Rules and Regulations: Business Drivers for SOA-based Agile IT
Webinar presented by Adrian Bowles, Ph.D., Program Director, Regulatory Compliance, Object Management Group
[email_address] www.omg.org
Agenda
- Business Drivers for IT Agility
- The Role for Rules
- Rules and Regulatory Compliance
- Rules and SOA
- Technical Foundations
- Business Drivers/Inhibitors
- Recommendations
Business Runs on Rules
[diagram labels: Rules; Products, Processes, People, Policies; Suppliers, Customers, Regulators]
IT Enables Innovation & Agility
[diagram: an opportunity-to-operation lifecycle; labels recovered, grouped by apparent stage: Context Analysis / Intelligence; Opportunity Identification; Opportunity Evaluation/Selection; Opportunity Exploitation / Design (Identify Requirements; Identify & Model Current Processes; Identify & Model Alternatives; Evaluate Alternatives); Application Development (Identify & Acquire Packages, Frameworks/Components; Construct Components and Aggregates); Integration & Operation (Integration, Execution, Refinement)]
Flexibility by Design
[diagram: a layered stack (Hardware, Operating Systems, Infrastructure Management, Horizontal Services, Domain Components, Applications, Web) annotated with Migration Value and with renewal cycles of 1-18 months, 12-24 months and 36-60 months]
Characteristics of Change
[chart: rate of change plotted against cost of change (low to high), placing Data, Business Logic, Infrastructure and Rules; example drivers of change: Pricing, New Market Entry, Fashion, Culture]
The Fundamental Rule
Changing a rule should not start a ripple effect throughout a system or systems.
[diagram: the choice between embedded rules and rule management. Embedded rules: processes P1..P4 each carry their own copies of the rules they apply (reading left to right: P1: r1, r2, r3; P2: r1, r6; P3: r5; P4: r1, r5, r7), so a rule such as r1 is duplicated in three processes and a change to it must be made in each. Rule management: rules r1..r7 are held once and the processes reference them.]
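The choice on this slide, as an added worked example (illustrative code written for this page, not code from the presentation or from OMG): the same four processes and rule ids, first with rule r1 copied into each process, then with the rules held in a small registry that versions each rule and records every evaluation. The rule contents (an approval limit, served jurisdictions, a retention period), the hypothetical RuleRegistry class and the order data are all constructed for the demonstration.

```python
"""Embedded rules vs. managed rules, following the slide's P1..P4 / r1..r7 labels.

Constructed example, not code from the presentation: the rule contents
(approval limit, served jurisdictions, retention period) are invented.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# --- Left side of the slide: rule r1 embedded (copied) into each process ---
# The 10,000 limit is hard-coded three times. Raising it means finding and
# editing every process that copied it, and nothing records which limit applied.

def p1_embedded(facts: dict) -> bool:
    return facts["amount"] <= 10_000 and facts["account_active"] and bool(facts.get("po_number"))

def p2_embedded(facts: dict) -> bool:
    return facts["amount"] <= 10_000 and facts["kyc_verified"]

def p4_embedded(facts: dict) -> bool:
    return facts["amount"] <= 10_000 and facts["region"] in ("US", "EU") and facts["retention_years"] >= 7

# --- Right side of the slide: rules managed in one place, referenced by id ---

@dataclass
class Rule:
    rule_id: str
    version: int
    description: str
    predicate: Callable[[dict], bool]

@dataclass
class RuleRegistry:
    """Hypothetical registry: holds each rule once, versions changes, discloses every evaluation."""
    rules: Dict[str, Rule] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, rule_id: str, description: str, predicate: Callable[[dict], bool]) -> int:
        """Add or replace a rule; replacing bumps the version so audits show which text applied."""
        prev = self.rules.get(rule_id)
        version = prev.version + 1 if prev else 1
        self.rules[rule_id] = Rule(rule_id, version, description, predicate)
        return version

    def evaluate(self, process: str, rule_ids: List[str], facts: dict) -> bool:
        """Evaluate the named rules and record (rule id -> version, outcome) for the audit trail."""
        outcomes: Dict[str, Tuple[int, bool]] = {}
        for rid in rule_ids:
            rule = self.rules[rid]
            outcomes[rid] = (rule.version, bool(rule.predicate(facts)))
        passed = all(ok for _, ok in outcomes.values())
        self.audit_log.append({"process": process, "rules": outcomes, "passed": passed})
        return passed

# Which rules each process references, as drawn on the slide (r4 is defined but unused by P1..P4).
PROCESS_RULES: Dict[str, List[str]] = {
    "P1": ["r1", "r2", "r3"],
    "P2": ["r1", "r6"],
    "P3": ["r5"],
    "P4": ["r1", "r5", "r7"],
}

def build_registry() -> RuleRegistry:
    reg = RuleRegistry()
    reg.register("r1", "order within single-approval limit", lambda f: f["amount"] <= 10_000)
    reg.register("r2", "customer account is active", lambda f: f["account_active"])
    reg.register("r3", "order carries a purchase-order number", lambda f: bool(f.get("po_number")))
    reg.register("r4", "supplier is on the approved list", lambda f: f.get("supplier_approved", False))
    reg.register("r5", "customer region is a served jurisdiction", lambda f: f["region"] in ("US", "EU"))
    reg.register("r6", "KYC check completed", lambda f: f["kyc_verified"])
    reg.register("r7", "records retained for at least 7 years", lambda f: f["retention_years"] >= 7)
    return reg

def run_process(reg: RuleRegistry, process: str, facts: dict) -> bool:
    return reg.evaluate(process, PROCESS_RULES[process], facts)

def processes_using(rule_id: str) -> List[str]:
    """Impact analysis: which processes a rule change touches, found without reading any of them."""
    return sorted(p for p, rids in PROCESS_RULES.items() if rule_id in rids)

def demo() -> Tuple[Dict[str, bool], Dict[str, bool], RuleRegistry]:
    # Constructed order that trips r1 under the original limit
    order = {"amount": 12_000, "account_active": True, "po_number": "PO-1",
             "region": "EU", "kyc_verified": True, "retention_years": 7}
    reg = build_registry()
    before = {p: run_process(reg, p, order) for p in PROCESS_RULES}
    # Regulatory change: the approval limit rises. One registration, one new version;
    # P1, P2 and P4 pick it up with no code change, and the audit log shows r1 v2 from here on.
    reg.register("r1", "order within single-approval limit (raised)", lambda f: f["amount"] <= 15_000)
    after = {p: run_process(reg, p, order) for p in PROCESS_RULES}
    return before, after, reg

if __name__ == "__main__":
    before, after, reg = demo()
    print("before:", before)
    print("after: ", after)
    print("r1 is referenced by", processes_using("r1"))
    print("last audit record:", reg.audit_log[-1])
```

Raising the limit is a single `register` call rather than three edits; `processes_using` gives the impact set of a rule change without opening any process code; and each audit record names the rule version that decided the outcome, which is the disclosure a compliance review asks for and which the embedded variant cannot produce.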
Regulatory Compliance Costs IT $billions
- The US passes over 4,000 new final rules annually.
- Sarbanes-Oxley (SOX) impacts all US public firms at a typical cost to IT of $0.5-1M annually. The UK Companies Act has similar intent, and more jurisdictions will enact governance regulations nationally and collectively.
- Basel II will cost over $15B globally.
- A typical international bank may be governed by over 1000 regulations.
- Different jurisdictions have conflicting rules, e.g. fundamental differences between US and EU privacy assumptions.
- And the rules keep changing!
Overlapping Intent & Requirements
[diagram: three overlapping areas, each with its goal: Governance (Ensuring Transparency & Validity), Privacy (Protecting Private Information), Security (Protecting Critical Data/Infrastructure). Regulations placed across them: Sarbanes-Oxley, Basel II, SEC Rules 17a-3/4, PIPEDA, NORPDA, SB 1386, USA PATRIOT, HIPAA, GLBA, 21 CFR Part 11]
Regulatory Impact by System
Automated IT Compliance
Goal: automated detection of new regulatory requirements and rule-based generation of policies.
[diagram: C-GRID, a Global Regulatory Information Database, is queried by SIC/NAICS code, geography, etc. and returns the relevant regulations; these feed IT compliance policies/procedures, a gap analysis, and updates. Rules and requirements flow between the database, IT Strategy & Operations, and other stakeholders: vendors, auditors, regulators, users]
Service Oriented Architecture Basics
An SOA is a business-oriented framework for application development that:
- is based on open standards;
- maps business processes to coarse-grained software "services" (e.g. "credit check" rather than "print");
- facilitates integration of these loosely-coupled services into platform-independent applications.
Loose coupling promotes agility by facilitating reuse, asynchronous communications, and distributed development/deployment.
Leading Drivers for SOA Adoption
- Complexity of alternatives
- Focus on demonstrable ROI
- Maintenance costs of the status quo
- Desire to:
  - build on top of legacy systems and data;
  - achieve widespread reuse;
  - achieve better IT/business alignment (IT following business rules and goals);
  - rationalize/standardize meta-objectives, like enterprise security initiatives.
Inhibitors to SOA Adoption
Business
- Inter-firm collaboration still has cultural hurdles, but that is where the biggest SOA benefits will be found.
- The SMB market is tougher than large enterprise, which can benefit more from internal SOA projects (where complexity is a bigger factor).
- Un-integrated departmental/divisional web services projects may erroneously give SOA a bad reputation.
- Up-front costs tied to business risk are currently an inhibitor to new initiatives.
Technical
- The trade-off between specificity and reusability makes it hard to justify initial efforts.
- Wariness of immature standards and products.
What to Expect for the Rest of the Decade
Architecture
- SOA as the de facto development approach, supported by increased use of modeling and simulation.
- Rules engines as the default approach to capturing, managing and disclosing policies for business agility and compliance.
Regulations
- More global concern for security and privacy.
- More stringent enforcement as the state of the practice matures.
- New geo-specific regulations that will gradually converge.
- Focus on data and storage: retention, recovery, provable accuracy.
- Improved and integrated dashboard and scorecard products.
Summary of Recommendations
Applications and Architecture
- Isolate policy/rule processing to improve visibility and agility.
- Adopt SOA as the underlying approach to component development and communications.
Compliance
- Factor requirements to leverage commonalities.
- Find common rules and manage them together.
- Eliminate redundancies in data, processes, and systems.
- Automate security and auditing efforts.
Data, Procedures & Testing