In financial services, process rules content

I came into the process automation industry by way of content-driven workflow: the scanning of a paper document – such as an application form – triggered a workflow that was focused on manual data entry of the information on this document into a transaction processing system. I became more interested in how to design and optimize the process side of things, but never lost sight of the fact that unstructured content (documents, emails, media) is an integral part of many processes. What became increasingly apparent is that in order to have properly-governed content-rich processes, process must control access to content, in addition to whatever controls are in place in the content management systems themselves.

This is especially true of complex customer-facing processes such as insurance underwriting and claims, where the underlying purpose of the process is to collect sufficient information in order to make a decision (whether or not to insure, or whether to pay a claim) and set a value associated with that decision (the premium or claim amount). Some of that information comes in the form of data, captured from the customer in a web form or manually entered from their submitted application, but some will be unstructured content: property evaluations, photos, proof of income, medical reports, and more. This content may need to be accessed by anyone involved in the process, including the underwriter, claims manager, other internal workers, third parties, and even the customer themselves.

However, you can’t just give all of these people open access to the content: there must be limits set on who can see what content, and at what point in the process. This is where process and rules come into play, plus some clever handling of the content itself.

First of all, there’s the question of whether someone should be able to see a piece of content at all: this is usually based on their role and the particular task that they are performing within the process, but may also be filtered by the specific case or customer. For example, a junior underwriter may be able to see all content related to all of their customer cases and also access similar cases for context, but must be prevented from accessing content related to high-profile customers such as politicians or their own company executives. A third party, such as a property evaluator, may require access to some of the content in order to determine the scope of their evaluation, but only for the cases assigned to them. And the customer should be able to see the documents that they submitted as well as some of the underwriter’s work in progress, although not anything that would violate company confidentiality or that of other customers.

Next, there’s the question of whether someone should be able to see all of the information within a particular piece of content. This is especially true of content such as application forms, which may contain private customer information such as banking details. Even if someone has access to the content based on their role in the process, some part of the content may need to be redacted to ensure customer privacy.

A good content management system will apply both access control and redaction based on the specific user, but that misses two key things: first of all, the same user may take on different roles in the context of different processes, and thereby require different types of access. Secondly, most companies don’t keep all of their information in a good content management system: instead, it’s spread across an ad hoc collection of content management systems (some of them dating back decades) and network file shares. Internal employees have too much access, and can directly access any content that is available on their internal network. External third parties and customers aren’t given enough access, since they can’t see any of the internally-stored content even if they need it for their own work.

Follow Sandy on her personal blog Column 2.