Report of our PROMplease read last weeks post first.
Before i jump into details as to what PROM can do for BWise or the other way around and arguing how this is all relevant in the GRC space i have to warn you. PROM in general as well as the integration with BWise is all in its infant phase. More so, this article describes a vision, not current capabilities. For all our future roadmap discussions and new functionality choices, vision is what drives us and as such, some day, PROM might become part of BWise software. For now, it isn't, but there are ways of integration. For more details, please contact us.
By now you've had the opportunity to read the additional information that we've pointed to last week and if you're a BWise user, you might have created your own vision on what it can do together with BWise. Here are my personal toughts.
1. plug and play PROM is no plug and play solution. You need to know your processes, your relevant transactions and the corresponding data in your information system. Existing documentation of those processes including relevant risks and control measures will help you to identify process steps in the information system, relevant data and forks (since most control measures are decision points in a process). In short, it gives you a good starting point.
2. not the entire process is automated While it is very neat that a PROM model can generate a process model for you, we shouldn't forget that the resulting process model is always limited to those steps that are recorded in any information system. To actually get a holistic view of your process it is not sufficient to focus on that model, since you would have to take into account all manual steps in between as well. Especially in those cases where manual steps actually determine the way a transaction is processed in an automated enviromment. So a PROM model will never replace a process model made by man.
3. we find exceptions, now what. As explained in the PROM example illustrated last week, PROM generated models give direct insight into exceptions in transaction processing. There will always be exceptions, and the question one should ask is what is the risk? Is it mitigated? And if so, did the control that we use to mitigate the risk perform effectively? All very relevant for any resulting opinion on the effectiveness of a certain process.
4. transaction details AND flow are relevant (for the advanced ;))
Instead of just looking at the flow, one should look at all parameters that determine the processing of a transactions. By using continuous continuous controls monitoring or any other means of data mining, you could bind process flow exceptions from PROM to exceptions found in control performance of process inefficiencies identified. (e.g. Some invoices are paid without any checks (exception to PROM generated model) but all of these are below 1k euro, and processed the same day as posted, through electronic wiring (probably rush payments)).
5. make the visible more visible
By plotting the PROM generated model on the human crafted process model, you can directly see what part of the process is automated and what not. Next to that, the flow of transactions can be viewed holistically, with all relevant information of control effectiveness, KRI's, KPI's and control monitoring results in one place. This can be very beneficial for identifying process improvement opportunities, performing audits, assessing impact and likelihood of certain risks during risk assessments for ORM, ERM or other corporate initiatives, as well as managing your process operationally on a day to day basis.
I do realize that the above might seem complicated and that you need more information to fully grasp what is stated above. Feel free to call ;) But if you're a BWise user, you will see that all of the above stated items are capabilities in BWise and that integrating PROM binds all of these together to provide a holistic view of your processes. PROM in itself is considered powerful but looking at the whole picture provides even an better insight and actionable output.
The message here is that from our standpoint and vision, the future is bold - considering this is just one of the 100 areas that will evolve over the coming 10 years and further. In some way, our goal is 'to boldly go where no one as gone before'.
(You can see i'm a trekkie right there)! ;)