IETEC COLLEGE
Daniel Massiére Birchal
MODEL OF GOVERNANCE, RISK AND COMPLIANCE USING
BUSINESS PROCESS MODELING
Belo Horizonte
2018
Dissertation presented to the Ietec Master's Program, as a partial requirement to obtain a Master's degree in Engineering and Management of Processes and Systems. Area of concentration: Engineering and Management of Processes and Systems Research Line: Process, Systems and Project Management Supervisor: Prof. Dr. Fernando Hadad Zaidan Co-supervisor: Prof. Dr. José Luís Braga Ietec College
Belo Horizonte Ietec College
2018
Birchal, Daniel Massiére.
B617m Model of governance, risk and compliance using business process modeling / Daniel Massiére Birchal. - Belo Horizonte, 2018.
56 f., enc.
Advisor: Fernando Hadad Zaidan. Co-advisor: José Luís Braga.
Thesis (master) – Faculdade Ietec.
Bibliography: f. 55-56
1. Business Process Model. 2. GRC. 3. Integrated GRC. 4. BPMN. I. Zaidan, Fernando Hadad. II. Faculdade Ietec. Master's Degree in Engineering and Management of Processes and Systems. III. Title.
CDU: 658.015
Daniel Massiére Birchal. Engineering and Management of Processes and Systems
MODEL OF GOVERNANCE, RISK AND COMPLIANCE USING
MODELING OF BUSINESS PROCESSES
Approved by the examining board constituted by the professors:
Belo Horizonte, December 7th 2018.
Postgraduate Program in Engineering and Management of Processes and Systems
Ietec College
Dedication
I would like to dedicate this work to my wife, Adriana, my little daughter, Alice, and to
my parents, Renato and Anny. I would like to thank you for your dedication,
understanding, support and encouragement.
ACKNOWLEDGMENTS
Having finished this particularly important stage of my life, I have no words to express my
gratitude to all of those who have supported me in this long journey. They have
substantially contributed to the conclusion of this work.
I would like to thank Prof. Dr. Fernando Hadad Zaidan for his supervision, teachings,
dedication, and friendship and for having identified my potential and invited me to
engage in this outstanding master program.
Prof. Dr. José Luís Braga also helped me immensely with his teachings, his
supervision, support, dedication, professionalism and objectivity.
Mr. Ronaldo Gusmão and the IETEC College deserve a special mention for their
support to the Brazilian technological development, granting scholarships, such as
the one that made this research feasible.
I would like to thank Prof. Dr. Wanyr Romero Ferreira, coordinator of the master
program, for her extraordinary lectures, support and incentive.
Sirlene Maria, librarian at the IETEC College, gave immense support in reviewing
and editing this work. Thank you very much.
I would like to thank my cousin Sérgio Birchal for his support.
Last but not least, I am grateful to all members of IETEC’s team, faculty and staff. I
am grateful to my mates in the master program for their friendship and for the
relevant discussions in and outside of the classroom.
Epigraph
“The task is not so much to see what nobody saw, but to think what nobody else
has yet thought about what everybody sees.”
Arthur Schopenhauer
ABSTRACT
Following the Enron scandal and the global financial crisis of 2008, demands for
transparency and new regulations, such as the Sarbanes-Oxley Act (SOX), Basel and
anti-money laundering laws, have made Governance, Risk and Compliance (GRC)
a priority on organizations' agendas. In this context, the objective of this dissertation is
to present an integrated GRC model, using business process modeling, that eases
the planning of GRC implementation in organizations through the visualization of
their processes and interactions. The research method used was Design Science
Research (DSR), which aims at creating knowledge from the design of artifacts. In
this work the integrated GRC model is materialized as a business process model. A
bibliographic review was carried out to obtain models that used GRC, which served
as the foundation of this work and as the basis for creating business process
models for GRC and integrated GRC. The notation used for modeling was the Object
Management Group's (OMG) Business Process Model and Notation (BPMN). The
models were developed separately for each of the GRC domains and were validated
by comparing them with models proposed by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) and the International
Organization for Standardization (ISO), as suggested by DSR. The models were then
integrated and a new validation was performed by comparing the integrated model
obtained with an integrated GRC maturity model, which was adapted for this purpose.
The integrated GRC business process model obtained in this work gives a view of
the GRC process as a whole, thus contributing to a better understanding of the
processes related to integrated GRC and of the interdependencies inherent in a
multidisciplinary and complex process such as integrated GRC.
Keywords: GRC, Integrated GRC, Business Process Model, BPMN.
LIST OF FIGURES
Figure 1 - Adapted Risk management process ......................................................... 16
Figure 2 - COSO contextual business model ............................................................ 17
Figure 3 - Integrated internal control framework COSO ............................................ 18
Figure 4 - Integrated GRC model .............................................................................. 20
Figure 5 - Wieringa regulatory cycle .......................................................................... 25
Figure 6 - Process Flow (DSR method) ..................................................................... 26
Figure 7 - An adapted governance model ................................................................. 28
Figure 8 - Governance Process ................................................................................ 30
Figure 9 - Governance policy definition process ....................................................... 31
Figure 10 - Performance evaluation process ............................................................ 32
Figure 11 - Policy management process ................................................................... 32
Figure 12 - The adapted Risk model ......................................................................... 33
Figure 13 - Risk domain processes ........................................................................... 35
Figure 14 - Risk Management Process ..................................................................... 36
Figure 15 - Risk identification process ...................................................................... 37
Figure 16 - An adapted model of compliance ............................................................ 38
Figure 17 - Process of Compliance ........................................................................... 40
Figure 18 - Manage audits process ........................................................................... 40
Figure 19 - Subprocesses inspect processes and inspect internal controls .............. 41
Figure 20 - Subprocess re-assess risks .................................................................... 41
Figure 21 - Integrated GRC process model............................................................... 42
LIST OF TABLES
Table 1 - GRC maturity model for hospitals .............................................................. 21
Table 2 - Relationship between the stages of the regulatory cycle and research
activities ...................................................................................................... 26
Table 3 - Processes and sub-processes identified in the area of governance .......... 28
Table 4 - Process versus phase in which the process occurs ................................... 29
Table 5 - Processes and subprocesses in the Risk management domain identified 34
Table 6 - Correspondence between main processes identified in the model of
Vicente & Silva (2011) and ISO 31000 ABNT ............................................ 34
Table 7 - Correspondence between sub-processes of the risk management process
identified in the model of Vicente & Silva (2011) and ISO 31000 ABNT .... 36
Table 8 - Identified processes and subprocesses of Compliance ............................. 38
Table 9 - Correspondence between compliance processes identified in the Vicente &
Silva (2011) model and the Integrated Internal Control Framework COSO 39
Table 10 - Prerequisite assessment of the Compliance model processes ................ 39
Table 11 - Evaluation of GRC maturity model for hospitals ...................................... 45
Table 12 - Correspondence between the scope of the dimensions of the GRC
maturity model for hospitals and the activities of the proposed model ....... 50
LIST OF ABBREVIATIONS AND ACRONYMS
ABNT Associação Brasileira de Normas Técnicas
ABPMP Association of Business Process Management Professionals
BPMI Business Process Management Initiative
BPMN Business Process Model and Notation
BPD Business Process Diagram
CCO Chief Compliance Officer
COSO Committee of Sponsoring Organizations of the Treadway Commission
CRO Chief Risk Officer
DS Design Science
DSR Design Science Research
ERP Enterprise Resource Planning
ERM Enterprise Risk Management
GRC Governance, Risk and Compliance
KPI Key Performance Indicator
KRI Key Risk Indicator
OMG Object Management Group
PDCA Plan Do Check Action
P&C Planning and Control
SUMMARY
1 INTRODUCTION ........................................................................................ 11
1.1. Structure of the dissertation........................................................................ 12
2 OBJECTIVES ............................................................................................. 13
2.1 General objective ........................................................................................ 13
2.2 Specific objectives ...................................................................................... 13
3 THEORETICAL FRAMEWORK ................................................................. 14
3.1 Business Process Model and Notation (BPMN) ......................................... 14
3.2 Governance, Risk and Compliance ............................................................ 15
3.3 ABNT NBR ISO 31000 – Risk Management – Principles and guidelines ... 15
3.4 COSO Conceptual Business Model of Governance ................................... 16
3.5 COSO Internal control integrated framework.............................................. 17
3.6 Related work ............................................................................................... 19
3.6.1 Conceptual model for integrated GRC ....................................................... 19
3.6.2 GRC maturity model for hospitals ............................................................... 20
4 METHODOLOGY ....................................................................................... 24
5 THE CONSTRUCTION OF MODELS ........................................................ 27
5.1 Governance ................................................................................................ 27
5.1.1 Define governance policies process ........................................................... 30
5.1.2 Performance evaluation processes and policy management process ........ 31
5.2 Risk Management ....................................................................................... 33
5.2.1 Risk Management Process ......................................................................... 35
5.2.2 Risks Identification Subprocess .................................................................. 37
5.3 Compliance ................................................................................................ 37
5.3.1 Audit management process ........................................................................ 40
5.4 The GRC integrated model ......................................................................... 41
6 RESULTS AND DISCUSSION ................................................................... 43
6.1 Adjusting the scope of dimensions of the hospital GRC maturity model .... 43
6.2 Evaluation of the business process model ................................................. 47
7 CONCLUSIONS ......................................................................................... 52
7.1 Limitations of the research ......................................................................... 53
7.2 Suggestions for future research ................................................................. 53
REFERENCES .......................................................................................................... 54
1 INTRODUCTION
Historically, Risk Management, Corporate Governance and Compliance were treated
as totally independent activities without any interaction. The integration of these
activities gives rise to the concept of Governance, Risk, and Compliance (GRC), which
combines these efforts and promotes efficiency gains and savings through synergy
and information sharing.
As with Enterprise Resource Planning (ERP), according to Gill and Purushottam
(2008), GRC is steadily gaining importance in corporations. This is mainly due to
globalization, increasing demands for transparency and new regulations such as the
Basel agreement, the Sarbanes-Oxley Act, anti-money laundering laws, and, in the
Brazilian case, Law 13303/16, which sets new GRC standards for public
companies, mixed-capital companies, and their subsidiaries.
Although such initiatives are significant, scientific research on integrated GRC is
insufficient (RACZ et al., 2010), and the existing literature on GRC implementation
indicates that many aspects have not yet been investigated (SPANAKI;
PAPAZAFEIROPOULOU, 2015).
For the elaboration of the models, the Design Science Research (DSR) method will
be used, which guides the construction of knowledge with an emphasis on problem
solving (WIERINGA, 2009). The models will be developed using the Business
Process Model and Notation (BPMN), a notation that provides a simple and
robust set of symbols for modeling aspects of business processes.
In addition, to carry out this research, a search was made for publications related to
the topic. This research was based on the main work found, "A Conceptual Model for
Integrated Governance, Risk and Compliance", published by Vicente &
Silva in 2011. Several related works were also identified that contributed to
this research; they will be described in chapter 3.
1.1. Structure of the dissertation
In addition to this introduction, chapter 2 presents the objectives. Chapter 3 contains
a bibliographic review covering the concept of GRC, the BPMN notation,
and the main models used as the basis for the elaboration and validation of the
models proposed in this work.
Chapter 4 presents the DSR method adopted in this research and the
methodological approach. Chapter 5 then explains in detail how each of the
proposed models was elaborated. In chapter 6, the integrated model is evaluated and
validated, and the results and discussion of the research are presented. Chapter 7
presents the final considerations, the limitations, and suggestions for future work,
followed by the bibliographical references.
2 OBJECTIVES
This chapter will present the general objective and specific objectives of this
research.
2.1 General objective
To present a business process model based on the conceptual model for integrated
GRC proposed by Vicente & Silva (2011) using the BPMN notation, which facilitates
the planning of GRC implementation in organizations through the visualization of
their processes, interactions and sequences.
2.2 Specific objectives
a) Analyze the models proposed by Vicente & Silva (2011), identifying their main
processes and subprocesses;
b) Propose new models of Governance, Risk, Compliance and integrated
GRC, applying DSR in their design, based on the models of Vicente & Silva
(2011), ABNT ISO 31000 (2018), COSO's contextual business model
(2014) and COSO's Integrated Internal Control Framework (2013);
c) Compare the integrated model developed with a GRC maturity model and
evaluate it.
3 THEORETICAL FRAMEWORK
This section discusses the works that serve as the theoretical framework for
the research.
3.1 Business Process Model and Notation (BPMN)
The first version of the BPMN notation was conceived in 2004 by the Business Process
Management Initiative (BPMI) with the aim of standardizing the graphical
representation of business processes. Subsequently, the Object Management Group
(OMG) took over BPMN and several revisions were published, the most recent of
which, BPMN 2.0, was published by OMG in 2011 and is used in this research.
The main goal of BPMN, according to OMG (2011), is to provide a business process
notation that is readily understandable to everyone, including business analysts,
developers, and executives. According to OMG (2011), BPMN reduces the technical
gap between process design and implementation and gives organizations
the ability to understand their internal and external business processes, as well as
their interdependencies.
BPMN modeling is based on flowcharts and graphically represents Business Process
Models (BPM) using Business Process Diagrams (BPD).
According to OMG (2011), the elements for the preparation of BPMN 2.0 diagrams
are grouped into the following categories:
a) Flow objects: represent events, activities or decisions (gateways).
b) Data: represent a data object, a data collection object, a data input or a data output.
c) Connecting objects: represent sequence flows, message flows, and
associations.
d) Swimlanes: grouping constructs for graphical elements, in the form of a pool
or of a lane, which is a subdivision of a pool.
e) Artifacts: provide additional information about the represented process
and can be annotations or groups of graphic elements.
3.2 Governance, Risk and Compliance
The term GRC, according to Steinberg (2011), originated in the management
consultancy sector. It represents the combination of Governance, Risk, and
Compliance and reflects the combination of concepts which, although dispersed,
present great potential for synergy. According to Moeller (2011), each GRC
dimension is composed of four components: strategy, processes, technology, and
people.
Governance can be defined as the "allocation of power by the board,
management, and stakeholders”, but according to Steinberg (2011) the term is also
used to encompass the set of actions taken by senior management in managing
the company. According to Vicente (2011), governance policies play
an essential role because they represent the point of view of the board and top
management on how the company should be managed. In addition, they define
stakeholder expectations about what should be done (MOELLER, 2011).
Similarly, the term "risk" refers to risk management, which according to Steinberg
(2011) can take a variety of forms, from a simple risk assessment to a complete
Enterprise Risk Management (ERM) process. According to Vicente (2011), it is not
possible to obtain all the characteristic benefits of Risk management without
Compliance and Governance being implemented. This is because Governance is
necessary for better alignment with business objectives. In addition, it contributes
to Compliance by improving internal controls, which help identify and prevent
risks.
Likewise, Compliance represents the company's adherence both to current local
legislation and to the internal policies consolidated by corporate governance.
3.3 ABNT NBR ISO 31000 – Risk Management – Principles and guidelines
NBR ISO 31000 (ABNT, 2018) divides the Risk management process into six main
processes, as can be seen in Figure 1. The process begins with establishing the context,
followed by the risk assessment process, the risk management process and the
recording and reporting process. The processes of communication and
consultation and of monitoring and critical review are carried out in parallel
throughout the risk management process. In addition, the risk assessment process
can be divided into three stages: risk identification, risk analysis and risk
evaluation.
Figure 1 - Adapted Risk management process
Source: ABNT, 2018.
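As an added example (not code from the dissertation, from OMG or from ABNT), the following Python script constructs a BPMN 2.0 XML model of the ISO 31000 risk management process described above, classifies its elements into the five BPMN categories of section 3.1, and checks three structural properties a modeller wants before using a process model for GRC planning: every flow node is reachable from the start event, every flow node can reach an end event, and every flow node is assigned to a lane. The element ids, lane names, task labels and function names are assumptions made for this example; the XML element names and the namespace are those of the BPMN 2.0 specification.

```python
"""Structural checks on a constructed BPMN 2.0 model of the ISO 31000 risk process.
Added example (ids, lane names and function names invented), not code from the dissertation."""
import xml.etree.ElementTree as ET
from collections import deque

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"  # BPMN 2.0 model namespace
NS = {"bpmn": BPMN_NS}

# Sequence flows: establish the context -> risk assessment -> risk treatment -> record
# and report, with communication/consultation and monitoring/review run in parallel.
FLOWS = [("start", "fork"), ("fork", "context"), ("fork", "communicate"),
         ("fork", "monitor"), ("context", "assess"), ("assess", "treat"),
         ("treat", "report"), ("report", "join"), ("communicate", "join"),
         ("monitor", "join"), ("join", "end")]
OWNER_NODES = ("start", "fork", "context", "assess", "treat", "report", "join", "end")
OVERSIGHT_NODES = ("communicate", "monitor")

def build_model(flows):
    """Render the constructed process as BPMN 2.0 XML using the given sequence flows."""
    def refs(ids):
        return "".join(f"<flowNodeRef>{i}</flowNodeRef>" for i in ids)
    seq = "\n".join(f'    <sequenceFlow id="f{n}" sourceRef="{s}" targetRef="{t}"/>'
                    for n, (s, t) in enumerate(flows, 1))
    return f"""<definitions xmlns="{BPMN_NS}" id="defs1">
  <process id="riskMgmt" isExecutable="false">
    <laneSet id="ls1">
      <lane id="laneOwner" name="Risk owner">{refs(OWNER_NODES)}</lane>
      <lane id="laneOversight" name="Oversight">{refs(OVERSIGHT_NODES)}</lane>
    </laneSet>
    <startEvent id="start" name="Risk process started"/>
    <parallelGateway id="fork"/>
    <task id="context" name="Establish the context"/>
    <subProcess id="assess" name="Risk assessment (identification, analysis, evaluation)"/>
    <task id="treat" name="Risk treatment"/>
    <task id="report" name="Record and report"/>
    <task id="communicate" name="Communication and consultation"/>
    <task id="monitor" name="Monitoring and review"/>
    <parallelGateway id="join"/>
    <endEvent id="end" name="Cycle complete"/>
{seq}
    <dataObject id="riskRegister"/>
    <dataObjectReference id="riskRegisterRef" dataObjectRef="riskRegister" name="Risk register"/>
    <textAnnotation id="note1"><text>Reporting updates the risk register</text></textAnnotation>
    <association id="assoc1" sourceRef="note1" targetRef="report"/>
  </process>
</definitions>"""

def category_of(tag):
    """BPMN 2.0 element category (OMG, 2011) for a local tag name, or None."""
    if tag.endswith(("Event", "Task", "Gateway")) or tag in ("task", "subProcess", "callActivity"):
        return "flow object"
    if tag in ("sequenceFlow", "messageFlow", "association"):
        return "connecting object"
    if tag in ("dataObject", "dataObjectReference", "dataStoreReference"):
        return "data"
    if tag in ("participant", "lane"):
        return "swimlane"
    if tag in ("textAnnotation", "group"):
        return "artifact"
    return None

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # strip the namespace prefix

def _reach(seeds, adjacent):
    """Set of nodes reachable from seeds by breadth-first search over adjacent."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        for nxt in adjacent[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def check_bpmn(xml_text):
    """Categorize elements and report structural defects of the first process."""
    root = ET.fromstring(xml_text)
    categories = {el.get("id"): category_of(_local(el)) for el in root.iter()
                  if el.get("id") and category_of(_local(el))}
    process = root.find("bpmn:process", NS)
    nodes = {el.get("id") for el in process if category_of(_local(el)) == "flow object"}
    succ, pred = {n: set() for n in nodes}, {n: set() for n in nodes}
    for flow in process.findall("bpmn:sequenceFlow", NS):
        src, dst = flow.get("sourceRef"), flow.get("targetRef")
        if src in nodes and dst in nodes:
            succ[src].add(dst)
            pred[dst].add(src)
    starts = {e.get("id") for e in process.findall("bpmn:startEvent", NS)}
    ends = {e.get("id") for e in process.findall("bpmn:endEvent", NS)}
    in_lane = {r.text.strip() for r in process.findall(".//bpmn:lane/bpmn:flowNodeRef", NS)}
    return {"categories": categories,
            "unreachable": sorted(nodes - _reach(starts, succ)),  # never started
            "dead_ends": sorted(nodes - _reach(ends, pred)),      # cannot reach an end event
            "unassigned": sorted(nodes - in_lane)}                # not placed in any lane

SAMPLE_BPMN = build_model(FLOWS)

if __name__ == "__main__":
    print({k: v for k, v in check_bpmn(SAMPLE_BPMN).items() if k != "categories"})
```

Passing a reduced flow list to build_model shows the two failure modes the checks are for: dropping the flow from monitor to join leaves the monitoring task as a dead end (it runs but the parallel join can never complete), and dropping the flow from fork to monitor leaves it unreachable, so the "parallel throughout the process" requirement of ISO 31000 would silently be lost from the model.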
3.4 COSO Conceptual Business Model of Governance
COSO has developed a holistic view of governance and managerial processes
based on the PDCA, as seen in Figure 2. The process begins with strategic planning,
defining the vision and mission of the organization, followed by the configuration of
the strategy. The strategy environment sets the context for business planning
through a high-level plan for what the organization wants to achieve in the planning
horizon. The business planning stage formalizes the objectives, or roadmaps, of how
operation management will contribute to achieving the strategic objectives, while
execution consists of operation management carrying out the activities
established in the business plan. The monitoring stage is basically composed of
the management activities of supervising and controlling the operation. The last
step, adapting, refers to the adoption of corrective actions that result in changes
in the strategy, business plan, or tactical plan.
Figure 2 - COSO contextual business model
Source: DELOACH; THOMSON, 2014.
3.5 COSO Internal control integrated framework
COSO (2013) suggests that there are three categories of objectives: operational,
reporting and compliance, and defines internal control as a process designed to
provide reasonable assurance of the achievement of these objectives.
Internal control consists of five components:
a) Control environment: the control environment is a set of standards, processes
and structures that promote the basis of internal controls in the organization.
b) Risk assessment: risk assessment is an iterative process for identifying and
assessing risks to the attainment of objectives.
c) Control activities: actions are established through policies and procedures that
help ensure that the risk mitigation policies for achieving the objectives are
implemented.
d) Information and communication: it is the continuous and iterative process of
providing and sharing the necessary information both internally and externally.
e) Monitoring activities: ongoing evaluations, separate evaluations or a
combination of the two are used to make sure that each of the five
components of internal controls is present and working. Continuous
assessments are embedded in the process and deliver information in real
time, while separate assessments are conducted periodically with scope and
frequency based on risk assessment, effectiveness of ongoing evaluations,
and other management considerations.
According to COSO (2013), there is a direct relationship between the objectives, the
internal control components, and the organizational structure. This relationship can
be represented in the form of a cube, as shown in Figure 3. The objectives are
represented on the upper face of the cube, the internal control components on
the front face, and the organizational structure on the side face.
Figure 3 - Integrated internal control framework COSO
Source: COSO, 2013.
The GRC maturity model for hospitals is presented in the following section.
3.6 Related work
This section presents the scientific papers related to this research.
3.6.1 Conceptual model for integrated GRC
This section presents the conceptual model for integrated GRC
proposed by Vicente & Silva (2011). Initially, each GRC dimension was defined as a
modeling domain, and a conceptual model was developed for each. The models
highlight the four main functionalities of GRC, according to the authors: audit
management, policy management, issue management, and risk management.
These activities are represented by yellow rectangles in Figure 4. The concepts
represented in gray also represent important functionalities, but these are usually
automated. Concepts modeled as blue ellipses represent information that is
managed by these functions or is the responsibility of at least one of the GRC areas.
According to Vicente & Silva (2011), Governance is responsible for the supervision
of Risk Management and Compliance. Policies, as defined by Governance, are
central to GRC as they represent senior management's vision of how the
organization should be run and define how the organization should work by
describing what is acceptable and what is not.
A well-structured Risk management must be aligned and linked to Governance and
Compliance in order to gain advantageous information for its risk management
process. In addition, Risk management should not be restricted to merely identifying
and responding to risks but must act proactively in anticipating and avoiding risks
and reducing the possibility of unexpected events occurring.
Compliance must ensure that the organization is operating within the standards set
by Governance in addition to the requirements of the law. The risk prioritization
developed by Risk management helps Compliance achieve this goal since the risks
are aligned with corporate objectives.
Figure 4 - Integrated GRC model
Source: VICENTE; SILVA, 2011.
As can be seen in Figure 4 the internal controls play a central role, since they are key
to GRC’s activities.
3.6.2 GRC maturity model for hospitals
In this section, we present the GRC maturity model for hospitals developed by
Batenburg, Neppelenbroek, and Shahim (2014). The objective of the model is to
evaluate and monitor GRC maturity in Dutch hospitals. To develop the
model, Batenburg, Neppelenbroek, and Shahim compared 16 existing maturity
models and elaborated a first model proposal.
The first proposal contained 15 dimensions divided into the three GRC domains:
the dimensions of the Governance domain were governance structure,
whistleblower process, information sharing, patient co-determination, complaint
management, incident reporting, and patient safety incidents; those of Risk were
frequency of risk analysis, risk management awareness, scope of risk management,
structure of risk management and risk indicators; and those of Compliance were
compliance mapping, information security and compliance controls.
They then tested the model by interviewing hospital managers representing 12.4%
of hospital bed capacity in the Netherlands and developed a second version, which is
shown in Table 1. The model is composed of 14 dimensions and five maturity levels.
Table 1 - GRC maturity model for hospitals
Maturity levels: Level 1 Forming, Level 2 Developing, Level 3 Normalized, Level 4 Established, Level 5 Optimized. Each dimension is listed with its description at each level.

1 Governance authority
Level 1 (Forming): Ad-hoc authority; in practice, professionals have the power.
Level 2 (Developing): Board is responsible without any power.
Level 3 (Normalized): Board is responsible and has the power.
Level 4 (Established): Board is responsible and has the power, and professionals do not oppose.
Level 5 (Optimized): Board and professionals share the power in a balanced way.

2 Governance structure
Level 1 (Forming): There is no P&C (planning and control) in place.
Level 2 (Developing): P&C is ill structured and not documented.
Level 3 (Normalized): P&C is structured and known by professionals.
Level 4 (Established): P&C is implemented; most professionals contribute.
Level 5 (Optimized): All professionals contribute proactively to an integrated P&C.

3 Governance accountability
Level 1 (Forming): Professionals are not accountable to management.
Level 2 (Developing): Professionals view accountability as a bureaucratic process.
Level 3 (Normalized): Each professional is accountable to management.
Level 4 (Established): Each professional embraces his accountability.
Level 5 (Optimized): Each professional is intrinsically motivated to be accountable.

4 Governance control of the professionals
Level 1 (Forming): No audit is performed on the professionals.
Level 2 (Developing): An internal audit is conducted based on quality indicators.
Level 3 (Normalized): An external audit is conducted based on quality indicators.
Level 4 (Established): An unexpected external audit is conducted.
Level 5 (Optimized): There is a good balance between trust and control.

5 Governance incident reporting
Level 1 (Forming): Incidents are reported on an ad-hoc basis.
Level 2 (Developing): A paper form is used to report incidents.
Level 3 (Normalized): There is an easy (electronic) way to report incidents.
Level 4 (Established): Professionals feel safe to report an incident.
Level 5 (Optimized): Professionals trust the quality of the incident reporting process.

6 Risk management authority
Level 1 (Forming): There is no CRO (Chief Risk Officer).
Level 2 (Developing): A CRO is appointed by the board.
Level 3 (Normalized): The CRO reports directly to the board.
Level 4 (Established): The CRO has authority to enact changes.
Level 5 (Optimized): The board and CRO communicate ERM's importance.

7 Risk management structure (the source gives three cells for this dimension)
No risk management framework is in place. / A risk management framework is used. / A risk management framework is fully implemented.

8 Risk management analysis
Level 1 (Forming): No risk analysis is performed.
Level 2 (Developing): A decentralized risk analysis is performed.
Level 3 (Normalized): A centralized risk analysis is performed.
Level 4 (Established): Strategic risk analysis is performed.
Level 5 (Optimized): Risk analysis is integrated in planning new developments.

9 Risk management scope (the source gives three cells for this dimension)
Risks are managed in a fragmented way. / Some types of risks are managed jointly. / Risks are managed in an integrated way.

10 Risk management indicators
Level 1 (Forming): There are no risk indicators in place.
Level 2 (Developing): Indicators are used for internal regulations and policies.
Level 3 (Normalized): Indicators are used for internal and external regulations and policies.
Level 4 (Established): A risk management dashboard is used to monitor risks.
Level 5 (Optimized): There is a system that alerts stakeholders to risks.

11 Compliance authority
Level 1 (Forming): There is no CCO (Chief Compliance Officer).
Level 2 (Developing): A CCO is appointed by the board.
Level 3 (Normalized): The CCO reports directly to the board.
Level 4 (Established): The CCO has authority to enact changes.
Level 5 (Optimized): The board, CRO and CCO work closely together.

12 Compliance structure
Level 1 (Forming): No attempt to standardize similar processes.
Level 2 (Developing): Little attempt to standardize similar processes.
Level 3 (Normalized): Similar processes are standardized across parts of the hospital.
Level 4 (Established): Similar processes are evaluated across the hospital.
Level 5 (Optimized): Similar processes are standardized across the hospital.

13 Compliance controls
Level 1 (Forming): Rely on manual compliance processes and controls.
Level 2 (Developing): Manual and automated compliance processes and controls.
Level 3 (Normalized): Tactical automated compliance processes and controls.
Level 4 (Established): Strategic automated compliance processes and controls.
Level 5 (Optimized): Flexible strategic automated compliance processes and controls.

14 Compliance conscience
Level 1 (Forming): Hospital is indifferent to compliance.
Level 2 (Developing): Hospital is concerned about fixing noncompliance.
Level 3 (Normalized): Hospital continually monitors for compliance.
Level 4 (Established): Hospital plans to sustain compliance.
Level 5 (Optimized): Hospital incorporates compliance controls.

Source: Adapted from Batenburg; Neppelenbroek; Shahim, 2014.
To implement the model, a structured questionnaire was developed that serves as a
tool for measuring the GRC maturity level. The questionnaire was applied to four
Dutch hospitals, which represent 13% of the bed capacity in the Netherlands; in
three of the four hospitals evaluated, Governance obtained better results than
Risk and Compliance.
Batenburg, Neppelenbroek and Shahim concluded that the proposed model can be
used to monitor the GRC maturity of hospitals and to direct the evolution
of their GRC maturity.
In the following chapter, the methodology applied in the development of the research
will be presented.
4 METHODOLOGY
The Design Science (DS) methodology and the Design Science Research (DSR)
method were chosen after a search for a methodology capable of linking
scientific rigor to practical issues in the corporate world. DSR generates scientific
knowledge and contributes to the solution of real problems (WIERINGA, 2009;
ZAIDAN, 2015).
The DSR approach used in this work was proposed by Roel Wieringa, who is one of
the seminal authors of this theme. According to Wieringa (2009), practical issues
change the state of the world and gain knowledge in the changing process.
Furthermore, knowledge issues modify the state of knowledge and apply it in the real
world to validate the change. In this direction, from the analysis of the studies, an
intersection of practical questions and knowledge issues was perceived, as can be
seen below.
According to Dresch, Lacerda, and Júnior (2015), DSR produces artifacts in the form
of a construct, model, method or instantiation, and their usefulness, quality and
efficacy must be evidenced by means of rigorous evaluation methods. Wieringa
(2009) suggests the construction of knowledge through designed artifacts,
emphasizing the connection between scientific development and the solution of
practical problems through a regulatory cycle. The regulatory cycle proposed by
Wieringa (2009) consists of five phases: problem investigation, solution design,
design validation, solution implementation, and implementation evaluation.
As can be seen in Figure 5, the first phase of the regulatory cycle proposed by
Wieringa (2009) is the problem investigation. During this phase, information about
the problem is gathered in order to increase the understanding of the subject,
without yet trying to solve it.
The second phase is the solution design, in which a "solution" to the problem must
be proposed. However, according to Wieringa (2009), the solution found at this stage
may not be the definitive solution and may even make things worse for some
stakeholders.
The third phase, design validation, asks whether the solution proposed in the
previous phase, if correctly implemented, will really bring benefits to the
stakeholders.
The fourth phase is the solution implementation phase. What the term
"implementation" stands for depends on the type of solution that was proposed.
Wieringa (2009) exemplifies that in case the objective is to bring a video recorder to
the consumer market, and the process to achieve this goal has been planned,
implementation is the execution of this planning.
The fifth phase, implementation evaluation, represents the beginning of a new cycle,
in which the solution found in the previous phases is analyzed. As in the problem
investigation phase, this is done without proposing solutions or modifications to
the remaining problems.
Figure 5 - Wieringa regulatory cycle
Source: adapted from Wieringa, 2009.
Relating the steps proposed by the regulatory cycle to the needs of this research, we
obtained Table 2, which highlights the activities to be performed in each of the
phases of the methodology. In the first phase, problem investigation, the
bibliographic review presented in the previous chapter was carried out, with the
objectives of elucidating the concepts related to the theme and identifying
related works that can be used in the development of the research.
Next, a model will be proposed that, as described in the solution design phase, will
not necessarily be the definitive solution of the investigated problem. The next step
of the proposed methodology is the design validation when the proposed models will
be compared with models found in the literature in order to verify their adherence to
the concepts and their comprehensiveness to related processes.
During the next step, the solution implementation, the models will be adjusted, when
necessary, for further integration into an integrated GRC BPM model. In the last
phase, implementation evaluation, the integrated model will be compared to a
maturity model extracted from the literature for validation purposes.
Table 2 - Relationship between the stages of the regulatory cycle and research
activities
Stages of the regulatory cycle | Project activity
1 - Investigation of the problem | Bibliographic review
2 - Project solutions | Model proposition
3 - Validation of the project | Validation comparing the obtained model with related models
4 - Implementation of the solution | Realization of adjustments arising from the validation and integration process
5 - Evaluation of the implementation | Validation of the integrated model
Source: The author, 2018
The flow of the process of this research is illustrated in Figure 6.
Figure 6 - Process Flow (DSR method)
Source: The author, 2018.
In the next chapter, we will detail the process of modeling this research.
5 THE CONSTRUCTION OF MODELS
In this section, we will perform steps 2, 3 and 4 of the regulatory cycle proposed by
Wieringa (2009), which are solution design, design validation, and solution
implementation respectively. To this end, the conceptual model proposed by Vicente
& Silva (2011) will be mapped into processes, which will then be validated against
the risk management process proposed by NBR ISO 31000 (ABNT, 2018), the
contextual business model and the integrated internal control framework proposed by
COSO.
5.1 Governance
From the conceptual model of Governance proposed by Vicente & Silva (2011),
according to Figure 7, it is possible to extract the following main processes in the
domain of Governance:
a) define governance policies;
b) consolidate policies;
c) supervise Risk and Compliance;
d) support operational procedures (by policy);
e) evaluate performance;
f) manage policies.
Figure 7 - An adapted governance model
Source: VICENTE; SILVA, 2011.
The other processes in the governance domain will be modeled as subprocesses as
shown in Table 3.
Table 3 - Processes and sub-processes identified in the area of governance
Identified processes (Governance) | Subprocesses
Define policies of governance | Define key objectives; Define strategy; Define responsibilities and roles; Define code of conduct; Define culture; Define risk appetite
Consolidate policies | -
Supervision of Risk and Compliance | -
Support operational procedures | -
Evaluate performance | Measure KPIs and KRIs; Evaluate reports; Evaluate dashboards
Manage policies | Support policies' life cycle; Manage procedures; Enhance policies; Compliance: suggestions for policy enhancements; Compliance: suggestions for internal control enhancements
Source: The author, 2018.
As the model proposed by Vicente & Silva models only relations, the contextual
business model proposed by COSO will be used to validate the sequence of
processes and the comprehensiveness of the model, according to Table 4. An
analogous approach will also be used in the construction of models in the domains of
Risk and Compliance.
Table 4 - Process versus phase in which the process occurs
Identified processes (Governance) | Corresponding phase in the model proposed by COSO
Define policies of governance | Strategy Configuration / Business Planning
Consolidate policies | Business Planning
Supervision Risk and Compliance | Execution
Support operational procedures |
Evaluate performance | Monitoring
Manage policies | Adaptation
Source: The author, 2018.
Figure 8 illustrates the processes of the Governance domain and their main
relationships with processes in the Risk and Compliance domains, modeled using
BPMN notation. The first process is define governance policies, followed by the
consolidate policies process. Next, the Risk and Compliance oversight process runs
in parallel with the support operational procedures process. Finally, the evaluate
performance and manage policies processes take place.
Figure 8 - Governance Process
Source: The author, 2018.
5.1.1 Define governance policies process
As shown in Figure 9, the define governance policies process has as subprocesses
the following: define accountability and roles, define strategy, define codes of
conduct, define culture, define key objectives and define risk appetite. This process
consists of the definitions of responsibilities and roles, strategy, code of conduct,
culture, key objectives, and risk appetite and additionally receives as input from the
Risk management domain the determination of risk appetite.
Figure 9 - Governance policy definition process
Source: The author, 2018.
5.1.2 Performance evaluation processes and policy management process
Because they are part of this process, the activities measure key performance
indicators (KPI) and key risk indicators (KRI), evaluate reports and evaluate
dashboards were modeled as subprocesses of the performance evaluation process,
as shown in Figure 10.
Figure 10 - Performance evaluation process
Source: The author, 2018.
Similarly, as can be seen in Figure 11, the activities manage procedures, support the
policy life cycle, and improve policies have been modeled as subprocesses of the
policy management process. Both the manage procedures subprocess and the improve
policies subprocess receive feedback from Compliance, with suggestions for
improvements to internal controls and to policies.
Figure 11 - Policy management process
Source: The author, 2018.
5.2 Risk Management
As shown in Figure 12, it is possible to identify four main processes in the domain of
Risk management proposed by Vicente & Silva (2011):
a) Determine Risk appetite
b) Issue management
c) Risk Management
d) Consolidate Risk reports
Figure 12 - The adapted Risk model
Source: VICENTE; SILVA, 2011.
Similar to what has been done in the domain of governance, the other processes
present in the model will be modeled as subprocesses of these main processes as
shown in Table 5. The model proposed by NBR ISO 31000 (ABNT, 2018) was used
for the validation and sequencing of the model.
Table 5 - Processes and subprocesses in the Risk management domain identified
Main processes identified (Risk) | Subprocesses | Subprocesses - Level 2
Determine risk appetite | - | -
Issue management | - | -
Risk management | Analyze key risk indicators; Align risk management with policies; Monitoring; Analyze risks; Categorize risks; Develop key risk indicators; Produce matrix of priorities; Perform corrective actions; Update internal controls; Identify risks | Identify risks: Conduct investigations / surveys in processes; Use internal controls
Consolidate risk reports | - | -
Source: The author, 2018.
As can be seen in Table 6, there is no process corresponding to the communication
and consultation process that is proposed by ISO 31000 ABNT. As this is a
fundamental activity of risk management practice it will be included in the proposed
BPM model.
Table 6 - Correspondence between main processes identified in the model of
Vicente & Silva (2011) and ISO 31000 ABNT
Main processes identified (Risk) | Corresponding phase in the model proposed by ISO 31000 ABNT
Determine risk appetite | Scope, context and criteria
Manage issues | Identification of risks
Manage risks | Risk assessment process / Risk management
Consolidate risk reports | Registration and reporting
No corresponding process | Communicate and consult
Source: The author, 2018.
Figure 13 illustrates the Risk domain processes modeled using BPMN notation and
properly sequenced according to ISO 31000 (ABNT, 2009), as well as its main
relations with Governance.
Figure 13 - Risk domain processes
Source: The author, 2018.
5.2.1 Risk Management Process
From the Risk management model proposed by Vicente & Silva (2011), the following
subprocesses belonging to the risk management process can be highlighted:
identify risks, analyze key Risk indicators, align Risk management with policies,
monitoring, analyze Risks, develop key Risk indicators, produce the priority matrix,
perform corrective actions and update internal controls.
Table 7 shows the outcome of correlating these subprocesses to the model
proposed by NBR ISO 31000 (ABNT, 2018).
Table 7 - Correspondence between sub-processes of the risk management process
identified in the model of Vicente & Silva (2011) and ISO 31000 ABNT
Main identified subprocesses (Manage risks) | Corresponding phase in the model proposed by ISO 31000 ABNT
Identify risks | Identification of risks
Analyze key risk indicators; Align risk management with policies; Monitoring | Monitoring and critical analysis
Analyze risks; Categorize risks; Develop key risk indicators | Risk analysis
Produce the priority matrix | Risk assessment
Perform corrective actions | Treatment of risks
Update internal controls | Registration and reporting
No corresponding activity | Communicate and consult
Source: The author, 2018.
Again, there is no corresponding activity for the communicate and consult process
proposed by NBR ISO 31000 (ABNT, 2018). By adding this activity and modeling the
process according to the sequence obtained by correlating the two models, the
resulting risk management process is shown in Figure 14.
Figure 14 - Risk Management Process
Source: The author, 2018.
5.2.2 Risks Identification Subprocess
Because the activities conduct investigations/surveys in processes and use
internal controls are integral parts of the risk identification process, they were
modeled as subprocesses of that process.
Figure 15 - Risk identification process
Source: The author, 2018.
5.3 Compliance
According to the model proposed by Vicente & Silva (2011), as highlighted in Figure
16, Compliance is defined by five main processes:
a) audit management
b) manage ongoing evaluations
c) report findings
d) compile evidence and recommendations in action plans
e) follow up
Figure 16 - An adapted model of compliance
Source: VICENTE; SILVA, 2011.
The other processes will be modeled as subprocesses of these, as shown in Table 8.
Table 8 - Identified processes and subprocesses of Compliance
Main processes (Compliance) | Subprocesses | Subprocesses - Level 2
Manage audits | Inspect processes | Measure compliance with standards and regulations (processes); Measure compliance with policies (processes)
Manage audits | Inspect internal controls | Measure compliance with standards and regulations (processes); Measure compliance with policies (internal controls)
Manage audits | Re-assess risks | Measure compliance with standards and regulations (risks); Measure compliance with policies (risks); Re-assess risks
Manage ongoing evaluations | - | -
Report findings | - | -
Compile evidence and recommendations into action plans | - | -
Follow up | - | -
Source: The author, 2018.
The results of correlating the identified activities with the integrated internal
control framework are shown in Table 9. It is important to emphasize that, because
the framework extends beyond the limits of the Compliance domain, part of its
activities must be represented by processes of Governance or Risk.
Table 9 - Correspondence between compliance processes identified in the Vicente &
Silva (2011) model and the Integrated Internal Control Framework COSO
Processes identified in the Compliance model | Correspondence in COSO's integrated internal control framework
Processes of the Governance domain | Control environment
Subprocess re-assess risks and Risk management activities | Risk assessment
Follow up and activities performed by Governance | Control activities
Report findings | Information and communication
Manage audits and Manage ongoing evaluations | Monitoring activities
Source: The author, 2018.
The sequence of processes in the model was identified by evaluating the
prerequisites of each of the processes, as shown in Table 10.
Table 10 - Prerequisite assessment of the Compliance model processes
Processes identified in the Compliance model | Prerequisite | Necessarily predecessor process
Manage audits | none | none
Manage ongoing evaluations | none | none
Report findings | Conduct of audits / ongoing evaluations | Manage audits / Compile ongoing evaluation results
Compile evidence and recommendations into action plans | Conduct of audits / ongoing evaluations | Manage audits / Compile ongoing evaluation results
Follow up | Suggested action plans | Compile evidence and recommendations into action plans
Source: The author, 2018.
Since it is common practice to report conclusions to company management and to
validate with them the corrective actions to be taken, and in order to simplify the
flow in this work, the report findings process will be positioned between the manage
audits process and the compile evidence and recommendations into action plans
process. The resulting process flow is shown in Figure 17.
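The prerequisite-based sequencing described above can be checked mechanically. The following Python script is an added example, not part of the dissertation or of any tool it cites: it encodes the prerequisites of Table 10 as a dependency graph, derives the stages whose processes may run in parallel (the BPMN parallel gateway of Figure 17), and verifies that the order chosen in the text respects every prerequisite. The process names are those of Table 10; the graph itself is constructed here for illustration. It also makes visible why the text needs an extra convention: the prerequisites alone place report findings and compile evidence in the same stage, so they do not fix an order between those two.

```python
"""Prerequisite-based sequencing of the Compliance processes (constructed example)."""
from graphlib import CycleError, TopologicalSorter

# Prerequisites taken from Table 10: process -> processes that must necessarily
# precede it. A "none" cell in the table becomes an empty set.
COMPLIANCE_PREREQUISITES = {
    "manage audits": set(),
    "manage ongoing evaluations": set(),
    "report findings": {"manage audits", "manage ongoing evaluations"},
    "compile evidence and recommendations into action plans": {
        "manage audits", "manage ongoing evaluations"},
    "follow up": {"compile evidence and recommendations into action plans"},
}

# The order adopted in the text (report findings placed between manage audits
# and compile evidence).
AUTHOR_ORDER = [
    "manage audits",
    "manage ongoing evaluations",
    "report findings",
    "compile evidence and recommendations into action plans",
    "follow up",
]


def sequence_processes(prereqs):
    """Return one execution order consistent with the prerequisites.

    Raises ValueError when the prerequisites contain a cycle, which in a
    process model means the sequence can never be satisfied.
    """
    try:
        return list(TopologicalSorter(prereqs).static_order())
    except CycleError as exc:
        raise ValueError(f"cyclic prerequisites: {exc.args[1]}") from exc


def parallel_stages(prereqs):
    """Group processes into stages.

    Every process in a stage has all its prerequisites in earlier stages, so
    the processes of one stage can be executed in parallel.
    """
    sorter = TopologicalSorter(prereqs)
    sorter.prepare()
    stages = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # sorted only for deterministic output
        stages.append(ready)
        sorter.done(*ready)
    return stages


def violates_prerequisites(order, prereqs):
    """Return (process, prerequisite) pairs where `order` runs a process
    before one of its prerequisites; an empty list means the order is valid."""
    position = {name: index for index, name in enumerate(order)}
    violations = []
    for process, needed in prereqs.items():
        for prerequisite in needed:
            if position[prerequisite] > position[process]:
                violations.append((process, prerequisite))
    return violations


if __name__ == "__main__":
    for number, stage in enumerate(parallel_stages(COMPLIANCE_PREREQUISITES), 1):
        print(f"stage {number}: {', '.join(stage)}")
    print("author's order valid:",
          not violates_prerequisites(AUTHOR_ORDER, COMPLIANCE_PREREQUISITES))
```

Running the script lists three stages: the two management processes, then report findings together with compile evidence, then follow up. The same functions can be reused for the Governance and Risk domains by supplying their own prerequisite maps.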
Figure 17 - Process of Compliance
Source: The author, 2018.
5.3.1 Audit management process
The process of manage audits consists of three subprocesses, as shown in Figure
18. Each subprocess must be performed periodically and their scope and frequency
will vary depending on the effectiveness of ongoing evaluations, risk assessment,
and other management considerations.
Figure 18 - Manage audits process
Source: The author, 2018.
The subprocesses inspect processes and inspect internal controls are identical and
were modeled according to Figure 19.
Figure 19 - Subprocesses inspect processes and inspect internal controls
Source: The author, 2018.
Similarly, the re-assess risks subprocess is illustrated in Figure 20.
Figure 20 - Subprocess re-assess risks
Source: The author, 2018.
5.4 The GRC integrated model
In this section the integration of the Governance, Risk and Compliance models is
discussed. As can be seen in Figure 21, the process begins in the Governance
domain with the definition of Governance policies. This activity also requires the
participation of the Risk team to determine the company's risk appetite, which is an
integral part of the Governance policies. After the consolidation of governance
policies, processes in the three GRC domains are executed in parallel: in the
Governance domain, the Risk and Compliance oversight and the support of
operational procedures processes; in the Risk domain, the issue and risk
management processes; and all processes of the Compliance domain. Subsequently,
the performance evaluation and policy management processes complete the cycle of
the GRC process.
Figure 21 - Integrated GRC process model
Source: The author, 2018.
In the next chapter this model will be evaluated and the results will be presented.
6 RESULTS AND DISCUSSION
In order to validate the integrated model, the GRC maturity model for hospitals
described in section 3.6.2 and proposed by Batenburg, Neppelenbroek, and Shahim
(2014) will be used. Due to the specialized nature of the Batenburg, Neppelenbroek
and Shahim GRC maturity model, which is geared towards Dutch hospitals, there are
several definitions and requirements that are linked to the hospital sector and to the
real hospital setting such as employee attitudes assessment, reporting, level of
perception of employees, among others. Therefore, the scope of several of its
dimensions must be adjusted to the context of processes in order to make feasible
the evaluation of the business process model proposed in this research.
6.1 Adjusting the scope of dimensions of the hospital GRC maturity model
In this section, the dimensions of the hospital maturity model will be evaluated and
an adjusted scope will be defined for each of them when necessary. Each dimension
corresponds to one row in Table 11.
For dimension 1, governance authority, the maturity model evaluates the balance of
power between the board and the professionals in the ability to define the
governance guidelines. In order to adjust this scope to the context of processes, one
must withdraw the balance of power evaluation between the board and the
professionals, since this evaluation only makes sense in the case of real companies.
Thus, the scope should be adjusted to verify the existence of processes for the
definition of the Governance guidelines.
Similarly, in dimension 2, governance structure, the model evaluates the existence of
governance control planning and the interaction of professionals with it. Transposing
this scope to the context of processes, the scope to be evaluated becomes the
existence of governance planning and control processes.
In the case of dimension 3, governance accountability, the model assesses the
attitude of professionals towards accountability processes. Transposing this scope to
the context of processes, we must evaluate the existence of accountability
processes.
Dimension 4, control of professionals, evaluates the existence of, and the balance
between, internal and external audits. As evaluating this balance only makes sense
in real cases, the scope of this dimension will be adjusted to the existence of
internal and external audits.
Dimension 5, Governance incident reporting, assesses whether there is a process for
reporting incidents, whether reporting is done on paper or electronically, and the
employees' perception of this system. As the last two analyses also only make
sense in real cases, they will not be considered in this work, so the adjusted scope
for this dimension is the existence of a reporting process.
In dimension 6, Risk management authority, the model assesses the organizational
structure, the ability to promote change and Risk management communication. As
the organizational structure does not belong to the context of processes, for this
dimension the ability to promote change and the existence of communication
processes will be evaluated.
Dimensions 7, 8 and 9 remain unchanged; however, in the case of dimension 8 the
scope description will be adjusted to better reflect the process context, without any
harm to the scope of the dimension. The term "planning for new developments" will
be replaced by "strategic plan".
Dimension 10, Risk management indicators, assesses whether there are risk
indicators and, if so, whether they are used in risk monitoring and whether there is a
system that alerts stakeholders to risks. As the assessment of the need for systems
or dashboards only makes sense in the real case, the scope of this dimension will be
adjusted to the existence of risk indicators and their use in monitoring risks.
Dimension 11, Compliance authority, evaluates the organizational structure, the form
of reporting, the authority to promote change and the synergy with the board. As the
organizational structure, the form of reporting and the synergy with the board are not
part of the context of processes, the scope of this dimension will be adjusted to the
capacity to promote changes and the existence of a reporting process.
Similarly, dimension 12, Compliance structure, evaluates whether or not similar
processes are standardized throughout the hospital. Since the standardization of
similar processes is not possible in all industries, this dimension will be adjusted to
support operational procedures.
In the case of dimension 13, Compliance controls, the model assesses whether or
not the compliance process is performed manually or automatically, whether or not
they are rigid or flexible and whether or not they are strategic. In this case, the
existence of the compliance process will be evaluated, since the evaluation of the
other parameters only makes sense in real situations.
Just like dimension 8, dimension 14 remains with the scope unchanged. But the
description of its scope will be adjusted to better reflect the context of processes,
without any harm to the scope of the dimension. In that case, the word "hospital"
shall be replaced by "undertaking". Table 11 compiles all adjustments made.
Table 11 - Evaluation of GRC maturity model for hospitals
Columns: Dimension; Level 1 (Forming); Level 2 (Developing); Level 3 (Normalized); Level 4 (Established); Level 5 (Optimized); Adjusted scope.
1 Governance authority
  Level 1 (Forming): Ad-hoc authority; actually professionals have the power.
  Level 2 (Developing): Board is responsible without any power.
  Level 3 (Normalized): Board is responsible and has the power.
  Level 4 (Established): Board is responsible and has the power & professionals do not oppose.
  Level 5 (Optimized): Board & professionals share the power in a balanced way.
  Adjusted scope: Existence of processes to define the guidelines of Governance.
2 Governance structure
  Level 1 (Forming): There is no P&C (planning and control) in place.
  Level 2 (Developing): P&C is ill structured and not documented.
  Level 3 (Normalized): P&C is structured and known by professionals.
  Level 4 (Established): P&C is implemented, most professionals contribute.
  Level 5 (Optimized): All professionals contribute proactively to an integrated P&C.
  Adjusted scope: The existence of Corporate Governance P&C processes.
3 Governance accountability
  Level 1 (Forming): Professionals are not accountable to management.
  Level 2 (Developing): Professionals view accountability as a bureaucratic process.
  Level 3 (Normalized): Each professional is accountable to management.
  Level 4 (Established): Each professional embraces his accountability.
  Level 5 (Optimized): Each professional is intrinsically motivated to be accountable.
  Adjusted scope: Existence of accountability processes.
4 Governance control of the professionals
  Level 1 (Forming): No audits are performed on the professionals.
  Level 2 (Developing): An internal audit is conducted based on quality indicators.
  Level 3 (Normalized): An external audit is conducted based on quality indicators.
  Level 4 (Established): An unexpected external audit is conducted.
  Level 5 (Optimized): There is a good balance between trust and control.
  Adjusted scope: Existence of internal and external audits.
5 Governance incident reporting
  Level 1 (Forming): Incidents are reported on an ad-hoc basis.
  Level 2 (Developing): A paper form is used to report incidents.
  Level 3 (Normalized): There is an easy (electronic) way to report incidents.
  Level 4 (Established): Professionals feel safe to report an incident.
  Level 5 (Optimized): Professionals trust the quality of the process of reporting incidents.
  Adjusted scope: Existence of a reporting system.
6 Risk management authority
  Level 1 (Forming): There is no CRO (Chief Risk Officer).
  Level 2 (Developing): A CRO is appointed by the board.
  Level 3 (Normalized): The CRO reports directly to the board.
  Level 4 (Established): The CRO has authority to enact changes.
  Level 5 (Optimized): The board & CRO communicate ERM's importance.
  Adjusted scope: The ability to promote change and the existence of communication processes.
7 Risk management structure
  Levels:
    No risk management framework is in place.
    A risk management framework is used.
    A risk management framework is fully implemented.
  Adjusted scope: Scope unchanged.
8 Risk management analysis
  Level 1 (Forming): No risk analysis is performed.
  Level 2 (Developing): A decentralized risk analysis is performed.
  Level 3 (Normalized): A centralized risk analysis is performed.
  Level 4 (Established): Strategic risk analysis is performed.
  Level 5 (Optimized): Risk analysis is integrated in planning new developments.
  Adjusted scope: Risk analysis is integrated into the strategic plan.
9 Risk management scope
  Levels:
    Risks are managed in a fragmented way.
    Some types of risks are managed jointly.
    Risks are managed in an integrated way.
  Adjusted scope: Scope unchanged.
10 Risk management indicators
  Level 1 (Forming): There are no risk indicators in place.
  Level 2 (Developing): Indicators are used for internal regulations & policies.
  Level 3 (Normalized): Indicators are used for internal & external regulations & policies.
  Level 4 (Established): A risk management dashboard is used to monitor risks.
  Level 5 (Optimized): There is a system that alerts stakeholders to risks.
  Adjusted scope: The existence of risk indicators and their use in the monitoring of risks.
11 Compliance authority
  Level 1 (Forming): There is no CCO (Chief Compliance Officer).
  Level 2 (Developing): A CCO is appointed by the board.
  Level 3 (Normalized): The CCO reports directly to the board.
  Level 4 (Established): The CCO has authority to enact changes.
  Level 5 (Optimized): The board & CRO & CCO work closely together.
  Adjusted scope: The ability to promote change and the existence of a reporting process.
12 Compliance structure
  Level 1 (Forming): No attempt to standardize similar processes.
  Level 2 (Developing): Little attempt to standardize similar processes.
  Level 3 (Normalized): Similar processes are standardized across parts of the hospital.
  Level 4 (Established): Similar processes are evaluated across the hospital.
  Level 5 (Optimized): Similar processes are standardized across the hospital.
  Adjusted scope: Support for operational procedures.
13 Compliance controls
  Level 1 (Forming): Rely on manual compliance processes & controls.
  Level 2 (Developing): Manual & automated compliance processes & controls.
  Level 3 (Normalized): Tactical automated compliance processes & controls.
  Level 4 (Established): Strategic automated compliance processes & controls.
  Level 5 (Optimized): Flexible strategic automated compliance processes & controls.
  Adjusted scope: Existence of control and compliance processes.
14 Compliance conscience
  Level 1 (Forming): Hospital is indifferent to compliance.
  Level 2 (Developing): Hospital is concerned about fixing noncompliance.
  Level 3 (Normalized): Hospital continually monitors for compliance.
  Level 4 (Established): Hospital plans to sustain compliance.
  Level 5 (Optimized): Hospital incorporates compliance controls.
  Adjusted scope: The company incorporated compliance controls.
Source: The author, 2018.
6.2 Evaluation of the business process model
In this section, the business process model proposed in this research will be
evaluated according to the GRC maturity model for hospitals. For this evaluation to
be possible, the scopes adjusted as described in the previous section will be
considered or, for the dimensions whose scope was left unchanged, the complete
scope of the dimension. In other words, in those cases the scope to be evaluated is
the Level 5 scope of the dimension.
The scope to be assessed for dimension 1, Governance authority, was adjusted to
the existence of processes to define the governance guidelines. Looking at the
proposed model, it is possible to identify the processes define governance
policies, consolidate policies and manage policies, so it is possible to conclude that
the scope for this dimension has been properly met. Similarly, for dimension 2,
Governance structure, the adjusted scope was defined as the existence of
governance planning and control processes. In the proposed model, the Governance
planning processes are define Governance policies, consolidate policies and manage
policies, and the control process is supervise Risk and Compliance. Therefore, it is
possible to conclude that this dimension is also fully satisfied by the model
proposed in this research.
For dimension 3, governance accountability, it is possible to verify that the
adjusted scope, the existence of accountability processes, is fully met by the
processes define responsibilities and roles, define code of conduct and define
culture. Likewise, dimension 4, governance control of professionals, is covered by
the processes evaluate performance, manage audits (Compliance) and manage ongoing
evaluations (Compliance). Similarly, the adjusted scope of dimension 5, governance
incident reporting, which verifies the existence of a reporting system, is met by the
process manage issues (Risk management).
In the case of dimension 6, Risk Management authority, the adjusted scope is the
ability to promote changes and the existence of communication processes. It can be
observed that this scope is satisfied by the processes perform corrective actions and
communicate and consult.
The dimension 7, Risk management structure, assesses whether or not a risk
management framework has been fully implemented. Since processes define risk
appetite, manage issues, manage risk, consolidate risk reporting, and communicate
and consult represent all stages of risk management process proposed by ABNT
ISO 31000 (2018), it can be said that these processes cover the requirements of this
dimension with certainty.
Dimensions 8 and 9, Risk management analysis and Risk management scope, assess
whether risk analysis is integrated into the company's strategic plan and whether
risks are managed in an integrated manner, respectively. Due to the strong
interrelationships and interdependencies between these two dimensions, they
will be analyzed together. In this case, the processes determine risk appetite, which
influences governance policies, manage risks and consolidate risk reports
demonstrate the centralization of the risk management process. Furthermore, the
processes communicate and consult and measure KPIs and KRIs (Governance)
demonstrate the integration of risk processes into the company's strategic plan,
showing that the scope of these two dimensions has been fulfilled.
Dimension 10, Risk management indicators, evaluates the existence of risk
indicators and their use in monitoring processes. This scope is clearly fulfilled by
processes such as analyzing key risk indicators, developing key risk indicators and
measuring KPIs and KRIs (Governance).
The adjusted scope of dimension 11, Compliance authority, is the ability to promote
change and the existence of a reporting process. Evaluating the proposed model
against this scope, it is possible to conclude that it is satisfied by the processes
report findings, compile evidence and recommendations into action plans and
follow up. Similarly, dimension 12, Compliance structure, whose adjusted scope is
support for operational procedures, is satisfied by the processes support operational
procedures (Governance), manage procedures (Governance) and inspect
processes.
Dimension 13, Compliance controls, evaluates the existence of compliance
control processes. The processes of the proposed model that meet this scope are
"manage ongoing evaluations", "manage audits", "report findings", "compile
evidence and recommendations into action plans" and "follow up".
Finally, for dimension 14, Compliance awareness, the scope was adjusted to assess whether
the company has incorporated the compliance controls. As can be seen in the model, the
processes that fulfill this scope are "manage ongoing evaluations", "manage audits",
"define Governance policies", "consolidate policies" (Governance), "oversee Risk and
Compliance" (Governance) and "manage policies" (Governance).
Table 12 summarizes the correspondence between the scope to be evaluated and
the processes of the integrated model proposed in this research, indicating whether
or not the scope of each of the dimensions was met.
Table 12 - Correspondence between the scope of the dimensions of the GRC
maturity model for hospitals and the activities of the proposed model

| Dimension | Scope to be evaluated | Related activities | Does it meet the scope of the dimension? |
|---|---|---|---|
| 1 Governance: authority | Existence of processes to define the guidelines of Governance | Define governance policies; Consolidate policies | Yes |
| 2 Governance: structure | Existence of Corporate Governance P&C processes | Define Governance policies; Consolidate policies; Oversee Risk and Compliance; Manage policies | Yes |
| 3 Governance: accountability | Existence of accountability processes | Define responsibilities and roles; Define code of conduct; Define culture | Yes |
| 4 Governance: control of professionals | Existence of internal and external audits | Evaluate performance; Manage audits (Compliance); Manage ongoing evaluations (Compliance) | Yes |
| 5 Governance: report of incidents | Existence of a reporting system | Manage issues (Risk) | Yes |
| 6 Risk management: authority | The ability to promote change and the existence of communication processes | Perform corrective actions; Communicate and consult | Yes |
| 7 Risk management: structure | A risk management framework has been fully implemented | Determine risk appetite; Manage issues; Manage risks; Consolidate risk reports; Communicate and consult | Yes |
| 8 Risk management: analysis | Risk analysis is integrated into the strategic plan | Determine risk appetite; Manage risks; Consolidate reports; Communicate and consult; Measure KPIs and KRIs (Governance) | Yes |
| 9 Risk management: scope | Risks are managed in an integrated way | Determine risk appetite; Manage risks; Consolidate reports; Communicate and consult; Measure KPIs and KRIs (Governance) | Yes |
| 10 Risk management: indicators | The existence of risk indicators and their use in the monitoring of risks | Analyze key risk indicators; Develop key risk indicators; Measure KPIs and KRIs (Governance) | Yes |
| 11 Compliance: authority | The ability to promote change and the existence of a reporting process | Report findings; Compile evidence and recommendations into action plans; Do follow-up | Yes |
| 12 Compliance: structure | Support for operational procedures | Support operational procedures (Governance); Manage procedures (Governance); Inspect processes | Yes |
| 13 Compliance: controls | Existence of control and compliance processes | Manage ongoing evaluations; Manage audits; Report findings; Compile evidence and recommendations into action plans; Do follow-up | Yes |
| 14 Compliance: awareness | The organization has incorporated the compliance controls | Manage ongoing evaluations; Manage audits; Define Governance policies (Governance); Consolidate policies (Governance); Oversee Risk and Compliance (Governance); Manage policies (Governance) | Yes |

Source: The author, 2018.
As can be observed, once the necessary adjustments were made to the scopes to make
the evaluation feasible, the model contains processes that fulfill the full scope of the hospital
GRC maturity model, so the GRC business process model proposed in this research
can be considered adequate.
7 CONCLUSIONS
This research aimed to facilitate the planning of GRC implementation in
organizations through an integrated GRC business process model based on the
conceptual model proposed by Vicente & Silva (2011). The validation of the
integrated model, performed using the GRC maturity model for hospitals proposed by
Batenburg, Neppelenbroek, and Shahim (2014), shows that this main goal was
achieved.
To do so, we initially investigated the models of each of the GRC domains proposed
by Vicente & Silva (2011), identifying their main processes and subprocesses, thus
achieving the first specific objective of this research. The second specific objective
was achieved with the construction and validation of the business process models for
each of the GRC domains and the construction of the integrated GRC model.
Subsequently, the integrated GRC business process model was validated against
the GRC maturity model for hospitals proposed by Batenburg, Neppelenbroek, and
Shahim (2014), thus reaching the third and last specific objective of this research.
It is therefore possible to conclude that the specific objectives of this research were
achieved.
One of the main challenges encountered in developing this research was the
scarce scientific literature available on integrated GRC. One of the strategies used to
overcome this problem was to validate the Governance, Risk and Compliance
models against models developed specifically for each of these areas. For
the validation of the integrated model, the solution found was to use an integrated
GRC model specialized for the hospital sector, adapting it in order to make
this analysis feasible.
The implementation of integrated GRC can be complex because it involves
processes from different areas that, according to Gill and Purushottam (2008), are
traditionally isolated in silos. The integrated GRC business process model proposed
by this research allows a holistic view of the GRC processes and demonstrates the
complex interactions resulting from their multidisciplinary nature. By way of example,
this information can facilitate the development of a future business process model
for deploying GRC in a specific company, possibly reducing the risks, the time
required for deployment and, consequently, the costs.
It is concluded that this dissertation contributed to a better understanding of the
processes related to integrated GRC and of the interdependencies inherent in a
multidisciplinary process such as GRC. In addition, it is worth mentioning what
distinguishes this research in the literature: the comprehensiveness of the
content related to the business process models of integrated GRC and the
novelty of the presented model, despite the little literature available.
7.1 Limitations of the research
This work was developed on the basis of several references, methods and theoretical
models. The evaluation of particularities and of the possible need to adapt the
processes for companies in specific segments, as well as the evaluation of
possible impacts of implementation in a real process, are outside its scope.
Therefore, adaptation of the model, and complementary models, may be
necessary when applying the GRC process in real situations.
7.2 Suggestions for future research
As opportunities for future research, the following are suggested:
• Assessing the GRC business process maturity of organizations
from specific sectors;
• Deepening the proposed BPM models by adapting them to specific segments;
• Conducting a survey with a questionnaire to evaluate the level of adherence of
companies in a specific segment to the GRC practices modeled.
REFERENCES
ASSOCIAÇÃO BRASILEIRA DE NORMAS TÉCNICAS. NBR ISO 31000: gestão de riscos: princípios e diretrizes: citações em documentos: apresentação. Rio de Janeiro, 2009.
BATENBURG, R.; NEPPELENBROEK, M.; SHAHIM, A. A maturity model for governance, risk management and compliance in hospitals. Journal of Hospital Administration, Toronto, v. 3, n. 4, p. 43-53, Feb. 2014.
CANGEMI, M. P. The controls challenge. Bank Accounting & Finance, v. 21, n. 5, p. 43-52, 2008.
COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION. Internal control: integrated framework. Durham: COSO, 2013. 348 p.
DELOACH, J.; THOMSON, J. Improving organizational performance and governance, Durham: COSO, 2014. 32 p.
DRESCH, A.; LACERDA, D.; JÚNIOR, J. Design science research: A method for science and technology advancement. London: Springer, 2015. 161 p.
GILL, S.; PURUSHOTTAM, U. Integrated GRC: Is your Organization Ready to Move? in Governance, Risk and Compliance. SETLabs Briefings, p. 37-46, 2008.
GUIA para o gerenciamento de processos de negócio corpo comum de conhecimento: (GUIA BPM CBOK). 2. ed. Chicago, IL: Association of Business Process Management Professionals, 2009. 247 p.
MOELLER, R. Coso enterprise risk management: Establishing effective governance, risk and compliance processes. 2. ed. Hoboken: John Wiley & Sons Inc, 2011.
OBJECT MANAGEMENT GROUP. Business process model and notation: (BPMN): version 2.0. Needham Heights, MA: OMG, 2011. 508 p.
RACZ, N. et al. Governance, risk & compliance (GRC) status quo and software use: results from a survey among large enterprises. In: AUSTRALASIAN CONFERENCE ON INFORMATION SYSTEMS, 21., 2010, Brisbane. Proceedings… Brisbane: ACIS 2010.
SPANAKI, K.; PAPAZAFEIROPOULOU, A. Analysing the governance, risk and compliance (GRC) implementation process: primary insights. In: EUROPEAN CONFERENCE ON INFORMATION SYSTEMS, 21., 2013, Utrecht, Netherlands. Proceedings... Utrecht: ECIS 2013 Completed Research, 2013. Paper 58.
STEINBERG, R. Governance, risk management and compliance: It can’t happen to us – avoiding corporate disaster while driving success. Hoboken: John Wiley & Sons Inc, 2011.
VICENTE, P. A reference architecture for integrated governance, risk and compliance. 2011. 213 f. Dissertação (Mestrado) – Universidade Técnica de Lisboa, Instituto Superior Técnico, Lisboa, 2011.
VICENTE, P.; SILVA, M. M. A conceptual model for integrated governance, risk and compliance. In: INTERNATIONAL CONFERENCE ON ADVANCED INFORMATION SYSTEMS ENGINEERING, 23., 2011, London. Proceedings… London, UK: Springer-Verlag, 2011. p. 199-213.
WIERINGA, R. Design science as nested problem solving. In: INTERNATIONAL CONFERENCE ON DESIGN SCIENCE RESEARCH IN INFORMATION SYSTEMS AND TECHNOLOGY, 4., 2009, Philadelphia. Proceedings… Philadelphia, PA, USA: ACM, 2009. p. 8.
ZAIDAN, F. H. Aportes da arquitetura corporativa para o ambiente dos sistemas informatizados de gestão arquivística de documentos: aplicação em companhia de energia elétrica. 2015. 176 f. Tese (Doutorado) - Universidade Federal de Minas Gerais, Escola de Ciência da Informação, Belo Horizonte, 2015.