April 11, 2006

Coping with the compliance headache

The economic issue of regulatory compliance is a problem for IT to solve

More and more, business is being driven through regulation. Multiple regulations, from Sarbanes-Oxley to HIPAA and beyond, will have a big impact on cost but will do nothing for the revenue side. The question becomes how to minimize the impact on business operations.

What if IT had a single configurable system architecture that met most regulatory requirements? To achieve that, companies are trying to find what these regulations may have in common.

For many years, compliance vendor Qumas focused on the life sciences and regulations related to electronic submission of documents to the FDA. What it discovered was that the processes, policy, and procedures for the FDA had a lot in common with the processes for Sarbanes-Oxley, the Patriot Act, and even new regulations such as Rule 38a-1 for the insurance industry. 

For example, the way a life sciences company documents and certifies to the FDA that it cleaned its drug manufacturing tanks is similar to how a company might document and certify a change in procedures that affected revenue, to meet Sarbanes-Oxley requirements.

Qumas’ compliance framework is a suite of configurable products in which IT can change the business rules in the workflow engine and the business rules engine to make the suite work for a widely varied set of regulations. Thus, if you buy the software for Sarbanes-Oxley, you can also use it to comply with anti-money-laundering regulations in the Patriot Act or to certify that you cleaned those tanks for the FDA.

Mike Jansen, senior director of business consulting at Agile Software, a vendor of product lifecycle management software that focuses on environmental compliance, ticks off a list of features that are common to most compliance software. These include document management, collaboration, process automation, and of course the audit -- all of which cut across most compliance issues. Interestingly enough, as requests come in from the various business units, only IT is in a position to see the commonality.

John Hagerty, vice president of research at AMR Research, says that the “overlapping requirements” of the individual compliance mandates mean that the enterprise must have in place nine technologies: an integration infrastructure; business process management and workflow; learning and education management; content and records management; a data warehouse; a rules engine; an alerting engine; identity and security management; and management dashboards and analytics.

Software vendors are also providing some interesting solutions to the problem. For example, Agile’s Product Governance and Compliance package is a single solution that is suited to both environmental and Food and Drug Administration regulations.

Cyclone Commerce co-developed its solution for e-pedigree compliance -- tracking of drugs through the supply chain to prevent counterfeiting -- with McKesson, a major life sciences company. The goal was to create a solution that minimized the impact of the e-pedigree requirements coming out of individual states by melding McKesson’s business needs with Cyclone’s technology expertise.

The truth is, companies cannot afford to have point solutions for the DEA, DoJ, EPA, FDA, OSHA, and SEC, not to mention state and local requirements. If it is true that more and more business will be driven by regulation in the future, then alignment of business and IT is more critical than ever.

Ephraim Schwartz is an editor at large at InfoWorld. He also writes the Reality Check blog.

©1994-2009 Infoworld, Inc.