MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth

Separated at Birth –
EA and GRC

January 31, 2013

Speaking today

David Baker Colin Tong
Principal, PwC Advisory Manager, PwC Advisory
Enterprise Architecture Center of Excellence Information Risk Management
PricewaterhouseCoopers LLP PricewaterhouseCoopers LLP

david.c.baker@us.pwc.com colin.d.tong@us.pwc.com
+1.512.554.9035 (mobile) +1.415.412.9723

01/31/2013
© 2013 PricewaterhouseCoopers LLP 2

Learning objectives

•  Understand key complexities facing the implementation of
governance, risk, and compliance (GRC) solutions

•  See the similarities in how Enterprise Architecture (EA) and GRC
consider the enterprise

•  Learn about EA techniques that may reduce the complexity
sometimes associated with GRC

•  Understand how enterprise architecture models can support GRC
activities

•  Learn the roles that EA and GRC play together in breaking down
GRC silos

01/31/2013

Companies continue to face increasing change combined
with increasing need for oversight and transparency

Increasing stakeholder
demands Share- The Comm- Industry
Others
holder Board unity Regulators
+

Expansion of Risk and
IT Legal Finance Risk Mgmt Compliance Internal Audit
Control Oversight Functions

+

Expanding Risks, Laws
SOX Anti-Fraud Privacy AML Credit FCPA BCP Info Sec. Op Risk FSG
and Regulations

=
•  Business Fatigue
•  Lack of coordination
•  Duplicate efforts
•  Risks falling through
the cracks
•  Competition for attention Business Unit

01/31/2013

The current governance, risk and compliance (GRC)
environment faces many complications

1.  The multifaceted risk environment presents multiple, fragmented views of
risk management

2.  GRC work tends to be performed in silos such as IT, Legal, Operations,
Finance

3.  Compliance involves enterprise alignment and control to stay within
mandated and voluntary boundaries

4.  Compliance is often based on checklists of requirements

Adapted from “Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009
01/31/2013

Poll Question

01/31/2013

The solutions to these complications all involve use of a
holistic enterprise operating model
v
CORPORATE STRATEGY 2. Holistic view of
1. Link enterprise how the
risk Ambition Business Model Strategic Agenda
enterprise
management to
enterprise
u Strategic Foundation
operates with

performance
management
w integrated GRC
capabilities
CUSTOMER OFFERING

Products, Services Alliance
Customers Channels Intermediaries Brands
& Solutions Partners
3. Use the
enterprise view BUSINESS CAPABILITIES
to help the
PROCESS ORGANISATION
organization 4. GRC should be
Processes Policies
meet strategic Organisation
Structure
Roles &
Accountabilities
Physical
Environment managed by
plans and TECHNOLOGY specific
objectives while Application Integration Infrastructure
Networks &
Interdependencies
Governance
Arrangements
Suppliers
outcomes
staying within (principled
INFORMATION PEOPLE CAPABILITIES
mandatory and Reports & Workforce Culture & performance)
voluntary Analytics
Semantics Data Competencies
& Talent
Reward
Behaviours
rather than
boundaries checklists.
CORPORATE STRUCTURE

Tax Structure & Legal & Regulatory Cash, Banking &
Capital Structure
Arrangements Structure Treasury Structure

ENTERPRISE PERFORMANCE
MANAGEMENT METRICS
x
PwC’s Operating Model Framework
01/31/2013

That same holistic enterprise operating model has also been
the holy grail of the Enterprise Architecture (EA) discipline

Business Managers
wants to know CORPORATE STRATEGY
want to know

How can I innovate? CUSTOMER OFFERING Is my portfolio of activities aligned
How quickly can I get it? with the strategy?
How much does it cost / save?
BUSINESS CAPABILITIES Have we done this before?
What are the risks? How do we get it done?
CORPORATE STRUCTURE
What’s possible? How do I make sure it’s
ENTERPRISE PERFORMANCE done correctly?
MANAGEMENT METRICS
What’s possible?
Am I meeting expectations
efficiently?
Staff What risks am I taking?
wants to know

What do I change?
What do I build it with?
When do I change it?
How well am I aligning with our EA?
What things should I NOT be changing?
01/31/2013

Like twins separated at birth, GRC and EA work toward the
same outcomes

PWC EA CAPABILITY MODEL

Strategic
Planning

Portfolio Architecture
Mgmt Governance

Reference
Architecture Innovation

Standards
Definition

Let’s return to the GRC complications and see how to apply EA
solutions to each

Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
01/31/2013

u Issue: The multifaceted risk environment presents
multiple, fragmented views of risk management

Departments or functions that serve on the compliance committee

Source: PwC State of Compliance: 2012 Study, June 2012
01/31/2013

u EA Answer: Link enterprise risk management to corporate
performance management

•  Understand the factors that motivate the
Internal & External Drivers
business
Makes
operative
Vision Mission •  Extract and drive additional detail into
Statement Statement
elements of the business model

Amplifies A component
of •  Clearly articulate the Ambition – things that
Channels
the business wishes to achieve
Effort
Goals
•  Clearly articulate the decisions – things that
the business will employ to achieve the
Quantifies Strategies Ambition
Channels
Objectives Effort
& Metrics In this way, the business model becomes
a common foundation for identifying
Ambition Business Model
risks to the business intent
Decisions

Some terms and relationships adapted from the Object Management Group’s Business Motivation Model, Release 1.3
01/31/2013

v Issue: GRC work tends to be performed in silos such as IT,
Legal, Operations, Finance

GRC functions sharing a common GRC-specific tool, technology or platform with
other functions

Source: PwC State of Compliance: 2012 Study, June 2012
01/31/2013

v EA Answer: Holistic view of how the enterprise operates
with integrated GRC capabilities

Corporate Ambition Business Model Enterprise Operating
Model
Goals CORPORATE STRATEGY

Strategies CUSTOMER OFFERING

BUSINESS CAPABILITIES
Objectives &
Metrics CORPORATE STRUCTURE

ENTERPRISE PERFORMANCE
MANAGEMENT METRICS

Business Operating
Ambition
Model Model
Impact
Desired GRC Capabilities Impact Impact
Organize Impact A Impact B Impact C

Assess Impact D Impact E Impact F

Proact Impact G Impact H Impact I

Detect Impact J Impact K Impact L

Respond Impact M Impact N Impact O

Measure Impact P Impact Q Impact R

Includes material copied from or derived from the OCEG Red Book GRC Capability Model, 01/31/2013
© 2013 PricewaterhouseCoopers LLP Version 2.1, page 3, http://www.oceg.org/RedBook 13

Poll Question

01/31/2013

w Issue: Compliance involves enterprise alignment and
control to stay within mandated and voluntary boundaries

Includes material copied from or derived from “Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance”,
page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase
01/31/2013

w EA Answer: Use the enterprise view to help the
organization meet strategic plans and objectives while
staying within mandatory and voluntary boundaries

•  Strategic Roadmaps: Modernization plans
for business areas. Typically 3-5 year view.

•  Reference Architectures: reusable patterns
for technical and operations solutions

•  Guiding Principles: statements used as filters
for decision making

•  Standards: a library of stable technologies
and processes for consistency

Image courtesy of Wikimedia Commons
01/31/2013

x Issue: Compliance is often based on checklists of
requirements

Checklists are like looking in a rearview mirror

How do you q  Do A
ensure the Have you asked
checklists are q Check B all the right
complete, questions?
accurate, and up
q Redo C
to date? q Do D

Checklists can lead to a false sense of security

Image courtesy of Wikimedia Commons
01/31/2013

x EA Answer: GRC should be managed by specific outcomes
(principled performance) rather than checklists

Principled Performance
“Reliable achievement of objectives while addressing uncertainty and acting with integrity”

Current Target
State State
Operating Operating
Model Model

The EA constitution, in combination with an EA roadmap, enable the
EA governance process to assist you in getting where you are going,
while maintaining alignment with corporate goals and objectives
Includes material copied from or derived from “Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance”, http://www.oceg.org/event/
increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance

Image courtesy of Stock.xchng
01/31/2013

Poll Question

01/31/2013

We’ve discussed 4 EA techniques that can help implement
your GRC program

Unify your multifaceted GRC environment by linking your risk and
compliance measures to the corporate strategy. (EA modeling)
Bridge your GRC silos by designing a common set of GRC
capabilities and assess the impact by using a holistic operating
model of your enterprise. (GRC capability mapping and impact
analysis)
Help your efforts stay within voluntary and mandatory boundaries
by creating an EA constitution (strategic planning, reference
architectures, standards and guiding principles)
Avoid the pitfalls associated with management by checklist by
leveraging the EA constitution (EA governance)

01/31/2013

Thank you

© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its
member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for
further details. This content is for general information purposes only, and should not be used as
a substitute for consultation with professional advisors. PwC helps organizations and individuals
create the value they’re looking for. We’re a network of firms in 158 countries with more than
180,000 people who are committed to delivering quality in assurance, tax and advisory
services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

Includes material copied from or derived from OCEG at http://www.oceg.org

Separated at Birth: EA and GRC ...to be
continu
in Part ed
Putting II
GRC A
method rchitec
s into p ture
ractice

MEGA is revolutionizing the approach to
operational governance

Imagine your business united...

Imagine your business

www.mega.com - @mega_int -

MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth

In this document

More Related Content

What's hot

Viewers also liked

Similar to MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth

Recently uploaded

MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth