My very first BPMS Watch column, over three years ago, was titled “Without a BPMS, It’s Not Really BPM.” And to a large degree I still believe that, although today I would probably tone it down to...

Business Rules, Business Process, and Compliance

One of the key uses of business rule management systems (BRMS) and business process management systems (BPMS), is to help with issues of compliance. The growth of regulations such as Sarbanes-Oxley and HIPAA, as well as long standing regulation in areas such as Insurance and banking means that more companies have to deal with compliance than ever before. Many companies are turning to technology to address the issues this growth of regulation brings.

There are many challenges that come with compliance, but three are particularly relevant when considering how technology might help. These are how to demonstrate compliance, not just be compliant; how to respond to new and changing requirements; and how to retain a level of business agility when one is regulated.

One of the changes between "traditional" regulation and more recent legislation is the change in the burden of proof – companies are now faced with demonstrating compliance, not just being compliant. This means that policy/procedure manuals, audits and training are no longer enough. Now companies must be able to show how they took a decision or carried out a procedure and that the approach they took was compliant. This is something that is clearly much easier to do if processes and rules are automated however not if they are automated using impenetrable code.

New and changing requirements for compliance seem to crop up every day. With more activist legislatures and regular court rulings, companies must deal with moving targets when it comes to compliance. With tolerance for corporate malfeasance at a historic low there is little room for maneuver – no-one is going to be believed if they say “well we would have implemented this but it was too hard to change our systems”, especially if it is to their financial advantage not to change. This leads to the last problem, that of retaining business agility in the face of compliance. If you must demonstrate compliance with complex regulations and so must codify your processes and rules, how can you retain any kind of business agility?

Fortunately, a combination of BRMS and BPMS can help you address all these issues. They can help you make your processes and rules explicit, help you manage them and enable you to show that you followed the rules. They can do all this without locking you in to a single approach and so let you retain some business agility.

So why do you need both technologies – surely one or the other would be enough? The fact is that some compliance is about processes – do you follow certain steps, keep certain data – and some is about rules – did you enforce certain rules, take only allowed actions. Often both are required – in a healthcare claims process you might have to show how the claim was reviewed, referred for a second opinion etc and show when you saved information and what information you saved. You might also have to show that the rules you followed for deciding to decline a claim were legitimate and appropriate. You cannot get compliance correct without the right mix of flexible process automation and effective decision automation.

Approaching the automation of processes and rules to assist in compliance involves a number of steps. First, you need to identify the decisions and processes that will be checked – those that are regulated. For process-centric regulations – show that you always did this before doing that etc – identify the impacted processes and think about how to automate them using a BPMS. Depending on the details of the process, different products may be more or less suitable. For more decision-centric regulations – show that you followed this approach to approving/denying someone or to calculating a price etc. – identify the processes in which such a decision is required, externalize that decision in a BRMS and hook it up to the relevant processes. Often these processes will overlap with those that must be compliant processes in their own right. Using good source rule management to track which regulations impact which process/rule definitions is key to ongoing management as you will need to change the process and rule definitions as the regulations adapt or are impacted by court rulings.

Additionally, more and more regulators are starting to consider the impact of behavior in an analytic sense. Not only for regulations like BASEL II, which explicitly requires analytic modeling to be part of showing you are compliant, but more generally as courts rule that the statistically likely impact of something must be considered. You cannot write rules or automate processes in a way statistically likely to cause discrimination, for example. Moving beyond rules and process management to decision management by bringing analytic models to bear will become increasingly important.

James Taylor - Vice President, Enterprise Decision Management Technologies, Fair Isaac
As vice president, Enterprise Decision Management Technologies, for Fair Isaacs Enterprise Decision Management software technologies group, James Taylor is responsible for working with clients to identify and bring to market advanced decision management solutions that will better solve their business needs. In addition to his role as a liaison with Fair Isaac's engineering and product management groups, Taylor oversees sales training, marketing communications and public relations. He is widely considered as one of the leading experts and visionaries in enterprise decision management and authors a popular blog on the subject at edmblog.com.

Back to Articles, including BPM, SOA, BDM, BA & OP