
Governance automation

What is Compliance Automation?
The right term - the right strategy
by Martin Kuppinger
mk@kuppingercole.com

Before we address Compliance Automation, we should define its position in the enterprise environment. In Europe, Compliance is regarded as an important driver of investment, even if the pressure arising from possible legal consequences is not comparable with the situation in the USA. But a closer look at what exactly drives investment makes clear that it is not only Compliance, but the further-reaching Governance with all its different aspects, such as Compliance (observing legal, official and internal regulations) and Risk Management. This also includes a generally demanded transparency, for example to prevent (legally quite relevant) corruption or simply to control enterprise risks adequately. With all these aspects in mind, it becomes clear that Compliance Automation is a comprehensive issue, requiring quite a bit of preliminary work.

The efforts made in connection with Governance, Risk Management and Compliance, which aim at building up defined processes and system-supported management of these requirements, do cost money. But they also bring important benefits. Apart from the aspects mentioned above, these benefits include the information that is (inevitably) generated for process optimization, meaning both efficiency and process quality.

We cannot cope with the challenges of Governance and its subordinate aspects, Risk Management and Compliance, without automation. In industries subject to tough regulation, such as banking and pharmaceuticals, system-supported Compliance Management is already standard. In most other industries, we have so far found more of a patchwork of different tools supporting automation. Alongside auditing solutions, automated configuration management and role-based access control, these also include, for example, document management systems.

With a view to these tools we might use the term “Governance Automation”, but unfortunately the mere accumulation of tools without tight integration cannot cope with these tasks, because overall transparency is missing. Some time ago, I set up a list of 10 requirements relating to Compliance. They make clear that a couple of isolated tools for specific tasks cannot do the whole job. What we need are standardized cross-system approaches which, on the one hand, allow business requirements such as specific Compliance regulations to be transformed into IT requirements in a standardized way. On the other hand, it must be possible to aggregate and process relevant data, such as audit data and events, from varying systems. This includes warnings in case of deviations as well as dashboards that give top management a status overview.

In my opinion, the challenges facing us with Governance Automation fall into four different areas:

  • There is a lack of processes between company management/board of directors, audit, legal, controlling and finance departments as well as other business areas on the one hand, and IT on the other
  • There is a lack of standards for the description of business requirements and their definition as IT requirements
  • There is a lack of standards for regulations which can be used to control existing IT systems
  • There is a lack of audit standards which could help to process and aggregate information from heterogeneous systems

To conclude, Governance Automation can be described as processes, standards and integrated IT systems aiming at a consistent approach to meeting Governance demands across differing IT systems, as well as analyzing the results. Governance Automation implies the task of developing a consistent concept from existing individual solutions, thus allowing cross-system control and analysis of Governance, including all its different aspects.

Created: 29.06.07, modified: 11.10.07

© 2003-2010 Kuppinger Cole