Recently I had the pleasure of doing a guest lecture at the Utrecht University on the relevance of #BPM for organizations and governments. After my lecture, I got into an interesting conversation with a bright young student (Daan Ykema) on how BPM can help organizations be more effective when it comes to managing regulations. I don’t want to keep the insights from that conversation with you all, so I decided to dedicate this episode of my Process Extraordinaire newsletter to the topic of Regulation Management and BPM, a match made in heaven it seems.
If you search for the words ‘regulatory tsunami’ on Google, you’ll end up with over 31 million hits and most of these hits are either consultancy firms telling you how to navigate the upcoming down poor of new regulations or they are interest groups (for example for legal or financial service providers) explaining how this tsunami is affecting their productivity and capabilities. I guess they’re both right, because the number of regulations and norms that companies need to comply with has been growing steadily over the last years, and more than steadily for the last 5 years. Especially around topics such as data privacy, sustainability and operational resilience new regulations pops up quicker than the magic mushrooms in Super Mario brothers.
Generally speaking, how are regulations dealt with in organizations (and I realize I am generalizing here quite a bit, but I would like to keep it relatively simple, so please bear with me)? Within organizations (and certainly within larger organizations) there often is a department that deals with keeping inventory of all the relevant regulations and norms that they need to comply with. This department can have many different names, but usually it is a department on corporate level (so providing services to all of the rest of the organization). They gather and study all of the relevant regulations and then work together with the functional domains to translate these regulations (and the clauses and articles within these regulations) into business requirements, that translate the somewhat formal language of a regulation into more relevant and actionable statements that are appropriate for the organization. I’ve depicted this in figure 1. By the way, you can also turn to a 3rd party to do the analysis and management of the regulations for you and notify you in case of changes. You could even opt to have them send over a delta-load of changed regulations into your BPM platform.
The next step is to figure out what business processes have been put in place or need to be put in place to fulfill these business requirements. A simple example of this is that if you have a business requirement around spending money on behalf of the organization (usually called procurement) you typically put in place a process around purchase requisitioning and more importantly, the financial approval of this requisition (before it is turned into a purchase order). This is of course a very obvious example but you can imagine that regulations and the subsequent requirements for sustainability topics or operational resilience topics are far more complex and far-reaching. This also means that many more processes will be linked to these regulations through the business requirements. Figure 2 depicts this connection.
The last step is all about how to stay in control and this, for me, has two major components to it. First, how do you know that the people in your organization are actually sticking to the agreements made in the form of processes and work instructions and second, how can you make sure that your processes continue to stay aligned to the requirements and the preceding regulations. It would be a waste of time and money if you have spend considerable energy in gathering the regulations, translating them into requirements, connecting them to processes and putting these processes in place if you then don’t look after them and find out 6 months down the road that a significant portion of it is already outdated.
So, two things can help here. To mitigate point 1, the technology of process mining is often deployed. Reconstructing executed processes based on their logged data and comparing them to the documented process (the way it is supposed to be done) is one of the most effective ways to check for conformance nowadays. This used to be a very much manual and time consuming activity. I just need to think back to the ISO audit I had to go through as a global supply chain manager back in 2010 and remember that I had to spend hours crunching data and talking to people just to ensure that we were in control.
The second point (staying aligned) can be supported via a rigorous management of change process. Most people that follow me for a while know that this is one of my favorite topics, it is also one of the most underrated topics in organizations. How to effectively deal with changes to your enterprise artefacts (be it processes, risks, regulations, applications etc). Without it, you will be overhauling a massive amount of processes every 6-12 months. Figure 3 shows the conceptual solution here.
To make a long story short. The combination of regulation management and BPM is a very powerful one and it will most likely develop into one of the core engines running the operational resilience machine, next to risk & control management.
Want to know more about this? Don’t hesitate to reach out to me, or my esteemed colleagues Karin Bruls, Eric Roovers or Frank Weise.
Ciao and I hope you enjoyed this read…