Speaking today
David Baker
Principal, PwC Advisory Enterprise Architecture Center of Excellence PricewaterhouseCoopers LLP
david.c.baker@us.pwc.com +1.512.554.9035 (mobile)
Colin Tong
Manager, PwC Advisory Information Risk Management PricewaterhouseCoopers LLP
colin.d.tong@us.pwc.com +1.415.412.9723
01/31/2013 2
Learning objectives
- Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
- See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
- Learn about EA techniques that may reduce the complexity sometimes associated with GRC
- Understand how enterprise architecture models can support GRC activities
- Learn the roles that EA and GRC play together in breaking down GRC silos
Companies continue to face increasing change combined with increasing need for oversight and transparency
[Figure: Increasing stakeholder demands (Shareholder, The Board, Community, Industry Regulators, Others) + Expansion of risk and control oversight functions (IT, Legal, Finance, Risk Mgmt, Compliance, Internal Audit) + Expanding risks, laws and regulations (SOX, Anti-Fraud, Privacy, AML, Credit, FCPA, BCP, Info Sec., Op Risk, FSG) = Business fatigue at the business unit level: lack of coordination, duplicate efforts, risks falling through the cracks, competition for attention]
The current governance, risk and compliance (GRC) environment faces many complications
1. The multifaceted risk environment presents multiple, fragmented views of risk management
2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
4. Compliance is often based on checklists of requirements
Adapted from Foundations of GRC: Establishing an Enterprise View of Risk & Compliance, Michael Rasmussen, 2009
The solutions to these complications all involve use of a holistic enterprise operating model
1. Link enterprise risk management to enterprise performance management
2. Build a holistic view of how the enterprise operates, with integrated GRC capabilities
3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
4. Manage GRC by specific outcomes (principled performance) rather than checklists

[Figure: enterprise operating model. CORPORATE STRATEGY: Customers, Ambition, Strategic Agenda. CUSTOMER OFFERING: Products, Services & Solutions; Alliance Partners; Channels; Intermediaries; Brands. BUSINESS CAPABILITIES: Process (Processes, Policies); Organisation (Organisation Structure, Roles & Accountabilities, Physical Environment); Technology (Application, Integration, Infrastructure, Networks & Interdependencies, Governance Arrangements, Suppliers); People Capabilities (Competencies, Workforce & Talent, Reward, Culture & Behaviours). CORPORATE STRUCTURE: Tax Structure & Arrangements; Legal & Regulatory Structure; Cash, Banking & Treasury Structure; Capital Structure.]
That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline
[Figure: the same operating model (CORPORATE STRATEGY, CUSTOMER OFFERING, BUSINESS CAPABILITIES) annotated with the questions EA is asked to answer: How can I innovate? How quickly can I get it? How much does it cost / save? What are the risks? What's possible?]
Like twins separated at birth, GRC and EA work toward the same outcomes
[Figure: EA functions (Portfolio Mgmt, Architecture Governance, Reference Architecture, Innovation, Standards Definition) set beside the OCEG GRC Capability Model]

Let's return to the GRC complications and see how to apply EA solutions to each.
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
Issue: The multifaceted risk environment presents multiple, fragmented views of risk management
[Chart: Departments or functions that serve on the compliance committee]
EA Answer: Understand the factors that motivate the business. Extract and drive additional detail into elements of the business model.

[Figure, adapted from the Business Motivation Model: Goals amplify the Vision Statement; Strategies are a component of the Mission Statement and channel effort toward the Goals. Ambition: clearly articulate the things that the business wishes to achieve. Strategies: clearly articulate the decisions that the business will employ to achieve the Ambition.]
In this way, the business model becomes a common foundation for identifying risks to the business intent
Some terms and relationships adapted from the Object Management Group's Business Motivation Model, Release 1.3
Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
[Chart: GRC functions sharing a common GRC-specific tool, technology or platform with other functions]
EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities
[Figure: Corporate Ambition (Goals, Strategies) flows down into the Business Model (CUSTOMER OFFERING, BUSINESS CAPABILITIES, CORPORATE STRUCTURE), which is measured through ENTERPRISE PERFORMANCE MANAGEMENT METRICS; a change in GRC capabilities is traced through the model to its impacts (Impact P, Impact Q, Impact R)]
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
Includes material copied from or derived from Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase
EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
Strategic Roadmaps: modernization plans for business areas, typically a 3-5 year view.
Issue: Compliance is often based on checklists of requirements. How do you ensure the checklists are complete, accurate, and up to date?

[Figure: checklist sequence (Do A, Check B, Redo C, Do D)]
EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists
Principled Performance: reliable achievement of objectives while addressing uncertainty and acting with integrity.

The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going while maintaining alignment with corporate goals and objectives.
Includes material copied from or derived from Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance Image courtesy of Stock.xchng
We've discussed 4 EA techniques that can help implement your GRC program

1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)
2. Bridge your GRC silos by designing a common set of GRC capabilities, and assess the impact using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)
3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution. (Strategic planning, reference architectures, standards and guiding principles)
4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution. (EA governance)
Thank you
2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organisations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com. Includes material copied from or derived from OCEG at http://www.oceg.org