BPM in the Real World
Embedding Compliance into Business Processes
By Dan Wilhelms, President and C.E.O., Symmetry Corporation
With governmental regulations for compliance becoming all the more rigorous,
C-level executives are finding themselves between a rock and a hard place regarding
controlling costs and satisfying these more rigorous compliance demands. At
the same time, external auditors are getting more sophisticated in their investigations
of compliance - delving deeper into organizations' controls.
The situation can be likened to Edgar Allan Poe's short story, "The Pit
and the Pendulum." Every year, the audits get more onerous. The "blade"
of the auditors cuts deeper.
The ongoing economic crisis presents a whole other challenge. Companies are
strapped and trying to do more with fewer resources. Increasing scrutiny, coupled
with less budget - and, in general, less liquidity for devoting dollars to compliance
- presents a dire picture.
Yet, difficult times such as these offer organizations of all sizes the opportunity
to reflect on ways for driving process improvements, innovation and ultimately
competitive advantage. What if the appropriate C-level executives and their
organizations could automate repetitive tasks and free up their people to do
more strategic activities?
It's happening now through powerful second-generation Governance, Risk and
Compliance (GRC) technology. This technology brings a laser focus to compliance
automation, which reduces the cost and hassle of demonstrating compliance, and
converts active compliance and auditing into value-added initiatives for business.
Honing Compliance and Business Processes
When Sarbanes-Oxley (SOX) was first passed, the main focus was Segregation of
Duties (SOD) to a very granular level. The time, energy and resources devoted
to internal audit and supporting the external audit saw no limits.
Today, organizations are being asked to provide results they didn't have to
in the past, yet with fewer resources. Companies are thinking long and hard
about how they can provide the same level of compliance reporting within a finite
Concurrently, companies and auditors alike are realizing that well-managed
and well-controlled systems extend beyond SOD to a number of IT processes. Companies
have a genuine interest in soundly managed IT and financial systems - not only
for compliance, but also for safeguarding investors and mitigating risks, such
as fraud, theft of data, system failures due to lack of controls, and catastrophic
Therefore, a new focus is emerging - embedding compliance into business processes.
A few years ago, the phrase "Quality is free" was the rage in the
manufacturing sector. The idea was that if an organization embedded quality
in its manufacturing processes, then it didn't have to bolt it on afterward.
The same can be said for compliance today. Compliance is not a once-a-year
root canal or a great effort trying to produce compliance reports. It is embedding
compliance into day-to-day operations and into business processes - getting
compliance for free, if you will - while accelerating the business processes
from which compliance originates.
Asserting Value, Leveraging New Technologies
While the role of compliance executives has always been challenging and daunting,
embedded compliance and automated workflows can make their lives easier, and
offer an opportunity for them to assert their value to their enterprises.
What are some of the ways to accomplish this task?
Look for tools that support business processes with automated workflows, but
also capture audit reporting information. In an SAP application, for example,
the process for configuring changes - from the request, development, testing,
approval and movement-into-production stages - is tedious and time consuming.
By utilizing a GRC tool, the automated workflows not only manage the migration
of those changes through the development cycle, but also document who made the
request, who developed it, who tested it, the test results and when it was moved
into production. Such data satisfies the auditor's need for controls and tracking
information. Automated workflows dramatically reduce the labor and the time
lag of moving changes efficiently into production.
User provisioning also is tedious. If organizations want to bring on new users
or change the roles of existing users, they have to follow a very rigorous process
for permissions and documentation, including who received which roles, why they
received them, who approved them, etc.
GRC tools significantly reduce the time it would take to prepare for an audit.
And they reduce the time spent by control owners, process owners, IT security
and administrative folks doing repetitive, tedious tasks by 75 percent, freeing
people to bring more to the business through value-added initiatives.
Such tools also can reduce the level of scrutiny by auditors. Automated processes
tend to be deemed more trustworthy than manual processes. If they know that
a company has embedded compliance and automated reporting, auditors are more
quickly satisfied. The reporting becomes a by-product of the compliance process,
too, one that satisfies the audit need - not only internally, but externally
Growing the Strategic Mindset
Freed of onerous, repetitive tasks, CAOs and their organizations can perform
strategic activities. For example, they can roll out a plant in China sooner,
address the backlog of enhancement requests more quickly, and evaluate new technologies
to benefit the enterprise. Instead of preparing for an audit, they can focus
on the questions, "How can we leverage our expertise into new markets?" and
"How can we utilize our core competencies for more competitive advantage?"
These types of things add value to the business and improve the income statement.
From a business perspective, it can take months to manually prepare for an
annual audit. That means that people in these organizations aren't doing their
regular jobs. They could be assigned to perform activities that the C-level
wants done to impact the top-line or bottom-line.
For some IT organizations, meanwhile, productivity is measured by the time
they spend administering systems compared to the time they spend implementing
new initiatives. Automated workflows and embedded compliance allow companies
to change the equation so that they can spend a greater amount of time improving
the business and not just operating the business. Innovation becomes a core
value across the board.
Often, business units come forward with requests for IT to implement new technologies,
new modules and new functionality. IT finds itself in the difficult predicament
of having to resist the never-ending queue of requests partly because of the
fear of having new compliance concerns as well as the demands on their time
required for implementation.
This mindset becomes a speed bump to productivity. If organizations can innovate
more with IT processes, then their opportunities grow exponentially. GRC helps
remove the backlog in IT.
From an audit perspective, GRC technology gives C-level executives an opportunity
to become part of the solution. They can become real players in process innovation.
In fact, some progressive companies have kicked around the title of Chief Process
Innovation Officer. Their mission: reduce costs, increase efficiency and increase
the organization's nimbleness to rapidly respond to market opportunities - all
attainable by being able to model and fine-tune the business processes, not
just focusing on proving that they have controls for them.
These same companies are looking at what may be viewed as overhead operations
and trying to convert them into sources of competitive advantage. The opportunities
for process improvements, innovation and business growth do exist - and companies
don't have to fall into the pit, even in a down economy. The organizations that
seize those opportunities are the ones that will best be positioned now and
when the recession ends.
About the Author
Dan Wilhelms is President and C.E.O. of Symmetry Corporation (www.sym-corp.com), an SAP hosting partner that provides technical managed services, security administration and project consulting for SAP customers in the U.S. and around the world. He can be reached at email@example.com.