Business Process Management (BPM) and Compliance
How BPM can sustain compliance
BPM has been one of those technology concepts that has not always justified the excitable claims made about its return on investment and its supposed operational and performance benefits.
However, BPM has long been presented as a way to rationalise the spiralling cost of regulatory compliance; that rationale runs through the marketing literature of the many BPM vendors who offer a specialist product under the heading 'GRC' (Governance, Risk and Compliance).
In practice, implementation difficulties centred on accurately identifying the processes, and therefore the owners of the necessary risk controls, have meant that case studies remain limited.
Recently, Business Intelligence (BI) software vendors have made a convincing case to be seen as the compliance automation solution. Compliance projects are predicated on a Plan, Do, Check, Act cycle of process improvement, and once established they require monitoring to produce evidence that the compliance framework is working within tolerance. BI can drive that monitoring, so that non-compliant items are red-flagged early.
Compliance by BI works best with vanilla processes that change rarely, so that queries can be developed once and applied consistently. BPM still has the advantage that it can handle complex, changeable processes that are multifaceted and dynamic, centred on people and the way they interact with others, especially in recent process models built on service-oriented architecture and the cloud. When BI and process performance metrics are built into BPM solutions for these processes, and integrated with data analysis tools, BPM provides information about an organisation's unique business processes that can form the basis for the much-desired automated management and control.
BPM is therefore still seen as the best long-term bet for a compliance solution in the new era of shared services and cloud.
Compliance is alignment with a set of general policies; the type of compliance required depends on the region and its current government, the industry and type of business, and the supporting legislation.
There are three types of compliance:
1. Legislative. Compliance with legislation is determined by the region in which the legislation can be enforced. The strength of, and commitment to, the legislation comes from previously successful legal arguments and from appropriately set and just enforcement measures. Failure to comply with legislation may lead to criminal charges. Examples are Sarbanes-Oxley, HIPAA, and the various data protection and privacy laws.
2. Contractual. Compliance with contractual requirements is determined by the industry, or the group within it, that requires the contract and may take action to enforce it. Failure to comply often leads to dismissal from the group, loss of privileges, loss of reputation, civil action and, where legislation exists to support the regulatory body, criminal charges. An example is the Payment Card Industry Data Security Standard (PCI DSS), promoted and required by Visa and MasterCard.
3. Standards based. Compliance with standards is determined by the business or organisation that adopts the standard as policy and enforces it. Failure to comply often leads to dismissal from the organisation, loss of privileges, loss of reputation or brand trust, civil action and, where legislation exists to support the policy makers, criminal charges. Examples are ISO 27001/5 and ITIL.
Compliance is in principle compulsory; in practice, as with any other risk, an organisation must assess the cost of complying against the likely cost and consequences of non-compliance before deciding how much to invest in each type of compliance.
Meeting regulatory and code of practice requirements is nevertheless a fundamental part of global business, especially in the US and UK. For example:
In the United Kingdom
- UK Data Protection Act 1998
- Freedom of Information Act 2000
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000
- Access to Health Records Act 1990
- Proceeds of Crime Act 2002
- Money Laundering Regulations 2003
- Electronic Communications Act 2000
- Electronic Signatures Regulations 2002
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- Electronic Commerce (EC Directive) Regulations 2002
- Basel II (international)
- Companies (Audit, Investigations and Community Enterprise) Act 2004
- Corporate governance requirements
- IT Infrastructure Library (ITIL), issued by the British Office of Government Commerce (OGC) and available at http://www.ogc.gov.uk/index.asp?id=2261
- BS 7799 and its international equivalent ISO 17799:2000, which set the requirements for information security auditing, including remote auditing and testing
- UK CESG CHECK, specifically the CESG IT Health Check service
There are many more in the US.
BPM gives the business a framework for managing complex processes, ensuring that changes can be made in line with regulations. Without some form of process control, the costs and risks associated with compliance can become unmanageable, and the risk of falling into a state of non-compliance grows with the reluctance to keep spending more and more money on what is only short-term compliance.
Regulation differs in structure and impact, but mostly mandates that businesses understand, control and manage their business processes within strict tolerances. BPM offers the prospect of rationalised costs, automation and medium- to long-term management of the compliance burden, especially in the era of service-oriented architecture and cloud computing.