1 1 Rules and Regulations Business Drivers for SOA-based Agile IT Presented by Adrian Bowles, Ph.D. Program Director, Regulatory Compliance Object Management Group

2 2 Agenda  Business Drivers for IT Agility –The Role for Rules  Rules and Regulatory Compliance  Rules and SOA –Technical Foundations –Business Drivers/Inhibitors  Recommendations

PRODUCTS Business Runs on Rules PROCESSES PEOPLE POLICIES Suppliers Customers Regulators RULES 3

IT Enables Innovation & Agility Integration, Execution, Refinement Identify & Model Current Processes Identify & Model Alternatives Evaluate Alternatives Context Analysis Intelligence Application Development Opportunity Identification Opportunity Exploitation Design Identify Requirements Identify & Acquire Packages, Frameworks/ Components Construct Components and Aggregates Integration & Operation Opportunity Evaluation/Selection 4

Migration Value Infrastructure Management Applications Operating Systems Horizontal Services Domain Components Hardware Renewal Cycle 1-18 months Web months months Flexibility by Design 5

Characteristics of Change Rate of Change Cost of Change Low High Data Business Logic Infrastructure RULES Pricing New Market Entry Fashion Culture 6

The Fundamental Rule Choice P1P2P3P4 Embedded Rules Rule Management P1 P2 P3 P4 r1,r2,r3 r1,r2,r3 r1 r2 r3 r4 r5 r6 r7 Changing a rule should start a ripple effect throughout a system or systems 7 r1,r6r5 r1,r5,r7 r1,r5,r7

Regulatory Compliance Costs IT $billions  The US passes over 4,000 new final rules annually  Sarbanes-Oxley (SOX) impacts all US public firms at a typical cost to IT of $.5-1M annually. The UK Companies Act has similar intent, and more jurisdictions will enact governance regulations nationally and collectively.  Basel II will cost over $15B globally  A typical international bank may be governed by over 1000 regulations  Different jurisdictions have conflicting rules –Ex. US vs EU fundamental differences in privacy assumptions And, the Rules keep changing! 8

Overlapping Intent & Requirements Governance Privacy Security Sarbanes-Oxley Basel II SEC Rules 17a-3/4 PIPEDANORPDA SB 1386 USA PATRIOT HIPAA GLBA 21 CFR Part 11 Protecting Critical Data/Infrastructure Protecting Private Information Ensuring Transparency & Validity 9

Regulatory Impact by System 10

Automated IT Compliance C-GRID Global Regulatory Information Database Query: SIC/NAICS, Geography… Relevant Regulations Relevant Regulations IT Compliance Policies/Procedures Gap Analysis Updates Goal: Automated Detection of New Regulatory Requirements and Rule-Based Generation of Policies Other Stake-holders Vendors Auditors Regulators Users IT Strategy & Operations Rules 11 Requirements Rules

 An SOA is a business-oriented framework for application development that: –is based on open standards –maps business processes to coarse-grained software “services” ex. “credit check” vs “print” –Facilitates integration of these loosely-coupled services into platform-independent applications  Loose coupling promotes agility by facilitating: –reuse, –asynchronous communications, and –distributed development/deployment 12 Service Oriented Architecture Basics

Leading Drivers for SOA Adoption  Complexity of alternatives  Focus on demonstrable ROI  Maintenance costs of status quo  Desire to –Build on top of legacy systems and data –Achieve widespread reuse –Achieve better IT/business alignment (IT following business rules and goals) –Rationalize/standardize meta-objectives, like enterprise security initiatives 13

Inhibitors to SOA Adoption  Business –Inter-firm collaboration still has cultural hurdles, but that’s where the biggest SOA benefits will be found –SMB market tougher than large enterprise, which can benefit more from internal SOA projects (where complexity is a bigger factor) –Un-integrated departmental/divisional web services projects may erroneously give SOA a bad reputation –Up-front costs tied to business risk, currently an inhibitor to new initiatives  Technical –Trade off between specificity and reusability makes it hard to justify initial efforts –Wariness of immature standards and products 14

 Architecture –SOA as the de facto development approach, supported by increased use of modeling and simulation –Rules engines as the default approach to capturing, managing and disclosing policies for business agility and compliance  Regulations –More global concern for security and privacy –More stringent enforcement as the state of the practice matures –New geo-specific regulations, will gradually converge –Focus on data and storage - retention/recovery/provably accurate –Improved & integrated dashboard and scorecard products What to Expect for the Rest of the Decade 15

16 Summary of Recommendations  Applications and Architecture –Isolate policy/rule processing to improve visibility and agility –Adopt SOA as the underlying approach to component development and communications  Compliance –Factor requirements to leverage commonalities Find common rules and manage them together Eliminate redundancies in data, processes, and systems –Automate Security & Auditing efforts Data, Procedures & Testing

17 Rules and Regulations Business Drivers for SOA-based Agile IT Presented by Adrian Bowles, Ph.D. Program Director, Regulatory Compliance Object Management Group