
Business Process Management for Sarbanes-Oxley Compliance

Business leaders today face unprecedented challenges in meeting customer and shareholder expectations. Challenges result from increased complexity in executing the right business plan amid the backdrop of changing markets, converging technologies and heightened customer expectations, not to mention the challenges associated with the current economic environment. Leaders also want their decisions swiftly translated into responsive, competitive and measurable actions reflecting their vision and strategy.

Simultaneously, the government has increased expectations for ethical business practices and sound reporting. With the U.S. Congress’ July 2002 enactment of the Sarbanes-Oxley Act, the first phase compliance of which is mandated for 2004, the rules for corporate governance and disclosure have been rewritten. CEOs, CFOs and their financial auditors are now required to certify not only the company's financial statements but also the internal controls and financial processes that produced those statements. Furthermore, the regulations for process certification will become more inclusive over time – requiring companies to move from passive to active compliance, with annual process reevaluation.

Increased Attention on Business Process Management

The need to link sound corporate governance to effective control processes has never been more evident. As a result, the business concept and technologies of business process management (BPM) are receiving greater attention.

However, looking to BPM merely to meet immediate Sarbanes-Oxley (SOX) compliance requirements is shortsighted. Automating and monitoring business processes to become compliant is in line with what companies should be doing anyway from an IT perspective. Setting up strong internal structures to meet SOX mandates can provide benefits above and beyond compliance.

Moving into 2004, for many companies BPM will become a cornerstone for long-term active Sarbanes-Oxley compliance. This involves the interlinking of processes: automating manual audit tasks, enforcing rules-based policies and providing a common platform that coordinates both SOX-related activities and other mission-critical processes.

What is BPM?

It's one thing to agree on auditing procedures internally, but the key is to take the next step, to efficiently and accurately carry out the procedures to meet the confidence level of top management and, of course, the auditors. At the most fundamental level, a business process management system is essentially software that helps choreograph and carry out the series of steps for business activities and procedures in real time.

As technology designed to model, automate and monitor processes, BPM controls and streamlines the interaction between disparate enterprise IT systems. It embodies the converging of technology covering three categories of interactions: people-to-people, systems-to-systems and systems-to-people interactions – all from a process-centric perspective.

Combining and extending workflow tools and application integration, BPM allows a company to model and execute business processes, e.g., for financial compliance, that span multiple internal systems, external resources and users including suppliers, partners, internal staff and customers.

How Does BPM Fit within IT Infrastructure?

BPM is based on a new set of IT objectives, new business expectations and a new underlying technology infrastructure. For regulatory compliance, for example, it can deliver real-time visibility of end-to-end processes through a management dashboard of aggregated process data. More specifically, this can mean the mapping of transactions from front-end systems to back-end financial systems to better ensure getting at the “financial truth” quickly.

BPM is at the heart of what analysts such as Gartner Inc. are calling the “enterprise nervous system – the integration infrastructure or intelligent network that continuously monitors the state of the heterogeneous enterprise and its relevant partners.” [1]

Because much of business today is conducted online, BPM technology must be layered on the new e-business technology infrastructure, in particular J2EE and Microsoft Windows services, XML and Web services. New business initiatives are invariably being built on these new Web-centric architectures and components.

However, today’s top BPM systems are scoped beyond process automation or workflow. They add conceptual innovations and technology from two previously distinct software categories – enterprise application integration (EAI) and business-to-business integration (B2Bi) – in a reliable and integrated modeling and execution environment and reimplement it all on the new Web-based e-business infrastructure. Additionally, some BPM systems provide a coherent framework for integrating existing mainframe and client/server systems throughout the enterprise and a bridge connecting legacy applications to the new architecture.

This concept is not new, but rather dates back over a decade. Early iterations were mostly about assigning and completing internal tasks. Since then, BPM has centered on integration of silos of information into seamless, end-to-end flows spanning the extended enterprise – the type of control system ideal for enabling SOX compliance.

Why is BPM Important?

In today’s transforming business environment, a company can no longer be isolated. There is more interactivity than ever, with suppliers, partners and customers touching virtually every aspect of the company. Therefore, businesses need the ability to perform accurate mid-course corrections at will – without starting over or disrupting the day-to-day operation – with results still being measurable and regulation compliant.

BPM is a business mind-set rather than merely technology. It’s also not industry specific. Organizations from a variety of industries, including healthcare, government, manufacturing, telecommunications, insurance, banking and general commercial, gain common benefits from adopting BPM. It offers companies unique opportunities to automate and track their internal business processes, tasks and associated financial controls. ROI from BPM includes:

  • Increased efficiency
  • Product/service time to market
  • Greater competitive advantage
  • Lower operational costs
  • Higher customer satisfaction

Critical for SOX Compliance

From a business perspective, what are today’s most pressing challenges, both for SOX compliance and overall business performance?

With unprecedented pressure to perform, to do more with less while complying with more stringent regulations, even most IT decisions must now be made from a business context.

A primary challenge is to improve operational efficiency, i.e., to make existing resources more productive – improving how companies implement overall business procedures or processes. Agreeing upon what the financially relevant processes are and how they interrelate is the first step toward SOX compliance. BPM, while not necessarily helping with the top line, is critical for driving processes to assist with the bottom line.

Secondly, companies must be more responsive to stakeholders, whether suppliers, internal customers or external customers. Real-time responsiveness rests largely on a company’s ability to gather and use the information flowing through the business – no matter its location – and make it available to the people who can do the job.

A third business challenge is handling change. Too often the existing IT infrastructure can’t react quickly enough, lacking the ability to rapidly adapt internal and external controls and all touch points as the business needs change. As a result, companies have been destined to start over when business requirements change.

After processes are identified and defined, the next step is to streamline linkages between these various processes (financial, operational, etc.) and the resources they touch. This is where BPM excels.

As IT organizations seek to become key drivers for business success and support SOX reporting mandates, they must bridge the gap between business needs and IT’s ability to meet them expeditiously and cost-effectively. To do this, IT must solve three key problems:

  1. Difficulty in automating business processes.
  2. Complexity in accessing systems.
  3. Rigid, difficult-to-change IT environments.

The Way Forward

How can companies best comply with requirements and also derive the added process-related benefits discussed here? Support is growing for full-featured BPM with seamless integration of people, processes, and systems on a unified, comprehensive platform, based on open standards and Web services, and capable of customization and scale. When implemented correctly, this convergence of previously separate capabilities becomes a strategic, competitive infrastructure for process efficiency and systematic regulatory compliance.

Sarbanes-Oxley and other regulatory mandates are both mission-critical challenges and significant company drivers for improved processes and automation. Sarbanes-Oxley will continue to test many companies’ process abilities and IT’s strength in deploying them. Becoming SOX-compliant at a business level aligns with what companies should be doing anyway from an IT perspective.

In the big picture, if companies manage their processes and information in a visible and change-enabled manner, they likely will meet or exceed customer and shareholder expectations. Regulatory compliance then becomes a by-product – a mere formality – reflecting best practices that BPM builds into the company’s infrastructure.

References:

1. McCoy, D. “Business Process Management: Core to the ENS.” Gartner Group Commentary. April 3, 2001.


Neal Novotny is senior manager of Integration Product Marketing for BEA Systems, San Jose, California.
