Risk management system implementation requires a deep and documented process analysis, concerning the whole organization: it must increasingly involve all activities while distinguishing among the core and cross-cutting ones, down to detailed operational activities. Process mapping should allow an organization to carry out ‘risk identification’ (see Ch. 3), describing objectives, staff, activities, responsibilities, organizational units, outputs, deadlines, sequencing and linkages/interactions among the sub-processes and related documented procedures.

Consequently, ‘risk analysis’ (see Ch. 3), is effective when including identification of all key processes containing potential exposure to some consequence. It should involve process analysis, directing special attention to key cross-organizational dependencies and significant control nodes, for example: where data originate, where they are stored, how they are converted to useful information and who uses such information.

The process mapping activity entails a number of steps:

• Identifying all routine activities within the scope of the specific process analysed;
• Grouping the activities into key sub-processes;
• Determining the sequence of events, and links between the sub-processes.

To ensure process maps accurately reflect what actually happens, organizations may combine different methods (see appendix), so an organization should choose the kind of ‘Process Modelling and Mapping’ suitable for its specific goals. The map can be a simple macro-flowchart, showing only enough information to understand the general process flow, or it might be detailed enough to show every single action and decision point.

What follows is a description of different mappings.

• Macro-level process map. This is a very deep level as well as rather rare mapping that outlines the operational routes of an organization.
• Top-down or high-level process map. It shows end-to-end processes across the above operational areas. It is quick and easy to draw, but may not provide the necessary details to build understanding or realize improvements. It is good to show the major clusters of activity in a process.
• Cross-functional process map. It shows roles, inputs, outputs and steps required to complete a specific process within an operational area. Cross-functional process mapping provides enough information for improvement efforts, and uses flowcharts to show the relationship between a business process and the functional units (such as departments) responsible for such a process. These charts emphasize where people or groups fit into the process sequence, and how they relate to one another throughout the process. Cross-functional charts are excellent tools to show how a process flows across organizational boundaries.
• Detailed Process Flowchart. It details systems, instructions and procedures required to complete steps in processes at level three (Cross-functional process map), and shows inputs, outputs, related steps and decision points. Because of the level of detail, such a mapping can be resource-intensive to create, but can offer the greatest improvement potential since it shows decisions and subsequent actions, so providing excellent training and reference materials. Flowcharts may be maps or graphical representations.

The process owner should be in charge of process mapping, while process analysis should be made by other roles (either within or without the organization), in order not to be influenced by one’s own working method.

Lastly, references to the maps, procedural information, and the maps themselves need to be stored in a consistent structure called a process library. Responsibility for the process library needs to be clear, just like any process itself needs an owner.