Standards are of two main types: management/process and regulatory.
Regulatory standards are mandated by law. Management or process standards are
not mandatory, and an organization is usually free to choose the ones it wants
or needs to follow. However, circumstances can make it necessary for an
organization to toe the line of such standards, such as being associated with
another organization or a government that requires its partners to follow a
certain standard. While the importance of adhering to standards, both to remain
within the bounds of the law and to maintain a minimum level of competency,
cannot be denied, their implementation and enforcement can be assisted by IT.
Management/process standards
These are a set of guidelines or principles set forth by reputed management
institutions or experts. The four most common standards are as follows.
Six Sigma
A process-quality standard that measures how close a process or deliverable
comes to perfection. It can be applied to any process to measure how much
quality is delivered: it counts how many opportunities existed to deliver a
unit of perfect quality and how many of them had at least one defined defect.
Depending on how critical the process is, the specification can be relaxed.
For example, one can define that a manufactured car chassis is completely
defective if there exists even one deviation from the exact technical
specifications for that chassis (even though the car may still work fine with
that defect). To be considered a Six Sigma compliant process, the calculation
must not yield more than 3.4 defects per million opportunities. The
implementation requires the assistance of experienced Six Sigma leaders called
'green belts' who are themselves overseen by a master called a 'black belt.'
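The defects-per-million-opportunities (DPMO) figure described above, worked through in Python. This is an added example, not code from the original article or from any Six Sigma body; the 1.5 sigma long-term shift used to convert DPMO into a sigma level is a common Six Sigma convention that the article does not mention, and the chassis inspection counts are constructed sample values.

```python
from statistics import NormalDist

# Threshold quoted in the text: a Six Sigma process yields at most 3.4 defects
# per million opportunities (DPMO).
SIX_SIGMA_DPMO = 3.4
# Conventional 1.5 sigma long-term process shift (an assumption of this example;
# the text does not state it). With this shift, 3.4 DPMO maps to a 6.0 sigma level.
LONG_TERM_SHIFT = 1.5


def dpmo(defects, units, opportunities_per_unit):
    """Defects per million opportunities for one production run."""
    total_opportunities = units * opportunities_per_unit
    if total_opportunities <= 0:
        raise ValueError("a run needs at least one opportunity")
    if not 0 <= defects <= total_opportunities:
        raise ValueError("defects must lie between 0 and the number of opportunities")
    return defects / total_opportunities * 1_000_000


def sigma_level(dpmo_value):
    """Short-term sigma level implied by a long-term DPMO figure.

    The defect fraction is placed in the upper tail of a standard normal
    distribution; the z-value of that tail plus the 1.5 sigma shift is the
    sigma level. Edge cases: zero defects gives an unbounded level, and a run
    in which every opportunity failed gives the opposite extreme.
    """
    p = dpmo_value / 1_000_000
    if p <= 0:
        return float("inf")
    if p >= 1:
        return float("-inf")
    return NormalDist().inv_cdf(1 - p) + LONG_TERM_SHIFT


def is_six_sigma(dpmo_value):
    """True when the run meets the 3.4 DPMO ceiling quoted in the text."""
    return dpmo_value <= SIX_SIGMA_DPMO


def assess_run(defects, units, opportunities_per_unit):
    """Summarise one run: DPMO, implied sigma level and Six Sigma compliance."""
    d = dpmo(defects, units, opportunities_per_unit)
    return {"dpmo": d, "sigma_level": sigma_level(d), "six_sigma": is_six_sigma(d)}


# Constructed sample: 1,000 chassis, 50 specification checks on each, 17 failed
# checks in total (any single deviation counts as a defect, as the text says).
CHASSIS_RUN = {"units": 1000, "opportunities_per_unit": 50, "defects": 17}

if __name__ == "__main__":
    result = assess_run(**CHASSIS_RUN)
    print(f"DPMO: {result['dpmo']:.1f}, sigma level: {result['sigma_level']:.2f}, "
          f"Six Sigma compliant: {result['six_sigma']}")
```

The constructed run comes out at 340 DPMO, roughly a 4.9 sigma process: far better than most manual processes, yet two orders of magnitude short of the 3.4 DPMO Six Sigma ceiling, which illustrates how demanding that ceiling is.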
ITIL
Information Technology Infrastructure Library (ITIL) is a set of management best
practices that lead the enterprise toward value for money while maintaining
quality in its IT services. ITIL is vendor independent and is published as a
series of books by the OGC (Office of Government Commerce), a UK treasury
office. Several international standards, such as ISO 20000, have come out of
ITIL practices. It standardizes IT practices across different organizations
along a common set of guidelines. Although IT services are covered under the
original/existing ITIL specifications, the OGC has issued a new specification
of ITIL to deal specifically with various aspects of IT services: the design,
introduction, operation, improvement and strategy of IT services. ITIL v3 is
expected to become available in Q2 of 2007.
Just-in-time (JIT)
This is an inventory strategy that improves cost management by reducing
in-process inventory. JIT is the standard that gave us the well-known 're-order
level' for stocks, which is nothing but a pre-defined limit based on historical
demand patterns for stocks of different products or components. Visual signals
known as 'kanban' govern the re-order rate by calling for fresh supplies when
stocks disappear from the shelves.
However, when demand increases suddenly and unpredictably, JIT can actually
hinder the process and increase costs. To smooth the ride over such unstable
periods, JIT recommends that two standard deviations of stock be maintained as
a safety margin. The right balance is achieved when re-order levels are reduced
to very low quantities and refreshed frequently instead of keeping surplus
stocks.
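The re-order level and kanban rule described above, worked through in Python. This is an added example, not code from the original article or from any JIT/kanban reference: the demand history and the demand series are constructed sample data, and the example assumes (as the article does not say) that the "two standard deviations" apply to demand over the replenishment lead time, with daily demand treated as independent so that the lead-time deviation scales with the square root of the lead time. The second demand series includes a sudden spike to show the failure mode the text warns about.

```python
import math
from statistics import mean, stdev


def reorder_level(daily_demand_history, lead_time_days, safety_sigmas=2.0):
    """Re-order level from historical demand: expected demand over the lead
    time plus a safety margin of `safety_sigmas` standard deviations.

    Assumption of this example: daily demands are independent, so the
    standard deviation over n days is sqrt(n) times the daily one.
    """
    if lead_time_days < 1:
        raise ValueError("lead time must be at least one day")
    if len(daily_demand_history) < 2:
        raise ValueError("need at least two days of history")
    expected = mean(daily_demand_history) * lead_time_days
    safety = safety_sigmas * stdev(daily_demand_history) * math.sqrt(lead_time_days)
    return math.ceil(expected + safety)


def simulate_kanban(demand, opening_stock, level, order_qty, lead_time_days):
    """Walk a demand series day by day under one kanban-style rule: when stock
    falls to the re-order level and no order is outstanding, place a single
    order of `order_qty` that arrives `lead_time_days` later. Returns the
    number of orders placed, the demand that went unmet, and closing stock."""
    stock = opening_stock
    arrivals = {}          # day -> quantity arriving that morning
    outstanding = False
    orders = 0
    shortfall = 0
    for day, d in enumerate(demand):
        if day in arrivals:
            stock += arrivals.pop(day)
            outstanding = False
        served = min(stock, d)
        shortfall += d - served
        stock -= served
        if stock <= level and not outstanding:
            arrivals[day + lead_time_days] = order_qty
            outstanding = True
            orders += 1
    return {"orders": orders, "shortfall": shortfall, "closing_stock": stock}


# Constructed sample data: ten days of past daily demand, then a stable week
# followed by an unpredicted spike.
HISTORY = [40, 42, 38, 45, 41, 39, 44, 40, 43, 38]
STABLE_DEMAND = [41, 40, 42, 41, 43, 40]
SPIKE_DEMAND = [90, 95, 100, 42]
LEAD_TIME_DAYS = 2
ORDER_QTY = 100
OPENING_STOCK = 150

if __name__ == "__main__":
    level = reorder_level(HISTORY, LEAD_TIME_DAYS)
    print("re-order level:", level)
    print("stable demand:", simulate_kanban(STABLE_DEMAND, OPENING_STOCK, level,
                                            ORDER_QTY, LEAD_TIME_DAYS))
    print("with spike:   ", simulate_kanban(STABLE_DEMAND + SPIKE_DEMAND,
                                            OPENING_STOCK, level, ORDER_QTY,
                                            LEAD_TIME_DAYS))
```

With the constructed history the re-order level comes out at 89 units. Over the stable week the rule places two orders and meets every unit of demand; once the spike arrives, the same low level and two-day lead time leave 124 units unmet, which is the cost-raising hindrance the text describes.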
CMMI
The SEI (Carnegie-Mellon Software Engineering Institute) developed the original
CMM as a process assessment model that helps refine processes in an
organization. The original CMM dealt only with software development. The model
evaluates the maturity of a process (benchmark) in an organization based on the
project and its client.
The SEI upgraded CMM to CMMI (CMM Integration) in 2002. CMMI helps you
integrate different organizational processes. The latest version of CMMI
(version 1.2, released a few months ago) supersedes the CMM and has three
main areas: development, services and acquisition. The CMM identifies five
key areas for evaluating maturity (goals, commitment, ability, measurement
and verification) and sets up five levels of maturity for each: initial,
repeatable, defined, managed and optimizing.
CMM and CMMI are not off-the-shelf models; they need to be customized on a
per-organization basis. For this reason, no organization can be 'certified' as
being CMMI compliant. They can only be benchmarked/appraised and the results of
that appraisal released.
Regulatory standards
Devised by various regulatory bodies and governments of different nations, these
are rules that organizations must follow to continue functioning within the
framework of law.
Sarbanes-Oxley & Clause 49
The actual name of Sarbanes-Oxley is the Public Company Accounting Reform and
Investor Protection Act of 2002. Among its several other provisions, the Act
mandates financial disclosure. To make the reporting as effective, transparent
and trustworthy as possible, two kinds of certification are required under
Sarb-Ox.
One is from the authorized signatories of the organization, certifying that
they are responsible for establishing and maintaining internal controls and that
they have designed such controls to provide information about the company and
its subsidiaries to the internal officers for the period that these reports are
about.
These signatories must also certify that they have verified the effectiveness
of these controls. Similarly, the management must prepare and present an
internal controls report as a part of each report as per the US Annual Exchange
Act.
This report must certify that the management is responsible for establishing
and maintaining accurate financial reporting processes and that they have been
assessed and found effective.
Companies listed with the Indian stock exchanges must adhere to the Listing
Agreement. Clause 49 of this agreement is currently in the limelight because of
changes made to it based on the recommendations of the Committee on Corporate
Governance chaired by Narayana Murthy.
This clause sets out guidelines for companies regarding their disclosure
policies, with specific steps that key decision makers in the organization must
take. The key requirement of Clause 49 is the CEO/CFO certification that proper
controls are in place for financial and non-financial processes and that no
transactions have been entered into that are fraudulent, illegal or violate the
code of conduct of the company.
Tools you can use

Regulation/Standard | Vendor | Software
Six Sigma | Minitab | Minitab 14, Quality Companion and (Service) Mentoring
Six Sigma | SigmaXL | SigmaXL
Six Sigma | iGrafx | Process for Six Sigma
ITIL | BPMSpace | BPMSpace
ITIL | IBM | Tivoli
ITIL | CA | Service Management Accelerator
- | SAP/Virsa | Compliance Calibrator
- | OpenPages | Sarbanes-Oxley Express 404
- | Oracle | Tools for compliance
Clause 49 | Skelta Software | Skelta Accelerator
Sarb-Ox, Basel II, FDA | SAP | GRC
Sarb-Ox | Oracle | PeopleSoft Enterprise Internal Controls Enforcer
COBIT
The Control Objectives for Information and Related Technology is an
internationally accepted IT governance framework. COBIT allows for effective
policy development and IT control practices throughout the enterprise. The
current version of COBIT is 4.0. The framework identifies four domains
(planning and organization, acquisition and implementation, delivery and
support, and monitoring) covering 34 IT processes. For each domain, the
framework defines criteria such as effectiveness, efficiency, confidentiality,
integrity, availability, compliance and reliability.
COBIT is a learning process that prompts the top management of an enterprise
to ask, of each IT process, questions about the relevance of a particular
domain to their business, its performance, who is accountable for the process,
and how or whether the process and its controls are formalized. As a framework,
COBIT is useful for management, users and auditors.
Basel II and RBI
This is a banking standard that looks at improving risk measurement in the
setting of capital requirements, regulatory compliance in risk management and
market-facing disclosures by the bank. Basel I, adopted in 1988, did not take
risk management into account, and arbitration by regulators could easily
circumvent its provisions. Therefore in 2001 the 'three pillar' Basel II was
adopted by the BCBS (Basel Committee on Banking Supervision). The first 'pillar'
of Basel II takes care of credit, operational and market risk management. The
second pillar arms regulators with tools to assess and govern risk of various
types, including legal and liquidation risk. The final pillar gives the market a
better picture of the risk position of the bank.
The RBI in February 2005 decreed that the stipulations of Basel II would apply
only to scheduled commercial banks. Further, it allowed banks in India to use
only supervisory haircuts (the extent of marginal capital for a particular
asset) and no internal haircuts.
The regulation does not take into account double default (both obligor and
guarantor defaulting) before a loss is recorded as incurred. Neither does it
take portfolio diversification (which is standard practice today) into
account. Post-Basel II, the onus for assessing and maintaining capital
requirements (including implementing the processes required to do so) is put
squarely on banks.
HIPAA
This is a standard for the medical health insurance industry that was voted into
effect by the US Congress in 1996. The act governs individual and group health
insurance and how they can be accessed, transferred, renewed and protected
against misuse (fraud). Basically, group health plans are placed out of reach
for individuals, with the exclusion of private health plans. The regulation also
specifies how to deal with misuse of health insurance plans and claims, and sets
out penalties for this. A privacy rule was added in 2003, which governs how
certain types of health-related information, called PHI (Protected Health
Information), can be disclosed or protected. The specified types were: health
status, how health care was being provided for or availed of, and payments made,
as applicable to an individual within certain types of entities. Such
individuals can also safeguard their contact information. The entities must
then maintain records of all disclosures made, appoint a privacy official and
provide training about PHI.