When trying to implement regulatory compliance, it seems to me that there are three ways you could go about implementing human-centric regulatory compliance (where people play a big role in the compliance process):
- The first is a rigorous workflow-driven process approach, where each step is part of a completely defined process. The process would have little (or no) flexibility and the people involved would have no discretion over how things should be done. This approach would ensure compliance, and could work well when most of the process is automated (done by machines) or performed by very low-level workers. This approach allows for complete process optimization, since every step is choreographed and can be measured and optimized. However, this approach would be very stifling and wouldn’t work for complex regulations or in a changing environment.
- The second is a controls approach. Based on a guideline or best practice, people are trained and would be expected to do their part. Controls at certain critical junctures in the process could be defined and measured to ensure an expected work product exists at the control point. This gives people more flexibility since they wouldn’t be told how to do things, but only what is expected of them (they are told the “what”, but have freedom with respect to the “how”). The downside here is that any information about how things get done is lost – and there is no way to use that information to iteratively improve the process. Another problem is that even though the control is compliant – the way that compliance was obtained may be problematic (and I don’t mean malicious intent – just that things were done the wrong way, perhaps for good reasons).
- The third is a tracking approach. Here too there are a guideline and controls. The difference from the workflow approach is that the “how” isn’t dictated – but unlike the second approach it isn’t ignored; rather, it is tracked so that the “how” is known after the fact. Like the second approach, there are controls defining specific work product at specific junctures in the process. In my opinion this approach blends the best of both worlds for knowledge workers – it doesn’t stifle them by dictating the “how” (which is probably impossible for many regulations), but enables an audit (even in real time) of both the “what” and the “how”, enabling both compliance and process optimization.
I was reading an Aberdeen report on “The Reinvention of the Internal Audit” which has lots of interesting statistics about internal audits and auditors. What was most interesting for me was that they came to the same conclusion as Michael Rasmussen in his post on the largest GRC vendor – Excel and Outlook (and a little SharePoint) are the standard Internal Audit Platform – which by default makes Microsoft the largest Internal Audit Platform provider.
It was also interesting to me that they used the term Internal Audit Platform distinct from GRC.
In any case this meshes with what we see with our Audit.Tracker solution – the use of Excel and Outlook is pervasive for internal audits. Given the changes in the regulatory environment, this is going to be a real problem.
In the current regulatory environment I expect we’ll see more and more calls for increased disclosure requirements for various internal processes. One of the latest is the SEC’s Release 33-9052, which sets forth proposed amendments to Item 401 of Regulation S-K that will require disclosure of the “qualifications, attribute or skills” that qualify a candidate for service in a governance capacity for a particular company, based on that company’s business and structure.
I was reading an interesting post on “Best Practices for Conducting Background Checks on Board of Director and Executive Officer Candidates” which provides a nice guideline on how to do background checks and possible red flags that companies should be on the alert for. The guideline is useful, but as a chief compliance officer, or member of the audit committee, how would you know that best practices were followed?
One way would be to make sure that all the documents collected regarding a candidate were stored and accessible. That would at least provide some material, but of course the process used to obtain the information would be completely lost. Another would be to have your IT department build an application, but even using tools like a BPM suite – that would take a while.
Finally, you could use an HPM solution like ActionBase – take the guidelines, mark them up as an ActionDoc, and then use ActionMail to manage the process. You could have this up and running almost immediately (using guidelines like those in the post, and creating a few ActionMail templates) – and you would have a simple solution to the problem. Doing it this way provides both access to the documents and to the process (and of course all the relevant status and historical reports).
I was reading PwC’s 2004 whitepaper on “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act” where they state: “Many companies rely on spreadsheets as a key tool in their financial reporting and operational processes. As a result, the use of spreadsheets is an integral part of the information and decision-making framework for these companies.”
Not much has changed in that respect in the last 5 years. In the paper they go on to describe that one of the standard uses of spreadsheets in business is operational – which is “spreadsheets used to facilitate tracking and monitoring of workflow to support operational processes, such as a listing of open claims, unpaid invoices and other information that previously would have been retained in manual, paper file folders. These may be used to monitor and control that financial transactions are captured accurately and completely.” They categorize these spreadsheets as low complexity, which is true, but the risk caused by these operational spreadsheets can be very high. Not only can the operational spreadsheet itself contain an error or omission – but the lack of linkage between the process described by the spreadsheet and the actual process invoked can cause a process failure that can be very difficult to uncover and fix.
The linkage between operational spreadsheets and email is pervasive in business, especially in audit processes. I guess that since the focus of the whitepaper was spreadsheets it isn’t surprising that they didn’t mention the actual operational aspects of the tracking and monitoring – which is done mostly through email. So the actual operational risk is not only in the spreadsheet, but also in the human processes (i.e. email) generated by the operational information in the spreadsheet. The other risk factors of spreadsheet use defined in the whitepaper, i.e. Analytical/Management Information and Financial, have received attention both from startup vendors and the academic community (e.g. the European Spreadsheet Risks Interest Group), but the operational side of spreadsheet risk and its link to process risk seems to be completely ignored.
Except by ActionBase, of course.
I’d like to invite you all to check out Alan Radding’s great post on his Big Fat Finance blog in light of his conversation with our CTO. It was very interesting talking to Alan following the release of Audit.Tracker. So much is happening within email and plain documents, it’s a bit scary to even think about it, and with all the new compliance regulations companies need to be well prepared and start managing the unmanaged.
Enjoy the post.
Sometimes we get asked (especially by people well versed in business process management) to describe an iconic example of an unstructured, human process. One example we tend to give is the internal audit process – where there is a framework for the way audits are handled, but each specific audit is different from the previous one. Another similar example is Board of Directors decision tracking.
Well, in light of the current administration’s focus on governance, I started thinking about combining the two. So I tried to find what is out there in the way of tools available for corporate audit committees. What I found was an audit committee toolkit by the American Institute of Certified Public Accountants (AICPA). It looks interesting, containing “checklists, matrices, reports, questionnaires and other pertinent materials specifically tailored to public companies including and designed to make audit committee best practices actionable”.
I am sure that it is useful, but it is not really what I would call a tool; it is more of a guideline or best practice – exactly what you would expect to see as the kick-off point for an unstructured, human process. But just providing a guideline doesn’t really mesh with another document I found from the Institute of Internal Auditors – “The Audit Committee” – where they state “Audit committee members must maintain an in-depth understanding of internal audit best practices and how internal audit is functioning.”
As with most unstructured processes, they really can’t do that using only documents, email and meetings – since there is no way for them to know how the internal audits are actually functioning. At best they can get a glimpse of the process at both ends – once when they define the processes and again when they see the result. They really don’t have any visibility into how their audit process is actually executing. If I were on an audit committee, I think I would be worried about that given the current administration’s stance on compliance and audits.
Of course, we would recommend using our human process management system (ActionBase) for this, just as it is used for Board of Directors decision tracking and other unstructured processes.