Category Archives: compliance

TIBCO Nimbus for regulatory compliance at Bank of Montreal

It’s the first afternoon of breakout sessions at TIBCO NOW 2016, and Alex Kurm from Bank of Montreal is presenting how the bank has used Nimbus for process documentation, to serve the goals of regulatory compliance and process transformation. They are one of the largest Nimbus users, and Kurm leads a team of process experts deploying Nimbus across the enterprise as part of their in-house process excellence strategy.

He provided a good overview of regulatory and compliance requirements: to quote his slide, you need to have “evidence of robust, documented standard processes to ensure compliance to risk and regulatory requirements” as a minimum. Overlaid on that, there’s an evolving set of consumer demands, moving from traditional in-person, telephone and ATM banking to web and mobile platforms. As a Canadian resident, I can attest that our banks haven’t been as responsive as desired to customer needs in the past; their focus is on operational risk and security.

BMO’s process centre of excellence maintains a knowledge hub of process best practices (including how to use Nimbus in their environment), leads and supports process-related projects, and heads up governance of all process efforts. They have about 16 people in the CoE, then process specialists out in business areas; they even have internalized the Nimbus training. Although there are a variety of tools being used for process models in the bank, they selected Nimbus because of its business-understandable notation, the ability to put all process content in one place, the built-in governance and control over the content (key for auditors to be able to review), and the direct link between process architecture and process maps.

They started on Nimbus 3 years ago with about 20 process authors working on a couple of opportunistic projects; this quickly ramped up to 300 authors by the next year, and they now have more than 500 authors (including business analysts and project managers as well as process specialists), although there are only about 160 active any given month since this work is often project-based. There are 1800 end users looking at Nimbus maps each month, with the largest number in capital markets, although the highest number of distinct initiatives is in the highly regulated area of capital markets. They organize their 20,000 Nimbus maps by core business capability, such as onboarding, then drill down into the business area; they’re looking at ways of improving that to allow for finding content by any search path. They’re also adding Spotfire to be able to interrogate the content to find non-compliant and high-risk maps for review by the CoE.

Their key use cases are:

  • Process documentation for use as a high-level procedural guide
  • A guide for compliance auditors to verify that specific checks and balances are being done
  • Requirements gathering prior to automation (they are also an ActiveMatrix BPM customer), and as ongoing documentation of the automated process

Nimbus is now a core part of their process transformation and risk mitigation strategies; interestingly, the only resistance came from other “process gurus” in the bank who had their own favorite modeling tools.

Good case study of the benefit of process documentation – even in the absence of process automation — in highly-regulated industries.

BPM Milan: Setting Temporal Constraints in Scientific Workflows

Xiao Liu from Swinburne University of Technology presented his paper on A Probabilistic Strategy for Setting Temporal Constraints in Scientific Workflows, co-authored by Jinjun Chen and Yun Yang. This is motivated by the problem of using only a few overall user-specified temporal constraints on a process without considering system performance and issues of local fine-grained control: this can result in frequent temporal variations and huge exception-handling costs.

They established two basic requirements: temporal constraints must allow for both coarse-grained and fine-grained control, and they must consider both user requirements and system performance. They used some probabilistic assumptions, such as normal distributions of activity durations. They determined the weighted joint normal distribution that estimated the overall completion time of the entire workflow based on the time required for each activity, the probability of iterations and the probability of different choice paths: assuming the normal distribution of events as stated earlier, this allows for the calculation of maximum and minimum duration from the mean by assuming that almost all process instance durations will be bounded by +/- 3 sigma (sorry, can’t find the sigma symbol right now). After aggregating to set the coarse-grained temporal constraints, they can propagate to set the fine-grained temporal constraints on each activity. There are modifications to the models if, for example, it’s known that there is not a normal distribution of activity durations.

This becomes relevant in practice when you consider setting service level agreements (SLAs) for processes: if you don’t have a good idea of how long a process is going to take and the variability from the mean, then you can’t set a reasonable SLA for that process. In cases where a violation of an SLA impacts a company financially, either immediately through compliance penalties or in the longer term through loss of revenue, this is particularly important.

BRF Day 2: Using Business Rules to Enable a Closed Loop of Compliance

I’m eager to learn more about the relationship between policies, procedures and rules, and how they relate to compliance, so I sat in on a presentation by Peter Still of RuleBurst. There’s a pretty high percentage of vendors on the speaker roster, but so far the quality has been good so no complaints.

The theme of Still’s talk is that the business rules approach will only gain critical mass if it stops being a technical implementation tool and starts being a business problem-solving tool. The current pitch from the business rules vendors is that this is a way to implement systems faster and cheaper, while allowing the business to access some tuning parameters, but this is really focussed on the technological capabilities and not the business value of business rules. This is such a perfect mirror of the BPM field, where BPM has just barely moved from a purely technical sell to something that’s now being sold more and more to the business side of an organization, so I can completely understand where the business rules market is and the challenges that lie ahead in shifting the focus of their marketing message. Worldwide market for business rules product revenue is $250M — not a lot when you consider the size of related markets — and it could be a lot larger if there was greater recognition of the business benefits of business rules.

A perfect business case for re-targeting the business rules message is compliance: it’s an enterprise-wide initiative with executive support where business rules can be included in the decisioning at key points of the process. Although business rules aren’t the complete answer to compliance since compliance is a very process-focussed initiative, rules can be a significant contributor to compliance efforts. One of the difficulties with compliance is that many regulations, such as Sarbanes-Oxley, are pretty vague since they have to deal with such a broad range of companies, and it’s difficult to determine precise business rules to implement them. Compliance at a transactional level is a mostly automated application of BPM and business rules, but as you move up to risk management and higher-level compliance factors, there’s less automation although still opportunities for business rules to be wrapped in a compliance framework, such as using business rules to classify a risk although the management of that risk may be done manually. Still maintains that there’s a link between transactional and operational compliance, and believes that business rules can help with that link although that’s not recognized by most business rules vendors.

As with most other complex applications of technology, you can solve this with an integrated compliance and rules solution from a single vendor, or go for a best-of-breed approach. Still recommends the former approach, and invited us to drop by his booth to check out what RuleBurst has to offer in this area.

Fun with compliance

I spent some time this morning with the guys from BWise, which turned into a very informative session. Although FileNet has partnered with them primarily for their compliance solution, they do so much more in the entire area of internal controls. The compliance frameworks certainly are impressive, though. I’ll definitely be taking a closer look at this.

I’m currently sitting beside the pool at Caesar’s Palace, and although I don’t think that it’s warm enough to be dressed the way that some people are (or aren’t, to be more accurate), it’s a nice respite from the conference crowds for a few minutes before I head back to the sessions. This morning’s BPF hands-on session was so full that I didn’t get near a computer – better to let the customers at them first — and I’m surprised that FileNet didn’t anticipate this level of interest in the labs.

I’ve talked to a lot of UserNet first-timers, and they’re all a bit overwhelmed by the amount of information but seem to be getting a lot out of it in general.

Off to an afternoon of BPM and BAM sessions.

WCM resurgence

This article in Intelligent Enterprise last week questions why ECM vendors — including Hummingbird, FileNet and Open Text — have been highlighting their WCM products lately, but they miss the mark on the answer:

Is it the fact that online advertising and e-commerce initiatives are back? Is it the prospect of capturing fast growth in the mid-market–the rationale Hummingbird cited for its Red Dot deal? Is it a defensive move in response to Microsoft’s recent signal that it will consolidate the SharePoint Portal and Microsoft Content Manager products? I suspect it’s all of the above, plus a healthy slice of pressure from Wall Street to fuel growth through new license revenue as well as services income.

A big part of the answer should be “compliance”, that is, for companies where their compliance requirements include control of the creation and delivery of content via the web, such as securities. WCM as a part of ECM is key for web compliance requirements, because it allows tight control over the processes of how something is published, and also provides a record of what content was available on what dates.

Why is it that everything that I see these days becomes compliance? 🙂

Compliance fever

Okay, that was a bit longer than two weeks. As well as taking some time off to entertain a friend visiting from Australia, I’ve been immersed in some client work and the development of a BPM course that I can offer on a wider basis, both of which have me looking at BPM, corporate performance management, compliance, enterprise architecture, process modeling, and a host of other things.

Compliance has been of particular interest lately, because every client that I deal with now is focussed on it. There’s a good deal of compliance mania going on, very reminiscent of Y2K mania, where vendors start every presentation with a picture of a CxO doing the perp walk and proceed to scare the bejeezus out of their customers until a blank cheque falls onto the table. I’m not saying that compliance isn’t a serious issue, and that there aren’t cases of non-compliant companies suffering under fines (and worse), but can we ease off a bit here? There’s a lot of other compliance selling points that don’t look like some corporate version of Fear Factor.

I think the worst part is that the vendors selling compliance solutions are not, to use the industry vernacular, eating their own dogfood. Friday’s business news recommended selling Open Text short, in part because of their lack-lustre performance lately, but mostly because they’re seeking an extension on meeting their SOX compliance requirements. As the analyst in the article points out, that’s not a good thing for a company that builds compliance software. Try to imagine, if you will, the hapless Open Text sales force the next time that they try to sell compliance to their customers: “do what we say, not what we do” isn’t a particularly credible marketing slogan.

Open Text is a public example of this, but if you dig into any of the compliance vendor organizations, you will almost certainly find non-compliance: irregularities in contract negotiation and management, failure to implement proper records management (especially email) policies, and countless other infractions. In other words, few (or none) of them are in any position to be taking the high ground when they’re talking about compliance.

Processes “R” Us

I had several appointments and errands today, and I listened to podcasts as I walked around downtown Toronto. One of them was the Sound of Vision podcast from back in May wherein Ethan Johnson interviews me about BPM (starting at 21:00 in the ‘cast), and there’s one point where I get really passionate about the fact that everything is a process: my true evangelist colours shining through. I do have a very process-centric view of business, to the point where some work that I’ve been doing recently on compliance started out being about content and records management, and has shifted to have a very strong focus on process.

I also saw an article this afternoon by Terry Schurter of BPMG, and he states that BPM and a process-centric view are so popular because such a high percentage of BPMS implementations (compared to other enterprise software) deliver on their promise of ROI. His view is that taking a process-centric view — “the idea that businesses can be viewed as a series of processes, and that those processes can be identified and managed to improve quality, efficiency, and cost-effectiveness” — resonates with end-user organizations, vendors and analysts, and that BPM aligns with the natural business structure.

It seems that you can’t pick up a business or technology article these days without it containing some reference to process, which means that Terry and I are not alone in our views.

BPM templates

I tuned in to a Global 360 webinar today for long enough to hear Nathaniel Palmer from Delphi speak about process templates and their importance in BPM (you should be able to find a replay of the webinar here in a few days). He revealed some very telling numbers, soon to be officially released, from a recent survey of over 100 active BPM project participants:

  • 98% agreed that pre-defined templates accelerate BPM deployments. 73% answered definitely “yes”, while the other 25% said “maybe”, and only for simple or standardized processes. I’m curious to know what the 2% “no” contingent was thinking, since it’s hard to imagine anyone not seeing some potential value in a pre-defined solution template.
  • Although few people expect templates to be an application rather than a project jump-start, 70% expect them to be a fairly complete framework with screens, rules, integration adapters and the like. In other words, the respondents definitely expect the templates to be customizable, but they want to have a pretty high starting point.
  • 70% stated that they would be more likely to buy a software solution that had process templates specific to their industry, which seems obvious but is something that many vendors haven’t figured out yet.
  • 76% agreed that the templates should be documented in “business” language rather than being a tool for IT, and one of the key values stated for process templates was to align business value with IT.

Not surprisingly, SOX compliance was at the top of the list of which processes should be templated, although the votes were pretty evenly spread over all of the business processes surveyed.

Global 360 Active Compliance Framework

I watched a webinar earlier this week about BPM and compliance, a topic that I’ve been working on for a while, in which Global 360 announced their Active Compliance Framework (today’s Computer Business Review also reviewed their announcement). The speakers were from Doculabs and BWise, the latter of which has just partnered with Global 360 (and a bunch of other ECM/BPM vendors) for a compliance offering. Global 360 states the advantages of their compliance framework as follows:

Improved Compliance & Risk Management (i.e., do a better job of being compliant)

  • Standardized, structured approach
  • Focused on highest risk controls & processes
  • Centralized visibility and control

Reduced Compliance Costs (i.e., be compliant in a more cost-effective way)

  • Reduced project costs via control reduction based on risk
  • Reduced testing costs for remaining controls via automation
  • Eliminated testing costs for continuously compliant processes

Process Optimization & Control (i.e., provide an opportunity to optimize your business processes)

  • Optimize process performance while increasing control
  • Proactive compliance issue visibility, notification
  • Evolution from obligation to optimization

I liked the focus on the last of these sections, or what they called “from obligation to optimization”: changing the organization’s attitude from compliance being a chore that they’re forced to implement, to compliance being an opportunity to improve business processes through standardization and measurement.

If, like 1/3 of Doculabs’ current customers, compliance is one of your highest priorities for 2005, it’s worth your time to check out compliance solutions like this from ECM/BPM vendors. The whole compliance field is still chaotic; a Gartner report on compliance management software lists 26 vendors and clearly states that the compliance market is not mature:

A key finding of our research is that there is no comprehensive compliance management application. Whether buying from one or many vendors to get a solution, you will need significant services for implementation and integration.

Partnerships like the one between Global 360 and BWise start to address this problem, but there’s still a long way to go before we can even agree on what “compliance management software” is.

BPM and compliance

I happened across this article on how Sarbanes-Oxley is a “business blessing in disguise” since it can show you where your organization’s weak points lie, so that presumably you can fix them. Although it’s primarily discussing ERP systems, this same concept (business improvement/competitive advantage through compliance) is an area that I’m addressing for a client right now by looking at how BPM fits into the compliance big picture. That has me thinking about all sorts of things: BPM, business intelligence, business rules, performance management, compliance, and how they all fit together. You can be sure that there will be more on this in the future.