For the past few years, the big buzz in application and system design has been to “support business processes.” Unfortunately, many organizations have a blind spot in a critical area of business processes: compliance. The focus in new application development has often been on workflow, information flow and user interaction. Not enough attention is being paid to supporting critical compliance factors. For example, as I discovered at a recent CIO roundtable in Boston, some new hospital patient record systems still dont have full compliance with HIPAA. And in the financial sector, I found that too many account management systems have no links to provisioning or identity management systems.
The bottom line is that many of the newest applications dont fully support business operations because they cannot meet requirements for compliance, audit and regulation. These applications will create more problems than they solve. The cost of retrofitting compliance is going to be far larger than building it in.
Merely stating that organizations need a compliance infrastructure built into IT systems doesnt create the budget to do it. Despite improving business conditions, budget dollars arent exactly raining from the sky. Some creative approaches may be needed.
One method of finessing the budget issue is to burden one of the larger new applications with the cost of key compliance infrastructure products that it will eventually need. For example, as an educational institution puts in a student information system, the ID management software and infrastructure is added into the cost of the project. This allows succeeding applications to use the same ID management tools for which one key application has paid.
In some cases, the project is too far along or the accountants too sharp-eyed for this to work. In those cases, some smart CIOs and senior IT professionals are building a cost into new systems that is combined with the “contributions” in the same area from other new applications, up to the point where enough funds are available to implement a complete solution. In this example, a group of three or four new applications can be “taxed” to pay for the implementation of a provisioning system that is essential to meeting privacy or information access guidelines for an entire organization.
Regardless of how an organization pays for them, compliance and regulatory reporting capabilities are a fundamental part of the business operations that IT must support. A CRM system must have a tracking system that covers who has access to customer records, just as much as it needs management tools that empower account managers who use the underlying information. Compliance and regulatory issues have arrived. Dont plan on them leaving any time soon.