Regulatory Compliance Processes
An audit is just one way human processes are used for regulatory compliance. In today's dynamic regulatory environment, new regulations and greater regulatory supervision are the norm for many industries.
In most cases, the process for handling these regulations is human-centric and unstructured until the organization familiarizes itself with the regulation and its consequences. Over time, the organization may decide to codify the handling of compliance through a structured process supported by IT. Until then, though, most companies will handle it through a human process that is probably executed via e-mail messages and documents.
For example, the new "breach notification" provision of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) is a healthcare regulation that has just been enacted. The regulation requires Health Insurance Portability and Accountability Act (HIPAA)-covered entities to promptly notify affected individuals, the Health and Human Services Secretary, and the media of any breach affecting more than 500 individuals.
Since this is a new regulation, one possible way to handle compliance is to assign someone as the breach process owner. Her first act will most likely include sending out instructions on how to handle the breach. The first step in handling a breach might be sending an e-mail message to the breach process owner when a problem is discovered. At that point, the company would need to organize a response to the breach, making sure to meet the regulatory requirements and any relevant internal processes. That means ensuring affected individuals are notified and, if needed, that the government and media are notified.
The company may also launch an internal investigation of the breach. Without adaptive case management, all of these steps will probably be done via documents and e-mail messages, making it impossible to manage, track and audit compliance with the regulations.