Wednesday, November 12, 2008

Leveraging BPM, SOA, Identity Management and Enterprise 2.0 for Governance, Risk and Compliance

Running an IT organization for government or business in this day and age has brought about new challenges which place a focus on capabilities and tremendous strain on resources that ideally would have occurred only per the natural requirements of the business or mission. This somewhat artificial digression from the politics or competitive landscape that has historically shaped how most IT systems were built, delivered and managed is a new layer of complexity that has appeared on the horizon and which can easily engulf scarce IT resources if not handled strategically.
In this white paper we will attempt to address Governance, Risk and Compliance while prescribing the new technology paradigms of BPM, SOA, Identity Management and Enterprise 2.0 as a unified set of patterns and tools that can be brought to bear on these new initiatives. This should be the driving force behind how you modernize your IT environment to service these needs while also providing the value of agility to your enterprise. At the conclusion of this read we hope to have presented a compelling story around how and why this set of technological offerings will be all you need to implement in the foreseeable future for solving these problems while continuing to improve the overall quality of your IT mission.


In thinking about this new wave of Governance, Risk and Compliance let’s start in reverse and look at the end result, Compliance. For the scope of this white paper ‘Compliance’ could be anything from Sarbanes-Oxley Section 404, HIPAA, CMMI Level 3-5, ISO 9001, Basel II, even anything that is internal to your organization such as capitalization or Service Level Agreements (SLAs), and the list goes on….
No matter what you are faced with in the ways of Compliance, the end result is likely some kind of an audit or periodic report to someone or something responsible for verifying that you are in Compliance. Such requirements as that are usually tied to some sort of Business Intelligence system that will tend to aggregate data from all kinds of places and systems to produce reports that verify levels of Compliance. The difficult part of such period based reporting systems, in addition to the mad scramble to actually make them produce positive results, is showing your work, e.g. decomposing the aggregate numbers for proof of Compliance. While Business Intelligence, such as that of the aforementioned variety, isn’t mentioned in the title of this white paper it has become very much a part of BPM at large and will be discussed under that topic later in this white paper.
In the end the old adage about those things measured and reported on are those things which are acted upon is the real rule of thumb here. No matter what you are expected to fall into Compliance with you will first need to figure out how it will be measured. We will take a more in depth look at how to define these metrics in the next section, Risk.


As previously discussed Compliance is something that may come from a myriad of places. It may come in the form of an audit to uphold some certification or perhaps simply adherence to some plan of capital outlays for value in your IT portfolio. Whatever these items are they should measured in terms of the level of Risk you acquire by somehow falling out of Compliance. There are many types of Risk, Operational Risk, Financial Risk, etc. and in some cases the Risk you are trying to measure has prescribed methods for doing so. The Basel II Accord for Banking where your Risk is measured in a monetary fashion is one such standard. Where there are government institutions enforcing Basel II on the largest (about 100 of them in the US called Tier 1) banks there is additional Risk of finding that you haven’t complied in addition to fines and publicity that may come in tow. The Basel II calculation of Potential Default (PD) or Exposure at Default (EAD) is likely something that should have been measured a little bit more closely by all institutions with regard to the recent housing market lending issues that materialized in poor ratings for those aggregate Collateralized Debt Obligations (CDOs) rife with subprime mortgage write offs.

Prior to thinking about Compliance or Governance you must plot those Risks that are important to your organization. One approach is to scatter plot such items as in the chart below. We’ve stated that Risk could be measured in negative value but let Value to your organization be the X axis and assign some other weighting say 1-10 for the items that have the greatest Risk for your organization. Again those things may be moved by their negative value but they may also realistically fall into the category of Risks you are willing to take. You can size the point on the chart for the levity of the Risk. Obviously you cannot hope to attack all points equally but it is necessary to make this a living exercise to constantly re-evaluate where you stand in the vast world of Risks that affect your operation. If you are at Risk of losing market share for instance then you will certainly become out of Compliance with shareholder expectations!
There in lies the point of having a sound strategy for Governance, Risk and Compliance so that you’ve controlled your Risk internally before having to worry about it externally. After all, exposing your customers to that risk can cost the most important capital an organization possesses, credibility. We all experience Risk in everyday life for instance when we approach an intersection with a yellow light we make a calculated decision based on the Risk that we may be caught breaking a law if we proceed. If you were to get into an accident or get a ticket in doing so it would pose great risk to you in the form of bodily harm or financial responsibility. Externally, however, insurance companies would have new ideas about the risk you present for them in continuing to insure your operation of a motor vehicle in the future. Some Risk happens that quickly but identifying all of those things ahead of time that are possible and preparing to handle them proactively is what Governance is all about.


While Compliance is usually done to appease some authority that has the ultimate say as to whether have effectively mitigated or managed our Risk, Governance is the practice of managing the Risk of not being in Compliance. We’ve stated earlier that this Compliance may come down to something at the very core of your business such as whether or not you are generating enough revenue for the marketing campaign that was just funded. Perhaps this Compliance is more of an absolute such as that of Sarbanes-Oxley Section 404. No matter what the total sum of these Compliance items that assure that you’ve managed the Risk specific to you, there is also likely a number of Governance frameworks established to deal with those same issues. In the case of Sarbanes-Oxley (SOX) there is the CobIT framework which is meant to put in place the Controls necessary to be able to attest to Compliance with SOX. There are many complimentary frameworks that every publicly traded company should implement or at least investigate for portions applicable to enhance CobIT such as ITIL and ISO 17799 (now ISO 27002). Many of these involve internal processes that must be implemented, verified and measured as an ongoing, ‘in-situ’ audit rather than the mad dash of period based reporting most experience these days.
Governance then is the sum of these policies and procedures that you put in place, some of which are based on industry standard frameworks, in order to effectively manage your total Risk. Don’t let all of the alphabet soup of all of the frameworks, regulations and standards scare you. Once you’ve gained an understanding of your Risks you will be able to map the appropriate frameworks to them for building your own Governance ‘mashup’ (see Enterprise 2.0 at the end of this paper for a definition of ‘mashup’). The point of this white paper is to explain how a modern approach in implementing these controls with state of the art technology patterns can actually provide a vehicle to sustain any combination of these needs while also modernizing your IT infrastructure to be defined and driven by all business goals. Rather than consider any of the items addressed in this article as a ‘siloed’ cost center investment one should look at the overall agility these patterns can provide to an ever changing marketplace that demands more visibility into how you are protecting the interests of your customers, citizens or investors.


In addition to this plethora of frameworks (see Glossary at the end of this paper) aimed at supporting Governance there are a number of methodologies that support Quality and other initiatives in general such as ISO 9001:2000, CMMI and ISO/IEC 15504 which attempts to harmonize many frameworks starting with the two previously mentioned. There are also any number of derivatives of kaizen or Continuous Process Improvement methodologies such as Lean (from the Toyota manufacturing process), Six Sigma and even Lean Six Sigma. These all exist to minimize the number of defects per opportunity thereby increasing quality while allocating resources to the process steps in a ‘just in time’ fashion. The Continuous part involves understanding, measuring, simulating and re-engineering processes for gained effectiveness and efficiencies. The round trip for this Continuous Improvement Process is all about the reporting of the Risk measurements determined by what are seen as Key Performance Indicators or KPI’s. This data about performance is ideally fed back into a business process analysis tool that can use it as a simulation baseline.
Because these Risks have Governance frameworks associated with them it also ideal to weave these activities inside of the normal everyday duties that your lines of business perform. As mentioned in the Governance section of this white paper it becomes increasingly difficult not only to generate Compliance reporting around your business processes, but more importantly how you can decompose those reports to provide on the spot actual data. By fusing the techniques provided in this white paper your organization can provide a line of sight from any vantage point of your operation to any other(s). Although not a substitute for period based business intelligence aggregated for the purpose of performance management this brings the necessary aspect of decision support into your operational systems. Also because data from these more robust periodic systems can and should be embedded into your business process management applications you get an accurate picture of ‘who knew what and when did they know it’ that seems to be at the crux of most critical forensic audits occurring today.
The other part of BPM that is critical, especially since BPM is at least somewhat overlapping if not a superset of BPR (Business Process Re-Engineering), is the ability to understand how your human resources interact within business processes. Even more importantly, strategic human resource management involves understanding how your people can best perform and in what quantity especially if your workforce has a highly repeatable set of tasks. Understanding the activities of each individual in a discreet manner but always in relationship to the macro set of processes they participate in is where BPM intersects with Identity Management and is sometimes called ‘Role Mining’. This study has far reaching impact not only in BPM but also Human Capital Management where you literally are able to grasp the impact of enabling Human Resources with certain capabilities before investing in those initiatives. After all it is really the adoption of any initiative by a larger business community that enables success of any of the things such as those discussed in this white paper. Giving your organization protection from harm and increased value to the people it serves will win over many line of business owners and users who too many times have seen change come for the sake of change.


Service Oriented Architecture (SOA) isn’t an entirely new concept. It is however a new acronym with a lot of hype. In fact it has its own ‘hype cycle’ and now potentially an extended ‘trough of disillusionment’. This last part occurs when most realize that even though this new paradigm or technology is quite attractive, the reality of getting it implemented to derive its promised value seems distant if not impossible. SOA is one of these that experienced a steep slope that exists on the upside of that trough known as the ‘slope of enlightenment’. During this enabling phase many have realized that it takes more buy-in from various factions in an organization than what they may have assumed initially. An interesting statistic put forth by Gartner (whom by the way founded the ‘hype cycle’, ‘trough of disillusionment’ and ‘slope of enlightenment’ being discussed here) recently states that only about one quarter of larger companies will have the organizational or technical skills to realize an SOA by the year 2010.
SOA is largely an IT exercise and because IT has been somewhat separated from business in that its cyclical nature of responding to change in business models it is not seen as adequate in many business owners’ opinions. While services are typically portrayed as those interactions between systems in an SOA the other perhaps more key tenet of an SOA is how those systems are presented to and allowed to interact with the users involved in the business processes they support. An SOA is the fundamental center of the holistic concept presented in this white paper as it embodies all of the enterprise wide integration aspects that have heretofore been known as EAI, EII, ETL, MDM, B2B and the list goes on. An SOA requires its own set of rigors for Governance because of its own inherent Risks whereby measuring it for Compliance against its stated goals are the beginning of a truly shared model where business and IT are joined at the hip.
A perfect example of software vendors addressing this challenge has been the phenomenon of ERP and other COTS business applications that attempted to insulate business owners from dealing with IT in terms of actually creating systems to run parts of their business. The process of configuring these systems is what BPM looked like for many years until people realized how changes made to those systems affected upgrade paths not to mention stability of the applications themselves. The nice thing about this new philosophy of SOA and BPM is that those investments as well as investments in other legacy systems are preserved. Using BPM as your genesis for an SOA gives you an opportunity to attack this problem from a known set of requirements which are those of the business owners in the organization. They will give the commitment you need to get started not only because they are actually driving SOA requirements at the appropriate layer but also because you give them the ability to modernize their legacy or ERP systems without actually touching them. This is something that will save them huge budget and also allow those systems to continue providing the functionality they provide today including remaining the system of record for mission critical data.

Identity Management

As described in the previous two sections, the most important parts of your business are those resources that are not automated but human. They pose most of the Risk once you are into even the most basic maturity stage of an SOA and are responsible for carrying out operations using the Governance model that you’ve put in place in order to stay in Compliance. It is now apparent that Identity Management is the sharp end of the spear known as Human Capital Management as it was discussed earlier. It is literally where the rubber meets the road in that it is how your people gain access to the systems they interoperate with everyday to conduct your business. In addition most organizations have realized that the same digital identity should be used for gaining access to locations in which physical systems and other resources reside. The cost of managing on-boarding, off-boarding and otherwise managing credentials for these varying communities of individuals as they relate to your business has historically been a tough cost center to deal with. With a sound Identity Management Strategy much of this process can be centralized and provided in a self service fashion.
Outside of the HR or BPM side of knowing who your folks are and what they do, Identity Management provides one of the most critical items for Compliance and that is Attestation. Simply stated, Attestation is what an organization’s executives must sign off on periodically that says you’ve taken appropriate measures (implemented appropriate Governance) to mitigate any Risks. These include any or all of the Risks mentioned in this document plus untold others unique to certain industries or even those yet to be enacted or enforced. The one Risk that cuts across all others is that of the insider empowered to conduct your business that does so with a malicious intent, the so-called ‘insider threat’. This is the one thing that weighs the most on a company executive’s mind as it, aside from reports he’s looking at, is ensconced completely within a black box until discovered and by then it is often too late. Identity Management along with other appropriate Governance measures implemented in BPM and SOA helps to ensure that your employees act ethically and with your mission as their driving priority.

Enterprise 2.0

Let’s start by stating that Enterprise 2.0 simply means Web 2.0 and how that phenomenon applies to the enterprise. The key element of Web 2.0 and indeed Enterprise 2.0 is the ‘social network’ or the idea that in everything you do that involves communication with others there is a set of attributes or ‘social fabric’ that ties you together with that person or group you are interacting with. This allows you to participate in each task you perform everyday with those attributes front and center in the form of a collective context or ‘presence’. Presence is something you are familiar with if you’ve ever used an internet chat program and categorized your ‘buddies’ into groups for family, work, friends, etc. In the enterprise however presence is a more richly intuitive list of who’s available to you and what their role is in the scope of tasks you are currently working on. The other thing about Enterprise 2.0 in this collaborative scope of activities are the communications that come from this presence interface such as instant messaging but also including voice over IP (VOIP), video conferencing or web conferencing where a user’s desktop or document(s) are shared.
The other services provided in an Enterprise 2.0 fabric are those that were previously thought of as content management applications but now are seamlessly integrated into the ability to search for content, create it on the fly and share it any way imaginable. What you are working with at all times is data from your SOA that can be materialized as a printable document on the fly. For imaging or other legacy captured documents those can be passed as part of a ‘worklist’ that may be subscribed to for personal tasks assigned to you or tasks assigned to those in a certain role necessary to perform the work. In any case the idea of a ‘document repository’ or really locations in general is abstracted from the users in an Enterprise 2.0 environment. And since everything is locatable via a search engine interface or by attribute tags that give the documents the same project based context as presence, producing, accessing or editing documentation becomes a seamless part of a business user’s tasks.
Enterprise 2.0 components known as wikis and blogs allow for effectively introducing your new BPM centric SOA to personnel, both old and new. Wikis are essentially online encyclopedias of knowledge about things in your enterprise. Everyone can make entries in a wiki and those wiki entries are searchable as content. This is really a readable index of what people think is important to your organization and again its entries are presented along the hierarchy of your business taxonomies. Blogs are essentially similar but are more personal in nature in that it is used to record notes about how certain things were accomplished or perhaps more importantly are to be accomplished thereby alleviating the pain for the next individuals who experience the same challenges. Blogs allow for community comments on their content whereas wiki comments are effectively another entry into the wiki linked to the previous entry. These things provided together are known as a ‘mashup’ in Web 2.0 parlance and delivered to your users as an AJAX based Rich Internet Application (RIA). This combination also allows for a harness of sorts to be provided for business users to accomplish a very necessary goal of having a self identifying, self training work environment to be immersed in. Ideally this environment has gleaned all of the knowledge from your body of workers that is subject to disappear if not captured adequately. There is no bigger need for this than the current set of baby boomers that have been performing their work for decades and have their respective and collective knowledge bottled up in a form currently not transferable to the next generation. This paradigm allows for capture of that knowledge and its embrace by the new systems you put forth in order to address the challenges of the future while assuring good practices are not lost and also of equal importance that others are.


In today’s environment of regulations, competition and changing market conditions software vendors have thrust an abundance of new offerings into the marketplace in an attempt to enable their customers to cope and either remain in or gain a proactive posture towards IT investments. In this white paper we’ve presented some of these new patterns of software as well as visibility into some of the drivers necessitating an agile approach. You are hopefully now armed with a holistic view of these matters which you can bring to the attention of the appropriate decision makers within your organization to take action. Understand also that this story itself could start at any section in this white paper and easily transition to other sections as they part of a contiguous whole. This is a gestalt of the largest order in that it is increasingly difficult to enact certain combinations of these capabilities in a silo and still more difficult to actually do some of them without consideration for the others. Yet every day products are purchased and architectures are founded without consideration for a whole picture similar to the one drawn here.
When you start down the path of SOA with BPM as the key driver it becomes a self fulfilling prophecy due to the nature of how the onion is peeled with these techniques. Your BPM effort allows you to start with what your business actually does today and use that to drive the fa├žade around your existing systems that becomes your initial SOA. You then take BPM a step further to analyze appropriate frameworks and methodologies that need to be embraced for the reasons discussed in this document. Next you add the study of your workforce and their enablement within these systems via Identity Management and its BPM components. Finally you modernize the way your business users interact in this new world of BPM by introducing Enterprise 2.0 with Identity Management as the secured wrapper that allows them to be entrenched in the appropriate role based contexts for the work they are expected to carry out. This is in stark contrast to those institutions today who for instance can’t even lend money even though lending is their primary line of business, all due to their own accumulated risk they’ve realized with their poor controls (or absence thereof)
On the road to this nirvana is the ability to rationalize the appropriate portfolio of services for your SOA as well as a cookie cutter understanding of how to procure IT assets. In the end rolling out a new virtualized line of business or change to your mission should be as easy as filling your plate at a buffet and not much more difficult to put into this framework with newly enabled personnel who are now able to more effectively multi-task due to the homogenized IT environment presented to them. In the end this really makes IT transparent if not invisible to businesses who have struggled in large part due to the antithesis to this picture that exists in many places today.

No comments: