baker tong webinar - grc and ea separated at birth

Upload: colin-tong

Post on 04-Apr-2018


  • 7/29/2019 Baker Tong Webinar - GRC and EA Separated at Birth

    1/21 Separated at Birth: EA and GRC

    January 31, 2013

  • 2/21 Speaking today

    01/31/2013 © 2013 PricewaterhouseCoopers LLP

    David Baker, Principal, PwC Advisory, Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP
    [email protected], +1.512.554.9035 (mobile)

    Colin Tong, Manager, PwC Advisory, Information Risk Management, PricewaterhouseCoopers LLP
    [email protected], +1.415.412.9723

  • 3/21 Learning objectives

    Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions

    See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise

    Learn about EA techniques that may reduce the complexity sometimes associated with GRC

    Understand how enterprise architecture models can support GRC activities

    Learn the roles that EA and GRC play together in breaking down GRC silos

  • 4/21 Companies continue to face increasing change combined with increasing need for oversight and transparency

    [Diagram: stakeholders (Business Unit, Shareholder, The Board, Community, Industry, Regulators, Others) surround the oversight functions (Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT) and the risk and compliance areas they cover (FSG, Privacy, Info Sec., Anti-Fraud, BCP, SOX, Credit, AML, FCPA, Op Risk).]

    Increasing stakeholder demands + Expansion of Risk and Control Oversight Functions + Expanding Risks, Laws and Regulations = Business Fatigue

    Lack of coordination

    Duplicate efforts

    Risks falling through the cracks

    Competition for attention

  • 5/21 The current governance, risk and compliance (GRC) environment faces many complications

    1. The multifaceted risk environment presents multiple, fragmented views of risk management

    2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance

    3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries

    4. Compliance is often based on checklists of requirements

    Adapted from Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009

  • 6/21 Poll Question

  • 7/21 The solutions to these complications all involve use of a holistic enterprise operating model

    [Diagram: PwC's Operating Model Framework. Strategic Foundation: Ambition, Business Model, Strategic Agenda. Layers: CORPORATE STRATEGY; CUSTOMER OFFERING (Customers; Products, Services & Solutions; Channels; Intermediaries; Alliance Partners; Brands); BUSINESS CAPABILITIES (Process: Processes, Policies; Technology: Application, Integration, Infrastructure; Information: Reports & Analytics, Semantics, Data; People Capabilities: Competencies, Workforce & Talent, Reward, Culture & Behaviours; Organisation: Networks & Interdependencies, Governance Arrangements, Physical Environment, Roles & Accountabilities, Suppliers, Organisation Structure); CORPORATE STRUCTURE (Tax Structure & Arrangements, Legal & Regulatory Structure, Capital Structure, Cash, Banking & Treasury Structure); ENTERPRISE PERFORMANCE MANAGEMENT METRICS.]

    1. Link enterprise risk management to enterprise performance management

    2. Holistic view of how the enterprise operates with integrated GRC capabilities

    3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries

    4. GRC should be managed by specific outcomes (principled performance) rather than checklists.

  • 8/21 That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline

    [Diagram: the operating model layers (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS) annotated with what the business, managers and staff want to know from them.]

    Questions the business, managers and staff ask of the model:

    Is my portfolio of activities aligned with the strategy?

    Have we done this before? How do we get it done?

    How do I make sure it's done correctly?

    What's possible?

    Am I meeting expectations efficiently?

    What risks am I taking?

    What do I change?

    What do I build it with?

    When do I change it?

    How well am I aligning with our EA?

    What things should I NOT be changing?

    How can I innovate?

    How quickly can I get it?

    How much does it cost / save? What are the risks?

  • 9/21 Like twins separated at birth, GRC and EA work toward the same outcomes

    Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

    [Diagram: PwC EA Capability Model (Standards Definition, Innovation, Architecture Governance, Strategic Planning, Portfolio Mgmt, Reference Architecture) shown alongside the OCEG GRC Capability Model.]

    Let's return to the GRC complications and see how to apply EA solutions to each

  • 10/21 Issue: The multifaceted risk environment presents multiple, fragmented views of risk management

    [Chart: Departments or functions that serve on the compliance committee.]

    Source: PwC State of Compliance: 2012 Study, June 2012

  • 11/21 EA Answer: Link enterprise risk management to corporate performance management

    [Diagram: Mission Statement, Vision Statement, Goals, Objectives & Metrics and Strategies, linked by the relationships quantifies, makes operative, amplifies, channels effort and "a component of", placed between Ambition, Business Model Decisions and Internal & External Drivers.]

    Some terms and relationships adapted from the Object Management Group's Business Motivation Model, Release 1.3

    Understand the factors that motivate the business

    Extract and drive additional detail into elements of the business model

    Clearly articulate the Ambition: things that the business wishes to achieve

    Clearly articulate the decisions: things that the business will employ to achieve the Ambition

    In this way, the business model becomes a common foundation for identifying risks to the business intent

  • 12/21 Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance

    [Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions.]

    Source: PwC State of Compliance: 2012 Study, June 2012

  • 13/21 EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities

    Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

    [Diagram: Corporate Ambition and Business Model (Goals, Objectives & Metrics, Strategies) feed the Desired GRC Capabilities, which are mapped against the Enterprise Operating Model (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS).]

    Impact matrix: each GRC capability is assessed for its impact on the Ambition, the Business Model and the Operating Model.

    GRC capability | Ambition Impact | Business Model Impact | Operating Model Impact
    Organize       | Impact A        | Impact B              | Impact C
    Assess         | Impact D        | Impact E              | Impact F
    Proact         | Impact G        | Impact H              | Impact I
    Detect         | Impact J        | Impact K              | Impact L
    Respond        | Impact M        | Impact N              | Impact O
    Measure        | Impact P        | Impact Q              | Impact R

  • 14/21 Poll Question

  • 15/21 Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries

    Includes material copied from or derived from Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase

  • 16/21 EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries

    Strategic Roadmaps: Modernization plans for business areas. Typically 3-5 year view.

    Reference Architectures: reusable patterns for technical and operations solutions

    Guiding Principles: statements used as filters for decision making

    Standards: a library of stable technologies and processes for consistency

    Image courtesy of Wikimedia Commons

  • 17/21 Issue: Compliance is often based on checklists of requirements

    Checklists are like looking in a rearview mirror

    [Diagram: checklist sequence: Do A, Check B, Redo C, Do D]

    How do you ensure the checklists are complete, accurate, and up to date?

    Have you asked all the right questions?

    Checklists can lead to a false sense of security

    Image courtesy of Wikimedia Commons

  • 18/21 EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists

    Principled Performance: Reliable achievement of objectives while addressing uncertainty and acting with integrity

    Includes material copied from or derived from Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance

    Image courtesy of Stock.xchng

    [Diagram: Current State Operating Model moving to Target State Operating Model]

    The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going, while maintaining alignment with corporate goals and objectives

  • 19/21 Poll Question

  • 20/21 We've discussed 4 EA techniques that can help implement your GRC program

    Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)

    Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)

    Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution (strategic planning, reference architectures, standards and guiding principles)

    Avoid the pitfalls associated with management by checklist by leveraging the EA constitution (EA governance)

  • 21/21 Thank you

    © 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

    Includes material copied from or derived from OCEG at http://www.oceg.org