One of the main challenges of today’s businesses, be it in finance or another industry, is to cope with continuous risk and security control. A way to improve this and reduce process complexity is Value Stream Mapping, a Six Sigma technique to visualize all process elements in order to apply lean principles to your process and reduce waste in specific areas. It’s very common in supply chain and logistics, and the technique is now gaining popularity in finance too.
A product approval and review process, for instance – as part of risk and security in any given financial organisation – often requires a hundred or more different steps. Many of these are document-driven and could thus easily be automated. For a project in a Belgian bank, we brought a risk and control process back to 30-odd intermediate steps by mapping the value streams and subsequently automating document flows and risk checks.
As a result, the process is now more manageable and risk is reduced. Without this lean approach, it’d be more difficult to control the bank’s risks and its security levels. Not least on the administrative and governance side of it: admin procedures are often pushed to the employees to fill in and comply with, and that just doesn’t work. On the other hand, you cannot ask the DevOps team to fill in security documents either. As a result, organisations are becoming rather lax, which is a risk all on its own.
That’s when Six Sigma comes into play, because you cannot let go either: there’s no such thing as risk-free. The example above shows that Six Sigma and VSM help to optimize risk control and to cope with increasingly comprehensive and complex regulation.
Another reason to automate and simplify this process is that first- and second-line cyber experts are so hard to find. Deployment times for new applications are also much shorter than before, multiplying risk. So, define risk indicators - with different layers per application - and alerts, and let security software work for you. That way you keep both security monitoring and the risks in check. An operational control dashboard helps to keep an overview.
More and more finance organizations are now looking at leaning out their IT processes, but it isn’t common yet. Risk Management is often stuck between a rock and a hard place. Compliance managers and legal experts want as much documentation as they can get, while chief security officers don’t want to save on tooling, as you cannot cut corners in this domain.
But simplifying doesn’t mean you are compromising on control. In addition, you win time and remain compliant - if you review your lean processes continuously.