If you want to meet the challenge of global terrorism, you can't respond at the speed of bureaucracy. That's why business process management (BPM) technology is being tapped for the fight against terror. Built on Web protocols and services-based architecture, BPM is designed to keep processes running smoothly while also letting business users make changes without requiring costly and time-consuming software development.

As part of the sweeping Homeland Security Act of 2002, Congress enacted The Safety Act to promote development and deployment of technologies that might detect, deter or otherwise thwart terrorist activities. To get on the Act's "Approved Product List for Homeland Security," the department has set up a formal designation and certification process with initial screenings handled by the Institute for Defense Analyses (IDA), a government-funded corporation that provides independent research on defense-related technologies.

IDA's biggest hurdle was meeting a 150-day timeline stipulated by the Security Act and the Department of Homeland Security. In a first attempt, the company chose a document-oriented process automation product in 2003 and started mapping the review process.

"There was a heavy emphasis on the software logic around the evaluation templates, but we learned that the less constrained they were the better," says Indy Crowley, IDA's vice president of IT. "The technologies under review are incredibly varied and complex, and we found that we needed less control over the templates and more flexibility in the process itself."

IDA initiated a second software requirements and vendor selection process in January 2005. After considering three types of process management systems from five separate vendors, the company in late April selected Appian Corp.'s Enterprise BPM Suite.

"We felt the product would be the easiest to use for our process coordinators," Crowley says. "If we need to rewrite the rules so a document would go from manager one to manager three instead of manager one to manager two, we wanted to be able to do that without assistance from IT. With the first system we tried, that change would have taken six weeks."

In reviewing everything from search engines to detection equipment for biological and chemical agents to airport screening equipment, IDA follows a four-step process. It starts with an evaluation of the application itself, assessing completeness and conformance with the Safety Act. Next, three or more independent experts review the underlying technologies using the templated evaluation forms to guide the collection of information and supplemental requests for information. Finally, all documentation and vendor responses are consolidated, and the entire submission is sent to the Department of Homeland Security for a final decision. (The IDA doesn't make recommendations; its job is to compile background research and prepare complete submissions.)

IDA deployed Appian Enterprise in mid May, and the entire process, including more than 300 discreet tasks, was rolled out in little more than a month, Crowley says. The system touches 18 users internally, and individual tasks can be securely exposed via the Web to any of more than 400 external researchers IDA calls on for specialized expertise. Built-in reporting features have helped track backlogs, the types of technologies under review and the requests for more information, Crowley says. Most importantly, business users have been able to implement process changes without much assistance from IT.

"This week, we're going to change rules, roles and tasks that touch about 45 percent of the main process, yet it should take us no more than three days," Crowley says. "All the work associated will be carried out by six people, including just one person from the IT staff."

IDA currently has 40 Safety Act applications in flight, but Crowley says the big payoff in BPM will emerge as the number of submissions grows. "We expect much higher volumes, and it would be difficult if not impossible to manage the process and properly evaluate these technologies without adding staff," he says. "We want to invest our time in better evaluation, not administration and process coordination."