I have long argued for the benefits of an outside-in view of business architecture. In 2008-9, Tony Bidgood and I developed a worked example based on the fictional delivery company Springfield Parcels, to illustrate a range of different business improvement paradigms and modelling notations. One of the key insights from this material was the importance of modelling your customer's process as well as your own. See also my post on Customer Orientation (May 2009).
A few years later, I worked with a regulator that had a complex relationship with the industry (industries) that it was regulating. The regulator's processes consisted largely of a series of complex responses to external events and activities, so I built a business service architecture to provide an outside-in view.
In those not-so-far-off days, regulated companies submitted meticulously compiled dossiers of information to the regulator for review and adjudication. This was a highly sequential and slow process, each stage typically taking several months if not years.
This delay was always a particular challenge in industries such as pharmaceuticals, where regulatory approval is needed before a new drug can be put on the market.
The UK drug regulator, the Medicines and Healthcare products Regulatory Agency (MHRA) was already looking at changing this sequential process before the COVID-19 pandemic struck. With the new Rolling Review approach, the regulator is able to start pre-assessment during the late clinical trials, and substantially reduce the time to market for innovative new treatments. This helps to explain the remarkable speed with which the COVID vaccines were tested and approved. The BBC Horizon programme includes a contribution from Christian Schneider, the MHRA's Interim Chief Scientific Officer.
The principle of rolling review also applies internally within organizations, where innovations often need to be reviewed from various perspectives. Some stakeholders prefer to wait until all the details of the innovation have been worked out, so they can be reviewed holistically. Others prefer to be involved as early as possible, since this provides more chance to influence the overall design and approach. Late involvement may seem a more efficient use of expert resource, but often leaves the expert with little more than a go/nogo decision.
We often see this dilemma with privacy and security. Advocates of security-by-design and privacy-by-design like to get in early; however, it may be difficult to carry out a rigorous Data Protection Impact Assessment (DPIA) if you don't yet know any of the answers to the questions on the template.
The fundamental point here is that all these side processes - regulation, assessment or governance - are only meaningful in terms of the main processes that they are regulating, assessing or governing. So it doesn't make sense to optimize the side process in isolation. The point is to innovate quickly and safely, not to make life easier for the regulators. And the outside-in business service architecture is a great tool for focusing everyone's minds on this.
ICO, What is a DPIA?
Sandra Kanthal, Marvellous Medicine (BBC Radio 4 - Horizon, 20 June 2021)
MHRA, Rolling Review for Market Authorisation Applications (UK Government, 31 December 2020)
Richard Veryard and Tony Bidgood, A
Brief Evaluation of Business Modeling and Improvement Methodologies (CBDI Journal, December 2008)