Embedding Compliance into Business Processes

With governmental regulations for compliance becoming all the more rigorous, C-level executives are finding themselves between a rock and a hard place regarding controlling costs and satisfying these more rigorous compliance demands. At the same time, external auditors are getting more sophisticated in their investigations of compliance - delving deeper into organizations' controls.



The situation can be likened to Edgar Allan Poe's short story, "The Pit and the Pendulum." Every year, the audits get more onerous. The "blade" of the auditors cuts deeper.

The ongoing economic crisis presents a whole other challenge. Companies are strapped and trying to do more with fewer resources. Increasing scrutiny, coupled with less budget - and, in general, less liquidity for devoting dollars to compliance - presents a dire picture.

Yet, difficult times such as these offer organizations of all sizes the opportunity to reflect on ways for driving process improvements, innovation and ultimately competitive advantage. What if the appropriate C-level executives and their organizations could automate repetitive tasks and free up their people to do more strategic activities?

It's happening now through powerful second generation Governance, Risk and Compliance (GRC) technology. This technology brings a laser focus to compliance automation, which reduces the cost and hassle of demonstrating compliance, and converts active compliance and auditing into value-added initiatives for business.

Honing Compliance and Business Processes

When Sarbanes-Oxley (SOX) was first passed, the main focus was Segregation of Duties (SOD) to a very granular level. The time, energy and resources devoted to internal audit and supporting the external audit saw no limits.

Today, organizations are being asked to provide results they didn't have to in the past, yet with fewer resources. Companies are thinking long and hard about how they can provide the same level of compliance reporting within a finite budget.

Concurrently, companies and auditors alike are realizing that well-managed and well-controlled systems extend beyond SOD to a number of IT processes. Companies have a genuine interest in soundly managed IT and financial systems - not only for compliance, but also for safeguarding investors and mitigating risks, such as fraud, theft of data, system failures due to lack of controls, and catastrophic outages.

Therefore, a new focus is emerging - embedding compliance into business processes. A few years ago, the phrase "Quality is free" was all the rage in the manufacturing sector. The idea was that if an organization embedded quality in its manufacturing processes, then it didn't have to bolt it on afterward.

The same can be said for compliance today. Compliance is not a once-a-year root canal or a great effort trying to produce compliance reports. It is embedding compliance into day-to-day operations and into business processes - getting compliance for free, if you will - while accelerating the business processes from which compliance originates.

Asserting Value, Leveraging New Technologies

While the role of compliance executives has always been challenging and daunting, embedded compliance and automated workflows can make their lives easier, and offer an opportunity for them to assert their value to their enterprises.

What are some of the ways to accomplish this task?

Look for tools that support business processes with automated workflows, but also capture audit reporting information. In an SAP application, for example, the process for configuring changes - from the request, development, testing, approval and movement-into-production stages - is tedious and time-consuming.

By utilizing a GRC tool, the automated workflows not only manage the migration of those changes through the development cycle, but also document who made the request, who developed it, who tested it, the test results and when it was moved into production. Such data satisfies the auditor's need for controls and tracking information. Automated workflows dramatically reduce the labor and the time lag of moving changes efficiently into production.

User provisioning also is tedious. If organizations want to bring on new users or change the roles of existing users, they have to follow a very rigorous process for permissions and documentation, including who received which roles, why they received them, who approved them, etc.

GRC tools significantly reduce the time it would take to prepare for an audit. And they reduce the time spent by control owners, process owners, IT security and administrative folks doing repetitive, tedious tasks by 75 percent, freeing people to bring more to the business through value-added initiatives.

Such tools also can reduce the level of scrutiny by auditors. Automated processes tend to be deemed more trustworthy than manual processes. If they know that a company has embedded compliance and automated reporting, auditors are more quickly satisfied. The reporting becomes a by-product of the compliance process, too, one that satisfies the audit need - not only internally, but externally as well.

Growing the Strategic Mindset

Freed of onerous, repetitive tasks, CAOs and their organizations can perform strategic activities. For example, they can roll out a plant in China sooner, address the backlog of enhancement requests more quickly, and evaluate new technologies to benefit the enterprise. Instead of preparing for an audit, they can focus on the questions, "How can we leverage our expertise into new markets?" and "How can we utilize our core competencies for more competitive advantage?" These types of things add value to the business and improve the income statement.

From a business perspective, it can take months to manually prepare for an annual audit. That means that people in these organizations aren't doing their regular jobs. They could be assigned to perform activities that the C-level wants done to impact the top-line or bottom-line.

For some IT organizations, meanwhile, productivity is measured by the time they spend administering systems compared to the time they spend implementing new initiatives. Automated workflows and embedded compliance allow companies to change the equation so that they can spend a greater amount of time improving the business and not just operating the business. Innovation becomes a core value across the board.

Often, business units come forward with requests for IT to implement new technologies, new modules and new functionality. IT finds itself in the difficult predicament of having to resist the never-ending queue of requests, partly because of the fear of new compliance concerns and partly because of the demands that implementation places on its time.

This mindset becomes a speed bump to productivity. If organizations can innovate more with IT processes, then their opportunities grow exponentially. GRC helps remove the backlog in IT.

From an audit perspective, GRC technology gives C-level executives an opportunity to become part of the solution. They can become real players in process innovation. In fact, some progressive companies have kicked around the title of Chief Process Innovation Officer. Their mission: reduce costs, increase efficiency and increase the organization's nimbleness to rapidly respond to market opportunities - all attainable by being able to model and fine-tune the business processes, not just focusing on proving that they have controls for them.

These same companies are looking at what may be viewed as overhead operations and trying to convert them into sources of competitive advantage. The opportunities for process improvements, innovation and business growth do exist - and companies don't have to fall into the pit, even in a down economy. The organizations that seize those opportunities are the ones that will best be positioned now and when the recession ends.

About the Author

Dan Wilhelms is President and C.E.O. of Symmetry Corporation (www.sym-corp.com), an SAP hosting partner that provides technical managed services, security administration and project consulting for SAP customers in the U.S. and around the world. He can be reached at dwilhelms@sym-corp.com.
