How to use Blueworks Live in Risk and Compliance Management

A number of my clients are using Blueworks Live to help them with Governance, Risk management and Compliance or GRC. In regulated industries Blueworks Live can provide significant benefits in this area. This post describes some of the techniques that are being used to enable GRC within Blueworks Live.

Blueworks Live is a great resource for clearly documenting Risks, the Controls that are in place and the Evidence required to demonstrate that risks are being managed. A Risks and Controls catalogue or registry can be built and managed within Blueworks Live.

Once documented, Blueworks Live provides capabilities to govern the catalogue of risks, controls and evidence. It can provide a “single source of truth” that concentrates all required documentation for regulators. It is possible to provide viewer or contributor access to allow regulators to directly see process Blueprints that have been developed with GRC in mind.

Changes can be tracked within Blueworks Live and Process Applications provide a handy way to approve documentation.

Modelling Risks and Controls

There are a number of techniques that can be used to document for GRC. These include the use of colour, custom properties and policies.

Use of Colour

One of the simplest ways to describe business risks in a Process Blueprint is to apply a colour legend. Administrators can define reusable colour legends. The Blueprint editor can apply these to their models. Using colours to describe Risk or Control Points within the process is an easy first step.

Custom Properties

Adding custom properties for Risks, Controls and Evidence allows the process Editor to provide appropriate documentation for GRC. If these properties use “enumeration” the editor can choose from drop down lists of pre-defined risks etc.

Links and attachments can be added to the values within the Blueworks Live Glossary. The Glossary also provides traceability. This means that for any chosen value a “where used” report can be generated.

An advantage of this approach is that custom properties are easy to see in Analysis and Playback modes.

Policies

Policies can be used to hold detailed information for GRC. Policies can be referenced from any process or activity. They can hold links and attachments that are easily visible to any authorised user. Policies provide traceability so that any change to a policy can easily be mapped to the processes and activities that reference it.

In most cases a combination of these three techniques can be used.

Reporting

The wide range of export and display capabilities within Blueworks Live provides plenty of options for sharing information with regulators. Microsoft Office exports can be distributed, or regulators can be given direct access as viewers or contributors.

All changes made within Blueworks Live are auditable. Detailed reports can be generated showing the activity of a user or the history of an artefact such as a process or activity. This information can be of value when demonstrating how and why changes have been made to regulators.

Tracking Risk

The “where used” functionality that is present for most artefacts in Blueworks Live allows for easy tracking of GRC. Where used reports can be generated from the Glossary for property values and from policy artefacts.  This information can also be extracted using the Blueworks Live Application Programming Interface (API).

Use snapshots of process Blueprints to provide a clear view of change over time. This will make it easy to describe changes that have been made.

Approvals and Reviews

Process Applications can be created within Blueworks Live to drive governance lifecycles for processes. Typical uses are:

• A Pre-publication checklist to ensure that the Blueprint is complete.
• A publication workflow to document business approvals prior to making a Blueprint generally available.
• Regular review workflows; perhaps annually. These can be initiated from an external diary system via the API. A custom property can be used to store a review period or date.

In Summary

Governance, Risk Management and Compliance (GRC) is critical in regulated industries. By implementing some of the simple strategies listed here, Blueworks can provide a significant contribution to GRC.