define a framework for computation and reporting of risk for
Define a standard for the aggregation of risk to create an enterprise risk profile
Probability of occurrence X cost of consequences
Loss or missed opportunity
Cost of consequences
Propagation of effect
Feedback, synergy (co-occurrence)
Time to recover
Risks may be modeled and computed in different ways in different contexts
The results of specific risk assessments should be incorporated in an enterprise risk measure or profile
Composite risk should reflect
Mitigation of risk
Risk metrics should reflect mitigation
Risk is mitigated or amplified as a result of feedback or common underlying causes
Business growth or decline
Feedback mechanisms that impact stability
Market reactions to enterprise effects
Identification of risks
Analysis of assumptions
Acceptable limits on variables
Variance of outcomes
Taxonomy of risk factors to consider
Probabilities of occurrence of external factors
Model to capture risk factors, their impact and dependencies
Technique for analysis of enterprise stability and agility
Henk de Man's response (12 Feb 2009)
I think we can proceed with your input as a core piece.
I have some questions/suggestions here. Can you (and the others) give your opinion on them.
Do we need to focus on mitigation as well? But then we also need to relate risks to “controls” and model “controls”. Possibly also to business events. Or generally: next to risk we also might need to model “issues” ? Because “risks” manifest themselves as “issues”. When issues are observed you need “course of action” to correct and prevent them. This is part of governance. From objectives, some of which maybe be there to mitigate (or even take) certain risks, you also need courses of action to meet the objectives. Etc. Here we are again in the enterprise governance arena.
[FAC] I would limit our (current) consideration of mitigation to the effects on the risk assessment. So when a high risk is identified and mitigated, the assessment should reflect the reduced risk as a result of the mitigation. Tnat does not mean you need to model the mitigation, per se, but only the impact it has on the associated risk. Generally, all risks will be mitigated to some extent in the normal course of business–the mitigation you raise is more likely the things you do to reduce risks when you decide they are not tolerable.
So, how can we envisage risk analysis/management/mitigation in such a way, that we don't get a “risk xyz silo”, but where generic things are taken generically, in the broader and potential business modeling/enterprise governance framework.
[FAC] The model needs to capture the relationships between risks including risks that occur as a result of the same event, and risks that are dependent in some way so that the either compound each other or mitigate each other. For example, if the production line goes down due to a problem, another problem will not make it worse except that it may take additional time and resource to resolve it. Or the power goes down, so all production lines stop (single precipitating event).
[HdM 13 February] One more general comment: there seem to be three overlapping circles: “Enterprise risk xyz”, “Enterprise Governance” and “(Corporate) Compliance”. We might need to come up with a conceptual model that focuses on the intersection of all three.
[John Hall 13 February 2009]
Risk in a nutshell
Risks can be characterized with two kinds of measure:
“How likely?”, measured by the probabilities that a particular kind of undesirable situation will occur.
“How much?”, estimates of the impact of the undesirable situation on your business, in as many dimensions as are relevant – direct financial costs, disruption, legal penalties etc. Some may be unfavorable in some dimensions but favorable in others.
Risk modeling is about:
Identifying the kinds of undesirable situation that could affect your business (to the etent that you need to protect against them) and the probabilities that they will occur
Estimating their impact on your business
Creating categorization schemes so that types of undesirable situation can be grouped and analyzed, compared, reviewed, etc.
Identifying relationships between identified types of undesirable situation, e.g. “If one of these occurred, which others would be affected?” – for example, have increased or reduced probabilities
Monitoring the actual occurrences of the undesirable situations (inside your business and - if possible - in wider contexts) and refining the measures
Risk management is about:
Adopting courses of action in your business that will:
Defining quantified goals for the courses of action
Developing and adopting policies for resolving conflicts between courses of action
Monitoring and measuring what actually happens and:
If the courses of action and policies are effective and goals are being reached, assessing whether they can be made more effective
If the courses of action or policies are not as effective as expected or goals are not being reached, assessing why, and deciding how they can be improved
The Business Motivation Model (BMM) provides a good framework for this.