Rules and Regulations: Business Drivers for SOA-based Agile IT
Presented by
Adrian Bowles, Ph.D.
Program Director, Regulatory Compliance
Object Management Group
www.omg.org
Agenda
– Business Drivers for IT Agility
  • The Role for Rules
– Rules and Regulatory Compliance
– Rules and SOA
  • Technical Foundations
  • Business Drivers/Inhibitors
– Recommendations
Business Runs on Rules
(Diagram: RULES at the centre, linking Products, Processes, People, Policies, Suppliers, Customers and Regulators.)
IT Enables Innovation & Agility
(Diagram: a cycle running from Context Analysis/Intelligence through Opportunity Identification, Opportunity Evaluation/Selection and Opportunity Exploitation into Application Development, and on to Integration, Execution and Refinement.)
– Opportunity evaluation: Identify & Model Current Processes; Identify & Model Alternatives; Evaluate Alternatives
– Application development: Design (Identify Requirements); Identify & Acquire Packages, Frameworks/Components; Construct Components and Aggregates; Integration & Operation
Flexibility by Design
(Diagram: the layers Hardware, Operating Systems, Infrastructure Management, Horizontal Services, Domain Components, Applications and Web, plotted by migration value against renewal cycle; the renewal cycles shown are 1-18 months, 12-24 months and 36-60 months.)
Characteristics of Change
(Chart: Rate of Change against Cost of Change, each running from Low to High, positioning Data, Business Logic, Infrastructure and RULES; example drivers of change: Pricing, New Market Entry, Fashion, Culture.)
The Fundamental Rule Choice
(Diagram contrasting two alternatives.)
– Embedded Rules: processes P1–P4 each carry their own rules (r1,r2,r3 / r1,r6 / r5 / r1,r5,r7), so rules such as r1 and r5 are duplicated across processes
– Rule Management: processes P1–P4 reference one managed set of rules, r1–r7
Changing a rule should start a ripple effect throughout a system or systems
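An added illustration of the two alternatives on this slide (example code, not from the presentation): rules kept in one repository and referenced by id, beside a process that compiled in its own copy of a rule. The process-to-rule mapping follows the slide; the rule bodies, the applicant facts and the credit thresholds are constructed assumptions.

```python
from typing import Callable, Dict, Set

Facts = Dict[str, object]
Rule = Callable[[Facts], bool]

# Central rule repository: the "Rule Management" side of the slide.
# Rule bodies are constructed assumptions (a loan-approval flavour).
RULES: Dict[str, Rule] = {
    "r1": lambda f: f["credit_score"] >= 650,  # credit check
    "r2": lambda f: f["amount"] <= 10_000,
    "r3": lambda f: f["country"] == "US",
    "r4": lambda f: bool(f.get("kyc_done")),
    "r5": lambda f: f["amount"] <= 50_000,
    "r6": lambda f: f["country"] in {"US", "CA"},
    "r7": lambda f: f["credit_score"] >= 700,
}

# Processes reference rules by id (mapping taken from the slide).
PROCESS_RULES: Dict[str, Set[str]] = {
    "P1": {"r1", "r2", "r3"},
    "P2": {"r1", "r6"},
    "P3": {"r5"},
    "P4": {"r1", "r5", "r7"},
}

def run_process(name: str, facts: Facts) -> bool:
    """Managed process: rules are resolved from the repository at run time."""
    return all(RULES[rid](facts) for rid in PROCESS_RULES[name])

def ripple(rule_id: str) -> Set[str]:
    """Processes that must be re-tested when rule_id changes (the ripple)."""
    return {p for p, rids in PROCESS_RULES.items() if rule_id in rids}

def update_rule(rule_id: str, new_rule: Rule) -> Set[str]:
    """Change a rule once, centrally, and report where the change ripples."""
    RULES[rule_id] = new_rule
    return ripple(rule_id)

# Embedded alternative: P2 compiled in its own copy of r1 at deploy time
# (the default argument is bound when this function is defined).
def embedded_p2(facts: Facts, r1_copy: Rule = RULES["r1"]) -> bool:
    return r1_copy(facts) and RULES["r6"](facts)

if __name__ == "__main__":
    applicant = {"credit_score": 660, "amount": 5_000, "country": "US"}  # constructed
    print("before:", run_process("P2", applicant), embedded_p2(applicant))
    print("ripple:", sorted(update_rule("r1", lambda f: f["credit_score"] >= 680)))
    # Managed P2 now rejects; the embedded copy silently keeps the old threshold.
    print("after: ", run_process("P2", applicant), embedded_p2(applicant))
```

The ripple set is also the audit trail a compliance reviewer wants: it names every process whose tests must be re-run after a rule change, which the embedded variant cannot produce.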
Regulatory Compliance Costs IT $billions
– The US passes over 4,000 new final rules annually
– Sarbanes-Oxley (SOX) impacts all US public firms at a typical cost to IT of $.5-1M annually. The UK Companies Act has similar intent, and more jurisdictions will enact governance regulations nationally and collectively.
– Basel II will cost over $15B globally
– A typical international bank may be governed by over 1000 regulations
– Different jurisdictions have conflicting rules
  • Ex. US vs EU fundamental differences in privacy assumptions
– And, the Rules keep changing!
Overlapping Intent & Requirements
(Diagram: overlapping circles for Governance, Privacy and Security.)
– Governance: Ensuring Transparency & Validity
– Privacy: Protecting Private Information
– Security: Protecting Critical Data/Infrastructure
Regulations placed across the overlaps: Sarbanes-Oxley, Basel II, SEC Rules 17a-3/4, PIPEDA, NORPDA, SB 1386, USA PATRIOT, HIPAA, GLBA, 21 CFR Part 11
Regulatory Impact by System
(Matrix of IT impact area against type of regulation; the cell markings did not survive extraction.)
– Type of Regulation: Privacy, Security, Governance, Environmental, Trade/Tariff
– IT Impact: Email/IM; Customer data (CRM); Partner Data; Planning Data/ERP; Financial Data; Operational Data (ERP); Storage and access control; Analytics/BI; Process management; Workflow; DBMS; Infrastructure; Networking
Automated IT Compliance
(Diagram: a query by SIC/NAICS, geography, etc. against C-GRID, the Global Regulatory Information Database, returns the Relevant Regulations; these feed a Gap Analysis against IT Compliance Policies/Procedures, producing Updates. Requirements and Rules flow between IT Strategy & Operations and the other stakeholders: Vendors, Auditors, Regulators, Users.)
Goal: Automated Detection of New Regulatory Requirements and Rule-Based Generation of Policies
Service Oriented Architecture Basics
An SOA is a business-oriented framework for application development that:
– is based on open standards
– maps business processes to coarse-grained software “services” (ex. “credit check” vs “print”)
– facilitates integration of these loosely-coupled services into platform-independent applications
Loose coupling promotes agility by facilitating:
– reuse,
– asynchronous communications, and
– distributed development/deployment
Leading Drivers for SOA Adoption
– Complexity of alternatives
– Focus on demonstrable ROI
– Maintenance costs of status quo
– Desire to
  • Build on top of legacy systems and data
  • Achieve widespread reuse
  • Achieve better IT/business alignment (IT following business rules and goals)
  • Rationalize/standardize meta-objectives, like enterprise security initiatives
Inhibitors to SOA Adoption
Business
– Inter-firm collaboration still has cultural hurdles, but that’s where the biggest SOA benefits will be found
– SMB market tougher than large enterprise, which can benefit more from internal SOA projects (where complexity is a bigger factor)
– Un-integrated departmental/divisional web services projects may erroneously give SOA a bad reputation
– Up-front costs tied to business risk, currently an inhibitor to new initiatives
Technical
– Trade-off between specificity and reusability makes it hard to justify initial efforts
– Wariness of immature standards and products
What to Expect for the Rest of the Decade
Architecture
– SOA as the de facto development approach, supported by increased use of modeling and simulation
– Rules engines as the default approach to capturing, managing and disclosing policies for business agility and compliance
Regulations
– More global concern for security and privacy
– More stringent enforcement as the state of the practice matures
– New geo-specific regulations that will gradually converge
– Focus on data and storage: retention, recovery, provably accurate
– Improved & integrated dashboard and scorecard products
Summary of Recommendations
Applications and Architecture
– Isolate policy/rule processing to improve visibility and agility
– Adopt SOA as the underlying approach to component development and communications
Compliance
– Factor requirements to leverage commonalities
  • Find common rules and manage them together
  • Eliminate redundancies in data, processes, and systems
– Automate Security & Auditing efforts
  • Data, Procedures & Testing