webinar bowles

Rules and Regulations: Business Drivers for SOA-based Agile IT. Presented by Adrian Bowles, Ph.D., Program Director, Regulatory Compliance, Object Management Group. [email protected] www.omg.org

Upload: rsuthar

Post on 13-Apr-2017


Category:

Business



TRANSCRIPT

Page 1: Webinar Bowles

Rules and Regulations

Business Drivers for SOA-based Agile IT

Presented by

Adrian Bowles, Ph.D.

Program Director, Regulatory Compliance

Object Management Group

[email protected]

www.omg.org

Page 2: Webinar Bowles

Agenda

Business Drivers for IT Agility

– The Role for Rules

Rules and Regulatory Compliance

Rules and SOA

– Technical Foundations

– Business Drivers/Inhibitors

Recommendations

Page 3: Webinar Bowles

Business Runs on Rules

[Diagram labels: Products, Processes, People, Policies, Suppliers, Customers, Regulators, Rules]

Page 4: Webinar Bowles

IT Enables Innovation & Agility

[Diagram labels: Integration, Execution, Refinement; Identify & Model Current Processes; Identify & Model Alternatives; Evaluate Alternatives; Context Analysis; Intelligence; Application Development; Opportunity Identification; Opportunity Exploitation; Design; Identify Requirements; Identify & Acquire Packages, Frameworks/Components; Construct Components and Aggregates; Integration & Operation; Opportunity Evaluation/Selection]

Page 5: Webinar Bowles

Flexibility by Design

[Diagram labels: Migration; Value; Infrastructure Management; Applications; Operating Systems; Horizontal Services; Domain Components; Hardware; Web. Renewal Cycle: 1-18 months; 36-60 months; 12-24 months]

Page 6: Webinar Bowles

Characteristics of Change

[Chart. Axes: Rate of Change, Cost of Change (scale marks: Low, High, High). Plotted labels: Data; Business Logic; Infrastructure; RULES; Pricing; New Market Entry; Fashion; Culture]

Page 7: Webinar Bowles

The Fundamental Rule Choice

[Diagram. Embedded Rules: P1, P2, P3, P4, with embedded rule sets labelled r1,r2,r3; r1,r6; r5; r1,r5,r7. Rule Management: P1, P2, P3, P4, with rules r1 r2 r3 r4 r5 r6 r7]

Changing a rule should start a ripple effect throughout a system or systems

Page 8: Webinar Bowles

Regulatory Compliance Costs IT $billions

The US passes over 4,000 new final rules annually

Sarbanes-Oxley (SOX) impacts all US public firms at a typical cost to IT of $.5-1M annually. The UK Companies Act has similar intent, and more jurisdictions will enact governance regulations nationally and collectively.

Basel II will cost over $15B globally

A typical international bank may be governed by over 1000 regulations

Different jurisdictions have conflicting rules

– Ex. US vs EU fundamental differences in privacy assumptions

And, the Rules keep changing!

Page 9: Webinar Bowles

Overlapping Intent & Requirements

[Diagram labels: Governance; Privacy; Security; Sarbanes-Oxley; Basel II; SEC Rules 17a-3/4; PIPEDA; NORPDA; SB 1386; USA PATRIOT; HIPAA; GLBA; 21 CFR Part 11; Protecting Critical Data/Infrastructure; Protecting Private Information; Ensuring Transparency & Validity]

Page 10: Webinar Bowles

Regulatory Impact by System

[Table. Columns (Type of Regulation): Privacy; Security; Governance; Environmental; Trade/Tariff. Rows (IT Impact): Email/IM; Customer data (CRM); Partner Data; Planning Data/ERP; Financial Data; Operational Data (ERP); Storage and access control; Analytics/BI; Process management; Workflow; DBMS Infrastructure; Networking]

Page 11: Webinar Bowles

Automated IT Compliance

Goal: Automated Detection of New Regulatory Requirements and Rule-Based Generation of Policies

[Diagram labels: C-GRID Global Regulatory Information Database; Query: SIC/NAICS, Geography…; Relevant Regulations; IT Compliance Policies/Procedures; Gap Analysis; Updates; Requirements; Rules; IT Strategy & Operations; Other Stakeholders: Vendors, Auditors, Regulators, Users]

Page 12: Webinar Bowles

Service Oriented Architecture Basics

An SOA is a business-oriented framework for application development that:

– is based on open standards

– maps business processes to coarse-grained software “services”, ex. “credit check” vs “print”

– facilitates integration of these loosely-coupled services into platform-independent applications

Loose coupling promotes agility by facilitating:

– reuse,

– asynchronous communications, and

– distributed development/deployment

Page 13: Webinar Bowles

Leading Drivers for SOA Adoption

Complexity of alternatives

Focus on demonstrable ROI

Maintenance costs of status quo

Desire to

– Build on top of legacy systems and data

– Achieve widespread reuse

– Achieve better IT/business alignment (IT following business rules and goals)

– Rationalize/standardize meta-objectives, like enterprise security initiatives

Page 14: Webinar Bowles

Inhibitors to SOA Adoption

Business

– Inter-firm collaboration still has cultural hurdles, but that’s where the biggest SOA benefits will be found

– SMB market tougher than large enterprise, which can benefit more from internal SOA projects (where complexity is a bigger factor)

– Un-integrated departmental/divisional web services projects may erroneously give SOA a bad reputation

– Up-front costs tied to business risk, currently an inhibitor to new initiatives

Technical

– Trade off between specificity and reusability makes it hard to justify initial efforts

– Wariness of immature standards and products

Page 15: Webinar Bowles

What to Expect for the Rest of the Decade

Architecture

– SOA as the de facto development approach, supported by increased use of modeling and simulation

– Rules engines as the default approach to capturing, managing and disclosing policies for business agility and compliance

Regulations

– More global concern for security and privacy

– More stringent enforcement as the state of the practice matures

– New geo-specific regulations, will gradually converge

– Focus on data and storage - retention/recovery/provably accurate

– Improved & integrated dashboard and scorecard products

Page 16: Webinar Bowles

Summary of Recommendations

Applications and Architecture

– Isolate policy/rule processing to improve visibility and agility

– Adopt SOA as the underlying approach to component development and communications

Compliance

– Factor requirements to leverage commonalities

• Find common rules and manage them together

• Eliminate redundancies in data, processes, and systems

– Automate Security & Auditing efforts

• Data, Procedures & Testing

Page 17: Webinar Bowles

Rules and Regulations

Business Drivers for SOA-based Agile IT

Presented by

Adrian Bowles, Ph.D.

Program Director, Regulatory Compliance

Object Management Group

[email protected]

www.omg.org