
Page 1: dissertacao - Daniel Birchal - ENGLISH ENTREGA FINAL

IETEC COLLEGE

Daniel Massiére Birchal

MODEL OF GOVERNANCE, RISK AND COMPLIANCE USING

BUSINESS PROCESS MODELING

Belo Horizonte

2018

Daniel Massiére Birchal

MODEL OF GOVERNANCE, RISK AND COMPLIANCE USING BUSINESS PROCESS MODELING

Dissertation presented to the Ietec Master's Program as a partial requirement to obtain a Master's degree in Engineering and Management of Processes and Systems.

Area of concentration: Engineering and Management of Processes and Systems
Research line: Process, Systems and Project Management
Supervisor: Prof. Dr. Fernando Hadad Zaidan
Co-supervisor: Prof. Dr. José Luís Braga

Belo Horizonte
Ietec College
2018

Birchal, Daniel Massiére.
B617m  Model of governance, risk and compliance using business process modeling / Daniel Massiére Birchal. - Belo Horizonte, 2018.
       56 leaves, bound.
       Advisor: Fernando Hadad Zaidan. Co-advisor: José Luís Braga.
       Thesis (master's) - Faculdade Ietec.
       Bibliography: leaves 55-56.
       1. Business Process Model. 2. GRC. 3. Integrated GRC. 4. BPMN. I. Zaidan, Fernando Hadad. II. Faculdade Ietec. Master's Degree in Engineering and Management of Processes and Systems. III. Title.

CDU: 658.015

Daniel Massiére Birchal
Engineering and Management of Processes and Systems

MODEL OF GOVERNANCE, RISK AND COMPLIANCE USING

MODELING OF BUSINESS PROCESSES

Dissertation presented to the Ietec Master's Program as a partial requirement to obtain a Master's degree in Engineering and Management of Processes and Systems.

Area of concentration: Engineering and Management of Processes and Systems
Research line: Process, Systems and Project Management
Supervisor: Prof. Dr. Fernando Hadad Zaidan
Co-supervisor: Prof. Dr. José Luís Braga
Ietec College

Approved by the examining board constituted by the professors:

Belo Horizonte, December 7th 2018.

Postgraduate Program in Engineering and Management of Processes and Systems

Ietec College

Dedication

I would like to dedicate this work to my wife, Adriana, my little daughter, Alice, and to my parents, Renato and Anny. I would like to thank you for your dedication, understanding, support and encouragement.

ACKNOWLEDGEMENTS

Having finished this particularly important stage of my life, I have no words to express my thankfulness to all of those who have supported me on this long journey. They have substantially contributed to the conclusion of this work.

I would like to thank Prof. Dr. Fernando Hadad Zaidan for his supervision, teachings, dedication and friendship, and for having identified my potential and invited me to engage in this outstanding master's program.

Prof. Dr. José Luís Braga also helped me immensely with his teachings, supervision, support, dedication, professionalism and objectivity.

Mr. Ronaldo Gusmão and the IETEC College deserve a special mention for their support of Brazilian technological development, granting scholarships such as the one that made this research feasible.

I would like to thank Prof. Dr. Wanyr Romero Ferreira, coordinator of the master's program, for her extraordinary lectures, support and encouragement.

Sirlene Maria, librarian at the IETEC College, gave immense support in reviewing and editing this work. Thank you very much.

I would like to thank my cousin Sérgio Birchal for his support.

Last but not least, I am grateful to all members of IETEC's team, faculty and staff. I am grateful to my classmates in the master's program for their friendship and for the relevant discussions in and outside the classroom.

Epigraph

“The task is not so much to see what nobody saw, but to think what nobody else has yet thought about what everybody sees.”

Arthur Schopenhauer

ABSTRACT

Following the Enron scandal and the global financial crisis of 2008, demands for transparency and new regulations, such as the Sarbanes-Oxley Act (SOX), the Basel accords and anti-money-laundering laws, have made Governance, Risk and Compliance (GRC) a priority on organizations' agendas. In this context, the objective of this dissertation is to present an integrated GRC model, using business process modeling, that eases the planning of GRC implementation in organizations through the visualization of their processes and interactions. The research method used was Design Science Research (DSR), which aims at creating knowledge through the design of artifacts; in this work the integrated GRC model materialized as a business process model. A bibliographic review was carried out to obtain models that used GRC, which served as the foundation of this work and as the basis for creating business process models for GRC and for integrated GRC. The notation used for modeling was the Object Management Group's (OMG) Business Process Model and Notation (BPMN). The models were developed separately for each of the GRC domains and were validated by comparing them with the models proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO), as suggested by DSR. Next, the models were integrated and a new validation was performed, comparing the resulting integrated model with an integrated GRC maturity model adapted for this purpose. The integrated GRC business process model obtained in this work allows the GRC process to be viewed as a whole, thus contributing to a better understanding of the processes that make up integrated GRC and of the interdependencies inherent in a process as multidisciplinary and complex as integrated GRC.

Keywords: GRC, Integrated GRC, Business Process Model, BPMN.

LIST OF FIGURES

Figure 1 - Adapted Risk management process ......................................................... 16

Figure 2 - COSO contextual business model ............................................................ 17

Figure 3 - Integrated internal control framework COSO ............................................ 18

Figure 4 - Integrated GRC model .............................................................................. 20

Figure 5 - Wieringa regulatory cycle .......................................................................... 25

Figure 6 - Process Flow (DSR method) ..................................................................... 26

Figure 7 - An adapted governance model ................................................................. 28

Figure 8 - Governance Process ................................................................................ 30

Figure 9 - Governance policy definition process ....................................................... 31

Figure 10 - Performance evaluation process ............................................................ 32

Figure 11 - Policy management process ................................................................... 32

Figure 12 - The adapted Risk model ......................................................................... 33

Figure 13 - Risk domain processes ........................................................................... 35

Figure 14 - Risk Management Process ..................................................................... 36

Figure 15 - Risk identification process ...................................................................... 37

Figure 16 - An adapted model of compliance ............................................................ 38

Figure 17 - Process of Compliance ........................................................................... 40

Figure 18 - Manage audits process ........................................................................... 40

Figure 19 - Subprocesses inspect processes and inspect internal controls .............. 41

Figure 20 - Subprocess re-assess risks .................................................................... 41

Figure 21 - Integrated GRC process model............................................................... 42

LIST OF TABLES

Table 1 - GRC maturity model for hospitals ... 21

Table 2 - Relationship between the stages of the regulatory cycle and research activities ... 26

Table 3 - Processes and sub-processes identified in the area of governance ... 28

Table 4 - Process versus phase in which the process occurs ... 29

Table 5 - Processes and subprocesses identified in the Risk management domain ... 34

Table 6 - Correspondence between main processes identified in the model of Vicente & Silva (2011) and ISO 31000 ABNT ... 34

Table 7 - Correspondence between sub-processes of the risk management process identified in the model of Vicente & Silva (2011) and ISO 31000 ABNT ... 36

Table 8 - Identified processes and subprocesses of Compliance ... 38

Table 9 - Correspondence between compliance processes identified in the Vicente & Silva (2011) model and the Integrated Internal Control Framework COSO ... 39

Table 10 - Prerequisite assessment of the Compliance model processes ... 39

Table 11 - Evaluation of GRC maturity model for hospitals ... 45

Table 12 - Correspondence between the scope of the dimensions of the GRC maturity model for hospitals and the activities of the proposed model ... 50

LIST OF ABBREVIATIONS AND ACRONYMS

ABNT Associação Brasileira de Normas Técnicas

ABPMP Association of Business Process Management Professionals

BPMI Business Process Management Initiative

BPMN Business Process Model and Notation

BPD Business Process Diagram

CCO Chief Compliance Officer

COSO Committee of Sponsoring Organizations of the Treadway Commission

CRO Chief Risk Officer

DS Design Science

DSR Design Science Research

ERP Enterprise Resource Planning

ERM Enterprise Risk Management

GRC Governance, Risk and Compliance

KPI Key Performance Indicator

KRI Key Risk Indicator

OMG Object Management Group

PDCA Plan, Do, Check, Act

P&C Planning and Control

CONTENTS

1 INTRODUCTION ........................................................................................ 11

1.1. Structure of the dissertation........................................................................ 12

2 OBJECTIVES ............................................................................................. 13

2.1 General objective ........................................................................................ 13

2.2 Specific objectives ...................................................................................... 13

3 THEORETICAL FRAMEWORK ................................................................. 14

3.1 Business Process Model and Notation (BPMN) ......................................... 14

3.2 Governance, Risk and Compliance ............................................................ 15

3.3 ABNT NBR ISO 31000 – Risk Management – Principles and guidelines ... 15

3.4 COSO Conceptual Business Model of Governance ................................... 16

3.5 COSO Internal control integrated framework.............................................. 17

3.6 Related work ............................................................................................... 19

3.6.1 Conceptual model for integrated GRC ....................................................... 19

3.6.2 GRC maturity model for hospitals ............................................................... 20

4 METHODOLOGY ....................................................................................... 24

5 THE CONSTRUCTION OF MODELS ........................................................ 27

5.1 Governance ................................................................................................ 27

5.1.1 Define governance policies process ........................................................... 30

5.1.2 Performance evaluation processes and policy management process ........ 31

5.2 Risk Management ....................................................................................... 33

5.2.1 Risk Management Process ......................................................................... 35

5.2.2 Risks Identification Subprocess .................................................................. 37

5.3 Compliance ................................................................................................ 37

5.3.1 Audit management process ........................................................................ 40

5.4 The GRC integrated model ......................................................................... 41

6 RESULTS AND DISCUSSION ................................................................... 43

6.1 Adjusting the scope of dimensions of the hospital GRC maturity model .... 43

6.2 Evaluation of the business process model ................................................. 47

7 CONCLUSIONS ......................................................................................... 52

7.1 Limitations of the research ......................................................................... 53

7.2 Suggestions for future research ................................................. 53

REFERENCES .......................................................................................................... 54


1 INTRODUCTION

Historically, Risk Management, Corporate Governance and Compliance were treated as entirely independent activities with no interaction between them. The concept of Governance, Risk and Compliance (GRC) arises from the integration of these activities and promotes efficiency gains and savings through synergy and information sharing.

As with Enterprise Resource Planning (ERP), according to Gill and Purushottam (2008), GRC is steadily gaining importance in corporations. This is mainly due to globalization, increasing demands for transparency and new regulations such as the Basel accords, the Sarbanes-Oxley Act, anti-money-laundering laws and, in the Brazilian case, Law 13303/16, which sets new GRC standards for state-owned companies, mixed-capital companies and their subsidiaries.

Despite their significance, scientific research on integrated GRC initiatives is scarce (RACZ et al., 2010), and the existing literature on GRC implementation indicates that many aspects have not yet been investigated (SPANAKI; PAPAZAFEIROPOULOU, 2015).

The models are elaborated using the Design Science Research (DSR) method, which guides the construction of knowledge with an emphasis on problem solving (WIERINGA, 2009). The models are expressed in Business Process Model and Notation (BPMN), a notation that provides a simple and robust set of symbols for modeling business processes.

In addition, to carry out this research, a search was made for publications related to the topic. The research was based on the main work found, "A Conceptual Model for Integrated Governance, Risk and Compliance", published by Vicente & Silva in 2011. Several other related works that contributed to this research were also identified and are described in chapter 3.


1.1. Structure of the dissertation

In addition to this introduction, chapter 2 presents the objectives. Chapter 3 is a bibliographic review covering the concept of GRC, the BPMN notation and the main models used as the basis for elaborating and validating the models proposed in this work.

Chapter 4 deals with the DSR method, the method adopted in this research, and the methodological approach. Chapter 5 then explains in detail how each of the proposed models was elaborated. In chapter 6 the integrated model is evaluated and validated, and the results and discussion of the research are presented. Chapter 7 presents the final considerations, the limitations and suggestions for future work, followed by the bibliographical references.


2 OBJECTIVES

This chapter presents the general objective and the specific objectives of this research.

2.1 General objective

To present a business process model, in BPMN notation, based on the conceptual model for integrated GRC proposed by Vicente & Silva (2011), which facilitates the planning of GRC implementation in organizations through the visualization of their processes, interactions and sequences.

2.2 Specific objectives

a) Analyze the models proposed by Vicente & Silva (2011), identifying their main processes and subprocesses;

b) Propose new models of Governance, Risk, Compliance and integrated GRC, applying DSR in their design, based on the models of Vicente & Silva (2011), ABNT ISO 31000 (2018), COSO's contextual business model (2014) and COSO's Integrated Internal Control Framework (2013);

c) Compare the integrated model developed with a GRC maturity model and evaluate it.


3 THEORETICAL FRAMEWORK

This chapter discusses the works that serve as the theoretical framework for the research.

3.1 Business Process Model and Notation (BPMN)

The first version of the BPMN notation was conceived in 2004 by the Business Process Management Initiative (BPMI) with the aim of standardizing the graphical representation of business processes. The Object Management Group (OMG) subsequently took over BPMN and several revisions were published; the version used in this research is BPMN 2.0, published by OMG in 2011.

The main goal of BPMN, according to OMG (2011), is to provide a business process notation that is readily understandable by everyone, including business analysts, developers and executives. According to OMG (2011), BPMN reduces the technical gap between process design and implementation, and gives organizations the ability to understand their internal and external business processes, as well as their interdependencies.

BPMN modeling is based on flowcharts and graphically represents business process models using Business Process Diagrams (BPD).

According to OMG (2011), the elements used to build BPMN 2.0 diagrams are grouped into the following categories:

a) Flow objects: events, activities and gateways (decision points).

b) Data: data objects (including data object collections), data inputs, data outputs and data stores.

c) Connecting objects: sequence flows, message flows, associations and data associations.

d) Swimlanes: ways of grouping the graphical elements, in the form of a pool or of a lane, which is a subdivision of a pool.

e) Artifacts: elements that provide additional information about the represented process, namely text annotations and groups of graphical elements.
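As an added example, not part of the dissertation or of the OMG specification, the following Python script parses a small BPMN 2.0 XML model and checks three properties that a process model should satisfy before it is relied on for GRC planning: every sequence flow connects two flow objects that actually exist, every flow object is reachable from a start event, and, where lanes are modeled, every flow object belongs to a lane (an activity with no owner is exactly the kind of gap an audit later finds). The sample model, a two-lane risk identification process with two deliberately planted defects, and all of its element ids are constructed for illustration; the element names and the namespace http://www.omg.org/spec/BPMN/20100524/MODEL are those of the BPMN 2.0 schema. The standard-library parser xml.etree.ElementTree is used; it is not hardened against maliciously constructed XML (entity expansion), so models received from untrusted parties should be parsed with defusedxml instead.

```python
import xml.etree.ElementTree as ET
from collections import deque

# Added example, not from the dissertation: structural checks on a BPMN 2.0 XML model.
# BPMN_NS is the OMG BPMN 2.0 model namespace; the sample model below is constructed.
BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
NS = {"bpmn": BPMN_NS}
# Flow-object element names from the BPMN 2.0 schema (events, activities, gateways).
FLOW_NODE_TAGS = {
    "startEvent", "endEvent", "intermediateCatchEvent", "intermediateThrowEvent",
    "task", "userTask", "manualTask", "serviceTask", "scriptTask", "sendTask", "receiveTask",
    "businessRuleTask", "subProcess", "callActivity", "exclusiveGateway", "parallelGateway",
    "inclusiveGateway", "eventBasedGateway",
}

# Constructed sample: one pool with two lanes (CRO, CCO) and two planted defects:
# t_orphan is in no lane and has no flows; f_bad targets a node that does not exist.
SAMPLE_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             id="defs" targetNamespace="urn:example:grc">
  <collaboration id="collab">
    <participant id="pool_grc" name="GRC office" processRef="proc_risk"/>
  </collaboration>
  <process id="proc_risk" name="Identify and control risk" isExecutable="false">
    <laneSet id="lanes">
      <lane id="lane_cro" name="CRO">
        <flowNodeRef>start</flowNodeRef><flowNodeRef>t_identify</flowNodeRef>
        <flowNodeRef>gw_material</flowNodeRef><flowNodeRef>end_log</flowNodeRef>
      </lane>
      <lane id="lane_cco" name="CCO">
        <flowNodeRef>t_control</flowNodeRef><flowNodeRef>end_treated</flowNodeRef>
      </lane>
    </laneSet>
    <startEvent id="start" name="Context established"/>
    <task id="t_identify" name="Identify risk"/>
    <exclusiveGateway id="gw_material" name="Material risk?"/>
    <task id="t_control" name="Assess internal control"/>
    <task id="t_orphan" name="Orphan task"/>
    <endEvent id="end_log" name="Recorded only"/>
    <endEvent id="end_treated" name="Risk treated"/>
    <dataObject id="do_register"/>
    <dataObjectReference id="ref_register" name="Risk register" dataObjectRef="do_register"/>
    <sequenceFlow id="f1" sourceRef="start" targetRef="t_identify"/>
    <sequenceFlow id="f2" sourceRef="t_identify" targetRef="gw_material"/>
    <sequenceFlow id="f3" name="yes" sourceRef="gw_material" targetRef="t_control"/>
    <sequenceFlow id="f4" name="no" sourceRef="gw_material" targetRef="end_log"/>
    <sequenceFlow id="f5" sourceRef="t_control" targetRef="end_treated"/>
    <sequenceFlow id="f_bad" sourceRef="gw_material" targetRef="t_missing"/>
    <textAnnotation id="note1"><text>ISO 31000 risk identification step</text></textAnnotation>
    <association id="a1" sourceRef="note1" targetRef="t_identify"/>
  </process>
</definitions>
"""


def flow_nodes(process):
    """Map node id -> element name for the flow objects directly inside a process."""
    return {el.get("id"): el.tag.rsplit("}", 1)[-1] for el in process
            if el.tag.rsplit("}", 1)[-1] in FLOW_NODE_TAGS}

def dangling_flows(process, nodes):
    """Sequence flows whose sourceRef or targetRef names no flow node in the process."""
    return sorted(sf.get("id") for sf in process.findall("bpmn:sequenceFlow", NS)
                  if sf.get("sourceRef") not in nodes or sf.get("targetRef") not in nodes)

def unreachable_nodes(process, nodes):
    """Flow nodes not reachable from any start event by following sequence flows (BFS)."""
    succ = {n: [] for n in nodes}
    for sf in process.findall("bpmn:sequenceFlow", NS):
        src, dst = sf.get("sourceRef"), sf.get("targetRef")
        if src in succ and dst in succ:  # dangling flows are reported separately
            succ[src].append(dst)
    seen, queue = set(), deque(n for n, tag in nodes.items() if tag == "startEvent")
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(succ[node])
    return sorted(set(nodes) - seen)

def nodes_without_lane(process, nodes):
    """Flow nodes that no lane claims; empty when the process defines no lanes at all."""
    if process.find("bpmn:laneSet", NS) is None:
        return []
    claimed = {r.text.strip() for r in process.iter(f"{{{BPMN_NS}}}flowNodeRef") if r.text}
    return sorted(set(nodes) - claimed)

def check_model(xml_text):
    """Run every check on each process in the document; findings keyed by process id."""
    root = ET.fromstring(xml_text)  # for untrusted input, parse with defusedxml instead
    report = {}
    for process in root.findall("bpmn:process", NS):
        nodes = flow_nodes(process)
        report[process.get("id")] = {
            "dangling_flows": dangling_flows(process, nodes),
            "unreachable": unreachable_nodes(process, nodes),
            "no_lane": nodes_without_lane(process, nodes),
        }
    return report
```

Calling check_model(SAMPLE_BPMN) reports, for process proc_risk, the dangling flow f_bad and the task t_orphan as both unreachable and assigned to no lane; a process without a laneSet yields an empty no_lane list, since that check only applies where lanes are modeled. The three checks map directly onto the element categories above: flow objects are the graph's nodes, connecting objects (sequence flows) its edges, and swimlanes the lane membership. Data elements and artifacts are deliberately ignored, because they carry no control flow.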


3.2 Governance, Risk and Compliance

The term GRC, according to Steinberg (2011), originated in the management consultancy sector. It represents the combination of Governance, Risk and Compliance and reflects the joining of concepts which, although dispersed, offer great potential for synergy. According to Moeller (2011), each GRC dimension is composed of four components: strategy, processes, technology and people.

Governance can be defined as the "allocation of power by the board, management, and stakeholders", but according to Steinberg (2011) the term is also used to encompass the set of actions taken by senior management in managing the company. According to Vicente (2011), governance policies play an essential role because they represent the view of the board and top management on how the company should be managed. In addition, they define stakeholder expectations about what should be done (MOELLER, 2011).

Similarly, the term "risk" refers to risk management, which according to Steinberg (2011) can take a variety of forms, from a simple risk assessment to a complete Enterprise Risk Management (ERM) process. According to Vicente (2011), it is not possible to obtain all the benefits of Risk Management without Compliance and Governance also being implemented: Governance is necessary for better alignment with business objectives, and Compliance contributes by improving internal controls, which help to identify and prevent risks.

Likewise, Compliance represents the company's adherence both to current local legislation and to the internal policies consolidated by corporate governance.

3.3 ABNT NBR ISO 31000 – Risk Management – Principles and guidelines

NBR ISO 31000 (ABNT, 2018) divides risk management into six main processes, as can be seen in Figure 1. The process begins with establishing the context (scope, context and criteria), followed by risk assessment, risk treatment, and recording and reporting. The processes of communication and consultation and of monitoring and review are carried out in parallel throughout the risk management process. In addition, the risk assessment process is divided into three stages: risk identification, risk analysis and risk evaluation.

Figure 1 - Adapted risk management process

Source: ABNT, 2018.

3.4 COSO Conceptual Business Model of Governance

COSO has developed a holistic view of governance and managerial processes based on the PDCA cycle, as seen in Figure 2. The process begins with strategic planning, which defines the vision and mission of the organization, followed by strategy setting. The strategy sets the context for business planning through a high-level plan of what the organization wants to achieve in the planning horizon. The business planning stage formalizes the objectives, or roadmaps, for how operations management will contribute to achieving the strategic objectives, while execution consists of operations management carrying out the activities established in the business plan. The monitoring stage is composed essentially of management's supervision and control of operations. The last step, adapting, refers to the adoption of corrective actions that result in changes to the strategy, the business plan or the tactical plan.

Figure 2 - COSO contextual business model

Source: DELOACH; THOMSON, 2014.

3.5 COSO Internal control integrated framework

COSO (2013) establishes three categories of objectives, operations, reporting and compliance, and defines internal control as a process designed to provide reasonable assurance regarding the achievement of these objectives.

Internal control consists of five components:

a) Control environment: the set of standards, processes and structures that provide the basis for carrying out internal control across the organization.

b) Risk assessment: an iterative process for identifying and assessing risks to the achievement of objectives.

c) Control activities: actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out.

d) Information and communication: the continual, iterative process of providing, sharing and obtaining the necessary information, both internally and externally.

e) Monitoring activities: ongoing evaluations, separate evaluations, or a combination of the two, used to ascertain whether each of the five components of internal control is present and functioning. Ongoing evaluations are built into the processes and provide information in real time, while separate evaluations are conducted periodically with a scope and frequency based on the risk assessment, the effectiveness of the ongoing evaluations and other management considerations.

According to COSO (2013), there is a direct relationship between the objectives, the internal control components and the organizational structure. This relationship can be represented in the form of a cube, as in Figure 3. The objectives are represented on the top face of the cube, the internal control components on the front face and the organizational structure on the side face.

Figure 3 - Integrated internal control framework COSO

Source: COSO, 2013.

The following section presents related work: the conceptual model for integrated GRC and the GRC maturity model for hospitals.


3.6 Related work

This section presents scientific works related to this research.

3.6.1 Conceptual model for integrated GRC

This section presents the conceptual model for integrated GRC proposed by Vicente & Silva (2011). Initially, each GRC dimension was defined as a modeling domain and a conceptual model was developed for each one. The models highlight the four main functionalities of GRC according to the authors: audit management, policy management, issue management and risk management. These functionalities are represented by yellow rectangles in Figure 4. The concepts shown in gray also represent important functionalities, but ones that are usually automated. Concepts modeled as blue ellipses represent information that is managed by these functions or is the responsibility of at least one of the GRC areas.

According to Vicente & Silva (2011), Governance is responsible for supervising Risk Management and Compliance. Policies, as defined by Governance, are central to GRC: they represent senior management's vision of how the organization should be run and define how the organization should work by describing what is acceptable and what is not.

Well-structured Risk Management must be aligned and linked with Governance and Compliance in order to gain useful information for its risk management process. In addition, Risk Management should not be restricted to merely identifying and responding to risks, but must act proactively in anticipating and avoiding risks and reducing the possibility of unexpected events occurring.

Compliance must ensure that the organization is operating within the standards set by Governance, in addition to the requirements of the law. The risk prioritization developed by Risk Management helps Compliance achieve this goal, since the risks are aligned with corporate objectives.


Figure 4 - Integrated GRC model

Source: VICENTE; SILVA, 2011.

As can be seen in Figure 4, internal controls play a central role, since they are key to GRC's activities.

3.6.2 GRC maturity model for hospitals

This section presents the GRC maturity model for hospitals developed by Batenburg, Neppelenbroek and Shahim (2014). The objective of the model is to evaluate and monitor GRC maturity in Dutch hospitals. To develop the model, the authors compared 16 existing maturity models and elaborated a first proposal.

The first proposal contained 15 dimensions divided among the three GRC domains. The dimensions of the Governance domain were governance structure, whistleblower process, information sharing, patient co-determination, complaint management, incident reporting and patient safety incidents; those of Risk were frequency of risk analysis, risk management awareness, scope of risk management, structure of risk management and risk indicators; and those of Compliance were compliance mapping, information security and compliance controls.

They then tested the model by interviewing managers of hospitals representing 12.4% of hospital bed capacity in the Netherlands and developed a second version, shown in Table 1. The model is composed of 14 dimensions and five maturity levels.

Table 1 - GRC maturity model for hospitals

| Dimension | Level 1 Forming | Level 2 Developing | Level 3 Normalized | Level 4 Established | Level 5 Optimized |
|---|---|---|---|---|---|
| 1 Governance authority | Ad-hoc authority; in practice professionals have the power. | Board is responsible without any power. | Board is responsible and has the power. | Board is responsible and has the power, and professionals do not oppose. | Board and professionals share power in a balanced way. |
| 2 Governance structure | There is no P&C (planning and control) in place. | P&C is ill-structured and not documented. | P&C is structured and known by professionals. | P&C is implemented; most professionals contribute. | All professionals contribute proactively to an integrated P&C. |
| 3 Governance accountability | Professionals are not accountable to management. | Professionals view accountability as a bureaucratic process. | Each professional is accountable to management. | Each professional embraces his accountability. | Each professional is intrinsically motivated to be accountable. |
| 4 Governance control of the professionals | No audit is performed on the professionals. | An internal audit is conducted based on quality indicators. | An external audit is conducted based on quality indicators. | An unexpected external audit is conducted. | There is a good balance between trust and control. |
| 5 Governance incident reporting | Incidents are reported on an ad-hoc basis. | A paper form is used to report incidents. | There is an easy (electronic) way to report incidents. | Professionals feel safe to report an incident. | Professionals trust the quality of the incident reporting process. |
| 6 Risk management authority | There is no CRO (Chief Risk Officer). | A CRO is appointed by the board. | The CRO reports directly to the board. | The CRO has authority to enact changes. | The board and CRO communicate ERM's importance. |
| 7 Risk management structure | No risk management framework is in place. | A risk management framework is used. | A risk management framework is fully implemented. | | |
| 8 Risk management analysis | No risk analysis is performed. | A decentralized risk analysis is performed. | A centralized risk analysis is performed. | Strategic risk analysis is performed. | Risk analysis is integrated in planning new developments. |
| 9 Risk management scope | Risks are managed in a fragmented way. | Some types of risks are managed jointly. | Risks are managed in an integrated way. | | |
| 10 Risk management indicators | There are no risk indicators in place. | Indicators are used for internal regulations and policies. | Indicators are used for internal and external regulations and policies. | A risk management dashboard is used to monitor risks. | There is a system that alerts stakeholders to risks. |
| 11 Compliance authority | There is no CCO (Chief Compliance Officer). | A CCO is appointed by the board. | The CCO reports directly to the board. | The CCO has authority to enact changes. | The board, CRO and CCO work closely together. |
| 12 Compliance structure | No attempt to standardize similar processes. | Little attempt to standardize similar processes. | Similar processes are standardized across parts of the hospital. | Similar processes are evaluated across the hospital. | Similar processes are standardized across the hospital. |
| 13 Compliance controls | Reliance on manual compliance processes and controls. | Manual and automated compliance processes and controls. | Tactical automated compliance processes and controls. | Strategic automated compliance processes and controls. | Flexible strategic automated compliance processes and controls. |
| 14 Compliance conscience | Hospital is indifferent to compliance. | Hospital is concerned about fixing non-compliance. | Hospital continually monitors for compliance. | Hospital plans to sustain compliance. | Hospital incorporates compliance controls. |

(Dimensions 7 and 9 distinguish only three levels in the source table.)

Source: Adapted from Batenburg; Neppelenbroek; Shahim, 2014.

To implement the model, a structured questionnaire was developed that serves as a tool for measuring the GRC maturity level. The questionnaire was applied to four Dutch hospitals, which together represent 13% of the bed capacity in the Netherlands; in three of the four hospitals evaluated, Governance obtained better results than Risk and Compliance.

Batenburg, Neppelenbroek and Shahim concluded that the proposed model can be

used to monitor the GRC maturity of hospitals and to direct the process of evolution

of their GRC maturity.


In the following chapter, the methodology applied in the development of the research

will be presented.


4 METHODOLOGY

Design Science (DS) and the Design Science Research (DSR) method were chosen because the research required a methodology capable of linking scientific rigor to practical issues in the corporate world. DSR generates scientific knowledge and contributes to the solution of real problems (WIERINGA, 2009; ZAIDAN, 2015).

The DSR approach used in this work was proposed by Roel Wieringa, one of the seminal authors on the theme. According to Wieringa (2009), practical problems are solved by changing the state of the world, and knowledge is gained in the process of changing it; knowledge questions, in turn, change the state of knowledge, which is then applied in the real world to validate that change. The analysis of the studies reviewed revealed an intersection of practical problems and knowledge questions, as shown below.

According to Dresch, Lacerda, and Júnior (2015), DSR produces artifacts in the form of a construct, model, method or instantiation, and their usefulness, quality and efficacy must be demonstrated by means of rigorous evaluation methods. Wieringa (2009) proposes building knowledge through designed artifacts, emphasizing the connection between scientific development and the solution of practical problems through a regulatory cycle. The regulatory cycle proposed by Wieringa (2009) comprises five phases: problem investigation, solution design, design validation, solution implementation, and implementation evaluation.

As can be seen in Figure 5, the first phase of the regulatory cycle proposed by Wieringa (2009) is problem investigation. During this phase, one gathers information about the problem to increase understanding of it, without yet trying to solve it.

The second phase is the solution design, in which a "solution" to the problem must

be proposed. However, according to Wieringa (2009), the solution found at this stage

may not be the definitive solution and may even make things worse for some

stakeholders.


The third phase, design validation, asks whether the solution proposed in the previous phase, if correctly implemented, will really bring benefits to the stakeholders.

The fourth phase is the solution implementation phase. What the term

"implementation" stands for depends on the type of solution that was proposed.

Wieringa (2009) gives the example of bringing a video recorder to the consumer market: once the process to achieve this goal has been planned, implementation is the execution of that plan.

The fifth phase, implementation evaluation, marks the beginning of a new cycle, in which the solution found in the previous phases is analyzed. As in the problem investigation phase, however, this is done without proposing solutions or modifications for the remaining problems.

Figure 5 - Wieringa regulatory cycle

Source: adapted from Wieringa, 2009.

Relating the steps of the regulatory cycle to the needs of this research yields Table 2, which lists the activities to be performed in each phase of the methodology. In the first phase, problem investigation, the bibliographic review presented in the previous chapter elucidates the concepts related to the theme and identifies related works that can be used in the development of the research.

Next, a model will be proposed which, as described for the solution design phase, will not necessarily be the definitive solution to the investigated problem. The next step of the methodology is design validation, in which the proposed models will be compared with models found in the literature to verify their adherence to the concepts and their coverage of the related processes.

In the following step, solution implementation, the models will be adjusted where necessary and integrated into a single GRC BPM model. In the last phase, implementation evaluation, the integrated model will be compared with a maturity model taken from the literature for validation purposes.

Table 2 - Relationship between the stages of the regulatory cycle and research activities

| Stage of the regulatory cycle | Project activity |
|---|---|
| 1. Problem investigation | Bibliographic review |
| 2. Solution design | Model proposition |
| 3. Design validation | Validation by comparing the obtained model with related models |
| 4. Solution implementation | Adjustments arising from the validation and integration process |
| 5. Implementation evaluation | Validation of the integrated model |

Source: The author, 2018.

The flow of the process of this research is illustrated in Figure 6.

Figure 6 - Process Flow (DSR method)

Source: The author, 2018.

In the next chapter, we detail the modeling process of this research.


5 THE CONSTRUCTION OF MODELS

In this section, we perform steps 2, 3 and 4 of the regulatory cycle proposed by Wieringa (2009): solution design, design validation, and solution implementation, respectively. The conceptual model proposed by Vicente & Silva (2011) will be mapped into processes, which will then be validated against the risk management process proposed by NBR ISO 31000 (ABNT, 2018), the contextual business model, and the integrated internal control framework proposed by COSO.

5.1 Governance

From the conceptual model of Governance proposed by Vicente & Silva (2011),

according to Figure 7, it is possible to extract the following main processes in the

domain of Governance:

a) define governance policies;

b) consolidate policies;

c) supervise Risk and Compliance;

d) support operational procedures (by policy);

e) evaluate performance;

f) manage policies.


Figure 7 - An adapted governance model

Source: VICENTE; SILVA, 2011.

The other processes in the governance domain will be modeled as subprocesses as

shown in Table 3.

Table 3 - Processes and subprocesses identified in the Governance domain

| Identified process (Governance) | Subprocesses |
|---|---|
| Define governance policies | Define key objectives; Define strategy; Define responsibilities and roles; Define code of conduct; Define culture; Define risk appetite |
| Consolidate policies | - |
| Supervise Risk and Compliance | - |
| Support operational procedures | - |
| Evaluate performance | Measure KPIs and KRIs; Evaluate reports; Evaluate dashboards |
| Manage policies | Support the policy life cycle; Manage procedures; Enhance policies; Compliance suggestions for policy enhancements; Compliance suggestions for internal control enhancements |

Source: The author, 2018.


Since the model proposed by Vicente & Silva (2011) models only relations, the contextual business model proposed by COSO will be used to validate the sequence of processes and the coverage of the model, as shown in Table 4. The same approach will be used to construct the models in the Risk and Compliance domains.

Table 4 - Process versus the phase in which it occurs

| Identified process (Governance) | Corresponding phase in the COSO model |
|---|---|
| Define governance policies | Strategy configuration / Business planning |
| Consolidate policies | Business planning |
| Supervise Risk and Compliance | Execution |
| Support operational procedures | Execution |
| Evaluate performance | Monitoring |
| Manage policies | Adaptation |

Source: The author, 2018.

Figure 8 illustrates the processes of the Governance domain and their main relationships with processes in the Risk and Compliance domains, modeled in BPMN notation. The first process is define governance policies, followed by consolidate policies. Next, Risk and Compliance oversight runs in parallel with support of operational procedures. Finally come the evaluate performance and manage policies processes.


Figure 8 - Governance Process

Source: The author, 2018.

5.1.1 Define governance policies process

As shown in Figure 9, the define governance policies process has the following subprocesses: define responsibilities and roles, define strategy, define code of conduct, define culture, define key objectives, and define risk appetite. The process therefore consists of these definitions and, in addition, receives the determination of risk appetite as an input from the Risk management domain.


Figure 9 - Governance policy definition process

Source: The author, 2018.

5.1.2 Performance evaluation processes and policy management process

Because they are part of this process, the activities measure key performance indicators (KPIs) and key risk indicators (KRIs), evaluate reports, and evaluate dashboards were modeled as subprocesses of the performance evaluation process, as shown in Figure 10.


Figure 10 - Performance evaluation process

Source: The author, 2018.

Similarly, as can be seen in Figure 11, the activities manage procedures, support the policy life cycle, and improve policies were modeled as subprocesses of the policy management process. Both the manage procedures subprocess and the improve policies subprocess receive feedback from Compliance, with suggestions for improvements to internal controls and to policies, respectively.

Figure 11 - Policy management process

Source: The author, 2018.


5.2 Risk Management

As shown in Figure 12, it is possible to identify four main processes in the domain of

Risk management proposed by Vicente & Silva (2011):

a) Determine Risk appetite

b) Issue management

c) Risk Management

d) Consolidate Risk reports

Figure 12 - The adapted Risk model

Source: VICENTE; SILVA, 2011.

As was done in the Governance domain, the other processes present in the model will be modeled as subprocesses of these main processes, as shown in Table 5. NBR ISO 31000 (ABNT, 2018) was used to validate and sequence the model.


Table 5 - Processes and subprocesses identified in the Risk management domain

| Main process identified (Risk) | Subprocesses | Subprocesses, level 2 |
|---|---|---|
| Determine risk appetite | - | - |
| Issue management | - | - |
| Risk management | Analyze key risk indicators | - |
| | Align risk management with policies | - |
| | Monitoring | - |
| | Analyze risks | Categorize risks |
| | Develop key risk indicators | - |
| | Produce the priority matrix | - |
| | Perform corrective actions | - |
| | Update internal controls | - |
| | Identify risks | Conduct investigations/surveys in processes; Use internal controls |
| Consolidate risk reports | - | - |

Source: The author, 2018.

As can be seen in Table 6, there is no process corresponding to the communication and consultation process proposed by NBR ISO 31000 (ABNT, 2018). Since this is a fundamental activity of risk management practice, it will be included in the proposed BPM model.

Table 6 - Correspondence between the main processes identified in the Vicente & Silva (2011) model and NBR ISO 31000 (ABNT)

| Main process identified (Risk) | Corresponding phase in NBR ISO 31000 (ABNT) |
|---|---|
| Determine risk appetite | Scope, context and criteria |
| Manage issues | Risk identification |
| Manage risks | Risk assessment process / Risk management |
| Consolidate risk reports | Recording and reporting |
| No corresponding process | Communication and consultation |

Source: The author, 2018.

Figure 13 illustrates the Risk domain processes modeled in BPMN notation and sequenced according to ISO 31000 (ABNT, 2009), together with their main relations with Governance.


Figure 13 - Risk domain processes

Source: The author, 2018.

5.2.1 Risk Management Process

From the Risk management model proposed by Vicente & Silva (2011), the following

subprocesses belonging to the risk management process can be highlighted:

identify risks, analyze key Risk indicators, align Risk management with policies,

monitoring, analyze Risks, develop key Risk indicators, produce the priority matrix,

perform corrective actions and update internal controls.

Table 7 shows the outcome of correlating these subprocesses to the model

proposed by NBR ISO 31000 (ABNT, 2018).


Table 7 - Correspondence between the subprocesses of the risk management process identified in the Vicente & Silva (2011) model and NBR ISO 31000 (ABNT)

| Main identified subprocesses (Manage risks) | Corresponding phase in NBR ISO 31000 (ABNT) |
|---|---|
| Identify risks | Risk identification |
| Analyze key risk indicators; Align risk management with policies; Monitoring | Monitoring and review |
| Analyze risks; Categorize risks | Risk analysis |
| Develop key risk indicators; Produce the priority matrix | Risk evaluation |
| Perform corrective actions | Risk treatment |
| Update internal controls | Recording and reporting |
| No corresponding activity | Communication and consultation |

Source: The author, 2018.

Again, there is no activity corresponding to the communication and consultation process proposed by NBR ISO 31000 (ABNT, 2018). Adding this activity and modeling the process according to the sequence obtained by correlating the two models yields the risk management process shown in Figure 14.

Figure 14 - Risk Management Process

Source: The author, 2018.


5.2.2 Risks Identification Subprocess

Because the activities conduct investigations/surveys in processes and use internal controls are integral parts of the risk identification process, they were modeled as its subprocesses.

Figure 15 - Risk identification process

Source: The author, 2018.

5.3 Compliance

According to the model proposed by Vicente & Silva (2011), as highlighted in Figure

16, Compliance is defined by five main processes:

a) audit management

b) manage ongoing evaluations

c) report findings

d) compile evidence and recommendations in action plans

e) follow up


Figure 16 - An adapted model of compliance

Source: VICENTE; SILVA, 2011.

The other processes will be modeled as subprocesses of these, as shown in Table 8.

Table 8 - Identified processes and subprocesses of Compliance

| Main process (Compliance) | Subprocesses | Subprocesses, level 2 |
|---|---|---|
| Manage audits | Inspect processes | Measure compliance with standards and regulations (processes); Measure compliance with policies (processes) |
| | Inspect internal controls | Measure compliance with standards and regulations (internal controls); Measure compliance with policies (internal controls) |
| | Re-assess risks | Measure compliance with standards and regulations (risks); Measure compliance with policies (risks); Re-assess risks |
| Manage ongoing evaluations | - | - |
| Report findings | - | - |
| Compile evidence and recommendations into action plans | - | - |
| Follow up | - | - |

Source: The author, 2018.

The results of correlating these activities with COSO's Integrated Internal Control Framework are shown in Table 9. It is important to emphasize that, because the framework extends beyond the limits of the Compliance domain, part of its activities must be represented by Governance or Risk processes.

Table 9 - Correspondence between the Compliance processes identified in the Vicente & Silva (2011) model and COSO's Integrated Internal Control Framework

| Process identified in the Compliance model | Correspondence in COSO's Integrated Internal Control Framework |
|---|---|
| Processes of the Governance domain | Control environment |
| Subprocess re-assess risks and Risk management activities | Risk assessment |
| Follow up and activities performed by Governance | Control activities |
| Report findings | Information and communication |
| Manage audits and Manage ongoing evaluations | Monitoring activities |

Source: The author, 2018.

The sequence of processes in the model was identified by evaluating the

prerequisites of each of the processes, as shown in Table 10.

Table 10 - Prerequisite assessment of the Compliance model processes

| Process identified in the Compliance model | Prerequisite | Necessary predecessor process |
|---|---|---|
| Manage audits | none | none |
| Manage ongoing evaluations | none | none |
| Report findings | Conduct of audits / ongoing evaluations | Manage audits / Manage ongoing evaluations |
| Compile evidence and recommendations into action plans | Conduct of audits / ongoing evaluations | Manage audits / Manage ongoing evaluations |
| Follow up | Suggested action plans | Compile evidence and recommendations into action plans |

Source: The author, 2018.

Since it is common practice to report conclusions and the validation of corrective actions to company management, and in order to simplify the flow in this work, the report findings process will be positioned between the manage audits process and the compile evidence and recommendations into action plans process. The resulting process flow is shown in Figure 17.
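Table 10 derives the process sequence from prerequisites by hand. The following Python example, added here and not part of the dissertation or of the Vicente & Silva model, performs the same derivation mechanically for any prerequisite table: it groups processes into dependency stages (Kahn's topological sort), so that processes in the same stage have no dependency between them and can sit behind a parallel gateway in the BPMN model, and it checks whether a chosen sequential flow still respects every prerequisite. The prerequisite table is transcribed from Table 10 above; AUTHOR_ORDER is an assumed sequential reading of the flow chosen in the text (report findings placed between manage audits and compile evidence), not a transcription of Figure 17.

```python
# Prerequisite table transcribed from Table 10: process -> processes that must
# finish before it can start. The first two have no prerequisites.
COMPLIANCE_PREREQS = {
    "Manage audits": set(),
    "Manage ongoing evaluations": set(),
    "Report findings": {"Manage audits", "Manage ongoing evaluations"},
    "Compile evidence and recommendations into action plans":
        {"Manage audits", "Manage ongoing evaluations"},
    "Follow up": {"Compile evidence and recommendations into action plans"},
}

# Assumed sequential reading of the flow chosen in the text: report findings
# placed between manage audits and compile evidence (not a copy of Figure 17).
AUTHOR_ORDER = [
    "Manage audits",
    "Manage ongoing evaluations",
    "Report findings",
    "Compile evidence and recommendations into action plans",
    "Follow up",
]


def stage_processes(prereqs):
    """Group processes into dependency stages (Kahn's topological sort).

    Stage 0 holds every process without prerequisites; stage k holds the
    processes whose prerequisites all lie in earlier stages. Processes in one
    stage do not depend on each other, so a BPMN model may run them in
    parallel. Raises ValueError if the table contains a cycle, which would
    mean the process could never start.
    """
    remaining = {p: set(deps) for p, deps in prereqs.items()}
    for deps in prereqs.values():
        for d in deps:
            # a prerequisite named in the table but not listed as a process
            remaining.setdefault(d, set())
    stages = []
    while remaining:
        ready = sorted(p for p, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"cyclic prerequisites among: {sorted(remaining)}")
        stages.append(ready)
        for p in ready:
            del remaining[p]
        for deps in remaining.values():
            deps.difference_update(ready)
    return stages


def is_valid_order(order, prereqs):
    """True if a sequential flow contains every process exactly once and
    each process comes after all of its prerequisites."""
    names = set(prereqs) | {d for deps in prereqs.values() for d in deps}
    if set(order) != names or len(order) != len(names):
        return False
    position = {p: i for i, p in enumerate(order)}
    return all(position[d] < position[p]
               for p, deps in prereqs.items() for d in deps)


if __name__ == "__main__":
    for k, stage in enumerate(stage_processes(COMPLIANCE_PREREQS)):
        print(f"stage {k}: {' | '.join(stage)}")
    print("author's sequence valid:",
          is_valid_order(AUTHOR_ORDER, COMPLIANCE_PREREQS))
```

Running the block shows three stages: manage audits and manage ongoing evaluations first (no prerequisites, so they may run in parallel), then report findings and compile evidence (both depend only on the first stage), then follow up. The author's fully sequential flow is stricter than the table requires but still valid, while any order that puts follow up before compile evidence is rejected.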


Figure 17 - Process of Compliance

Source: The author, 2018.

5.3.1 Audit management process

The manage audits process consists of three subprocesses, as shown in Figure 18. Each subprocess must be performed periodically; its scope and frequency will vary depending on the effectiveness of ongoing evaluations, the risk assessment, and other management considerations.

Figure 18 - Manage audits process

Source: The author, 2018.


The subprocesses inspect processes and inspect internal controls are identical and

were modeled according to Figure 19.

Figure 19 - Subprocesses inspect processes and inspect internal controls

Source: The author, 2018.

Similarly, the re-assess risks subprocess is illustrated in Figure 20.

Figure 20 - Subprocess re-assess risks

Source: The author, 2018.

5.4 The GRC integrated model

In this section the integration of the Governance, Risk and Compliance models is discussed. As can be seen in Figure 21, the process begins in the Governance domain with the definition of Governance policies. This activity also requires the participation of the Risk team to determine the company's risk appetite, which is an integral part of Governance policies. After the consolidation of governance policies, processes in the three GRC domains are executed in parallel: in the Governance domain, Risk and Compliance oversight and support of operational procedures; in the Risk domain, issue management and risk management; and all processes of the Compliance domain. Subsequently, the performance evaluation and policy management processes complete the GRC process cycle.

Figure 21 - Integrated GRC process model

Source: The author, 2018.

In the next chapter this model will be evaluated and the results will be presented.


6 RESULTS AND DISCUSSION

In order to validate the integrated model, the GRC maturity model for hospitals described in section 3.6.2 and proposed by Batenburg, Neppelenbroek, and Shahim (2014) will be used. Because that maturity model is specialized, being geared towards Dutch hospitals, several of its definitions and requirements are tied to the hospital sector and to a real hospital setting, such as the assessment of employee attitudes, reporting, and employee perception. Therefore, the scope of several of its dimensions must be adjusted to the context of processes to make the evaluation of the business process model proposed in this research feasible.

6.1 Adjusting the scope of dimensions of the hospital GRC maturity model

In this section, the dimensions of the hospital maturity model will be evaluated and

an adjusted scope will be defined for each of them when necessary. Each dimension

corresponds to one row in Table 11.

For dimension 1, governance authority, the maturity model evaluates the balance of power between the board and the professionals in defining the governance guidelines. To adjust this scope to the context of processes, the evaluation of the balance of power between the board and the professionals must be dropped, since it only makes sense for real companies. The scope is therefore adjusted to verifying the existence of processes for defining the Governance guidelines.

Similarly, in dimension 2, governance structure, the model evaluates the existence of governance planning and control and the interaction of professionals with it. Transposed to the context of processes, the scope to be evaluated becomes the existence of governance planning and control processes.

In the case of dimension 3, governance accountability, the model assesses the attitude of professionals towards accountability processes. Transposed to the context of processes, the scope becomes the existence of accountability processes.

Dimension 4, control of the professionals, evaluates the existence of, and the balance between, internal and external audits. As evaluating this balance only makes sense in real cases, the scope of this dimension is adjusted to the existence of internal and external audits.

Dimension 5, Governance incident reporting, assesses whether there is a process for reporting incidents, whether reports are made on paper or electronically, and the employees' perception of this system. As the last two analyses also only make sense in real cases, they will not be considered in this work, so the adjusted scope for this dimension is the existence of a reporting process.

In dimension 6, Risk management authority, the model assesses the organizational structure, the ability to promote change, and Risk management communication. As the organizational structure does not belong to the context of processes, this dimension will evaluate the ability to promote change and the existence of communication processes.

Dimensions 7, 8 and 9 remain unchanged; however, in the case of dimension 8 the scope description will be adjusted to better reflect the process context, without narrowing the scope of the dimension: the term "planning new developments" will be replaced by "strategic plan".

Dimension 10, Risk management indicators, assesses whether there are risk indicators and, if so, whether they are used in risk monitoring and whether there is a system that alerts stakeholders to risks. As assessing the need for systems or dashboards only makes sense in the real case, the scope of this dimension is adjusted to the existence of risk indicators and their use in monitoring risks.

Dimension 11, Compliance authority, evaluates the organizational structure, the form of reporting, the authority to promote change and the synergy with the board. As the organizational structure, the particular form of reporting and the synergy with the board are not part of the context of processes, the scope of this dimension is adjusted to the capacity to promote change and the existence of a reporting process.

Similarly, dimension 12, Compliance structure, evaluates whether similar processes are standardized throughout the hospital. Since the standardization of similar processes is not possible in all industries, this dimension is adjusted to the support for operational procedures.

In the case of dimension 13, Compliance controls, the model assesses whether compliance processes are performed manually or automatically, whether they are rigid or flexible and whether they are strategic. Here only the existence of compliance processes is evaluated, since the other parameters can only be assessed in real situations.

Like dimension 8, dimension 14 keeps its scope unchanged, but the wording of the scope is adjusted to reflect the context of processes, without narrowing the dimension: the word "hospital" is replaced by "undertaking". Table 11 compiles all the adjustments made.

Table 11 - Evaluation of the GRC maturity model for hospitals

Maturity levels: 1 Forming, 2 Developing, 3 Normalized, 4 Established, 5 Optimized. The last entry of each dimension is the adjusted scope used in this research.

1 Governance authority
  Level 1: Ad-hoc authority; in practice the professionals have the power.
  Level 2: The board is responsible but has no power.
  Level 3: The board is responsible and has the power.
  Level 4: The board is responsible and has the power, and the professionals do not oppose it.
  Level 5: The board and the professionals share the power in a balanced way.
  Adjusted scope: Existence of processes to define the guidelines of Governance.

2 Governance structure
  Level 1: There is no P&C (planning and control) in place.
  Level 2: P&C is ill structured and not documented.
  Level 3: P&C is structured and known by the professionals.
  Level 4: P&C is implemented; most professionals contribute.
  Level 5: All professionals contribute proactively to an integrated P&C.
  Adjusted scope: Existence of Corporate Governance P&C processes.

3 Governance accountability
  Level 1: Professionals are not accountable to management.
  Level 2: Professionals view accountability as a bureaucratic process.
  Level 3: Each professional is accountable to management.
  Level 4: Each professional embraces his accountability.
  Level 5: Each professional is intrinsically motivated to be accountable.
  Adjusted scope: Existence of accountability processes.

4 Governance: control of the professionals
  Level 1: No audit is performed on the professionals.
  Level 2: An internal audit is conducted based on quality indicators.
  Level 3: An external audit is conducted based on quality indicators.
  Level 4: An unexpected external audit is conducted.
  Level 5: There is a good balance between trust and control.
  Adjusted scope: Existence of internal and external audits.

5 Governance incident reporting
  Level 1: Incidents are reported on an ad-hoc basis.
  Level 2: A paper form is used to report incidents.
  Level 3: There is an easy (electronic) way to report incidents.
  Level 4: Professionals feel safe to report an incident.
  Level 5: Professionals trust the quality of the incident reporting process.
  Adjusted scope: Existence of a reporting system.

6 Risk management authority
  Level 1: There is no CRO (Chief Risk Officer).
  Level 2: A CRO is appointed by the board.
  Level 3: The CRO reports directly to the board.
  Level 4: The CRO has authority to enact changes.
  Level 5: The board and the CRO communicate the importance of ERM.
  Adjusted scope: The ability to promote change and the existence of communication processes.

7 Risk management structure
  Level 1: No risk management framework is in place.
  Intermediate levels (a single description in the source): A risk management framework is used.
  Level 5: A risk management framework is fully implemented.
  Adjusted scope: unchanged.

8 Risk management analysis
  Level 1: No risk analysis is performed.
  Level 2: A decentralized risk analysis is performed.
  Level 3: A centralized risk analysis is performed.
  Level 4: Strategic risk analysis is performed.
  Level 5: Risk analysis is integrated in planning new developments.
  Adjusted scope: Risk analysis is integrated into the strategic plan.

9 Risk management scope
  Level 1: Risks are managed in a fragmented way.
  Intermediate levels (a single description in the source): Some types of risks are managed jointly.
  Level 5: Risks are managed in an integrated way.
  Adjusted scope: unchanged.

10 Risk management indicators
  Level 1: There are no risk indicators in place.
  Level 2: Indicators are used for internal regulations and policies.
  Level 3: Indicators are used for internal and external regulations and policies.
  Level 4: A risk management dashboard is used to monitor risks.
  Level 5: There is a system that alerts stakeholders to risks.
  Adjusted scope: The existence of risk indicators and their use in the monitoring of risks.

11 Compliance authority
  Level 1: There is no CCO (Chief Compliance Officer).
  Level 2: A CCO is appointed by the board.
  Level 3: The CCO reports directly to the board.
  Level 4: The CCO has authority to enact changes.
  Level 5: The board, the CRO and the CCO work closely together.
  Adjusted scope: The ability to promote change and the existence of a reporting process.

12 Compliance structure
  Level 1: No attempt to standardize similar processes.
  Level 2: Little attempt to standardize similar processes.
  Level 3: Similar processes are standardized across parts of the hospital.
  Level 4: Similar processes are evaluated across the hospital.
  Level 5: Similar processes are standardized across the hospital.
  Adjusted scope: Support for operational procedures.

13 Compliance controls
  Level 1: Reliance on manual compliance processes and controls.
  Level 2: Manual and automated compliance processes and controls.
  Level 3: Tactical automated compliance processes and controls.
  Level 4: Strategic automated compliance processes and controls.
  Level 5: Flexible strategic automated compliance processes and controls.
  Adjusted scope: Existence of control and compliance processes.

14 Compliance awareness
  Level 1: The hospital is indifferent to compliance.
  Level 2: The hospital is concerned about fixing noncompliance.
  Level 3: The hospital continually monitors for compliance.
  Level 4: The hospital plans to sustain compliance.
  Level 5: The hospital incorporates compliance controls.
  Adjusted scope: The undertaking incorporates compliance controls.

Source: The author, 2018.

6.2 Evaluation of the business process model

In this section, the business process model proposed in this research is evaluated against the GRC maturity model for hospitals. For this evaluation, the scopes adjusted as described in the previous section are used; where the scope of a dimension was left unchanged, its complete scope is used, that is, the scope of level 5 of that dimension.

The scope to be assessed for dimension 1, Governance authority, was adjusted to the existence of processes to define the governance guidelines. In the proposed model it is possible to identify the processes "Define governance policies", "Consolidate policies" and "Manage policies", so the scope of this dimension is met. Similarly, for dimension 2, Governance structure, the adjusted scope was defined as the existence of governance planning and control processes. The proposed model contains the governance planning processes "Define governance policies", "Consolidate policies" and "Manage policies", and the control process "Oversee Risk and Compliance". Therefore this dimension is also fully satisfied by the model proposed in this research.


For dimension 3, Governance accountability, the adjusted scope, the existence of accountability processes, is fully met by the processes "Define responsibilities and roles", "Define code of conduct" and "Define culture". Likewise, dimension 4, Governance control of the professionals, is covered by the processes "Evaluate performance", "Manage audits" (Compliance) and "Manage ongoing evaluations" (Compliance). Similarly, the adjusted scope of dimension 5, Governance incident reporting, which verifies the existence of a reporting system, is met by the process "Manage issues" (Risk management).

In the case of dimension 6, Risk management authority, the adjusted scope is the ability to promote change and the existence of communication processes. This scope is satisfied by the processes "Perform corrective actions" and "Communicate and consult".

Dimension 7, Risk management structure, assesses whether a risk management framework has been fully implemented. Since the processes "Determine risk appetite", "Manage issues", "Manage risks", "Consolidate risk reports" and "Communicate and consult" represent all stages of the risk management process of ABNT ISO 31000 (2018), these processes cover the requirements of this dimension.

Dimensions 8 and 9, Risk management analysis and Risk management scope, assess whether risk analysis is integrated into the company's strategic plan and whether risks are managed in an integrated manner, respectively. Because these two dimensions are closely interrelated and interdependent, they are analyzed together. The processes "Determine risk appetite", which influences the governance policies, "Manage risks" and "Consolidate risk reports" demonstrate the centralization of the risk management process. Furthermore, the processes "Communicate and consult" and "Measure KPIs and KRIs" (Governance) demonstrate the integration of the risk processes into the company's strategic plan, showing that the scope of these two dimensions is fulfilled.


Dimension 10, Risk management indicators, evaluates the existence of risk indicators and their use in monitoring risks. This scope is fulfilled by the processes "Analyze key risk indicators", "Develop key risk indicators" and "Measure KPIs and KRIs" (Governance).

The adjusted scope of dimension 11, Compliance authority, is the ability to promote change and the existence of a reporting process. Evaluated against this scope, the proposed model satisfies it through the processes "Report findings", "Compile evidence and recommendations into action plans" and "Do follow up". Similarly, dimension 12, Compliance structure, whose scope is the support for operational procedures, is satisfied by the processes "Support operational procedures" (Governance), "Manage procedures" (Governance) and "Inspect processes".

Dimension 13, Compliance controls, evaluates the existence of compliance control processes. The processes of the proposed model that meet this scope are "Manage ongoing evaluations", "Manage audits", "Report findings", "Compile evidence and recommendations into action plans" and "Do follow up".

Finally, for dimension 14, Compliance awareness, the scope was adjusted to whether the organization incorporates compliance controls. As can be seen in the model, the processes that fulfill this scope are "Manage ongoing evaluations", "Manage audits", "Define governance policies" (Governance), "Consolidate policies" (Governance), "Oversee Risk and Compliance" (Governance) and "Manage policies" (Governance).

Table 12 summarizes the correspondence between the scope to be evaluated and the processes of the integrated model proposed in this research, indicating whether the scope of each dimension was met.


Table 12 - Correspondence between the scope of the dimensions of the GRC maturity model for hospitals and the activities of the proposed model

Each entry gives the scope to be evaluated, the related activities of the proposed model and whether the scope of the dimension is met.

1 Governance: authority
  Scope to be evaluated: Existence of processes to define the guidelines of Governance.
  Related activities: Define governance policies; Consolidate policies.
  Meets the scope? Yes.

2 Governance: structure
  Scope to be evaluated: Existence of Corporate Governance P&C processes.
  Related activities: Define governance policies; Consolidate policies; Oversee Risk and Compliance; Manage policies.
  Meets the scope? Yes.

3 Governance: accountability
  Scope to be evaluated: Existence of accountability processes.
  Related activities: Define responsibilities and roles; Define code of conduct; Define culture.
  Meets the scope? Yes.

4 Governance: control of the professionals
  Scope to be evaluated: Existence of internal and external audits.
  Related activities: Evaluate performance; Manage audits (Compliance); Manage ongoing evaluations (Compliance).
  Meets the scope? Yes.

5 Governance: incident reporting
  Scope to be evaluated: Existence of a reporting system.
  Related activities: Manage issues (Risk).
  Meets the scope? Yes.

6 Risk management: authority
  Scope to be evaluated: The ability to promote change and the existence of communication processes.
  Related activities: Perform corrective actions; Communicate and consult.
  Meets the scope? Yes.

7 Risk management: structure
  Scope to be evaluated: A risk management framework has been fully implemented.
  Related activities: Determine risk appetite; Manage issues; Manage risks; Consolidate risk reports; Communicate and consult.
  Meets the scope? Yes.

8 Risk management: analysis
  Scope to be evaluated: Risk analysis is integrated into the strategic plan.
  Related activities: Determine risk appetite; Manage risks; Consolidate risk reports; Communicate and consult; Measure KPIs and KRIs (Governance).
  Meets the scope? Yes.

9 Risk management: scope
  Scope to be evaluated: Risks are managed in an integrated way.
  Related activities: Determine risk appetite; Manage risks; Consolidate risk reports; Communicate and consult; Measure KPIs and KRIs (Governance).
  Meets the scope? Yes.

10 Risk management: indicators
  Scope to be evaluated: The existence of risk indicators and their use in the monitoring of risks.
  Related activities: Analyze key risk indicators; Develop key risk indicators; Measure KPIs and KRIs (Governance).
  Meets the scope? Yes.

11 Compliance: authority
  Scope to be evaluated: The ability to promote change and the existence of a reporting process.
  Related activities: Report findings; Compile evidence and recommendations into action plans; Do follow up.
  Meets the scope? Yes.

12 Compliance: structure
  Scope to be evaluated: Support for operational procedures.
  Related activities: Support operational procedures (Governance); Manage procedures (Governance); Inspect processes.
  Meets the scope? Yes.

13 Compliance: controls
  Scope to be evaluated: Existence of control and compliance processes.
  Related activities: Manage ongoing evaluations; Manage audits; Report findings; Compile evidence and recommendations into action plans; Do follow up.
  Meets the scope? Yes.

14 Compliance: awareness
  Scope to be evaluated: The organization incorporates compliance controls.
  Related activities: Manage ongoing evaluations; Manage audits; Define governance policies (Governance); Consolidate policies (Governance); Oversee Risk and Compliance (Governance); Manage policies (Governance).
  Meets the scope? Yes.

Source: The author, 2018.


As can be observed, once the scopes are adjusted to make the evaluation feasible, there are processes that fulfill the full scope of the hospital GRC maturity model, so the GRC business process model proposed in this research can be considered adequate.


7 CONCLUSIONS

This research aimed to facilitate the planning of GRC implementation in organizations through an integrated GRC business process model based on the conceptual model proposed by Vicente & Silva (2011). The validation of the integrated model against the GRC maturity model for hospitals proposed by Batenburg, Neppelenbroek and Shahim (2014) shows that this main goal was achieved.

To that end, the models of each of the GRC domains proposed by Vicente & Silva (2011) were first investigated, identifying their main processes and subprocesses, which achieved the first specific objective of this research. The second specific objective was achieved with the construction and validation of the business process models for each of the GRC domains and the construction of the integrated GRC model. Subsequently, the integrated GRC business process model was validated against the GRC maturity model for hospitals proposed by Batenburg, Neppelenbroek and Shahim (2014), reaching the third and last specific objective. It is therefore possible to conclude that the specific objectives of this research were achieved.

One of the great challenges in developing this research was the scarce scientific literature on integrated GRC. One strategy used to overcome this problem was to validate the Governance, Risk and Compliance models against models developed specifically for each of these areas. For the validation of the integrated model, the solution found was to use an integrated GRC model specialized for the hospital sector, adapting it to make the analysis feasible.

The implementation of integrated GRC can be complex because it involves processes from different areas that, according to Gill and Purushottam (2008), are traditionally isolated in silos. The integrated GRC business process model proposed by this research provides a holistic view of the GRC processes and makes visible the complex interactions that result from their multidisciplinary nature. By way of example, this information can facilitate the development of the future business process model for deploying GRC in a specific company, possibly reducing the risks, the time required for deployment and, consequently, the costs.

It is concluded that this dissertation contributed to a better understanding of the processes related to integrated GRC and of the interdependencies inherent in a multidisciplinary process such as GRC. It is also worth noting how this research differs from the existing literature, in the comprehensiveness of the content related to business process models of integrated GRC and in the novelty of the presented model, despite the little literature available.

7.1 Limitations of the research

This work was developed from several references, methods and theoretical models. The evaluation of the particularities of companies in specific segments, of the adaptations their processes may require and of the possible impacts of implementation in a real process is outside its scope. Therefore, adaptation of the model, and complementary models, may be necessary when applying the GRC process in real situations.

7.2 Suggestions for future research

As opportunities for future research, the following are suggested:

• assessing the GRC business process maturity of organizations from specific sectors;
• deepening the proposed BPM models by adapting them to specific segments;
• conducting a questionnaire survey to evaluate the adherence of companies of a specific segment to the GRC practices modeled.


REFERENCES

ASSOCIAÇÃO BRASILEIRA DE NORMAS TÉCNICAS. NBR ISO 31000: gestão de riscos: princípios e diretrizes. Rio de Janeiro, 2009.

BATENBURG, R.; NEPPELENBROEK, M.; SHAHIM, A. A maturity model for governance, risk management and compliance in hospitals. Journal of Hospital Administration, Toronto, v. 3, n. 4, p. 43-53, Feb. 2014.

CANGEMI, M. P. The controls challenge. Bank Accounting & Finance, v. 21, n. 5, p. 43-52, 2008.

COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION. Internal control: integrated framework. Durham: COSO, 2013. 348 p.

DELOACH, J.; THOMSON, J. Improving organizational performance and governance. Durham: COSO, 2014. 32 p.

DRESCH, A.; LACERDA, D.; JÚNIOR, J. Design science research: a method for science and technology advancement. London: Springer, 2015. 161 p.

GILL, S.; PURUSHOTTAM, U. Integrated GRC: is your organization ready to move? In: Governance, Risk and Compliance. SETLabs Briefings, p. 37-46, 2008.

GUIA para o gerenciamento de processos de negócio: corpo comum de conhecimento (GUIA BPM CBOK). 2. ed. Chicago, IL: Association of Business Process Management Professionals, 2009. 247 p.

MOELLER, R. COSO enterprise risk management: establishing effective governance, risk and compliance processes. 2. ed. Hoboken: John Wiley & Sons, 2011.

OBJECT MANAGEMENT GROUP. Business process model and notation (BPMN): version 2.0. Needham Heights, MA: OMG, 2011. 508 p.

RACZ, N. et al. Governance, risk & compliance (GRC) status quo and software use: results from a survey among large enterprises. In: AUSTRALASIAN CONFERENCE ON INFORMATION SYSTEMS, 21., 2010, Brisbane. Proceedings... Brisbane: ACIS, 2010.

SPANAKI, K.; PAPAZAFEIROPOULOU, A. Analysing the governance, risk and compliance (GRC) implementation process: primary insights. In: EUROPEAN CONFERENCE ON INFORMATION SYSTEMS, 21., 2013, Utrecht, Netherlands. Proceedings... Utrecht: ECIS 2013 Completed Research, 2013. Paper 58.

STEINBERG, R. Governance, risk management and compliance: it can't happen to us: avoiding corporate disaster while driving success. Hoboken: John Wiley & Sons, 2011.

VICENTE, P. A reference architecture for integrated governance, risk and compliance. 2011. 213 f. Master's dissertation. Universidade Técnica de Lisboa, Instituto Superior Técnico, Lisboa, 2011.

VICENTE, P.; SILVA, M. M. A conceptual model for integrated governance, risk and compliance. In: INTERNATIONAL CONFERENCE ON ADVANCED INFORMATION SYSTEMS ENGINEERING, 23., 2011, London. Proceedings... London, UK: Springer-Verlag, 2011. p. 199-213.

WIERINGA, R. Design science as nested problem solving. In: INTERNATIONAL CONFERENCE ON DESIGN SCIENCE RESEARCH IN INFORMATION SYSTEMS AND TECHNOLOGY, 4., 2009, Philadelphia. Proceedings... Philadelphia, PA, USA: ACM, 2009. p. 8.

ZAIDAN, F. H. Aportes da arquitetura corporativa para o ambiente dos sistemas informatizados de gestão arquivística de documentos: aplicação em companhia de energia elétrica. 2015. 176 f. Doctoral thesis. Universidade Federal de Minas Gerais, Escola de Ciência da Informação, Belo Horizonte, 2015.