Business modeling and compliance
Blog: Bridgeland and Zahavi on Business Modeling
Businesses always have to comply with something. They must comply with policies or rules they set themselves (e.g. the largest check an employee is allowed to sign), with policies or rules set by their business partners (e.g. the terms of a loan agreement or a contract), and with laws and regulations set by local, national, supranational, and foreign governments (e.g. what a company is allowed to export).
Compliance is achieved when a business adheres, and can demonstrate that it adheres, to a set of rules, standards, or regulations. Compliance can be achieved through systems that enforce particular employee behavior and business flow, or through training and oversight that ensure employees are compliant when they perform their work. In practice the two are combined: enforcement in systems for the rules that can be checked mechanically, training and oversight for the rest.
Business models help businesses understand how to be compliant, help them understand the impact of compliance, and allow them to manage compliance over time. A business can create business models to better understand what it needs to change in order to be compliant. It can compare the existing organizational structure, processes, and rules against the compliant ones to understand what must be changed. The models can also be used in training so that employees understand what they must do to be compliant.
The business can use the models to understand how being compliant will impact the business. Will efficiency change? Will customers be lost? Will revenue be reduced? Analyzing the differences helps the business understand the impact of the change.
Once a business understands the delta between where it is today and where it is headed in order to be compliant, the business can use business models to manage compliance. As the business changes and the regulations change, the models can be changed to represent the state of the business.
Compliant business processes can be deployed and business rules modified to ensure compliance is maintained. Business rules directly model corporate policies. If the rules are executed in a rules engine, the engine notices when a rule is violated, that is, when a policy is not being followed, and can record the violation and route it for handling. For example, a business might have a policy that any purchase of more than $5000 by a department must be approved by a corporate officer at headquarters. When someone purchases new software licenses for $6329, that purchase is flagged and routed to the appropriate officer for approval.
Let's look at another example of managing compliance. The US healthcare industry is regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose Privacy Rule protects patient privacy. One of the HIPAA requirements is that a hospital cannot disclose protected health information about a patient without first getting written authorization from the patient, at least in circumstances where the health information is not needed for treatment, payment, or healthcare operations. For example, the hospital cannot share health information with an insurance company to be used for a decision about the patient's coverage unless the patient authorizes the sharing.
To comply with HIPAA, hospitals have to examine all of their business processes that involve protected patient information. They must understand all of their interactions with outside organizations (insurance companies, health maintenance organizations (HMOs), pharmaceutical companies, laboratories, and so on) and ensure that every hospital employee who interacts with these organizations follows HIPAA-compliant policies.
Business modeling supports compliance with regulations like HIPAA. With a model of the interactions with outside organizations, our hospital can see who shares information with whom. With business process models, our hospital can check that patients are asked for authorization before information is shared, in every situation in which such sharing is needed. With a model of the business rules, our hospital can check whether its policies cover the HIPAA requirements and leave no area in which protected information could be inappropriately shared. Our hospital can use business modeling to ensure it has the appropriate interactions, processes, roles, and policies to satisfy HIPAA.
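The purchasing rule above and the HIPAA disclosure rule are both examples of a policy expressed as an executable business rule. The following is an added illustration, not code from the blog or from any product it describes: a minimal rules engine in Python that evaluates declarative rules over business events, emits a finding for each violation with the routing action the policy prescribes, and reports any event kind that no rule governs (the "area where information is inappropriately shared" that the text warns about). The event format, rule names, and sample events are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Set

# Constructed example: a tiny policy-as-code engine. The event schema,
# rule names and sample data are assumptions made for this illustration.


@dataclass
class Finding:
    rule: str
    event_id: str
    action: str   # what the policy says to do with the violating event
    detail: str


@dataclass
class Rule:
    name: str
    applies_to: str                    # event kind this rule governs
    violated: Callable[[dict], bool]   # predicate: True when the event breaks the rule
    action: str
    detail: Callable[[dict], str]


# Rule 1, from the purchasing example: purchases above $5000 need officer approval.
PURCHASE_LIMIT_USD = 5000


def purchase_needs_approval(ev: dict) -> bool:
    return ev["amount_usd"] > PURCHASE_LIMIT_USD and not ev.get("officer_approved", False)


# Rule 2, from the HIPAA example: disclosing protected health information (PHI)
# outside treatment, payment or healthcare operations needs written authorization.
TPO_PURPOSES = {"treatment", "payment", "healthcare_operations"}


def disclosure_needs_authorization(ev: dict) -> bool:
    return ev["purpose"] not in TPO_PURPOSES and not ev.get("written_authorization", False)


RULES: List[Rule] = [
    Rule(
        name="purchase-over-5000-requires-officer",
        applies_to="purchase",
        violated=purchase_needs_approval,
        action="route_to_officer",
        detail=lambda ev: f"${ev['amount_usd']} by {ev['department']} exceeds ${PURCHASE_LIMIT_USD}",
    ),
    Rule(
        name="phi-disclosure-requires-authorization",
        applies_to="phi_disclosure",
        violated=disclosure_needs_authorization,
        action="block_disclosure",
        detail=lambda ev: f"PHI to {ev['recipient']} for '{ev['purpose']}' without written authorization",
    ),
]


def evaluate(events: List[dict], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every applicable rule over every event; return one Finding per violation."""
    findings: List[Finding] = []
    for ev in events:
        for rule in rules:
            if rule.applies_to == ev["kind"] and rule.violated(ev):
                findings.append(Finding(rule.name, ev["id"], rule.action, rule.detail(ev)))
    return findings


def uncovered_kinds(events: List[dict], rules: List[Rule] = RULES) -> Set[str]:
    """Event kinds that occur in practice but that no rule governs: a policy gap."""
    governed = {r.applies_to for r in rules}
    return {ev["kind"] for ev in events} - governed


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"id": "P-1", "kind": "purchase", "department": "IT", "amount_usd": 6329},
    {"id": "P-2", "kind": "purchase", "department": "IT", "amount_usd": 4800},
    {"id": "P-3", "kind": "purchase", "department": "Finance", "amount_usd": 12000, "officer_approved": True},
    {"id": "D-1", "kind": "phi_disclosure", "recipient": "insurer", "purpose": "coverage_decision"},
    {"id": "D-2", "kind": "phi_disclosure", "recipient": "insurer", "purpose": "payment"},
    {"id": "D-3", "kind": "phi_disclosure", "recipient": "insurer", "purpose": "coverage_decision",
     "written_authorization": True},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.action}] {f.event_id}: {f.rule} ({f.detail})")
    print("event kinds with no governing rule:", uncovered_kinds(SAMPLE_EVENTS) or "none")
```

Running it flags P-1 (the $6329 purchase) for officer approval and blocks D-1 (PHI sent to an insurer for a coverage decision without authorization), while the approved purchase, the payment-purpose disclosure, and the authorized disclosure pass. Adding an event of a kind that no rule mentions shows up in `uncovered_kinds`, which is the mechanical form of the coverage check the text describes.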
In addition to checking regulatory compliance, business modeling can also be used to evaluate the business impact of a new regulation. For example, one state may require parental consent or notification for some medical situations concerning teenagers, while an adjoining state might not. Such a law affects the state that must enforce it and also the nearby states that feel its consequences, for instance through patients who cross the border for care.
What will happen as a result of a parental notification law? Will some patients be treated in a nearby state? What will the impact be on a local hospital business? Should a hospital open a clinic in another state? What will the impact be over time?
Using business modeling and simulation we can evaluate different scenarios to determine the expected impact of a regulation and experiment with alternative responses. In this case, compliance itself is not difficult; the challenge is to understand how to adapt the business strategy to the new regulation.