Posted 20-Jan-2015 (uploaded by david-baker)
Separated at Birth – EA and GRC
January 31, 2013
Speaking today
01/31/2013 2 © 2013 PricewaterhouseCoopers LLP
David Baker, Principal, PwC Advisory Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP, [email protected], +1.512.554.9035 (mobile)
Colin Tong, Manager, PwC Advisory Information Risk Management, PricewaterhouseCoopers LLP, [email protected], +1.415.412.9723
Learning objectives
• Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
• See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
• Learn about EA techniques that may reduce the complexity sometimes associated with GRC
• Understand how enterprise architecture models can support GRC activities
• Learn the roles that EA and GRC play together in breaking down GRC silos
Companies continue to face increasing change combined with increasing need for oversight and transparency
[Figure: the enterprise surrounded by stakeholders (Business Unit, Shareholder, The Board, Community, Industry Regulators, Others), oversight functions (Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT) and risk and regulatory domains (FSG, Privacy, Info Sec., Anti-Fraud, BCP, SOX, Credit, AML, FCPA, Op Risk).]
Increasing stakeholder demands
+ Expansion of Risk and Control Oversight Functions
+ Expanding Risks, Laws and Regulations
= • Business Fatigue • Lack of coordination • Duplicate efforts • Risks falling through the cracks • Competition for attention
The current governance, risk and compliance (GRC) environment faces many complications
1. The multifaceted risk environment presents multiple, fragmented views of risk management
2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
4. Compliance is often based on checklists of requirements
Adapted from “Foundations of GRC: Establishing an Enterprise View of Risk & Compliance”, Michael Rasmussen, 2009
The solutions to these complications all involve use of a holistic enterprise operating model
[Figure: PwC’s Operating Model Framework. Layers: CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES (Process, Organisation, Technology, Information, People Capabilities), CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS. Elements shown include Ambition, Business Model, Strategic Agenda, Strategic Foundation; Customers; Products, Services & Solutions; Channels; Intermediaries; Alliance Partners; Brands; Processes; Policies; Application; Integration; Infrastructure; Reports & Analytics; Semantics; Data; Competencies; Workforce & Talent; Reward; Culture & Behaviours; Networks & Interdependencies; Governance Arrangements; Physical Environment; Roles & Accountabilities; Suppliers; Organisation Structure; Tax Structure & Arrangements; Legal & Regulatory Structure; Capital Structure; Cash, Banking & Treasury Structure.]
1. Link enterprise risk management to enterprise performance management
2. Holistic view of how the enterprise operates with integrated GRC capabilities
3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
4. GRC should be managed by specific outcomes (principled performance) rather than checklists.
That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline
[Figure: questions that the business, managers and staff ask of EA, overlaid on the operating model layers (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS).]
Business wants to know / Managers want to know / Staff wants to know:
• Is my portfolio of activities aligned with the strategy?
• Have we done this before? How do we get it done? How do I make sure it’s done correctly? What’s possible?
• Am I meeting expectations efficiently?
• What risks am I taking?
• What do I change? What do I build it with?
• When do I change it? How well am I aligning with our EA?
• What things should I NOT be changing?
• How can I innovate? How quickly can I get it?
• How much does it cost / save? What are the risks?
Like twins separated at birth, GRC and EA work toward the same outcomes
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
[Figure: PwC EA Capability Model, with the capabilities Standards Definition, Innovation, Architecture Governance, Strategic Planning, Portfolio Mgmt and Reference Architecture, placed beside the OCEG GRC Capability Model.]
Let’s return to the GRC complications and see how to apply EA solutions to each
Issue: The multifaceted risk environment presents multiple, fragmented views of risk management
[Chart: departments or functions that serve on the compliance committee. Source: PwC State of Compliance: 2012 Study, June 2012]
EA Answer: Link enterprise risk management to corporate performance management
[Figure: business motivation chain showing Internal & External Drivers, Mission Statement, Vision Statement, Goals, Objectives & Metrics, Strategies, Ambition and Business Model Decisions, connected by the relationships “quantifies”, “makes operative”, “amplifies”, “channels effort” and “a component of”.]
Some terms and relationships adapted from the Object Management Group’s Business Motivation Model, Release 1.3
• Understand the factors that motivate the business
• Extract and drive additional detail into elements of the business model
• Clearly articulate the Ambition – things that the business wishes to achieve
• Clearly articulate the decisions – things that the business will employ to achieve the Ambition
In this way, the business model becomes a common foundation for identifying risks to the business intent
Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
[Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions. Source: PwC State of Compliance: 2012 Study, June 2012]
EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities
[Figure: Corporate Ambition / Business Model and Desired GRC Capabilities mapped onto the Enterprise Operating Model (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS), with the motivation elements Goals, Objectives & Metrics and Strategies.]
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
Impact matrix (GRC capability against the level of the enterprise it affects):

GRC Capability   Ambition Impact   Business Model Impact   Operating Model Impact
Organize         Impact A          Impact B                Impact C
Assess           Impact D          Impact E                Impact F
Proact           Impact G          Impact H                Impact I
Detect           Impact J          Impact K                Impact L
Respond          Impact M          Impact N                Impact O
Measure          Impact P          Impact Q                Impact R
Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
[Figure: the GRC “big picture”, showing the enterprise staying within mandated and voluntary boundaries.]
Includes material copied from or derived from “Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance”, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase
EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
• Strategic Roadmaps: Modernization plans for business areas. Typically 3-5 year view.
• Reference Architectures: reusable patterns for technical and operations solutions
• Guiding Principles: statements used as filters for decision making
• Standards: a library of stable technologies and processes for consistency
Image courtesy of Wikimedia Commons
Issue: Compliance is often based on checklists of requirements
Checklists are like looking in a rearview mirror
☐ Do A ☐ Check B ☐ Redo C ☐ Do D
How do you ensure the checklists are complete, accurate, and up to date?
Have you asked all the right questions?
Checklists can lead to a false sense of security
Image courtesy of Wikimedia Commons
EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists
Principled Performance “Reliable achievement of objectives while addressing uncertainty and acting with integrity”
Includes material copied from or derived from “Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance”, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance
Image courtesy of Stock.xchng
[Figure: Current State Operating Model moving to Target State Operating Model along the EA roadmap.]
The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going, while maintaining alignment with corporate goals and objectives
We’ve discussed 4 EA techniques that can help implement your GRC program
1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)
2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)
3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution. (strategic planning, reference architectures, standards and guiding principles)
4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution. (EA governance)
Thank you
© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
Includes material copied from or derived from OCEG at http://www.oceg.org
Questions?
Separated at Birth: EA and GRC
Putting GRC Architecture methods into practice
...to be continued in Part II
MEGA is revolutionizing the approach to operational governance
Imagine your business united...
www.mega.com - @mega_int