
Separated at Birth: EA and GRC

January 31, 2013

Speaking today

David Baker
Principal, PwC Advisory Enterprise Architecture Center of Excellence PricewaterhouseCoopers LLP
david.c.baker@us.pwc.com +1.512.554.9035 (mobile)

Colin Tong
Manager, PwC Advisory Information Risk Management PricewaterhouseCoopers LLP
colin.d.tong@us.pwc.com +1.415.412.9723

2013 PricewaterhouseCoopers LLP

01/31/2013 2

Learning objectives

- Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
- See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
- Learn about EA techniques that may reduce the complexity sometimes associated with GRC
- Understand how enterprise architecture models can support GRC activities
- Learn the roles that EA and GRC play together in breaking down GRC silos


Companies continue to face increasing change combined with an increasing need for oversight and transparency

[Diagram: the three pressures on the business unit and their combined effect]
Increasing stakeholder demands: Shareholder, The Board, Community, Industry Regulators, Others
+ Expansion of risk and control oversight functions: IT, Legal, Finance, Risk Mgmt, Compliance, Internal Audit
+ Expanding risks, laws and regulations: SOX, Anti-Fraud, Privacy, AML, Credit, FCPA, BCP, Info Sec., Op Risk, FSG
= Business fatigue: lack of coordination, duplicate efforts, risks falling through the cracks, competition for attention

The current governance, risk and compliance (GRC) environment faces many complications

1. The multifaceted risk environment presents multiple, fragmented views of risk management
2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
4. Compliance is often based on checklists of requirements

Adapted from Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009

Poll Question


The solutions to these complications all involve use of a holistic enterprise operating model

1. Link enterprise risk management to enterprise performance management
2. Holistic view of how the enterprise operates with integrated GRC capabilities
3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
4. GRC should be managed by specific outcomes (principled performance) rather than checklists

[Diagram: PwC's Operating Model Framework]
Corporate Strategy: Customers, Ambition, Business Model, Strategic Foundation, Strategic Agenda
Customer Offering: Products, Services & Solutions; Alliance Partners; Channels; Intermediaries; Brands
Business Capabilities:
  Process: Processes, Policies
  Organisation: Organisation Structure, Roles & Accountabilities, Physical Environment
  Technology: Application, Integration, Infrastructure, Networks & Interdependencies, Governance Arrangements, Suppliers
  Information: Reports & Analytics, Semantics, Data
  People Capabilities: Competencies, Workforce & Talent, Reward, Culture & Behaviours
Corporate Structure: Tax Structure & Arrangements, Legal & Regulatory Structure, Cash, Banking & Treasury Structure, Capital Structure
Enterprise Performance Management Metrics

That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline

[Diagram: the operating model layers (Corporate Strategy, Customer Offering, Business Capabilities, Corporate Structure, Enterprise Performance Management Metrics) annotated with the questions each audience asks of it]

Business wants to know: How can I innovate? How quickly can I get it? How much does it cost / save? What are the risks? What's possible?

Managers want to know: Is my portfolio of activities aligned with the strategy? Have we done this before? How do we get it done? How do I make sure it's done correctly? What's possible? Am I meeting expectations efficiently? What risks am I taking?

Staff wants to know: What do I change? What do I build it with? When do I change it? How well am I aligning with our EA? What things should I NOT be changing?

Like twins separated at birth, GRC and EA work toward the same outcomes

[Diagram: the PwC EA Capability Model (Strategic Planning, Portfolio Mgmt, Architecture Governance, Reference Architecture, Innovation, Standards Definition) set beside the OCEG GRC Capability Model]

Let's return to the GRC complications and see how to apply EA solutions to each

Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

Issue: The multifaceted risk environment presents multiple, fragmented views of risk management

[Chart: departments or functions that serve on the compliance committee]

Source: PwC State of Compliance: 2012 Study, June 2012

EA Answer: Link enterprise risk management to corporate performance management

[Diagram: business motivation model]
Internal & External Drivers inform the Vision Statement and Mission Statement; the Mission Statement makes the Vision operative
Goals amplify the Vision; Strategies channel effort toward the Goals; Objectives & Metrics quantify the Goals
Vision, Mission and Goals together express the Ambition; Strategies are a component of the Business Model Decisions

Understand the factors that motivate the business. Extract and drive additional detail into elements of the business model.
Clearly articulate the Ambition: the things that the business wishes to achieve.
Clearly articulate the decisions: the things that the business will employ to achieve the Ambition.

In this way, the business model becomes a common foundation for identifying risks to the business intent

Some terms and relationships adapted from the Object Management Group's Business Motivation Model, Release 1.3

Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance

[Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions]

Source: PwC State of Compliance: 2012 Study, June 2012

EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities

[Diagram: GRC capability impact matrix]
Rows (the enterprise view): Corporate Ambition (Goals, Strategies); Business Model; Enterprise Operating Model (Corporate Strategy, Customer Offering, Business Capabilities, Corporate Structure, Enterprise Performance Management Metrics); Objectives & Metrics
Columns (desired GRC capabilities): Organize, Assess, Proact, Detect, Respond, Measure

                         Organize   Assess     Proact     Detect     Respond    Measure
Ambition Impact          Impact A   Impact D   Impact G   Impact J   Impact M   Impact P
Business Model Impact    Impact B   Impact E   Impact H   Impact K   Impact N   Impact Q
Operating Model Impact   Impact C   Impact F   Impact I   Impact L   Impact O   Impact R

Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

Poll Question


Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries

Includes material copied from or derived from Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase


EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries

Strategic Roadmaps: modernization plans for business areas, typically a 3-5 year view
Reference Architectures: reusable patterns for technical and operations solutions
Guiding Principles: statements used as filters for decision making
Standards: a library of stable technologies and processes for consistency

Image courtesy of Wikimedia Commons

Issue: Compliance is often based on checklists of requirements

[Diagram: a checklist cycle, Do A, Check B, Redo C, Do D]

Checklists are like looking in a rearview mirror
How do you ensure the checklists are complete, accurate, and up to date?
Have you asked all the right questions?
Checklists can lead to a false sense of security

Image courtesy of Wikimedia Commons

EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists

Principled Performance: reliable achievement of objectives while addressing uncertainty and acting with integrity

[Diagram: Current State Operating Model -> Target State Operating Model]

The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going while maintaining alignment with corporate goals and objectives

Includes material copied from or derived from Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance
Image courtesy of Stock.xchng

Poll Question


We've discussed 4 EA techniques that can help implement your GRC program

1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy (EA modeling)
2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise (GRC capability mapping and impact analysis)
3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution (strategic planning, reference architectures, standards and guiding principles)
4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution (EA governance)

Thank you

2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. Includes material copied from or derived from OCEG at http://www.oceg.org