Business process management (BPM) is often referred to as process mapping. But it is and can be so much more than connecting boxes of steps in a process. With a few additions, process mapping can provide the foundation for change management as it builds a bridge from an ever-changing list of regulatory requirements to a company’s governance, risk, and compliance (GRC) tool.

It starts with the regulatory inventory. Which regulations are applicable? What are the key obligations of the regulations? Once these key obligations are identified, it is important to determine the operational processes involved with the regulation and the obligation. For example, Regulation CC, Availability of Funds and Collection of Checks, requires that funds be available within certain time periods depending on the type and method of deposit by the consumer. Obviously, this requirement involves a bank’s deposit operations.

Continuing with the Reg CC example, the next step is to understand the deposit operations processes associated with making funds available—and, as importantly, the controls within the processes that ensure compliance with regulatory obligations. The easiest and quickest way to understand and document the processes is through process mapping.

Why a Process Map?

Most people find it easier to understand visual representations than written words. Drawing a process map quickly captures the steps a subject matter expert takes when they perform their job. As the map is drawn, others can easily add missing steps and identify opportunities where there may be duplicative processing or gaps.

There are a variety of tools and techniques for process mapping. Also known as flow charting, the original system was invented by Frank Gilbreth in 1921.[1] Regardless of the tool or technique used, business process mapping is a graphical representation of a process, beginning with a trigger event that starts the process and leading to an endpoint at which the process is complete. Where the process diverges, the decision points and the multiple paths to completion are captured. While business process mapping has been used for over a century to document and improve processes, it is also invaluable for documenting the risks and controls within processes.

A Word About Six Sigma and Lean

Developed by Motorola in the early to mid-1980s, Six Sigma is a methodology for measuring defects per million and identifying opportunities for improvement.[2] The process map is the foundation for documenting the current state of a process and identifying points in the process where gaps or opportunities exist. Whether eliminating waste in a process through Lean Six Sigma or transforming a process through value stream mapping, Six Sigma methodologies can play an important part in streamlining processes while ensuring compliance.

As a process is documented, identify whether risk is involved in the process step and, where risk is found, what steps exist to control and mitigate the risk. In the Reg CC example, are there system controls that happen within the process or in systems supporting the process to ensure that funds are available within the required period of time? Are control reports used to review exceptions?

It is important to number processes, process steps, risks, and controls. With numbered processes, process steps, risks, and controls, a control library can be built. In the documentation, risks and controls should be linked to the applicable regulatory citations.

In addition to steps, risks, and controls, subject matter experts explaining the process may also be able to provide valuable information about pain points and weaknesses in the process. Process mapping can serve dual purposes in building a company’s risk and control self-assessment (RCSA) framework and identifying opportunities for improving processes and controls.

Conducting Risk and Control Self-Assessments (RCSAs)

With the regulations identified, processes aligned to the regulations, and the risks and controls documented in the processes, the framework has been built to conduct an RCSA. With the key process owners, risk and control attributes can be identified and documented to determine how much risk remains in a process with the controls that are currently in place.

To do so, a team starts by determining the inherent risk in the process. The inherent risk is the level of risk in the process that exists without considering any controls. Attributes such as the impact of the risk and the likelihood of the risk are used to determine the inherent risk.

Next, the team assesses the controls and how well they mitigate the risk. Factors such as whether controls are automated or manual, their maturity level, frequency, and monitoring are documented. Once the controls have been assessed, mitigation factors can be used to arrive at the residual risk in the process. Because not all risks can be fully mitigated, most processes carry some level of residual risk. This is especially true if there are many manual tasks or if the inherent risk is very high. A company’s risk appetite determines whether additional controls are required to reduce the risk further.

RCSAs should be done at least annually and whenever processes or controls are designed, changed, or retired. RCSAs are useful tools to inform testing and, in turn, testing can inform RCSAs.

Governance, Risk and Compliance (GRC)

With the completion of the RCSA, risks and controls can be mapped into the company’s GRC tool. It is a best practice to cycle through a few iterations of an RCSA before mapping it into the GRC tool, since it can be difficult to make changes within the GRC tool once they are loaded.

Change Management and a Regulatory Example

Useful examples of BPM trigger events are found in the current wave of regulatory and legal challenges to a variety of consumer fees charged by financial institutions. Recently, for instance, the Federal Deposit Insurance Corporation issued new guidance regarding multiple re-presentment nonsufficient funds (NSF) fees, suggesting that banks eliminate the fees altogether.[3] This came after a year of scrutiny of bank fees and their impact on consumers by federal and state regulators and in private class actions. Many banks have reacted to this increased regulatory activity by reducing or eliminating nonsufficient funds fees, overdraft fees, and overdraft transfer fees.

These changes require rigorous change management. New processes must be designed to ensure that new policies are implemented and that fee assessment is well controlled.

Business process management supports change management by ensuring that changes do not negatively affect the company by increasing the risks documented in its RCSAs.

Process and control mapping should be an integral part of a company’s risk and compliance framework. Working sessions on business process mapping, to acquire risk and control information and identify opportunities for improvement, can ensure a holistic and integrated approach to business process management that benefits both the first and second lines of defense.

[3] Federal Deposit Insurance Corporation, FIL-40-2022, Supervisory Guidance on Multiple Re-Presentment NSF Fees (Aug. 2022),