We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.
Start a Discussion

How useful is BPM in addressing compliance issues?

Vote 0 Votes
As Scott Menter pointed out to me, some would say we are at the dawn of the age of compliance.   How useful is BPM in regards to addressing issues related to compliance?

15 Replies

| Add a Reply
  • A process and his result might have many stakeholders. Hopefully the customer is the most important, but there are also the organization itself, government or some 'compliance-one'

    During setting up my 'process characteristics map' I also scan the requirements for compliance. Most of the time their are some requirements you have to meet.

    Most of the time they do not add any value to the process result, but what has to be done, must be done.

    That's why I am no fan of compliance. I am a fan of process. And compliance is not seldom frustrating for customer oriented process management.

    But as you know: what's the difference between an auditor and the audience of David Copperfield? The audience of David Copperfield know they are fooled ;-)

    Happy compliancing!

  • And forgot one:

    It's no coincidence only one letter has been flipped in Compliant and Complaint....

  • I happen to have just been involved in a BPM (and BPMS) compliance solution. Compliance truly needs an end-to-end, cross-functional perspective, and BPM is an ideal approach. It's important to understand current processes and integrate compliance with them, not just dump new compliance policy and procedure requirements onto existing operations. A solid BPM approach can help meet compliance needs company-wide while also maximizing efficiency and adoption.

  • I will be compliant if I can show how I plan to be compliant and then prove that my company actually works that way. BPM is a good way to accomplish that.

  • Different kinds of BPM have differing effects on compliance in different ways.

    Process Driver Server Integration - this is fully programmed and enforces compliance to the degree that I supports all cases. If some exceptional cases come along that don't fit into this straight through processing does not handle all cases, then people will have to work outside of the system, and then compliance can not be ensured at all.

    Human Process Management - this has a formal description of the work to be done, and that formal description can expose exactly what should be done. It can enforce compliance, but again some exceptions have to be handled outside the system.

    Production Case Management - like HPM has a formal model of what needs to be done, but people decide what to do at a given step. It does not enforce compliance up front, but since there is a record of what has been done, it is possibly more accurate in telling you how many cases were in or out of compliance. Someone interested in compliance has an accurate means to check and then respond.

    Adaptive Case Management - does not have a complex formal model necessarily enforcing compliance, but like PCM since people don't have to work around the system to get exceptions handled, it is likely that the history will be more accurate than in the HPM and PDSI cases.

    Business Process Analysis is helpful in creating and communicating formal models of behavior that is in compliance. It is helpful in the way that all education is helpful. But BPA does not enforce anything at run time.

    All of these different forms of BPM are USEFUL in differing ways, so I think we can say that there is no situation where BPM detracts from compliance efforts.

    See more at: http://wp.me/pNFv-vF

  • Given that people create all source information and BPM is a mindset about people and their processes it follows that BPM should aid compliance. The real trick is having software that supports people in their job and where required can track and report on activity. Such software needs to be flexible as people work is rarely static as operational efficiency is under constant review. This sounds like another “command and control” system but I would argue that “empowerment and measurement” will deliver better results yet still ensure compliance in any critical processes and allowing people to use initiative to achieve better outcomes. Good software will support the formal and informal processes as designed by good BPM practitioners looking to achieve the optimal process working with users. Let’s remember it was people that created the financial meltdown and we were all let down by inadequate software to understand was really happening where compliance clearly failed.

  • Compliance is the No.1 driver for getting BPM implemented.

    Why? Because the regulators have teeth. The FDA fines are scary - GSK $3.2bn beating the previous record of Pfizer which was over $2bn. They even fined the American Red Cross $16.2m

    That is fam more compelling than 'improved customer sat' or '2% increase in costs'.

    But is it making a company more operatinally excellent. Done well - yes.

    In my blog called "Compliance is Competitive Advantage" I spell it out in more detail. http://iangotts.wordpress.com/2011/06/30/process-governance-is-competitive-advantage-bpm-governance-compliance/

    But the bottom line is "You can combine collaborative change with effective governance, if process is at its heart."

    • After my 'process tour' through the USA, I am so tired of compliance, the only thing I wanted to do is pull out those teeth instead of not get bitten.

      But maybe that's because I am a softy and believe in management by trust instead of fear.

      But after all those untrustworthy people being too greedy and irresponsible, we will probably never get rid of compliance anymore.

      So adapt to this reality or leave the business?....I am not sure yet.

      'Process-society you're a crazy breed, hope you're not lonely without me'

      (Society, Eddie Vedder)

  • A well planned, effectively deployed and clearly communicated procedure or process embeds compliance. Working with contract lifecycle processes as an example, the platform we designed enables business rules determined by cross-functional teams, to drive workflow and provide visibility throughout. Workflow reinforces natural work processes, while visibility supports monitoring. Having defined process, clear workflow and business rules in place is also evidence of an organization's best efforts to ensure compliance, which is valuable in the event of breach (by an employee, or rogue functional group - think traders, for example) or for normal audit reasons.

  • Gosh, I have a customer story directly relating to this that I've been meaning to write about for a few days now, but haven't had time.

    Disclaimer: I haven't read any of the other responses above.

    Let me give you a brief summary of the customer case.

    The customer is a water company that does business in 14 regulated environments. The person using the business process technology (Software AG's ARIS) is a lawyer. I'm relating his experience/presentation.

    The investment in tool was minimal. He partnered with a company called VEA to deliver, they understood the tool very well and were able to implement quickly without much time investment either.

    ARIS is a tool that's technically in the area of BPA - business process analysis and is not a run-time business process engine. ARIS allows you to document your business process, with the elements of the process stored in a repository so that as things change, all changes flow through the business model.

    The target customer was the legal department. The challenge: they dealt with many different regulated environments (each region has different statutes/regulations that impact their process). When legal would get a question from "the business" it could take 3-5 days to respond. And, they had no business context for the response. They'd also know which regulations where being changed based on work on the statutes (which takes years) but had no idea how to manage the regulatory process (including lobbying) based on their business needs.

    By documenting their processes, and then linking in roles and regulations to the process, they were able to do full-text searches on the regulations in the context of their process (so much more powerful than all the legal databases, which just gave full text search but no context). They were also able to easily see a report that showed the following columns:

    1. Regulation
    2. Process impacted
    3. Step(s) of the process impacted
    4. Role impacted
    (there was a 5th column, but I can't remember what it was. I don't think it was region, that is, the region in which the regulations applied).

    They improved their response time to the business from 3-5 days to 3-5 hours (this came from the customer, not the vendor or the implementation partner, and I heard him say it myself).

    They also now have a way to understand how changing statutes will impact their business (regulations derive from statutes), and how to best prioritize efforts to impact the statutes and what to impact (based on how it will affect their business... Answering the question that maybe there's a way to achieve the same regulatory objective, but do so at a lower cost to process change within the water company).

    I hope this is a sufficient summary. To me, it was a very powerful use case and I hope that came across here.


  • As "the other Scott" suggests above, and as anybody who's been through a SOX audit is painfully aware, compliance basically consists of:

    1. Demonstrating that you have documented your process.
    2. Demonstrating that you have followed that process.
    3. Demonstrating that you can spot cases in which it was not followed.

    BPM delivers on each point. Although we, like all other BPM vendors, do spend a lot of time talking about compliance, I'm actually surprised it's not more of a focus than it has been. Maybe that's because traditionally, BPM belonged to the process folks and not the compliance folks.

    Today, however, everybody is on the compliance team. As Ian points out: regulators have teeth. So soft-peddling BPM's compliance benefits is like telling people that their scuba gear will keep them nice and warm underwater but forgetting to mention it will also enable them to breathe.

    PS Thanks, Peter, for the hat-tip in the intro.

  • Yes, BPM can be used to streamline and enforce compliance processes (e.g., SOX, NERC, VPP, JCAHO). I can share a dozen examples, but will leave that to another day.

    Many compliance regulations require organizations to only document their processes. This information includes:

    o What is the workflow (activities, steps)?
    o Who are involved (roles, responsibilities)?
    o What needs to be done (policies, procedures, reviews, approvals)?
    o What is involved (documents, interactions, notifications, discussions)?

    Creating this documentation meets the minimum requirements of the law, but it doesn’t lead toward real operational improvements. BPM can help! With documentation in place, organizations capture controls, the first of three pillars of BPM. Knowing how the controls are followed requires visibility, the second pillar of BPM. Having visibility requires a mechanism to track status and run reports, or in other words a process-driven application. With an application in place, organizations create audit trails, the third pillar of BPM. Control, visibility and audit trails lead to compliance. And now with data in place from form submissions and user interactions, organizations can run analytics to improve and optimize operations.

    Ultimately BPM enables organizations to meet compliance requirements by building apps that answer:

    o Who did what, when?
    o Was it done on time?
    o Was it done correctly? If not, why?
    o How well was it done? (efficiencies, effectiveness)
    o What can we improve? (change the workflow, change how people participate in the workflow through better training)?
    o What related workflows can we improve?
    • Hiring (finding and hiring the right people)
    • Training (making sure our people know what to do and do it correctly)
    • Engineering Changes (ensuring that processes are changed according to proper rules)
    • Environment, Safety, Health Management (changing processes to improve people, assets, environment)

  • Yes, BPM assists, and under the right approach could be the foundation for, compliance efforts. However, there is compliance, and then there is "compliance" used to drive an agenda. The early days of SOX audits were rife with that behavior in numerous public companies.

    I have found that a solid approach for driving a BPM initiative in an organization involves a balance among three constituencies (or requirements) -- control (or compliance if you prefer) for regulatory concerns, management of customers' experience, and operational efficiency.

  • If you think BPM and Compliance are two different things you've been doing it wrong.

    • That's true (it doesn't make compliance a fun thing to be busy with), but many organizations still see a lot of 'process things' as separate initiatives.

      Some guys are busy with compliance. Others are making quality manuals. An improvement team is wearing black belts. IT is implementing a workflow system. And most important, employees are executing the process.

      In the end all these initiatives join (you know how to model that in BPMN?) in processes.

      So I think it is (as we discussed earlier) important to create more process awareness in an organization and combine all the efforts.

      Allthough I am still not a fan of compliance (actually I don't understand why it is needed..), but maybe when we talk process more, compliance gets a little bit more fun ;-((

Add a Reply

Recently Commented On

Monthly Archives