MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth

Date post: 20-Jan-2015
Transcript
Page 1: MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth

Separated at Birth – EA and GRC

January 31, 2013

Page 2

Speaking today

01/31/2013 2 © 2013 PricewaterhouseCoopers LLP

David Baker, Principal, PwC Advisory Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP, [email protected], +1.512.554.9035 (mobile)

Colin Tong, Manager, PwC Advisory Information Risk Management, PricewaterhouseCoopers LLP, [email protected], +1.415.412.9723

Page 3

Learning objectives

•  Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions

•  See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise

•  Learn about EA techniques that may reduce the complexity sometimes associated with GRC

•  Understand how enterprise architecture models can support GRC activities

•  Learn the roles that EA and GRC play together in breaking down GRC silos


Page 4

Companies continue to face increasing change combined with increasing need for oversight and transparency


[Diagram: risk and compliance domains (FSG, Privacy, Info Sec., Anti-Fraud, BCP, SOX, Credit, AML, FCPA, Op Risk), the Business Unit, stakeholders (Shareholder, The Board, Community, Industry Regulators, Others) and oversight functions (Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT)]

Increasing stakeholder demands
+ Expansion of Risk and Control Oversight Functions
+ Expanding Risks, Laws and Regulations
=
•  Business Fatigue
•  Lack of coordination
•  Duplicate efforts
•  Risks falling through the cracks
•  Competition for attention

Page 5

The current governance, risk and compliance (GRC) environment faces many complications

1.  The multifaceted risk environment presents multiple, fragmented views of risk management

2.  GRC work tends to be performed in silos such as IT, Legal, Operations, Finance

3.  Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries

4.  Compliance is often based on checklists of requirements


Adapted from “Foundations of GRC: Establishing an Enterprise View of Risk & Compliance”, Michael Rasmussen, 2009

Page 6

Poll Question


Page 7

The solutions to these complications all involve use of a holistic enterprise operating model


[Diagram: PwC’s Operating Model Framework]

Strategic Foundation / CORPORATE STRATEGY: Ambition, Business Model, Strategic Agenda

CUSTOMER OFFERING: Customers; Products, Services & Solutions; Channels; Intermediaries; Alliance Partners; Brands

BUSINESS CAPABILITIES:
PROCESS: Processes, Policies
ORGANISATION: Roles & Accountabilities, Organisation Structure, Governance Arrangements, Networks & Interdependencies, Physical Environment, Suppliers
TECHNOLOGY: Application, Integration, Infrastructure
INFORMATION: Reports & Analytics, Semantics, Data
PEOPLE CAPABILITIES: Competencies, Workforce & Talent, Reward, Culture & Behaviours

CORPORATE STRUCTURE: Tax Structure & Arrangements; Legal & Regulatory Structure; Capital Structure; Cash, Banking & Treasury Structure

ENTERPRISE PERFORMANCE MANAGEMENT METRICS

1. Link enterprise risk management to enterprise performance management

2. Holistic view of how the enterprise operates with integrated GRC capabilities

3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries

4. GRC should be managed by specific outcomes (principled performance) rather than checklists.

Page 8

That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline


[Diagram: questions the business, managers and staff want answered, laid over the operating model layers (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS)]

Business wants to know / Managers want to know / Staff wants to know:

•  Is my portfolio of activities aligned with the strategy?
•  Have we done this before?
•  How do we get it done?
•  How do I make sure it’s done correctly?
•  What’s possible?
•  Am I meeting expectations efficiently?
•  What risks am I taking?
•  What do I change?
•  What do I build it with?
•  When do I change it?
•  How well am I aligning with our EA?
•  What things should I NOT be changing?
•  How can I innovate?
•  How quickly can I get it?
•  How much does it cost / save?
•  What are the risks?

Page 9

Like twins separated at birth, GRC and EA work toward the same outcomes


Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

[Diagram: PWC EA CAPABILITY MODEL (Standards Definition, Innovation, Architecture Governance, Strategic Planning, Portfolio Mgmt, Reference Architecture)]

Let’s return to the GRC complications and see how to apply EA solutions to each

Page 10

Issue 1: The multifaceted risk environment presents multiple, fragmented views of risk management


[Chart: Departments or functions that serve on the compliance committee]

Source: PwC State of Compliance: 2012 Study, June 2012

Page 11

EA Answer 1: Link enterprise risk management to corporate performance management


[Diagram: business motivation model. Elements: Mission Statement, Vision Statement, Goals, Objectives & Metrics, Strategies, Ambition, Business Model, Decisions, Internal & External Drivers. Relationship labels: Quantifies, Makes operative, Amplifies, Channels Effort, A component of]

Some terms and relationships adapted from the Object Management Group’s Business Motivation Model, Release 1.3

•  Understand the factors that motivate the business

•  Extract and drive additional detail into elements of the business model

•  Clearly articulate the Ambition – things that the business wishes to achieve

•  Clearly articulate the decisions – things that the business will employ to achieve the Ambition

In this way, the business model becomes a common foundation for identifying risks to the business intent.

Page 12

Issue 2: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance


[Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions]

Source: PwC State of Compliance: 2012 Study, June 2012

Page 13

EA Answer 2: Holistic view of how the enterprise operates with integrated GRC capabilities


[Diagram: Corporate Ambition, Business Model (Goals, Objectives & Metrics, Strategies), Desired GRC Capabilities and the Enterprise Operating Model (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS)]

Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

Impact matrix (GRC capability component by level of the enterprise view):

              Ambition Impact   Business Model Impact   Operating Model Impact
Organize      Impact A          Impact B                Impact C
Assess        Impact D          Impact E                Impact F
Proact        Impact G          Impact H                Impact I
Detect        Impact J          Impact K                Impact L
Respond       Impact M          Impact N                Impact O
Measure       Impact P          Impact Q                Impact R

Page 14

Poll Question


Page 15

Issue 3: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries


Includes material copied from or derived from “Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance”, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase

Page 16

EA Answer 3: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries


•  Strategic Roadmaps: Modernization plans for business areas. Typically 3-5 year view.

•  Reference Architectures: reusable patterns for technical and operations solutions

•  Guiding Principles: statements used as filters for decision making

•  Standards: a library of stable technologies and processes for consistency

Image courtesy of Wikimedia Commons

Page 17

Issue 4: Compliance is often based on checklists of requirements


Checklists are like looking in a rearview mirror

☐ Do A  ☐ Check B  ☐ Redo C  ☐ Do D

How do you ensure the checklists are complete, accurate, and up to date?

Have you asked all the right questions?

Checklists can lead to a false sense of security

Image courtesy of Wikimedia Commons

Page 18

EA Answer 4: GRC should be managed by specific outcomes (principled performance) rather than checklists


Principled Performance “Reliable achievement of objectives while addressing uncertainty and acting with integrity”

Includes material copied from or derived from “Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance”, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance

Image courtesy of Stock.xchng

[Diagram: Current State Operating Model to Target State Operating Model]

The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going while maintaining alignment with corporate goals and objectives.

Page 19

Poll Question


Page 20

We’ve discussed 4 EA techniques that can help implement your GRC program

1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)

2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)

3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution. (Strategic planning, reference architectures, standards and guiding principles)

4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution. (EA governance)


Page 21

Thank you

© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

Includes material copied from or derived from OCEG at http://www.oceg.org

Page 22

Questions?

Page 23

Separated at Birth: EA and GRC

Putting GRC Architecture methods into practice

...to be continued in Part II

MEGA is revolutionizing the approach to operational governance

Imagine your business united...

www.mega.com - @mega_int
