Definition of Value Chain
Value Chains originate from Business Process Modelling (BPM) and describe an end-to-end process within an organisation and where it creates value for the organisation. Using a value chain enables a better understanding of who is involved, when and where, to deliver a product or service. The ultimate responsibility sits with the executive who heads up the area delivering the product or service, but in a standard hierarchical structure they may be aware of who is involved yet, without adequate documentation, lack the ability to understand and analyse the value chain. Within each value chain, the particular processes are broken down into smaller components/activities. This leads to a hierarchical structure which is generally documented using a BPM tool. The big difference between this hierarchical structure and the normal business and reporting structure is that it cuts across the organisation horizontally.
The concept of value chains is not something new but has only more recently become the focus for risk management. For banking organisations these may cover products such as consumer credit cards, home mortgages, etc.
Why are Value Chains of interest for Risk Management?
Even though end-to-end processes may have been well defined from a business process modelling perspective, a risk-based view of the value chain may only have existed in spreadsheets or in a disconnected fashion, and not been readily available in a GRC platform. This makes it more difficult to analyse which risks exist where within a given value chain and how they are rated. Taking the next step, identifying which controls support a given process and how effective they are can, without a system, only be done through a lot of manual work, and the result is less readily available.
A clear articulation will have significant benefits. A value chain that is mapped completely with all its risks and controls, and that can be reported on at the press of a button, allows for significantly better analysis and support for decision making. Not only does an end-to-end view enable the identification of areas requiring uplift of the control environment, but the analysis may also help identify where particular controls are supported by downstream controls and may no longer be needed.
Should you structure your business by value chain?
Given the benefits a value chain owner can get from the increased understanding of the end-to-end process, is there a case for restructuring your business to align with value chains?
If you are a larger organisation with multiple divisions and therefore a larger number of value chains, the answer will likely be “no”. This is due to financial reporting as well as general reporting structures which tend to be by business division (retail banking, commercial banking) and their related products and services.
Unless the entire organisation, financial accounting and reporting can be changed to a value chain model that is also understood and supported externally, the value chain concept will remain a reporting construct. With wider adoption within the industry and more focus on it, though, there may well be a different view in the future.
One exception may be the disruptors to the market who focus on delivering particular products or services and therefore have optimised their structure around that process. These may have a valid reason to set themselves up in a value chain centric structure and their GRC processes might more naturally be represented that way.
Representing it in your eGRC platform
So for the larger majority, value chains will provide some challenges in terms of creating a good setup in your eGRC platform. Most organisations have structured their GRC processes around a variation of their internal reporting structure. Utilising that structure, the risk management and compliance activities have been set up and amended to suit this model. Value Chains would not have been part of that structure and, as explained, may not be the primary structure. As long as that is the case, value chains should be set up as a separate hierarchy alongside the business structure. That separate structure still needs to be mapped to what already exists in order to draw any insights. This is where it can get tricky, and finding a happy medium between reusing existing data and "duplicating" data is one of the main challenges. Regardless of which approach is chosen, new process steps for the business are introduced, and these require an uplift of understanding and training.
In the following section, we will have a look at two variants of the mapping and their related challenges. For value chains these challenges in the first instance focus around mapping of risks and controls.
Linking Risk and Controls
You may ask why there is a need to link risks and controls to a value chain. In a normal setup, your initial setup is based on a vertical organisation structure. In that structure the people responsible for performing a particular process are the ones who also own that process, meaning process, risks and controls are managed in that vertical. Value chains, on the other hand, cut across the verticals and, as a reporting structure, refer to these processes.
So depending on the level of detail being captured for the value chains, the next decision will be how to achieve the linking of risks and controls from the business to the value chain structure. The following explores two approaches.
Business-Line driven approach
The business-line driven approach (the one largely described before) maps the data from the verticals to the value chain. To support structured reporting, the different processes might not simply be mapped but "tagged" with an order. The key underlying data, namely risks and controls, remain in one place, i.e. the business.
This approach makes one key assumption: everything that belongs to a particular process within a business line is also relevant for the respective value chain. From a data maintenance perspective, this is the most efficient approach as there is only one set of risk ratings, control ratings, etc., which is maintained by the business. The trade-off in this approach is that there is no capability to perform a separate assessment of, for example, the risks at a value chain level. Another challenge, given the data structures, is the clear attribution of controls that are performed in a given process versus controls that are not relevant to the process.
Value Chain driven approach
Another school of thought sees risks for value chains not as something within each process but rather as a particular risk eventuating in different processes. And while the risks may be more of an overarching concept to the processes, the controls are still mapped from the business. This method therefore requires a separate risk identification step, and potentially a mapping step, to accurately reflect that. One of the benefits of the approach is a separate assessment of the risks from a value chain perspective, utilising a different cut of the underlying controls than a particular business would, which allows controls within a business to be disregarded where they are not actually relevant to the value chain. This approach, however, may require linkages of controls to multiple aspects of a value chain to achieve the correct attribution.
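The two mapping approaches above, sketched as a small data model. This is an added example, not taken from the original article or from any eGRC product; all class names, processes, risks, ratings and controls are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    effective: bool

@dataclass
class Risk:
    name: str
    rating: str      # maintained once, by the owning business line
    controls: list

@dataclass
class Process:
    name: str
    business_line: str
    risks: list

# Constructed sample data: two business-owned processes in a credit card chain.
id_check = Control("Identity verification", True)
cash_rec = Control("Branch cash reconciliation", True)  # not relevant to cards
txn_mon = Control("Transaction monitoring", False)
onboarding = Process("Customer onboarding", "Retail Banking",
                     [Risk("Application fraud", "High", [id_check, cash_rec])])
processing = Process("Transaction processing", "Operations",
                     [Risk("Card fraud", "Medium", [txn_mon])])

def business_line_view(tags):
    """Approach 1: processes tagged with an order; business data reused as-is."""
    rows = []
    for order, proc in sorted(tags, key=lambda t: t[0]):
        for risk in proc.risks:
            rows.append((order, proc.name, risk.name, risk.rating,
                         [c.name for c in risk.controls]))
    return rows

def value_chain_view(vc_risks):
    """Approach 2: chain-level risks with their own rating and control links."""
    rows = []
    for name, rating, links in vc_risks:
        controls = [c for _proc, c in links]
        weak = [c.name for c in controls if not c.effective]
        rows.append((name, rating, [c.name for c in controls], weak))
    return rows

tags = [(2, processing), (1, onboarding)]
# One overarching risk, assessed separately, linked only to relevant controls.
vc_risks = [("Fraud", "High", [(onboarding, id_check), (processing, txn_mon)])]

if __name__ == "__main__":
    for row in business_line_view(tags) + value_chain_view(vc_risks):
        print(row)
```

The first view carries the irrelevant reconciliation control into the chain report because everything in the process is assumed relevant; the second excludes it but needs each control linked explicitly, per process, to the chain-level risk.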
Visualisation
Once everything has been set up in your eGRC platform, the next step is to provide a good view for management to understand this information. Ideally it should be structured in a way that visually represents the value chain at the top level but then also enables more detail. Reporting will have to solve for a number of different challenges. If, for example, your data provides a process and sub-process level, it may be ideal to order the processes as you would have them in the end-to-end process and then order the subprocesses within these. Assuming the risks are linked to these subprocesses, a sample representation (in a simplified form) may look as follows:
So where to from here? If you would like to have a more detailed discussion about value chain risk management, please reach out to us at info@kairosrisksolutions.com.