By Hal Steger | October 1, 2004 12:00 AM EDT
Mention the word "compliance" and it is likely to conjure up images of scandalous performance by companies such as WorldCom, Enron, and Tyco. But beyond corporate governance and government regulations such as Sarbanes-Oxley, HIPAA, and the National Do Not Call Registry, compliance is creating a new need for technology in less obvious areas.
Perhaps the largest of these relates to the rise of outsourcing, whereby companies are moving non-core functions to outside vendors. Along with the rise of outsourcing, there is an attendant increase in the use of service-level agreements (SLAs). An SLA is a contract between a provider and recipient to deliver one or more services according to an agreed-upon set of performance standards. It contains a description of the service or deliverable to be provided; it sets performance expectations in terms of cost, volume of work, responsiveness, and quality; and it defines metrics for evaluating whether or not the performance requirements have been met.
As more companies outsource their IT infrastructure and business functions, they rely increasingly on contractual obligations and SLAs to ensure their needs are met and they are getting their money's worth. A June 2004 survey of 320 IT professionals conducted by Oblicore found that outsourcing has become important to 76% of companies. About half of the companies had 10 or more SLAs, 28% had more than 50, and 7% had more than 1,000. Forty-two percent of companies reported they had more SLAs than a year ago, while 56% predicted more SLAs in the year ahead. Interestingly, 64% of respondents said their SLAs had major or moderate financial consequences for not reaching SLA targets. Perhaps most importantly, 75% of companies said that it was important to improve SLA management, which is an important type of compliance.
The survey also found that 49% of companies have a mix of internal, customer, and supplier SLAs. This shows that many companies now participate in a "service chain," whereby the performance of suppliers can directly affect a company's ability to satisfy its own customers. This was most apparent in industries with the word "service" in their name, such as financial services, telecommunication services, and healthcare services. While it is clear that SLAs are on the rise and are becoming more important and difficult to monitor, 43% of companies do not report on contracts at all, while another 16% only report quarterly or even less frequently. At the other end of the spectrum, in terms of "best practices," 13% of companies reported on contracts in real time, 11% did so daily, and 21% weekly. Companies indicated that the primary benefits of more frequent SLA monitoring and management were increased customer satisfaction, improved operational efficiency, and increased performance visibility.
Balanced against the increased importance of outsourcing and the general lack of reporting are numerous industry studies that show that as many as 75% of major outsourcing projects fail to "comply" with their original objectives. What's wrong with this picture?
Companies are finding that compliance is not easy or cheap. Business "regulations," often in the form of SLAs and other legal agreements, are intended to help companies specify, monitor, and measure internal performance as well as their relationships with customers and suppliers. Government regulations place their own compliance demands on companies. Yet compliance monitoring and reporting is hampered by the fact that many large companies are geographically and functionally diverse, and the trends toward outsourcing and service chains make compliance even more challenging.
What are the implications of this for technology and in particular for Web services, and what new opportunities are they creating? Consider the example of a health insurance provider and its relationship with external entities such as customers, doctors, hospitals, etc. HIPAA requires that the provider implement safeguards to protect against the misuse of individually identifiable health information. At the same time, the insurance provider may have signed IT outsourcing agreements with one or more vendors to manage and run its back office operations. So how does the insurance provider proactively monitor the performance of its outsourcing vendors to ensure that they are not inadvertently and illegally disclosing sensitive patient health information without the company's consent, thereby exposing the company to major legal liability? Most companies are now resorting to SLAs and active monitoring to ensure compliance.
Consider another example, from the world of financial services. Compliance is creating a need for companies to exchange different forms of performance data in a seamless and real-time manner. For instance, financial services firms are dependent on global providers of network services to provide brokerage services to customers around the globe. To gain a competitive advantage, financial services companies commit to providing high levels of service, during specific time periods, in different geographies, at low cost. To achieve this, they outsource major portions of their IT to best-of-breed network providers that offer high-quality bandwidth at low rates due to economies of scale. To facilitate this service chain, there needs to be a continuous flow of performance data between multiple parties. Financial service companies need to monitor the health of their networks and compare it to industry standard benchmarks. At the same time, they must constantly monitor the level of service that they are providing to customers, in the form of service availability, response time, transaction throughput, and call center responsiveness to customer issues. This requires gathering, aggregating, correlating, analyzing, and reporting reams of performance data from heterogeneous IT systems and business applications.
What has become apparent is that "compliance" is more than adhering to static government regulations by establishing high-level guidelines, training personnel, filling out forms, gathering quarterly signatures on financial documents, and filing paperwork that is rarely viewed. Compliance today requires the ongoing proactive monitoring, management, and reporting on a dynamic set of business commitments and standards. It is causing three separate disciplines that previously were performed independently to become intricately intertwined.
Prior to the enhanced litigiousness of our society and the related increase in the use of SLAs, it was commonplace for companies to separately manage contracts, measure financial results, and monitor IT service levels. However, the onslaught of SLAs, especially now that there are serious financial consequences for not meeting service targets, is causing companies to carefully connect the dots between legal, financial, and IT performance. Failure to do so could have potentially disastrous effects to the tune of millions of dollars in assessed penalties, lost revenue, and even jail time in the event of fraud.
The challenge of compliance reporting is aggravated by performance data that is present in systems that have grown independently and that is brought together only by using manual methods. A supplier may provide a company with a spreadsheet via e-mail. This approach is error-prone and does not lend itself to providing an adequate picture of compliance for a business. More often than not, manual performance data is late and out of context, providing little value in the effort to satisfy compliance requirements. Lack of accurate and timely data due to manual collection and transfer processes is the bane of chief compliance officers everywhere.
The characteristics of today's systems, where silos of information do not readily communicate with each other, lead to a set of problems that make compliance very difficult to implement and manage, except at a most rudimentary level. These characteristics include:
- Inconsistent data management policies across systems
- Inconsistent data formats across systems
- Non-integrated systems that do not share information
- Poor data reconciliation across systems for compliance
In summary, compliance requires a diverse set of performance data to be evaluated in the context of contractual obligations. If ever there was an opportunity that calls for easy and secure exchange of data between multiple companies, and for easier interoperability of disparate and heterogeneous applications and data, this is it: compliance is a major driver that will encourage the development of new Web services.
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
Hal Steger is vice president of marketing at Funambol, Inc., the mobile open source company. He has over 20 years of enterprise software marketing experience, including several years working with open source projects.