Slideshow used for a webinar to the Association of Enterprise Architects (https://www.globalaea.org/) on 28th June 2023) - promoting the development of the EA Mindset

1. Enterprise
Systems
Architecture
Daljit R Banger FBCS
Aligning the Business
Operating Model and
the Technology
Ecosystem
Webinar : 28th June 2023
Video available available for AEA
Members at the AEA Portal

2. Agenda
• Part 1
• Definitions
• Some Basic Thinking
• A View – A Notional Stack
• Layers Discussed
• BOM
• Business Process
• Technology Layers (Capability-Service-Enabler)
• Alternate Views of Value
• Data layer
• Hygiene Services
• Part 2
• EU PSD2
• Data Privacy
• Recap
• Final Thought
• Q&A
} Intro / Stack View 25 Mins
} Use Cases 20 Mins
} Q&A 10~15 Mins

3. About Me
• 40 years of Industry proven experience having undertaken assignments
across the globe; UK, USA, Sweden, Switzerland, Finland, Hong Kong,
Brazil all on behalf of large multinational companies developing and
delivering IT Systems and Capabilities.
• Developed several systems, and successfully managed large professional
teams of Architects, Developers and Analysts,
• Published numerous articles and blogs.
• Master of Science (MSc) Degree and is a charted fellow of the BCS
(FBCS). As an active member in the British Computer Society (BCS) he
currently co-chairs the Enterprise Architecture Specialist Group and is an
elected member of the BCS Council)
• Book “Enterprise Systems Architecture – Aligning Business Operating
Models to Technology Landscapes” available on a wide variety of
platforms.
• Sad fact - In the Late 80’s I set up a Turbo C User Group in the UK and produced a
regular newsletter ,which I would post out via snail mail for the fun.

4. Innumerable EA definitions
Source for definitions : Multiple Web Sites

5. A Simple View/Definition
External Forces
Disruptors
Organization
Technology Ecosystem
Drives, Delivers and
Maintains Capabilities that
enable and support the
Organization in its mission
Creates, delivers and maintains
Value while seeking to meet its
Charter and Obligations
Other
Change Agents Structure and organize its
resources to deliver the
desired outcomes
Manage, Procure, Build and
Leverage Various Digital
Services to enable the desired
outcomes supporting change

6. Other
Change Agents
Realizing our Definition Contd..

7. The Stack (Another View)
1.Align and focus ICT and associated activities to
delivering value to the BOM
2.Developing Technology Synergies and cost
efficiencies
3.Promote Re-using System Components
4.Exposing System Services to new processes.
5.Understanding the impact of any change for
new systems on the performance and capacity
of enabling technologies

8. Dissecting the Stack – Level 0 (BOM)

9. BOM – Concerns to Consider
?
External
forces
Government
Regulators
Markets
Influential
Individuals
Competitors
Drivers for
Change
Strategy
Industry
cognitive AI
Climate
Pandemic
State
disruptors
Enterprise
Structure
Corp
Target
Lines of
business
Business
Models
B2B
B2C
C2B
C2C
Information
resources
Pull
Push
Financial
Management
Capital
Management
Funding
Cash Flow
Reporting
See YouTube Video : https://youtu.be/MYzh1DZ-vyE

10. Importance of understanding the BOM
Analyse the current
situation of your
organization.- Value
Streams , Forces,
Disruptors etc
Optimisation /
Efficiency
Drivers and
Capabilities
Determine the
Target
Operating
Model for the
organization.
Develop an
action plan.
Conduct a
'Proof of
Concept' - Tip
the Toes
before Diving
in !
Implement the
change plan.
Review /
Recalibrate
By analyzing and understanding the various
components of the Business and the Environment that
it operates in one and can plan for any drivers or
industry initiations that will impact the technology
ecosystem moving forward.
The Operating Model we move to the next level which
is the level that seeks to address the business
processes required to deliver the operating model and
more importantly address the process orchestrations
as we move through the various value delivering
streams of activity.
The BOM enables the understanding and
definition of an operating model (current /
future) this requires various process (level 1)
which when orchestrated act as the enablers
to deliver the value and drive the capabilities
(Level 2)

11. Level 1 – Business Processes
Process
Fundamentals Process
Representation

12. Business Processes
Core
Represents, at a minimum, the
individual tasks to be accomplished
to achieve a certain level of
uniformity in output, without
consideration to any underlying
resources (people, technology etc.).
e.g., take order, which can be
executed simply by writing on a
piece of paper the order or as
complex as capture via an order
entry system. However, irrespective
of approach, this is still an essential
process in the sales lifecycle that
must be captured and understood.
Guiding
Used as guardrails in the design
and governance of the
organization. In some cases, these
processes may be dictated in part
and audited by third parties e.g.,
evidence of Identity checks, which
may be part of a regulatory
requirement for finance
companies.
Enabling
Provide the fulfilment of a core
business process and subsequent
delivery of capabilities e.g., IT
Service Delivery, Marketing, HR etc.

13. Business Processes Cont.

14. Technology Centric Layers

15. Alternate View (Capability – Service – Enabler)

16. Example : Capability – Service – Enabler
A ‘Classification’ and Control Mechanism for
functional enablement
MES = Manufacturing Execution System

17. Technology Layers – Alternate Representations
Service to Application View
Leve 0 / Level 1 Enterprise Views (IAM Example)
System Context (API Example) View
The Stack is there to support the
mindset and act as another tick list
– However, for project specific
work will require various diagram
views

18. Enterprise Data Management
Data
People
Related
Reference
Operational
Financial
Asset
Systems /
Pipelines
Transactional
Transient
Master
V
Dimensions
AI Learning
Data

19. Cross Cutting Hygiene Services
Non
Functionals

20. Putting it all together - Single Unified View

21. PART 2
• EU PSD2
• Data Privacy

22. Industry Disruptor – EU PSD-2
The EU European Payment Services Directive (EU) 2015/2366 (PSD-2) - 2018
PSD-2 is having major impact on established companies operating in the financial sector, with the intent to further secure payments and
drive the unification of transactions via elevation of Application Program Interfaces (APIs) supported by the ‘Open Banking’ initiative
where there is a focus on securely exchanging data by connecting banks, third parties and technical providers under one interconnected
technical ecosystem
Introducing the concept of ‘trust and consent’ which must be given, obtained, revoked, validated and
time stamped for the new models to work.
A Payment Initiation Service Provider (PISP) lets a customer pay companies directly from their bank account rather
than using a debit or credit card through a third-party adopting the following simplistic workflow.
1. Customer provides ‘Consent’ to authorizes the PISP to transact using a designated bank account with their bank
where the authority is registered as Active.
2. Customer Initiates Purchase through a Digital Channel which accepts the payment method via the PISP
3. Merchant accepts the method of payment
4. Transaction is transferred to the PISP for payment
5. PISP Makes an API Call to the customer bank to check available funds and request funds transfer
6. Confirmation of funds and payment initiation sent performed to merchant.
7. Bank validates and releases funds to the merchant bank
8. Merchants bank account updated to reflect the credit.

23. Industry Disruptor – EU PSD-2 Cont.
Use Cases
PISP Workflow
AISP Workflow
Simple View/Definition

24. Impact on Service Provision (API) - PSD-2 Cont.

25. Expanding View to a Pattern / Solution

26. Simplifying Complexity for Stakeholders

27. Regulatory Change – EU GDPR
GDPR had a major impact on the way
organization collected, processed,
transformed, stored, presented, and
consumed information. This impact prior to
the law coming into force required
organizations to analyze subsequent impact
on their technology landscape and any new
capabilities to ensure compliance
On May 2018 the European Union’s General
Data Protection Regulation (GDPR) [21] came
into force representing the regulation for data
protection, privacy, and the transfer of
personal data outside of the EU and the
European Economic Area (EEA)

28. Regulatory Change – EU GDPR Contd..
Business Operating Model (BOM)
The key driver for change from the regulation was the
potential fines for non-compliance which influenced
changes to the BOM.
The appointment or nomination of an Organization Data
Protection Officer (DPO), whilst a standard function in
many government agencies and departments is now
replicated in the non-government sectors.
Consideration needed to need to be given to methods
and techniques for presenting, pulling, consuming, and
pushing information in and out of the organization
Business processes
Many organizations adopted a modified BOM and modified core
business processes with a major impact on existing projects in
which required be recalibration to meet the requirements of GDPR.
Additional Management and Reporting of GDPR was inevitable and
organizations re-evaluated existing business and technical process
(triggers, execution methods, data sets) for reporting. This analysis
resulted in the introduction or refinement of additional processes
some of which, but not limited to, were processes to support;
• The Management of Subject Access Requests (SARs)
• Complaints receipt and handling
• Notifications (received and sent) to Data Subjects
• Information retention (audit/traceability)
• Governance of Data and associated controls
• The DPO in their duties.
Capabilities Services
The channels of data exchange between the enterprise and data
subjects required review and in many cases updating, as this is the
point at which the subject provided his/her data to the Enterprise
Applications
The channels of data exchange between the enterprise
and data Applications which interacted with Users and
captured information required evaluation to ensure that
“consent was freely given” for the use of this information.
In case of Commercial off-the-shelf packages then the
requirement could easily be pushed back to the
vendor/supplier. However, in-house or 3rd party
developed custom development may have required
refactoring.
Applications which extract, transform, and push or pull
subject data to any 3rd party System internal or external
to the Organization would require analysis and, in many
cases, flagged for recalibration to ensure they remained
compliant with GDPR.
Data and Information
GDPR is a data-centric policy and therefore impacted the
way information was collected, transformed, shared, and
persisted both internally and externally of the organization.
Analysis of existing stores and custodians of the stores
required analysis, especially as full transparency must be
shown on who has access rights to the data and how those
access rights were controlled
DPOs required new Reporting Data Stores to enable them
to perform their duties in terms of analysis and regulatory
reporting where any data transferred outside of the
organization and outside of the country of operation
required closer scrutiny.
Data and Information Insights had to be developed to
ensure compliance was not only met but shown to be met
down to data objects in physical databases.
Technology Services
Most Technology Services i.e., the enablers will require semi-
analysis as there may be a need to analyze how the information
flows are orchestrated, both in and out of these domains,
Hygiene Services
• Disaster Recover System
•Security
One of the requirements of GDPR is the production of Data
Protection Impact Assessments or DPIAs – One can argue
UK Government Security Officers produce similar information
in the form of Risk Management & Accreditation Document
Set (RMADS) for secure accredited systems.

29. Regulatory Change – EU GDPR Contd..
Business Operating Model (BOM)
The key driver for change from the regulation was the
potential fines for non-compliance which influenced
changes to the BOM.
The appointment or nomination of an Organization Data
Protection Officer (DPO), whilst a standard function in
many government agencies and departments is now
replicated in the non-government sectors.
Consideration needed to need to be given to methods
and techniques for presenting, pulling, consuming, and
pushing information in and out of the organization
Business processes
Many organizations adopted a modified BOM and modified core
business processes with a major impact on existing projects in
which required be recalibration to meet the requirements of GDPR.
Additional Management and Reporting of GDPR was inevitable and
organizations re-evaluated existing business and technical process
(triggers, execution methods, data sets) for reporting. This analysis
resulted in the introduction or refinement of additional processes
some of which, but not limited to, were processes to support;
• The Management of Subject Access Requests (SARs)
• Complaints receipt and handling
• Notifications (received and sent) to Data Subjects
• Information retention (audit/traceability)
• Governance of Data and associated controls
• The DPO in their duties.
Capabilities Services
The channels of data exchange between the enterprise and data
subjects required review and in many cases updating, as this is the
point at which the subject provided his/her data to the Enterprise
Applications
The channels of data exchange between the enterprise
and data Applications which interacted with Users and
captured information required evaluation to ensure that
“consent was freely given” for the use of this information.
In case of Commercial off-the-shelf packages then the
requirement could easily be pushed back to the
vendor/supplier. However, in-house or 3rd party
developed custom development may have required
refactoring.
Applications which extract, transform, and push or pull
subject data to any 3rd party System internal or external
to the Organization would require analysis and, in many
cases, flagged for recalibration to ensure they remained
compliant with GDPR.
Data and Information
GDPR is a data-centric policy and therefore impacted the
way information was collected, transformed, shared, and
persisted both internally and externally of the organization.
Analysis of existing stores and custodians of the stores
required analysis, especially as full transparency must be
shown on who has access rights to the data and how those
access rights were controlled
DPOs required new Reporting Data Stores to enable them
to perform their duties in terms of analysis and regulatory
reporting where any data transferred outside of the
organization and outside of the country of operation
required closer scrutiny.
Data and Information Insights had to be developed to
ensure compliance was not only met but shown to be met
down to data objects in physical databases.
Technology Services
Most Technology Services i.e., the enablers will require semi-
analysis as there may be a need to analyze how the information
flows are orchestrated, both in and out of these domains,
Hygiene Services
• Disaster Recover System
•Security
One of the requirements of GDPR is the production of Data
Protection Impact Assessments or DPIAs – One can argue
UK Government Security Officers produce similar information
in the form of Risk Management & Accreditation Document
Set (RMADS) for secure accredited systems.

30. Value Creation
Value Preservation
Summary
Change is the only constant in life. - Heraclitus
Control
Inform
Direct

31. Final Thought

32. Questions &
Answers

33. Thank You
20% coupon DALBOOK20 is redeemable until July 29, 2023, for
use on ISBN 978-1-4842-8646-3 on link https://link.springer.com/