Compliance: Headache or Windfall?

August 8, 2011

Forming a Process Centric Model

Regulatory bodies and compliance rules are as old as civilization.  Early Egyptians, Greeks, Romans and Indians created standards and rules for business.  These rules were centered on weights and measures as well as currency, but today regulations come from many sources.

When we look at a regulatory construct, we are effectively looking at rules, laws, guidelines and best practices that are dictated by a governing body.  I say dictated, but these rules are generally a set of statements that have been developed, reviewed and ultimately enacted through a governing board within a corporation.  Regulations may also be established by industry-related governing boards, and many regulations are based on governmental laws (from federal, state and local agencies).  The volume of these regulatory books and the volume of statements contained in each can be enormous depending on the industry and corporate size.  Public companies have the Securities and Exchange Commission to deal with.  Companies with global operations have to comply with the varying laws of each operating country and adhere to health and safety standards, hiring and firing requirements, social responsibility requirements, etc.  If you’re a financial services firm, a plethora of regulations guide how you account, record, trade and settle.  If you’re a pharmaceutical company, strict standards dictate how you run your clinical trials, record your findings, label your products, etc.  Now, add in all of the internal standards that govern your best practices related to your unique products, partnerships, and contract types.  As we can easily surmise, the complications that result are immense.

The SOX Phenomena

In 2003, after starting my own software services firm, I sat with the head of compliance for a Fortune 100 construction company to review their requirements for Sarbanes-Oxley.  Within a day of information gathering it became clear that their main objective was to look at how to manage a set of “controls” by recording who was responsible for each and whether it was working or not.  Now, to be clear, a “Control” is simply a process step that has an owner and is in place to mitigate a risk to the organization.  So, what this company was doing was to create a “matrix” of relationships between identified risks, controls (mitigation steps), owners, and the process area they relate to.  As I discovered in the weeks following these meetings, almost every company that was scrambling to comply with SOX was doing this exact thing, and almost all of them were keeping their risk/control matrices in spreadsheets.  The problems with that approach were universal, and a collaborative, relational data storage solution was an obvious need.

Process is the common denominator

While I grew my business by developing software to address this requirement, other interesting similarities emerged from my client base.  Companies were not only interested in passing an audit or dealing with the SOX regulations.  They had a dozen or more other pressing regulations that required the same type of solutions.  In each case, whether it was FDA regulation 21 CFR Part 11, ISO 9000, Basel II, or the variety of internal standards that were being addressed, the same basic needs existed.  Companies needed to understand the regulations; identify the risks, controls, gaps, remediation steps, owners and process areas; and manage all of that information somewhere.  Most commonly, that meant in an independent spreadsheet.  And what was the one thread that formed the backbone of all compliance management?  Process.

Another Fire Drill?

What I found was that each process area (i.e. HR, Finance, Manufacturing Ops, etc.) was being hounded by internal audit teams, compliance directors, external auditors and quality managers to document their processes; document their controls; document their risks; document their issues; document remediation tasks, and on and on.  It’s amazing that anyone was ever actually doing their day job.  During the nearly ten years that I’ve worked with organizations on regulatory requirements, very little has changed in this regard.  I have yet to encounter a company that manages all of its compliance and regulatory requirements from a single platform.  Some organizations have made strides with managing process details in a more coordinated fashion, but most still deal with each compliance requirement as a separate challenge involving separate projects.

The issues with this condition are perhaps obvious: each time one of the regulatory initiatives is executed, operational leaders relive the exact same nightmare.  It’s Groundhog Day!  I’ve had leaders within pharmaceutical clients tell me that rarely does a year pass before they have to execute another fire drill of process capture, internal review, internal audit, and external audit.  Invariably, it’s a short-sighted exercise to check a bunch of boxes and get a rubber stamp so that everyone can get back to normal operations.

The Single Platform Vision

Now for the good news: things are changing.  During my four-year tenure at Nimbus I’ve seen an awakening within highly regulated industries to stop the nonsense.  It all begins with proper process management, wherein organizations do the following:

  1. Define end-to-end processes using a simple notation for business end users.
  2. Govern process definitions and all related reference materials in support of process execution.
  3. Manage regulatory and internal standards within structured, governed statement(s).

Process management should not be the result of fire drill exercises to satisfy auditors; rather, BPM should be an integral part of knowledge capture, process improvement, compliance management and business agility.  As one executive summarized when heading into a board meeting after meeting with me, “We can’t improve what we can’t understand.”  As I’ll discuss in later postings, there is both a mechanical nature to BPM and a cultural one.  Very few cultures are used to maintaining a high level of accountability and continuous management of process content.  Just putting systems in place is not a cure-all, and as we’ll explore, organizational culture plays a huge role.

Active Governance

August 1, 2011

What is true oversight?  How much oversight is prudent?

Governance, much like Business Process Management, is a term that is thrown around in a variety of contexts but rarely understood.  The term often refers to a structure that enforces rules.  The most even-handed definition I could find states that governance is: the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled.  I like this definition for the fact that it tries to encompass “processes, customs, policies, laws and institutions”, but the most telling word is perhaps “affecting”.  Governance may provide some sense of structure, but only so far as it attempts to “affect” the behavior of the organization.  Also, what is key to understanding what I will call “active governance” is not just putting a structure in place, but actually putting an enforcement structure in place.  Governance cannot have much effectiveness to “affect” behavior without a complete cycle of structure and enforcement.  Further, governance is not an end-state condition.  For any company to state that it is well governed is simply a relative judgment that is meaningless when proclaimed by someone within that organization.  Organizations can establish thorough and sophisticated methods for sustaining specific levels of governance, but the degree to which such governance is adequate for employees, management and investors is variable.

It’s similar to stating a risk management position.  Organizations, as well as individuals, may assess risk and make decisions to take specific risks based on value judgments.  It’s not the fact that organizations take risks that is an issue.  The challenge for risk management is how much effort goes into understanding and mitigating known risks and how much investment in mitigation is needed.  Further, an organization’s ability to address the unknown unknowns and to plan for unknown events is an important part of what active governance is. 

In 2003, the vast majority of US public companies moved with furious pace to try to “comply” with regulations that were enacted to ensure executives were accountable for the financial disclosures of their respective companies.  With sections 403 and 204 of the Financial Reform Act of 2002, also known as Sarbanes-Oxley (from the sponsoring senators) or SOX, companies throughout the US and most global organizations with significant operations in the US suddenly found they did not have an adequate governance structure and could not reliably show compliance with SOX.  Part of the challenge that companies were facing had to do with the vagueness of the law itself, but regardless of those issues, companies throughout the US did not have adequate governance to reliably and confidently verify the numbers and statements on operational controls in their organizations.  As I began work in this area, each week I was ushered into large organizations, most with global operations, that were treating SOX as a major headache imposed upon them that they needed to “get through”.  In most cases, the task of dealing with SOX was managed under the chief financial officer’s role, and a “director of compliance” was either tasked or newly established to address SOX compliance.  In every case I worked, and those cases spanned industries from construction, financial services, consumer products, energy, and healthcare, organizations universally saw compliance as a problem imposed upon them by government.  It was a box to be checked, a hurdle to be cleared.  It was not seen as something that should be necessary within the organization; in fact, it was widely reviled and criticized as a huge waste of time, resources and money.  Millions were being spent within each organization to accomplish SOX compliance, and to most every executive it was viewed as a major waste and a major imposition.

Now, there are quite a few papers and books published detailing the variety of frauds and scandals that led to the enactment of SOX, so I won’t attempt to rehash the events within Enron, Arthur Andersen, WorldCom, Tyco and others.  These events also contributed to a view that slack governance undermines investment confidence.  And if investors cannot be sure that management disclosure of financials and reports can be trusted, then investors will turn away from holding equity or debt stakes in public companies.  This is logical and reasonable.  So, why should corporate executives take such issue with improving their governance models?  A key point I will draw out in a following post is how important process governance is and how it serves as a foundation for the organization.  In other words, the formula for success – I call this the “secret sauce”.

Meanwhile, with little appreciation for the value of governance, companies faced the non-trivial task of rushing a formal structure for reporting into place.  Not a single organization I encountered had a governance structure that allowed process owners to confidently attest to the performance of their financial controls.  Beyond risk-control structures, organizations also could not reliably attest to the financial reporting within every operating unit.  Given the nature of my work and the confidentiality of my relationships, I am not disclosing the names of the organizations I’ve worked for, but the issues were universal.  With such a condition of governance immaturity, the level of investment required to approach the requirements of SOX reporting was massive.  Investment was needed in advice from consultants, software systems that could aid attestation and reporting, internal resources spending their time dealing with such requirements, and, ironically, external auditors providing additional advice and services.  But rather than look at this challenge originating from regulations as an opportunity to improve risk management, operational effectiveness and investor confidence, executives became mostly defensive.

Now, that was 2003 and this is now 2011.  A lot of maturity has occurred during this stretch of time and I’m encouraged by the understanding that now exists about corporate governance.  There is still, however, a failure of public companies to fully appreciate the value of governance toward the leveraging of process information.  The ability for executives to fully appreciate the value of harvesting process information and controlling those assets is at the core of establishing a successful BPM strategy.  BPM is about harvesting process assets and fully leveraging them as key organizational assets.

You are currently browsing entries tagged with Corporate governance at Process Maximus.