Why It’s Time to Dust off Your Compliance Documents
I have been looking at why BPM/BPMS projects fail and what can be done about it for some time. Over my years in big consulting I had to rescue more than a couple of projects – both for the companies I worked for and for clients. Increasing the probability of success has been a quest of mine for a lot of years. All of the things that I have found that can avoid failure have been built into my methodology. All but one that is – one that I have recently realized as a big hole that can be easily filled. One that is being added to my methodology now.
The fact is that BPMS tools work. Technical failures seem to be largely related to the BPMS developers on a project’s team, as well as a fundamental misunderstanding of BPM techniques and methods. But the tools themselves are great. The business designs, if done properly, also work and, following iBPM concepts, provide solid new business designs. And, business staff can be taught the new workflows and how to use new support. All of the standard parts can be successful - depending on the way the project is approached. But there is a fundamental problem that we have all really overlooked.
The problem has to do with the implementation of policies, procedures, rules, and compliance requirements. While these things are given some attention, they are not normally given much attention in the actual new design. They are seldom analyzed, vetted, and used to drive the way work is performed and governed. That is probably because they have little to do with efficiency.
We are finding that policies, along with procedures, rules, and the way compliance requirements are supported are often poorly controlled in companies. Few people have any real handle on all the policies in the company – what they are, where they are to be found, who they really apply to, how they are applied, if they are still valid, if they are in conflict, or if they are still even legal. I have not found a comprehensive list of all the policies in any company – they are all over the place. Some are official and some are not – they are “just the way things are done” or they are interpretations of interpretations of what Sally or Bud thought she or he was once told by someone who is long gone. Are some companies in better control of these things? – of course.
But many companies today do not really have their policy administration under solid control. That means:
- no differences in interpretations by staff as well as all being aligned to work
- up to date and vetted by HR/legal/finance
- up to date procedure manuals (not just notebooks of emails, notes, memos)
- rules under control (identified, aligned to where they apply in the business and applications, vetted, and understood by those who must apply them)
- solid enough control over compliance requirements and their implementations that the people who are actually doing work that must comply with some regulation know the regulations and what they are doing to ensure compliance
I believe that this is a hole or blind spot in the ability of companies to create and implement optimal business transformation solutions and to effectively evolve to a digital enterprise.
Unfortunately, unless properly controlled, each of the items on the list above can cause catastrophic consequences with little or no warning. Companies are dealing with the results of these items every day – and it wastes time, money, and energy.
However, I am not suggesting that these things are never considered in transformation projects. They exist and affect business operations and are at least somewhat considered in a redesign. But if they are considered in the new business design, they are more often than not given minimal attention and, if noted, are relegated to the dusty shelves of documentation that no one will look at again until the auditors ask for something.
The fact is that policies guide any business operation and procedures determine how the policies are implemented. But few really understand this relationship and instead focus on tasks without understanding why they do things or what their work adds to the product, service, or customer experience. I believe that this is a problem because it can affect quality and an ability of the line managers and staff to look for ways to improve their work.
Part of the problem is that in looking into these things as part of real business transformation (questioning everything at a fundamental level and not just improving what is there) I have found conflicts, gross misunderstandings, multiple interpretations and, worst of all, illegal policies and procedures. In all honesty, the illegal things were once legal, but over time, as new laws and regulations are put in place, they have become illegal. There are so many policies in most companies that some just get lost and surface from time to time only to get lost again. This is also true for procedures and rules – including those that support compliance requirements. The issue here is that many policies are not linked to procedures or rules and their effect on processes and activities may not be aligned to a desired outcome. When we simply improve things, we really run the risk of thinking we are making things better, but are actually causing more variation through interpretations and conflicting ways of looking at things. That is damaging and costly, but pales in comparison to potentially continuing illegal practices.
Scary stuff, if we are honest with ourselves. Without these links and this alignment between policy, procedure, rules, and implemented activities (including compliance activities), the question becomes – how do we know if policy is being followed and the procedures and rules are valid? And of course all of this affects the work we do, its efficiency and its effectiveness, as well as the potential catastrophic impact it can have on a company’s reputation and on fines. We all know of companies that have been hit with big fines. While some of these were obviously sloppy management or management taking a gamble, a lot of these cases may simply be related to companies thinking they were doing the right things only to find out that they weren’t.
In addition to this impact, there are implications for compliance with union contracts, trading partners and more. All can cause problems and waste time and money.
We are now including time and tasks for the archeological dig needed to find all policies that apply to the business areas we are redesigning, and to review/analyze/update/vet them, as well as looking into procedures, rules, and compliance needs and reporting, in our projects. This includes time for both the activities needed to find those policies/procedures/rules that are written and workshops to find the real but undocumented policies and procedures that direct the work and decisions. We also now align policies, procedures, and rules to activities and to the way compliance regulations are supported. All policies are put through a process that justifies the need for them and modernizes them. Only when all are understood and their relationship to the work is defined can any redesign be effective. I have found that this process not only acquaints people with the justification for the controls that they must deal with in their work, but it also makes them understand the work at a more fundamental level. It lets them understand why they need to do things in a certain way and stops the creation of workarounds that can move the operation slowly back to the way work was always done and kill redesigned work.
In addition, poorly managed policies, etc., can have a seriously negative impact on work, automation, and quality. We may automate things the wrong way – in violation of policy. Those activities that remain manual may also be affected by interpretation as work inconsistency becomes an issue – with customers getting different answers from different sources in a company, complicating any customer interaction.
As much of a potential problem as these issues present in any old or redesigned business operation, they combine to create a serious roadblock in any move to a digital enterprise. This roadblock, for many companies may be the final reason to address this blind spot in their operational improvement.
I believe that companies will soon have no choice but to move to a highly digitized operation. This ability to evolve a company’s digital capabilities will become a real game changer in the near future. The issue becomes having an ability to move quickly to respond to opportunity or react to legislation and compliance requirements in all the countries the company does business with. Without a clearly identified, controlled, vetted, and aligned set of policies, procedures, and rules, any action’s compliance with policy becomes suspect. That can be problematic.
If you do not have a solid foundation in your move to either business transformation or to a digital enterprise model, you are building your house on shifting sands. I personally believe it is better to avoid fines and avoid the need to stop work that is providing a competitive advantage. Maybe it is time to consider cleaning up things that, in the past, were difficult to control but can now be addressed inexpensively with little disruption. Addressing the policy, procedure, rule, and compliance management issues fall into this category.
There are now new approaches and techniques that are supported by custom software tools that can allow you to address this critical issue quickly, with low risk and low cost. The only question is one of priority. But I believe that every company will need to deal with this problem. The question is when and what it will take to give it the priority needed to bring this under control.
Please let me know what you think. Contact me with your thoughts at 630-290-4858 or firstname.lastname@example.org .
As always, thank you for reading my columns. I hope they make you think about business transformation and continually look for ways to do things better. You may also want to look for my other PEX columns – there are now about 40 of them. Some of the topics may be of current interest to you and what you are involved in.