Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Baker Tong Webinar - GRC and EA Separated at Birth

    Enviado por

    Colin Tong
    261 visualizações21 páginas
    Enterprise Architecture (EA) and Governance, Risk and Compliance (GRC) are disciplines, philosophies and capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity… including the governance, assurance and management of performance, risk, and compliance. Enterprise Architecture (EA) has its origin in Information Technology (IT) Architecture and has been playing a role in IT Governance for some time. With the ascent of Business Architecture as an EA discipline, EA reaches beyond IT and now maintains a holistic view of an organization’s operations in alignment with the integration of Governance, Risk and Compliance (GRC) considerations. GRC has its origins in ensuring a business and the people within its extended enterprise ecosystem are sufficiently equipped to operate within voluntary and involuntary boundaries, identify and navigate obstacles and uncertainty, and achieve breakthrough results beyond performance barriers of the past. EA and GRC share common goals and aid business leaders in achieving strategic objectives. When properly assessed, designed and implemented, these disciplines together enhance an organization’s capabilities to measurably create, grow, uncover and safeguard shareholder value. You will learn: • The similarities in how EA and GRC consider the enterprise • How EA techniques can reduce the complexity sometimes associated with GRC • How enterprise architecture models can support GRC activities • The role EA and GRC play together in breaking down silos

    Direitos autorais

    © Attribution Non-Commercial (BY-NC)

    Formatos disponíveis

    PPTX, PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento
    Enterprise Architecture (EA) and Governance, Risk and Compliance (GRC) are disciplines, philosophies and capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity… including the governance, assurance and management of performance, risk, and compliance. Enterprise Architecture (EA) has its origin in Information Technology (IT) Architecture and has been playing a role in IT Governance for some time. With the ascent of Business Architecture as an EA discipline, EA reaches beyond IT and now maintains a holistic view of an organization’s operations in alignment with the integration of Governance, Risk and Compliance (GRC) considerations. GRC has its origins in ensuring a business and the people within its extended enterprise ecosystem are sufficiently equipped to operate within voluntary and involuntary boundaries, identify and navigate obstacles and uncertainty, and achieve breakthrough results beyond performance barriers of the past. EA and GRC share common goals and aid business leaders in achieving strategic objectives. When properly assessed, designed and implemented, these disciplines together enhance an organization’s capabilities to measurably create, grow, uncover and safeguard shareholder value. You will learn: • The similarities in how EA and GRC consider the enterprise • How EA techniques can reduce the complexity sometimes associated with GRC • How enterprise architecture models can support GRC activities • The role EA and GRC play together in breaking down silos

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPTX, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    261 visualizações21 páginas

    Baker Tong Webinar - GRC and EA Separated at Birth

    Enviado por

    Colin Tong
    Enterprise Architecture (EA) and Governance, Risk and Compliance (GRC) are disciplines, philosophies and capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity… including the governance, assurance and management of performance, risk, and compliance. Enterprise Architecture (EA) has its origin in Information Technology (IT) Architecture and has been playing a role in IT Governance for some time. With the ascent of Business Architecture as an EA discipline, EA reaches beyond IT and now maintains a holistic view of an organization’s operations in alignment with the integration of Governance, Risk and Compliance (GRC) considerations. GRC has its origins in ensuring a business and the people within its extended enterprise ecosystem are sufficiently equipped to operate within voluntary and involuntary boundaries, identify and navigate obstacles and uncertainty, and achieve breakthrough results beyond performance barriers of the past. EA and GRC share common goals and aid business leaders in achieving strategic objectives. When properly assessed, designed and implemented, these disciplines together enhance an organization’s capabilities to measurably create, grow, uncover and safeguard shareholder value. You will learn: • The similarities in how EA and GRC consider the enterprise • How EA techniques can reduce the complexity sometimes associated with GRC • How enterprise architecture models can support GRC activities • The role EA and GRC play together in breaking down silos

    Direitos autorais:

    Attribution Non-Commercial (BY-NC)
    Baixe no formato PPTX, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 21

    Separated at Birth EA and GRC

    January 31, 2013

    Speaking today

    David Baker
    Principal, PwC Advisory Enterprise Architecture Center of Excellence PricewaterhouseCoopers LLP
    david.c.baker@us.pwc.com +1.512.554.9035 (mobile)

    Colin Tong
    Manager, PwC Advisory Information Risk Management PricewaterhouseCoopers LLP
    colin.d.tong@us.pwc.com +1.415.412.9723

    2013 PricewaterhouseCoopers LLP

    01/31/2013 2

    Learning objectives

    Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise Learn about EA techniques that may reduce the complexity sometimes associated with GRC Understand how enterprise architecture models can support GRC activities

    Learn the roles that EA and GRC play together in breaking down GRC silos

    2013 PricewaterhouseCoopers LLP

    01/31/2013 3

    Companies continue to face increasing change combined with increasing need for oversight and transparency
    Increasing stakeholder demands

    +
    Expansion of Risk and Control Oversight Functions IT

    Shareholder

    The Board

    Community

    Industry Regulators

    Others

    Legal

    Finance

    Risk Mgmt

    Compliance

    Internal Audit

    +
    Expanding Risks, Laws and Regulations
    SOX Anti-Fraud Privacy AML Credit FCPA BCP Info Sec. Op Risk FSG

    =
    Business Fatigue Lack of coordination Duplicate efforts Risks falling through the cracks Competition for attention
    2013 PricewaterhouseCoopers LLP

    Business Unit
    01/31/2013 4

    The current governance, risk and compliance (GRC) environment faces many complications
    1. The multifaceted risk environment presents multiple, fragmented views of risk management 2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance 3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries 4. Compliance is often based on checklists of requirements

    Adapted from Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009

    2013 PricewaterhouseCoopers LLP

    01/31/2013 5

    Poll Question

    2013 PricewaterhouseCoopers LLP

    01/31/2013 6

    The solutions to these complications all involve use of a holistic enterprise operating model

    1. Link enterprise risk management to enterprise performance management 3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
    CORPORATE STRATEGY

    Customers

    Ambition

    Business Model Strategic Foundation

    Strategic Agenda

    CUSTOMER OFFERING Products, Services & Solutions Alliance Partners Channels Intermediaries Brands BUSINESS CAPABILITIES PROCESS Processes Policies ORGANISATION Organisation Structure Roles & Accountabilities Physical Environment

    2. Holistic view of how the enterprise operates with integrated GRC capabilities

    TECHNOLOGY Application Integration Infrastructure Networks & Interdependencies Governance Arrangements Suppliers

    INFORMATION Reports & Analytics Semantics Data

    PEOPLE CAPABILITIES Competencies Workforce & Talent Reward Culture & Behaviours

    4. GRC should be managed by specific outcomes (principled performance) rather than checklists.

    CORPORATE STRUCTURE Tax Structure & Arrangements Legal & Regulatory Structure Cash, Banking & Treasury Structure

    Capital Structure

    ENTERPRISE PERFORMANCE MANAGEMENT METRICS

    01/31/2013 7

    PwCs Operating Model Framework


    2013 PricewaterhouseCoopers LLP

    That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline

    Business wants to know

    CORPORATE STRATEGY

    Managers want to know


    Is my portfolio of activities aligned with the strategy? Have we done this before? How do we get it done? How do I make sure its done correctly? Whats possible? Am I meeting expectations efficiently? What risks am I taking?

    How can I innovate? How quickly can I get it? How much does it cost / save? What are the risks?

    CUSTOMER OFFERING

    BUSINESS CAPABILITIES

    CORPORATE STRUCTURE ENTERPRISE PERFORMANCE MANAGEMENT METRICS

    Whats possible?

    Staff wants to know


    What do I change? What do I build it with? When do I change it? How well am I aligning with our EA? What things should I NOT be changing?
    2013 PricewaterhouseCoopers LLP

    01/31/2013 8

    Like twins separated at birth, GRC and EA work toward the same outcomes

    PWC EA CAPABILITY MODEL


    Strategic Planning

    Portfolio Mgmt

    Architecture Governance

    Reference Architecture

    Innovation

    Standards Definition

    Lets return to the GRC complications and see how to apply EA solutions to each
    Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

    2013 PricewaterhouseCoopers LLP

    01/31/2013 9

    Issue: The multifaceted risk environment presents multiple, fragmented views of risk management
    Departments or functions that serve on the compliance committee

    Source: PwC State of Compliance: 2012 Study, June 2012

    2013 PricewaterhouseCoopers LLP

    01/31/2013 10

    EA Answer: Link enterprise risk management to corporate performance management


    Internal & External Drivers
    Makes operative

    Understand the factors that motivate the business Extract and drive additional detail into elements of the business model

    Vision Statement

    Mission Statement

    Amplifies

    A component of

    Goals

    Channels Effort

    Clearly articulate the Ambition things that the business wishes to achieve
    Clearly articulate the decisions things that the business will employ to achieve the Ambition

    Quantifies Channels Effort

    Strategies

    Objectives & Metrics

    Ambition

    Business Model Decisions

    In this way, the business model becomes a common foundation for identifying risks to the business intent
    01/31/2013 11

    Some terms and relationships adapted from the Object Management Groups Business Motivation Model, Release 1.3

    2013 PricewaterhouseCoopers LLP

    Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
    GRC functions sharing a common GRC-specific tool, technology or platform with other functions

    Source: PwC State of Compliance: 2012 Study, June 2012

    2013 PricewaterhouseCoopers LLP

    01/31/2013 12

    EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities
    Corporate Ambition
    Goals Strategies

    Business Model

    Enterprise Operating Model


    CORPORATE STRATEGY

    CUSTOMER OFFERING BUSINESS CAPABILITIES CORPORATE STRUCTURE ENTERPRISE PERFORMANCE MANAGEMENT METRICS

    Objectives & Metrics

    Desired GRC Capabilities


    Organize Assess Proact Detect Respond

    Ambition Impact Impact A Impact D Impact G Impact J Impact M

    Business Model Impact Impact B Impact E Impact H Impact K Impact N

    Operating Model Impact Impact C Impact F Impact I Impact L Impact O

    Measure
    2013 PricewaterhouseCoopers LLP

    Impact P

    Impact Q

    Impact R
    01/31/2013 13

    Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook

    Poll Question

    2013 PricewaterhouseCoopers LLP

    01/31/2013 14

    Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries

    Includes material copied from or derived from Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase

    2013 PricewaterhouseCoopers LLP

    01/31/2013 15

    EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries

    Strategic Roadmaps: Modernization plans for business areas. Typically 3-5 year view.

    Reference Architectures: reusable patterns for technical and operations solutions

    Guiding Principles: statements used as filters for decision making

    Standards: a library of stable technologies and processes for consistency

    Image courtesy of Wikimedia Commons

    2013 PricewaterhouseCoopers LLP

    01/31/2013 16

    Issue: Compliance is often based on checklists of requirements


    Checklists are like looking in a rearview mirror

    How do you ensure the checklists are complete, accurate, and up to date?

    Do A Check B Redo C Do D

    Have you asked all the right questions?

    Checklists can lead to a false sense of security


    Image courtesy of Wikimedia Commons

    2013 PricewaterhouseCoopers LLP

    01/31/2013 17

    EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists
    Principled Performance Reliable achievement of objectives while addressing uncertainty and acting with integrity

    Current State Operating Model

    Target State Operating Model

    The EA constitution, in combination with an EA roadmap, enable the EA governance process to assist you in getting where you are going, while maintaining alignment with corporate goals and objectives
    Includes material copied from or derived from Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance Image courtesy of Stock.xchng

    2013 PricewaterhouseCoopers LLP

    01/31/2013 18

    Poll Question

    2013 PricewaterhouseCoopers LLP

    01/31/2013 19

    Weve discussed 4 EA techniques that can help implement your GRC program
    Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling) Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis) Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution (strategic planning, reference architectures, standards and guiding principles) Avoid the pitfalls associated with management by checklist by leveraging the EA constitution (EA governance)

    2013 PricewaterhouseCoopers LLP

    01/31/2013 20

    Thank you

    2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value theyre looking for. Were a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. Includes material copied from or derived from OCEG at http://www.oceg.org

    Você também pode gostar