Café Innovation: The practice of security and compliance needs business process enrichment
Let us consider a hypothetical situation….
Jill Lee is seated across from her manager, Burt Litman. She has just finished explaining that, as a security expert and one charged with compliance enforcement, she finds the changing environment very challenging. The fact that many in the organization are punching out of the firewall to external web sources of data, and that many are spending a lot of time collaborating with peers across and beyond the organization using Facebook, has left her wondering if there is any such thing as standard process in the organization. She feels that the company’s data, and implicitly its future, is being compromised by these actions – actions that she is having a hard time fitting into her model of acceptable process execution behavior. She is worried that the auditors are going to have a whole bunch of things to complain about. She has an idea of what should happen next but wants to first hear from her manager.
This conversation is making Burt very uncomfortable. He is not sure how to respond to her concerns. He has been a diligent and hardworking employee who has always followed the rules and has earned kudos for holding down costs while maintaining good performance levels on his team. He has seen the messages from higher up that speak of how the future is all about adopting more interactive ways of executing processes. He has heard the pitch about collaborative business models, and he has agreed with others that a more end-to-end business process view should be adopted all around. However, he is not sure what to do about it. He wonders how best to push forth on the high level direction he has received but is at a loss about how to accomplish it without sacrificing the demands of security, risk management, and of ensuring compliance.
Does this sound familiar?
In this forum we have focused on the aspects of innovation and what that means from a business process perspective. We have also touched on the topic of governance, which includes security and compliance. Today, this assumes greater importance because with SAP Business Suite 7 we have an enhanced ability to flexibly model new processes. As we do this, we break old paradigms about how certain transactions should be conducted. Should the notions about security and compliance be tied to old-fashioned ideas of what is acceptable and what is not? While there will always be some absolute “don’ts”, there is ample room for the practice of security and compliance to grow and figure out new controls to match new processes. Perhaps there is a need to remodel the notion of what constitutes acceptable execution of business processes, so that as processes are flexibly changed they do not constantly run into a “no compliance” zone. How can this be made easy or possible for organizations? Let us see what Jill might be thinking….
Jill was trying to piece together the rather confusing explanation she had just heard from Burt, and then decided to go boldly where she had not gone before…. She ventured to suggest something that had been percolating in her mind for some time. She proceeded to remind Burt about a presentation they had both attended. It had been given by one Shiva Vijayraj, a passionate yet reasonable evangelist for business process innovation. He had spoken about the concept of the “business process perspective” and how an organization could evolve into a Business Process Enterprise and what that meant for the future of how business processes could be flexibly improved thus continuously providing new competitive strength. She then explained to Burt that for her to do her job well and stay in tune with what was changing around them, she needed to get closer to the business process action and structure a framework that would allow for her and her team-members to weigh in with security and compliance input whenever a changed/improved process ran into an existing requirement for compliance. What this meant, she explained, was that what is acceptable today may have to be revisited tomorrow, as long as the overall objectives of compliance and security were not compromised.
“How do you propose starting down this path?” asked Burt. “I will become as much of a business process expert as anyone else so that as a process expert I see the value in an improved process before I question its acceptability from a compliance standpoint.” This was all too revolutionary for Burt, but in some strange way he could see her point. It was late and he had to get home to catch the game he had been waiting for all season. “Let us continue this discussion tomorrow,” he said and reached for his laptop’s power cord.
Jill and Burt can wait until tomorrow; let us start this discussion today! Let us keep it going for it is important to have compliance needs working together with, and not against, those engaged in process innovation.
P.S. Please note that Jill Lee, Burt Litman, and Shiva Vijayraj are fictional characters. Any resemblance they may bear to any person living or dead is purely accidental and certainly not intentional. If you do happen to personally identify with any of these characters then please congratulate yourself for you are in a position to influence your organization’s success!