Process Driven Compliance Controls
An interesting take on process is the role it can play in compliance. Internal compliance controls traditionally look to either enforce policies or monitor for compliance issues. While this approach has merits, it has several characteristics that fall short of the goals of the organization.
First, the “process” portion of compliance controls often remains disconnected from the work people perform outside of these processes. Compliance processes move people through appropriate workflows to enforce policies, but rely on the feedback of people for the status of work actually performed. Of course, saying work was performed correctly (e.g., checking off requirements in the tasks of a process) is far different from ensuring work was performed correctly. This is why the second type of control is so important: the process control is not validating compliance, it is simply providing a structure to facilitate better compliance. Any mistakes, shortcuts, or oversights are left to be found by the monitoring controls.
Enter Process Driven Compliance Controls
Process driven controls, however, bridge this gap in a powerful way. Leveraging the capabilities of BPM (business process management) technologies, compliance processes can include validation, comparing the “what we said we did” to “what we actually did”, as part of the process. In their basic form, these kinds of compliance processes include validation that is triggered after work is completed.
This is an important step: it makes compliance processes self-monitoring, able to detect many of the compliance issues that can occur as part of the process, where they can then be assessed and corrected.
Finish with Proactive Process Compliance Controls
The last mile is the incorporation of validation “in flight.” This is where compliance controls realize their true potential. When validation control is implemented within a process-based compliance control, the control proactively enforces compliance rules with validation of what actually happened as part of the actual work being performed.
These compliance controls actually control, via process design, the compliance outcome. Issues, gaps, and oversights are no longer identified by external monitoring controls. Nor are they left to validation after work is complete, where issues and gaps are identified so that they can be assessed and corrected before the process is finished.
Instead, they control the compliance outcome as work is actually performed, leaving nothing to be found by external compliance monitoring controls or tail-end process exception handling. This approach manages compliance as work is performed, ensuring that no gaps, issues or oversights occur. The result is a substantial improvement in compliance, reduction of the internal cost of compliance, and real-time control over compliance objectives.