Transforming compliance at Farmers Insurance with @rafael_moscatel

In the last Thursday breakout of AIIM 2018, I attended a session on initiatives within the compliance department at Farmers Insurance to modernize their records management, presented by Rafael Moscatel. Their technology includes IGS’ Virgo to manage retention schedules, Legal Hold Pro for legal holds and custodian compliance, and Box for content governance. They started in 2015 with an assessment and plan, then built a new team with the appropriate expertise going forward, then updated their policy and governance, and finally brought in the three new key technology components in 2017. For an insurance company, that’s pretty fast.

Their retention policy is based on 12 big buckets, which are primarily aligned with business functions, making it easy for employees to understand what they are from a real-world standpoint. Legal Hold Pro replaced an old customized SharePoint system, and works together with Box Governance for e-discovery. He went through a lot of the details of how the technologies work together and what they’re doing with them, but the key takeaway for me is that an insurance company — what I know through a lot of experience to be an extremely conservative industry that’s struggling to transform itself — is realizing that it needs to shake things up in terms of how compliance of digital records is managed in order to move forward into the future. He ended up with some great comments on how to work with the business people, especially the executives, to bring programs like this to fruition.

Great talk by a knowledgeable and well-spoken presenter; my end-of-the-day writing doesn’t do it justice.

The Evolution of Privacy Regulations – an @AIIM1Canadian seminar

AIIM Toronto runs some great morning seminars every month or so, and today the guest is Else Khoury of Seshat Information Consulting to talk about privacy regulations. In the face of recent privacy gaffes from the Facebook fiasco (the breach that wasn’t a breach) to Alphabet Labs not thinking about where public data that they collect in Toronto will be stored (hello, data sovereignty), and with the upcoming GDPR regulations, privacy is hot right now. Khoury, who brightened our day by telling us that her company is named after the Egyptian goddess of recordkeeping, covered both Canadian and EU privacy frameworks.

In Canada, we’ve had the Privacy Act since 1983, which governs federal government offices and how they handle data about employees and citizens, including Freedom of Information. PIPEDA (Personal Information Protection and Electronic Documents Act) came in 2000, setting rules for how private organizations handle personal information. As technology evolved, the Digital Privacy Act of 2015 made major amendments to PIPEDA regarding mandatory breach reporting and recordkeeping. Khoury briefly covered FIPPA (Freedom of Information and Protection of Privacy Act) and MFIPPA, which apply the same sort of regulations as the Privacy Act but for provincial and municipal governments. PHIPA (Personal Health Information Protection Act) protects our health-related information across all types of health care providers, and was updated quite recently to state that “use” includes viewing information after a few cases of nosy health care workers who looked up records on people who they shouldn’t have. There is (or soon will be) mandatory reporting of PHIPA breaches in most provinces, including reporting to the regulatory colleges for different types of health care workers. There is also a privacy framework for electronic health records (EHR) under new revisions to PHIPA.

There are analogous privacy regulations in many other countries; for example, the US HIPAA serves the same purpose as our PHIPA, while GDPR is a broader regulation that will cover data across all organizations rather than our division by private and public sector.

There was a good discussion on security versus privacy: security is often focused on keeping external parties out, whereas privacy has to do with how people handle data inside an organization, although these are often intertwined issues. Of course, it’s possible to have a privacy breach (e.g., inappropriate internal access) without a security breach and vice versa. Khoury pointed out that a lot of privacy regulations have to do with processes; in my experience, compliance regulations in general are very process-driven, and the best way to both avoid privacy breaches as well as prove that you have safeguards in place is to implement and audit processes around how data is handled.

She moved on to GDPR, which comes into effect in the EU in May of this year; GDPR covers all personal data of EU residents, since often the combination of data from multiple sources can be used to identify individuals even when a specific identifier (such as name) is not present. As with the 10 privacy principles in Canadian privacy regulations, GDPR has a set of key principles, and uses the concept of Privacy by Design that was co-developed by Ontario’s privacy commissioner. GDPR has specific rules around data retention, specifically not keeping data longer than is required, then securely destroying it. This led to a really interesting discussion of how companies that provide recommendations handle retention of historical data about your interactions with them, such as Netflix or Amazon: will we need to explicitly give them permission to keep information about our past purchases/consumption in order for them to give us better recommendations? GDPR will forever shift data permissions from opt-out to opt-in for Europeans, although that has been creeping up on us for a while.

One of the most talked-about GDPR principles is the right to be forgotten — Google has already received millions of take-down requests under that part of the regulation — although it doesn’t apply to most health care data since that is required to provide proper medical care to an individual. They also have breach reporting regulations similar to Canada’s PIPEDA requirements, and pretty significant penalties if a breach occurs or an organization can be proven to be non-compliant.

She finished up with a discussion of how privacy regulation changes are likely to impact organizations, and how to operationalize privacy regulations, which depends on the type of data you handle (PI versus PHI), how you interact with it (processing versus controlling), and whether you have a privacy management program in place. You’ll need to assess your holdings — what data you collect, how it’s used, who has access, how long it is retained, how it is secured and destroyed — and develop a privacy management team that includes involvement of senior management and every department, not just a data privacy officer (DPO). You’ll need to develop a privacy management program that includes a breach response process, ensure that everyone is trained in privacy management, then audit and adapt it over time. If you’re subject to the GDPR, then you’ll also need processes for expunging data from your systems in a timely fashion in response to “right to be forgotten” requests.

You’ll also need to develop a framework for data protection impact assessments (DPIA, aka privacy impact assessments or PIA) which is a proactive risk assessment for new programs or systems that use personal data: interestingly, the first part of this is often mapping the information flow processes that cover collection, storage and access. Performing DPIA/PIA is part of what Khoury’s company does for organizations, and she had a good checklist of the steps involved, as well as pointing out that they should be a regular part of your privacy management program, not something that’s just done at the end as an audit step.

As always, great content at the AIIM Toronto morning seminars, and I look forward to the next one.

TIBCO Nimbus for regulatory compliance at Bank of Montreal

It’s the first afternoon of breakout sessions at TIBCO NOW 2016, and Alex Kurm from Bank of Montreal is presenting how the bank has used Nimbus for process documentation, to serve the goals of regulatory compliance and process transformation. They are one of the largest Nimbus users, and Kurm leads a team of process experts deploying Nimbus across the enterprise as part of their in-house process excellence strategy.

He provided a good overview of regulatory and compliance requirements: to quote his slide, you need to have “evidence of robust, documented standard processes to ensure compliance to risk and regulatory requirements” as a minimum. Overlaid on that, there’s an evolving set of consumer demands, moving from traditional in-person, telephone and ATM banking to web and mobile platforms. As a Canadian resident, I can attest that our banks haven’t been as responsive as desired to customer needs in the past; their focus is on operational risk and security.

BMO’s process centre of excellence maintains a knowledge hub of process best practices (including how to use Nimbus in their environment), leads and supports process-related projects, and heads up governance of all process efforts. They have about 16 people in the CoE, then process specialists out in business areas; they have even internalized the Nimbus training. Although there are a variety of tools being used for process models in the bank, they selected Nimbus because of its business-understandable notation, the ability to put all process content in one place, the built-in governance and control over the content (key for auditors to be able to review), and the direct link between process architecture and process maps.

They started on Nimbus 3 years ago with about 20 process authors working on a couple of opportunistic projects; this quickly ramped up to 300 authors by the next year, and they now have more than 500 authors (including business analysts and project managers as well as process specialists), although there are only about 160 active any given month since this work is often project-based. There are 1800 end users looking at Nimbus maps each month, with the largest number in capital markets, although the highest number of distinct initiatives is in the highly regulated area of capital markets. They organize their 20,000 Nimbus maps by core business capability, such as onboarding, then drill down into the business area; they’re looking at ways of improving that to allow for finding content by any search path. They’re also adding Spotfire to be able to interrogate the content to find non-compliant and high-risk maps for review by the CoE.

Their key use cases are:

  • Process documentation for use as a high-level procedural guide
  • A guide for compliance auditors to verify that specific checks and balances are being done
  • Requirements gathering prior to automation (they are also an ActiveMatrix BPM customer), and as ongoing documentation of the automated process

Nimbus is now a core part of their process transformation and risk mitigation strategies; interestingly, the only resistance came from other “process gurus” in the bank who had their own favorite modeling tools.

Good case study of the benefit of process documentation – even in the absence of process automation — in highly-regulated industries.

BPM Milan: Setting Temporal Constraints in Scientific Workflows

Xiao Liu from Swinburne University of Technology presented his paper on A Probabilistic Strategy for Setting Temporal Constraints in Scientific Workflows, co-authored by Jinjun Chen and Yun Yang. This is motivated by the problem of using only a few overall user-specified temporal constraints on a process without considering system performance and issues of local fine-grained control: this can result in frequent temporal variations and huge exception-handling costs.

They established two basic requirements: temporal constraints must allow for both coarse-grained and fine-grained control, and they must consider both user requirements and system performance. They used some probabilistic assumptions, such as normal distributions of activity durations. They determined the weighted joint normal distribution that estimates the overall completion time of the entire workflow based on the time required for each activity, the probability of iterations and the probability of different choice paths: assuming the normal distributions of events as stated earlier, this allows for the calculation of maximum and minimum duration from the mean by assuming that almost all process instance durations will be bounded by +/- 3 sigma (sorry, can’t find the sigma symbol right now). After aggregating to set the coarse-grained temporal constraints, they can propagate to set the fine-grained temporal constraints on each activity. There are modifications to the models if, for example, it’s known that there is not a normal distribution of activity durations.
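As an added illustration of the aggregation step (my own worked sketch, not the formulas from the paper), assume independent activity durations $D_i \sim N(\mu_i, \sigma_i^2)$ and a choice construct whose path $k$ is taken with probability $p_k$:

$$
\text{Sequence } a_1,\dots,a_n:\qquad D = \sum_{i=1}^{n} D_i \sim N\!\left(\sum_{i=1}^{n}\mu_i,\ \sum_{i=1}^{n}\sigma_i^2\right)
$$

$$
\text{Choice over paths } k \text{ with } D_k \sim N(\mu_k,\sigma_k^2):\qquad
\mu = \sum_k p_k\,\mu_k,\qquad
\sigma^2 = \sum_k p_k\left(\sigma_k^2 + \mu_k^2\right) - \mu^2
$$

$$
\text{Coarse-grained constraint:}\qquad \bigl[\,\mu - 3\sigma,\ \mu + 3\sigma\,\bigr] \quad\text{(covers about 99.7\% of instances under the normal assumption)}
$$

The choice construct is a mixture of normals, so the second line is the exact mean and variance of that mixture; treating the result as a single normal with those moments is the approximation that lets the whole workflow be aggregated and then bounded at three sigma.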

This becomes relevant in practice when you consider setting service level agreements (SLAs) for processes: if you don’t have a good idea of how long a process is going to take and the variability from the mean, then you can’t set a reasonable SLA for that process. In cases where a violation of an SLA impacts a company financially, either immediately through compliance penalties or in the longer term through loss of revenue, this is particularly important.

BRF Day 2: Using Business Rules to Enable a Closed Loop of Compliance

I’m eager to learn more about the relationship between policies, procedures and rules, and how they relate to compliance, so I sat in on a presentation by Peter Still of RuleBurst. There’s a pretty high percentage of vendors on the speaker roster, but so far the quality has been good so no complaints.

The theme of Still’s talk is that the business rules approach will only gain critical mass if it stops being a technical implementation tool and starts being a business problem-solving tool. The current pitch from the business rules vendors is that this is a way to implement systems faster and cheaper, while allowing the business to access some tuning parameters, but this is really focussed on the technological capabilities and not the business value of business rules. This is such a perfect mirror of the BPM field, where BPM has just barely moved from a purely technical sell to something that’s now being sold more and more to the business side of an organization, so I can completely understand where the business rules market is and the challenges that lie ahead in shifting the focus of their marketing message. Worldwide market for business rules product revenue is $250M — not a lot when you consider the size of related markets — and it could be a lot larger if there was greater recognition of the business benefits of business rules.

A perfect business case for re-targeting the business rules message is compliance: it’s an enterprise-wide initiative with executive support where business rules can be included in the decisioning at key points of the process. Although business rules aren’t the complete answer to compliance since compliance is a very process-focussed initiative, rules can be a significant contributor to compliance efforts. One of the difficulties with compliance is that many regulations, such as Sarbanes-Oxley, are pretty vague since they have to deal with such a broad range of companies, and it’s difficult to determine precise business rules to implement them. Compliance at a transactional level is a mostly automated application of BPM and business rules, but as you move up to risk management and higher-level compliance factors, there’s less automation, although there are still opportunities for business rules to be wrapped in a compliance framework, such as using business rules to classify a risk even though the management of that risk may be done manually. Still maintains that there’s a link between transactional and operational compliance, and believes that business rules can help with that link, although that’s not recognized by most business rules vendors.

As with most other complex applications of technology, you can solve this with an integrated compliance and rules solution from a single vendor, or go for a best-of-breed approach. Still recommends the former approach, and invited us to drop by his booth to check out what RuleBurst has to offer in this area.

Fun with compliance

I spent some time this morning with the guys from BWise, which turned into a very informative session. Although FileNet has partnered with them primarily for their compliance solution, they do so much more in the entire area of internal controls. The compliance frameworks certainly are impressive, though. I’ll definitely be taking a closer look at this.

I’m currently sitting beside the pool at Caesar’s Palace, and although I don’t think that it’s warm enough to be dressed the way that some people are (or aren’t, to be more accurate), it’s a nice respite from the conference crowds for a few minutes before I head back to the sessions. This morning’s BPF hands-on session was so full that I didn’t get near a computer – better to let the customers at them first — and I’m surprised that FileNet didn’t anticipate this level of interest in the labs.

I’ve talked to a lot of UserNet first-timers, and they’re all a bit overwhelmed by the amount of information but seem to be getting a lot out of it in general.

Off to an afternoon of BPM and BAM sessions.

WCM resurgence

This article in Intelligent Enterprise last week questions why ECM vendors — including Hummingbird, FileNet and Open Text — have been highlighting their WCM products lately, but they miss the mark on the answer:

Is it the fact that online advertising and e-commerce initiatives are back? Is it the prospect of capturing fast growth in the mid-market–the rationale Hummingbird cited for its Red Dot deal? Is it a defensive move in response to Microsoft’s recent signal that it will consolidate the SharePoint Portal and Microsoft Content Manager products? I suspect it’s all of the above, plus a healthy slice of pressure from Wall Street to fuel growth through new license revenue as well as services income.

A big part of the answer should be “compliance”, that is, for companies where their compliance requirements include control of the creation and delivery of content via the web, such as securities. WCM as a part of ECM is key for web compliance requirements, because it allows tight control over the processes of how something is published, and also provides a record of what content was available on what dates.

Why is it that everything that I see these days becomes compliance? 🙂

Compliance fever

Okay, that was a bit longer than two weeks. As well as taking some time off to entertain a friend visiting from Australia, I’ve been immersed in some client work and the development of a BPM course that I can offer on a wider basis, both of which have me looking at BPM, corporate performance management, compliance, enterprise architecture, process modeling, and a host of other things.

Compliance has been of particular interest lately, because every client that I deal with now is focussed on it. There’s a good deal of compliance mania going on, very reminiscent of Y2K mania, where vendors start every presentation with a picture of a CxO doing the perp walk and proceed to scare the bejeezus out of their customers until a blank cheque falls onto the table. I’m not saying that compliance isn’t a serious issue, and that there aren’t cases of non-compliant companies suffering under fines (and worse), but can we ease off a bit here? There’s a lot of other compliance selling points that don’t look like some corporate version of Fear Factor.

I think the worst part is that the vendors selling compliance solutions are not, to use the industry vernacular, eating their own dogfood. Friday’s business news recommended selling Open Text short, in part because of their lack-lustre performance lately, but mostly because they’re seeking an extension on meeting their SOX compliance requirements. As the analyst in the article points out, that’s not a good thing for a company that builds compliance software. Try to imagine, if you will, the hapless Open Text sales force the next time that they try to sell compliance to their customers: “do what we say, not what we do” isn’t a particularly credible marketing slogan.

Open Text is a public example of this, but if you dig into any of the compliance vendor organizations, you will almost certainly find non-compliance: irregularities in contract negotiation and management, failure to implement proper records management (especially email) policies, and countless other infractions. In other words, few (or none) of them are in any position to be taking the high ground when they’re talking about compliance.

Processes “R” Us

I had several appointments and errands today, and I listened to podcasts as I walked around downtown Toronto. One of them was the Sound of Vision podcast from back in May wherein Ethan Johnson interviews me about BPM (starting at 21:00 in the ‘cast), and there’s one point where I get really passionate about the fact that everything is a process: my true evangelist colours shining through. I do have a very process-centric view of business, to the point where some work that I’ve been doing recently on compliance started out being about content and records management, and has shifted to have a very strong focus on process.

I also saw an article this afternoon by Terry Schurter of BPMG, and he states that BPM and a process-centric view are so popular because such a high percentage of BPMS implementations (compared to other enterprise software) deliver on their promise of ROI. His view is that taking a process-centric view — “the idea that businesses can be viewed as a series of processes, and that those processes can be identified and managed to improve quality, efficiency, and cost-effectiveness” — resonates with end-user organizations, vendors and analysts, and that BPM aligns with the natural business structure.

It seems that you can’t pick up a business or technology article these days without it containing some reference to process, which means that Terry and I are not alone in our views.

BPM templates

I tuned in to a Global 360 webinar today for long enough to hear Nathaniel Palmer from Delphi speak about process templates and their importance in BPM (you should be able to find a replay of the webinar here in a few days). He revealed some very telling numbers, soon to be officially released, from a recent survey of over 100 active BPM project participants:

  • 98% agreed that pre-defined templates accelerate BPM deployments. 73% answered definitely “yes”, while the other 25% said “maybe”, and only for simple or standardized processes. I’m curious to know what the 2% “no” contingent was thinking, since it’s hard to imagine anyone not seeing some potential value in a pre-defined solution template.
  • Although few people expect templates to be an application rather than a project jump-start, 70% expect them to be a fairly complete framework with screens, rules, integration adapters and the like. In other words, the respondents definitely expect the templates to be customizable, but they want to have a pretty high starting point.
  • 70% stated that they would be more likely to buy a software solution that had process templates specific to their industry, which seems obvious but is something that many vendors haven’t figured out yet.
  • 76% agreed that the templates should be documented in “business” language rather than being a tool for IT, and one of the key values stated for process templates was to align business value with IT.

Not surprisingly, SOX compliance was at the top of the list of which processes should be templated, although the votes were pretty evenly spread over all of the business processes surveyed.