7/29/2019 Baker Tong Webinar - GRC and EA Separated at Birth
Separated at Birth
EA and GRC
January 31, 2013
Speaking today
01/31/2013 2013 PricewaterhouseCoopers LLP
David Baker, Principal, PwC Advisory, Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP
[email protected], +1.512.554.9035 (mobile)
Colin Tong, Manager, PwC Advisory, Information Risk Management, PricewaterhouseCoopers LLP
[email protected], +1.415.412.9723
Learning objectives
Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
Learn about EA techniques that may reduce the complexity sometimes associated with GRC
Understand how enterprise architecture models can support GRC activities
Learn the roles that EA and GRC play together in breaking down GRC silos
Companies continue to face increasing change combined with increasing need for oversight and transparency
[Figure: the Business Unit at the centre, surrounded by oversight functions (Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT), risk and compliance programs (FSG, Privacy, Info Sec., Anti-Fraud, BCP, SOX, Credit, AML, FCPA, Op Risk) and stakeholders (Shareholder, The Board, Community, Industry, Regulators, Others)]
Increasing stakeholder demands + Expansion of Risk and Control Oversight Functions + Expanding Risks, Laws and Regulations = Business Fatigue
Lack of coordination
Duplicate efforts
Risks falling through the cracks
Competition for attention
The current governance, risk and compliance (GRC) environment faces many complications
1. The multifaceted risk environment presents multiple, fragmented views of risk management
2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
4. Compliance is often based on checklists of requirements
Adapted from Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009
Poll Question
The solutions to these complications all involve use of a holistic enterprise operating model
[Figure: PwC's Operating Model Framework]
CORPORATE STRATEGY (Strategic Foundation): Ambition, Business Model, Strategic Agenda
CUSTOMER OFFERING: Customers; Products, Services & Solutions; Channels; Intermediaries; Alliance Partners; Brands
BUSINESS CAPABILITIES:
  PROCESS: Processes, Policies
  ORGANISATION: Roles & Accountabilities, Organisation Structure, Governance Arrangements, Networks & Interdependencies, Physical Environment, Suppliers
  TECHNOLOGY: Application, Integration, Infrastructure
  INFORMATION: Reports & Analytics, Semantics, Data
  PEOPLE CAPABILITIES: Competencies, Workforce & Talent, Reward, Culture & Behaviours
CORPORATE STRUCTURE: Legal & Regulatory Structure, Capital Structure, Tax Structure & Arrangements, Cash, Banking & Treasury Structure
ENTERPRISE PERFORMANCE MANAGEMENT METRICS
1. Link enterprise risk management to enterprise performance management
2. Holistic view of how the enterprise operates with integrated GRC capabilities
3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
4. GRC should be managed by specific outcomes (principled performance) rather than checklists.
PwC's Operating Model Framework
That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline
[Figure: the questions that the business, managers and staff want answered, mapped onto the operating model layers CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE and ENTERPRISE PERFORMANCE MANAGEMENT METRICS]
Business wants to know, Managers want to know, Staff wants to know:
Is my portfolio of activities aligned with the strategy?
Have we done this before? How do we get it done?
How do I make sure it's done correctly?
What's possible?
Am I meeting expectations efficiently?
What risks am I taking?
What do I change?
What do I build it with?
When do I change it?
How well am I aligning with our EA?
What things should I NOT be changing?
How can I innovate?
How quickly can I get it?
How much does it cost / save? What are the risks?
Like twins separated at birth, GRC and EA work toward the same outcomes
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
[Figure: PwC EA Capability Model: Standards Definition, Innovation, Architecture Governance, Strategic Planning, Portfolio Mgmt, Reference Architecture, shown alongside the OCEG GRC Capability Model]
Let's return to the GRC complications and see how to apply EA solutions to each
Issue: The multifaceted risk environment presents multiple, fragmented views of risk management
[Chart: Departments or functions that serve on the compliance committee]
Source: PwC State of Compliance: 2012 Study, June 2012
EA Answer: Link enterprise risk management to corporate performance management
[Figure: Mission Statement, Vision Statement, Goals, Objectives & Metrics and Strategies, linked by the relationships "quantifies", "makes operative", "amplifies", "channels effort" and "a component of"; Internal & External Drivers feed the Ambition and Business Model Decisions]
Some terms and relationships adapted from the Object Management Group's Business Motivation Model, Release 1.3
Understand the factors that motivate the business
Extract and drive additional detail into elements of the business model
Clearly articulate the Ambition: things that the business wishes to achieve
Clearly articulate the decisions: things that the business will employ to achieve the Ambition
In this way, the business model becomes a common foundation for identifying risks to the business intent
Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
[Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions]
Source: PwC State of Compliance: 2012 Study, June 2012
EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities
[Figure: Corporate Ambition and Business Model (Goals, Objectives & Metrics, Strategies) feed the Desired GRC Capabilities, which are assessed against the Enterprise Operating Model (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE, ENTERPRISE PERFORMANCE MANAGEMENT METRICS)]
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
GRC capability impact matrix:

               Ambition Impact   Business Model Impact   Operating Model Impact
  Organize     Impact A          Impact B                Impact C
  Assess       Impact D          Impact E                Impact F
  Proact       Impact G          Impact H                Impact I
  Detect       Impact J          Impact K                Impact L
  Respond      Impact M          Impact N                Impact O
  Measure      Impact P          Impact Q                Impact R
Poll Question
Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
Includes material copied from or derived from Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase
EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
Strategic Roadmaps: modernization plans for business areas. Typically a 3-5 year view.
Reference Architectures: reusable patterns for technical and operations solutions
Guiding Principles: statements used as filters for decision making
Standards: a library of stable technologies and processes for consistency
Image courtesy of Wikimedia Commons
Issue: Compliance is often based on checklists of requirements
Checklists are like looking in a rearview mirror
[Figure: a checklist reading Do A, Check B, Redo C, Do D]
How do you ensure the checklists are complete, accurate, and up to date?
Have you asked all the right questions?
Checklists can lead to a false sense of security
Image courtesy of Wikimedia Commons
EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists
Principled Performance: reliable achievement of objectives while addressing uncertainty and acting with integrity
Includes material copied from or derived from Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance
Image courtesy of Stock.xchng
[Figure: Current State Operating Model leading to Target State Operating Model]
The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going, while maintaining alignment with corporate goals and objectives
Poll Question
We've discussed 4 EA techniques that can help implement your GRC program
1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)
2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)
3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution. (strategic planning, reference architectures, standards and guiding principles)
4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution. (EA governance)
Thank you
2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
Includes material copied from or derived from OCEG at http://www.oceg.org