Do All Compliance Roads Lead To BPM?

The most confusing, frustrating and mind-numbing aspect of any compliance automation project is discovering that there are now a host of hardware and software tools for any compliance activity you can think of, and many you didn't think of. There are compliance tools that cost a couple hundred bucks and some that can set you back a couple hundred thousand just to initiate preliminary designs. If your company is like the majority who got past the initial regulatory audits the manual way, fixing problems with chewing gum and duct tape, you've probably been charged with making sure that experience isn't repeated.

But after a quick look at the compliance tools landscape, you're at a loss. The financial folks want a budget for making the pain go away. But the further you explore, the more frustrating the situation becomes. It's a bit like the poor sap who decides to refinish his kitchen cabinets and by the time he's done he's taking out a second mortgage to pay for new counters, plumbing, fixtures, flooring, wallpaper and appliances.On your list is a reliable message archiving system, but messages often contain attachments, which are files that live outside the e-mail, instant messaging and groupware environments. The most troublesome of those files are spreadsheets because changes are made to the files as they get passed around in the messaging environment, and unauthorized changes get made to the original file living on a networked server. So now you need a document management system, which sounds like a fine idea until the financial department says, in no uncertain terms, that it will not consider altering its consolidation system or open it to integration.

So you go back and contemplate. If you can't manage the files and unstructured data without investing in point solutions that have to be managed separately, what else can be managed to automate the compliance processes? That's it—processes; you can manage processes, right? But now you're in for some major sticker shock. In addition to the six- or seven-figure dent an enterprise BPM system is likely to put in your IT budget, an effective BPM deployment requires a top-to-bottom re-haul of you business processes. So you decide there is pain, and then there is PAIN. Even if the big pain is, long term, the right way to go, you know it won't fly as a solution to your compliance problem.

So you backtrack. Which processes are key for managing compliance? Most compliance activities center on controls, whether it's security, privacy, business performance, or risk management. So maybe you look at your policies and the processes that ensure policies are followed. But in most organizations today, the scope of business processes governed by policies is so vast that you're back in BPM land if you ever hope to automate those processes.

And what about compliance activities that aren't controls-based, per se? What about all the additional storage requirements and the discovery requirements? Go through a non-automated legal or regulatory discovery process and suddenly the pain and cost associated with BPM doesn't seem so shocking.

If you've found individual tools that work for managing specific compliance activities, that's great. I predict, however, that your business managers will tire quickly of the half dozen new dashboards on their desktops, and the endless alerts and workflows that result. Right now, BPM seems like the only logical way to consolidate all the compliance processes in to something manageable. It's not a silver bullet, in fact, the only bullet you'll see is the one you'll be biting.

For more on that and some advice on biting the bullet without receiving lead poisoning in the process, see 101 Advice for Process Management Neophytes. And while you're at it, check out FileNet's new business activity montoring (BAM) enhancement to its BPM environment.

Quick Rant Have you happened to notice that all compliance automation products are called "solutions," even though many can't promise to fix a particular problem? In fact, some of these "solutions" are designed to help identify the problem. Ultimately, it's up to the organization to come up with the solution.

I prefer the word "tools" instead of "solutions" because that's what they are. If a piece of technology helps you solve a problem, that's great, but I don't see how any product can claim to be a solution while its still in the box.