Before we address Compliance Automation, we should define its position in the enterprise environment. In Europe, Compliance is regarded as an important investment driver, even if the pressure arising from possible legal consequences is not comparable with the situation in the USA. But a closer look at what exactly drives investment makes clear that it is not only Compliance, but the further-reaching Governance with all its different aspects, such as Compliance (observing legal, official and internal regulations) and Risk Management. This also includes the generally requested transparency, for example to prevent (legally quite relevant) corruption or simply to control enterprise risks adequately. With all these aspects in mind, it is easy to see at this point that Compliance Automation is a comprehensive issue, requiring quite a bit of preliminary work.
The efforts made in connection with Governance, Risk Management and Compliance, aiming at defined processes and system-supported management of these requirements, do cost money. But they also bring important benefits. Apart from the aspects mentioned above, these benefits include the (inevitably) generated information relevant to process optimization, meaning both efficiency and process quality.
We cannot cope with the challenges of Governance and its subordinate aspects, Risk Management and Compliance, without automation. In tightly regulated industries such as banking and pharmaceuticals, system-supported Compliance Management is already standard. In most other industries, we so far find rather a patchwork of different tools supporting automation: auditing solutions, automated configuration management and role-based access control, but also, for example, document management systems.
With a view to these tools we might use the term “Governance Automation”, but unfortunately the mere accumulation of tools without tight integration cannot cope with these tasks, because the overall transparency is missing. Some time ago, I set up a list of 10 requirements relating to Compliance. They make clear that a handful of isolated tools for specific tasks cannot do the whole job. What we need are standardized cross-system approaches which, on the one hand, allow business requirements such as specific Compliance regulations to be transformed into IT requirements in a standardized way. On the other hand, it must be possible to aggregate and process relevant data such as audit data and events from different systems. This includes warnings in case of deviations as well as dashboards that allow top management to survey the current status.
In my opinion, the challenges of Governance Automation are connected to four different areas:
- There is a lack of processes between company management/the board of directors, the audit, legal, controlling and finance departments and other business areas on the one hand, and IT on the other hand
- There is a lack of standards for describing business requirements and defining them as IT requirements
- There is a lack of standards for regulations that can be used to control existing IT systems
- There is a lack of audit standards that could help to process and aggregate information from dissimilar systems
To conclude, Governance Automation can be described as processes, standards and integrated IT systems aiming at a consistent approach to meeting Governance demands across differing IT systems, as well as at analysis of the results. Governance Automation implies the task of developing a consistent concept from the existing individual solutions, thus allowing cross-system control and analysis of Governance in all its different aspects.
Created: 29.06.07, modified: 11.10.07