1. Technical Field
The present invention relates in general to the field of computers and similar technology systems, and in particular to software utilized by such systems to implement methods and processes. Still more particularly, the present invention relates to a computer-implementable method and system for coordinating data structures to populate, manage and enable regulatory compliance applications through a single infrastructure that adapts to existing and future compliance requirements.
2. Description of the Related Art
Enterprises face an alphabet soup of regulatory requirements that are continually being propagated and amended by federal, state and local governments, as well as other regulatory bodies. Such regulatory requirements include those promulgated by the U.S. government, including the Sarbanes-Oxley Act (SOX), the Patriot Act, the Occupational Safety and Health Act (OSHA), the Bank for International Settlements' Basel Committee “Basel II” regulation for the banking industry, the Health Insurance Portability and Accountability Act (HIPAA), etc. While some regulations are industry specific (e.g., OSHA CFR 1926 standards apply only to the construction industry), others are cross-industry regulations (e.g., OSHA CFR 1910 standards).
Besides governmental regulations, enterprises also must comply with industry standards, such as accreditation requirements from the Joint Commission on Accreditation of Hospitals (JCAH) for hospitals and nursing homes; the International Organization for Standardization's ISO 9000 et seq. standards for manufacturing and other industries, etc.
Besides the difference in promulgating bodies (i.e., governments promulgate regulations while private organizations promulgate standards), regulations tend to be more nebulous than standards. That is, regulations tend to require an enterprise to achieve a final result (e.g., HIPAA's requirement that an employer must keep employees' health records confidential), but without expressly stating how such results are to be achieved. Furthermore, regulations often involve some sort of governmental enforcement agency that is able to levy fines and/or criminal penalties for non-compliance. Standards, on the other hand, tend to be more prescriptive in nature, and often provide model formats and procedures that are to be followed to be in compliance with the standard.
Whether an enterprise is attempting to comply with a regulation or a standard, some degree of decision making is required by the enterprise on how to come into compliance. As a result, most enterprises attack the problem of compliance in a piecemeal manner. That is, to come into compliance with a first governmental regulation, an enterprise will typically establish a top-level strategy created by upper management. A committee is often formed to establish the processes and policies needed to come into compliance, as well as to determine what infrastructure (including hardware and software) is needed. After multiple iterations, a program is set up, but it often becomes stale (outdated) as soon as amendments are made to the regulation. If the committee still has ownership of the process, then the program may or may not be updated to comport with the updates to the regulation.
When the enterprise decides to come into compliance with a second governmental regulation (or an industry standard), the process starts all over again to create a second compliance program. Besides “reinventing the wheel” for aspects of the first compliance program that were already established during the first governmental regulation compliance program, the second program may cause conflicts (e.g., conflicting policies, procedures, resource usage, etc.) with the first program.
The documentation requirements of regulations and standards are considerable. Such documentation must often be in a mandated format, which is populated with specific data related to an enterprise's operations. Thus, a typical approach to compliance with one or more such regulations/standards is extremely costly, both in hardware/software resources as well as in labor/implementation costs. Again, adhering to compliance-related requirements becomes an additional challenge as new regulations are introduced, vaguely written regulations need to be interpreted, multiple regulations overlap and contradict one another, and existing regulations change.