Decision Framework, D. Logan, J. Sinur
Research Note, 27 May 2003

Process Management Technology Makes Compliance Easier

Every U.S. business must comply with thousands of federal business regulations. Process management technologies and business rules engines can help companies understand new rules and enforce compliance policy.

Core Topic
Application Integration and Middleware: Application Integration

Key Issue
What will be the core technologies and critical success factors for implementing a flexible enterprise nervous system that can accommodate ongoing growth and modifications?

Every company must comply with international, federal, state and local legislation. Gartner has seen a huge increase in interest in using IT to achieve compliance and corporate transparency since 2001, when several corporate scandals broke. The regulations generating the most questions have been:

- Auditing practices: U.S. Sarbanes-Oxley Act of 2002
- Electronic records and signatures: U.S. Food and Drug Administration, Part 11 of Title 21 of the Code of Federal Regulations
- Healthcare record keeping: U.S. Health Insurance Portability and Accountability Act (HIPAA)
- Risk management: New Basel Capital Accord (Basel II)

As usual, software vendors and consulting firms have been eager to provide solutions for these problems. "Soft solutions" using software to improve training, process or application design and auditing can help enforce compliance, but compliance is fundamentally about management actions. IT systems aren't always directly involved.

Businesses need:

- To comply with increasingly complex legislation
- Corporate transparency, to restore investor and stakeholder confidence in business
- To store and safeguard data
- The flexibility to cope with changes in legislation

Gartner: Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Paths to Compliance

Complying will require significant effort for all midsize and large enterprises. Most organizations take an ad hoc approach to compliance. They address requirements as they emerge, through a series of one-off, just-in-time projects. But because compliance affects a lot of ongoing business activity, this is disruptive and increases the effort required. Human judgment may be flawed and so expose the company to possible censure by regulators. Other organizations are more proactive and design a comprehensive process, but often limit the process to a department or division.

Ad hoc or departmental approaches are not efficient or effective enough. Compliance should be an enterprisewide discipline and should be managed and supported by an owner, with well-designed processes and appropriate technology. Like other disciplines, it must be embedded in all processes; otherwise it becomes too tempting to bypass it. If compliance is burdensome, or the frequency and complexity of compliance requests are increasing, the company should identify a compliance officer and design a process that manages all compliance from an enterprisewide perspective (see "Compliance Is Not a Document, It's a Process").

A compliance solution must include the correct documents, but also a record of the process by which they were created: a trail to show when, how, where and by whom they were produced, who last touched them, where they came from and what need they fulfill. Process documentation and control software can provide a means of assigning and documenting roles and responsibilities.

Tailoring a Compliance Solution

As with many software projects, companies must first decide whether to build or to buy a solution. Because most organizations have to comply with more than one piece of legislation, regulation or statute, the answer is usually "both." Software can be very specific or very general, and vendors in many categories are coming forward with compliance-related offerings.

Factors in the decision include how long the company has before the compliance regulations must be met, how much money and time it has, and whether the company wants to make a strategic or tactical investment. Buying specialist tools may solve the problem quickly, but will add to the maintenance burden and increase the fragmentation of the IT environment. Most enterprises would be able to reuse a more flexible tool, and they should prioritize flexibility unless there are compelling reasons otherwise.

For any software solution, the decision to build, buy or outsource should be based on six sets of decision factors (see "Build, Buy and Outsource Decision Factors"):

- Organizational maturity
- Stability or flexibility of the business problem
- Time-to-market demands vs. desire for competitive advantage
- Application domain knowledge
- Technical knowledge
- Economics

In creating compliance solutions, "time to market" becomes "time to compliance deadlines." Organizations should also consider how fast other companies are moving to comply, and whether regulators are likely to be flexible when requirements are complex and poorly understood, as long as an organization can demonstrate that it is moving as rapidly as possible toward building a compliance solution.

Functionality of Compliance Software

In any specific or general solution, certain categories of feature are required:

- Process control or business process management capability
- Document or record management repository
- Document or process template libraries

A real-time compliance checker (or several) can also be helpful, that is, a package that checks transactions, documents and events for compliance with the rules set by legislation, codes of practice and policies. Not all of these features need to come from the same vendor, although an integrated approach can save time and money.

Challenges for Compliance Solutions

Process description, automation and monitoring are the heart of any compliance solution, but complex regulatory legislation rarely offers companies a formula or list of ingredients that will ensure compliance. Consider hiring a vendor or consultant with expertise in the specific processes involved. For example, hire an auditing or accounting firm when implementing the Sarbanes-Oxley Act. Best practices are emerging for some new legislation, but much remains unclear.

To accommodate probable changes in best practices, solutions must be as flexible as possible. There is a strong case for using in-house process analysis and management tools initially, or for buying a general-purpose business process management (BPM) tool. BPM cannot be used alone, because management policies and ethics are the best defense against legal action. But processes are probably the most difficult part of the solution to build and should, therefore, be considered first. Again, a general-purpose, flexible BPM tool will allow companies to build their own compliance-related processes.

Definition of Processes: Business Process Analysis

Many companies do not fully understand their own processes, increasing their costs and exposing themselves to the risk of accidental noncompliance. Business process analysis (BPA) lets them visualize and analyze their processes: what needs to be done, by whom and when. There are several BPA tools and methods. They all create a visual picture of the links between missions, goals and processes, and document the dependencies between different events. Based on repository technologies, BPA tools can analyze the impact of a change across the entire organization and even simulate risk, cost, timing and values of specific business process flows. Documented processes can serve as training aids, quality checks and evidence that procedures are being followed, or at least that there was an intention to follow them.

BPA can help enterprises work out what their own processes must be. Many of the recent laws and statutes are, as written, open to interpretation and will be implemented by companies in slightly different ways. Documented processes, even if they are static, can form the basis of a requirements specification for companies wishing to automate process management or use business rules engines (BREs). BPA vendors include Corel, IDS Scheer, Proforma, Popkin Software, Casewise, EPIance, Mega International, Microsoft and ProActivity.

Enforcement of Processes: Business Process Management

Some companies already have one or more content repositories that are used to store relevant compliance-related materials. For these, the appropriate BPM package will allow processes to be made explicit, and some also have useful integration capabilities. Gartner has defined a spectrum of BPM technologies: some are ad hoc, flexible technologies, for person-to-person or person-to-application-to-person data processing; others are data-driven, for application-to-application use. BPM can be embedded in an application intended for document management or enterprise resource planning, it can be part of a collaboration tool, or it can be stand-alone. Stand-alone BPM applications are typically integration-focused.

BPM tools can help enforce compliance policies in real time, by creating business rules that describe suspected problems. All interactions are tracked, and likely problems can then be automatically escalated to higher levels of authority. BPM vendors include FileNet, Staffware, Pegasystems, Metastorm and DST Systems. BPM vendors with compliance templates include Axentis, CommerceQuest, Fuego and HandySoft.

Enable Process Adjustment: Business Rules Engines

Processes that involve human decision makers are subjective, and that can expose the company to risk. BREs automate common decisions, increasing efficiency and accuracy by reducing human involvement. In the regulatory, compliance and litigation risk management world, rules that can be agreed, encoded, verified and run automatically provide strong evidence that the company is doing everything it can to comply, to the best of its understanding. At their simplest, BREs externalize business rules and allow quick and easy modification. There are three types of BRE:

- Simple BREs, which only externalize rules for real-time or near-real-time changes
- Workflow BREs, which manage process flow with rules
- Inference-based BREs, which drive activities according to the logic contained in the rule base

BRE vendors include Fair Isaac, Computer Associates, Ilog, Pegasystems, Corticon Technologies, Formula Systems/Expert Solutions International, Haley Enterprise and YASU Technologies.

Defining Compliance: Formulate Processes in Writing

Compliance implies defined processes and appropriate rules. Unless both are present and consistent, the audit trail is broken and the organization is exposed to risk. It's much easier for employees to say "I didn't understand" or "Our policy wasn't made clear" in the absence of processes and rules. Today, these statements tend to draw the attention of regulators. A documented rule on how a particular financial metric was calculated removes the guesswork. Formulating the rules also forces enterprises to think through and standardize business logic. In the long term, this process always saves time and money. Making it up as you go along is not only risky and, in many cases, illegal; it also wastes time.

Proving Compliance: Record Retention

Consider a simple rule-set regarding document retention. Based on a document classification (for example, "federal tax record"), a set of rules can be applied that:

- Ensures that the record is retained for the legally sanctioned period of time
- Saves the record to a "write once, read many" storage medium, so that its contents can be verified as uncorrupted or, at least, unchanged by humans
- Deletes the record or moves it when the retention period has expired

Bottom Line: Process definition and monitoring are the heart of compliance. Enterprises with multiple complex compliance needs should consider using general-purpose business process management tools to build compliance solutions that are flexible and that can be used to build processes to comply with any existing or future legislation.
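The retention rule-set above, written out as executable rules, as an added example that is not part of the Gartner note and not any vendor's product. It models the three rules for a classified record: retain for the sanctioned period, keep the bytes on write-once media whose digest proves they are unchanged, and delete or move the record once the period has expired. Every decision is appended to an audit trail, matching the note's point that compliance needs a record of the process, not just the documents. The classifications, retention periods, record contents and the in-memory WormStore class are constructed sample values and assumptions for illustration; the periods are not legal guidance for any jurisdiction.

```python
"""Record-retention rule-set (constructed example; policy values are samples)."""
from dataclasses import dataclass
from datetime import date
import hashlib

# Constructed policy table: classification -> (retention years, action at expiry).
# "archive" means "move it"; "delete" means "delete it", per the note's third rule.
RETENTION_POLICY = {
    "federal tax record": (7, "delete"),
    "financial statement": (10, "archive"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date
    content: bytes


class WormStore:
    """In-memory stand-in for write-once, read-many media (an assumption, not a product).

    A record id can be written exactly once. The SHA-256 digest taken at write time
    is the evidence used later to show the content is unchanged. Removal goes only
    through release(), which the rule engine calls after the retention period.
    """

    def __init__(self):
        self._blobs = {}
        self._digests = {}

    def contains(self, record_id):
        return record_id in self._blobs

    def write(self, rec):
        if rec.record_id in self._blobs:
            raise PermissionError(f"{rec.record_id}: already written; WORM media rejects overwrite")
        self._blobs[rec.record_id] = bytes(rec.content)
        self._digests[rec.record_id] = hashlib.sha256(rec.content).hexdigest()
        return self._digests[rec.record_id]

    def verify(self, record_id):
        """True if the stored bytes still hash to the digest recorded at write time."""
        return hashlib.sha256(self._blobs[record_id]).hexdigest() == self._digests[record_id]

    def release(self, record_id):
        del self._blobs[record_id]
        del self._digests[record_id]


def retention_expiry(rec):
    """First day on which the record may be deleted or moved (rule 1)."""
    years = RETENTION_POLICY[rec.classification][0]
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # created on 29 February and the target year is not a leap year
        return rec.created.replace(year=rec.created.year + years, day=28)


def apply_retention_rules(rec, store, today, audit=None):
    """Apply the rule-set to one record; return the action taken and log it."""
    if rec.classification not in RETENTION_POLICY:
        action = "hold"  # unclassified: keep it until a human assigns a classification
    else:
        if not store.contains(rec.record_id):
            store.write(rec)  # rule 2: land it on write-once media
        if not store.verify(rec.record_id):
            action = "integrity-failure"  # bytes no longer match the write-time digest
        elif today < retention_expiry(rec):
            action = "retain"  # rule 1: inside the sanctioned period
        else:
            action = RETENTION_POLICY[rec.classification][1]  # rule 3: delete or move
            store.release(rec.record_id)
    if audit is not None:
        audit.append((today.isoformat(), rec.record_id, action))
    return action


if __name__ == "__main__":
    store, trail = WormStore(), []
    today = date(2003, 5, 27)
    for rec in (
        Record("tax-1995", "federal tax record", date(1995, 1, 15), b"constructed 1995 return"),
        Record("tax-2000", "federal tax record", date(2000, 3, 1), b"constructed 2000 return"),
        Record("memo-1", "unclassified", date(2003, 1, 1), b"constructed memo"),
    ):
        print(rec.record_id, "->", apply_retention_rules(rec, store, today, trail))
    print(trail)
```

The engine never decides on its own whether something is a "federal tax record"; that classification is an input, which is the part of the process a compliance owner must define in writing. Separating the policy table from the engine is what lets the periods change when legislation does, without touching the code that enforces them.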