
MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth


Published in: Business

  1. Separated at Birth: EA and GRC (January 31, 2013)
  2. Speaking today: David Baker, Principal, PwC Advisory, Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP, +1.512.554.9035 (mobile); Colin Tong, Manager, PwC Advisory, Information Risk Management, PricewaterhouseCoopers LLP, +1.415.412.9723. (Slide footer on every slide: 01/31/2013, © 2013 PricewaterhouseCoopers LLP.)
  3. Learning objectives
     • Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
     • See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
     • Learn about EA techniques that may reduce the complexity sometimes associated with GRC
     • Understand how enterprise architecture models can support GRC activities
     • Learn the roles that EA and GRC play together in breaking down GRC silos
  4. Companies continue to face increasing change combined with an increasing need for oversight and transparency. Diagram: increasing stakeholder demands (shareholders, the Board, the community, industry, regulators, others) + expansion of risk and control oversight functions (IT, Legal, Finance, Risk Management, Compliance, Internal Audit) + expanding risks, laws and regulations (SOX, anti-fraud, privacy, AML, credit, FCPA, BCP, information security, operational risk, FSG) = for the business unit:
     • Business fatigue
     • Lack of coordination
     • Duplicate efforts
     • Risks falling through the cracks
     • Competition for attention
  5. The current governance, risk and compliance (GRC) environment faces many complications:
     1. The multifaceted risk environment presents multiple, fragmented views of risk management
     2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
     3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
     4. Compliance is often based on checklists of requirements
     Adapted from "Foundations of GRC: Establishing an Enterprise View of Risk & Compliance", Michael Rasmussen, 2009.
  6. Poll question
  7. The solutions to these complications all involve use of a holistic enterprise operating model:
     1. Link enterprise risk management to enterprise performance management
     2. Holistic view of how the enterprise operates, with integrated GRC capabilities
     3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
     4. GRC should be managed by specific outcomes (principled performance) rather than checklists
     Diagram, PwC's Operating Model Framework: Corporate Strategy (Ambition, Business Model, Strategic Agenda, Strategic Foundation); Customer Offering (Products, Services & Solutions; Customers; Channels; Intermediaries; Alliance Partners; Brands); Business Capabilities, comprising Process (Processes, Policies), Organisation (Organisation Structure, Roles & Accountabilities, Physical Environment, Governance Arrangements, Suppliers), Technology (Application, Integration, Infrastructure, Networks & Interdependencies), Information (Reports & Analytics, Semantics, Data) and People Capabilities (Workforce, Competencies & Talent, Culture & Reward, Behaviours); Corporate Structure (Tax Structure & Arrangements; Legal & Regulatory Structure; Cash, Banking & Treasury Structure; Capital Structure); Enterprise Performance Management Metrics.
  8. That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline. Diagram: the same operating-model layers (Corporate Strategy, Customer Offering, Business Capabilities, Corporate Structure, Enterprise Performance Management Metrics) annotated with what the business, managers and staff want to know: How can I innovate? How quickly can I get it? How much does it cost / save? What are the risks? What's possible? Am I meeting expectations efficiently? Is my portfolio of activities aligned with the strategy? Have we done this before? How do we get it done? How do I make sure it's done correctly? What risks am I taking? What do I change? What do I build it with? When do I change it? How well am I aligning with our EA? What things should I NOT be changing?
  9. Like twins separated at birth, GRC and EA work toward the same outcomes. PwC EA Capability Model: Strategic Planning, Portfolio Management, Architecture Governance, Reference Architecture, Innovation, Standards Definition. Let's return to the GRC complications and see how to apply EA solutions to each. Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3.
  10. 10. u Issue: The multifaceted risk environment presents multiple, fragmented views of risk managementDepartments or functions that serve on the compliance committee Source: PwC State of Compliance: 2012 Study, June 2012 01/31/2013 © 2013 PricewaterhouseCoopers LLP 10
  11. 11. u EA Answer: Link enterprise risk management to corporateperformance management •  Understand the factors that motivate the Internal & External Drivers business Makes operative Vision Mission •  Extract and drive additional detail into Statement Statement elements of the business model Amplifies A component of •  Clearly articulate the Ambition – things that Channels the business wishes to achieve Effort Goals •  Clearly articulate the decisions – things that the business will employ to achieve the Quantifies Strategies Ambition Channels Objectives Effort & Metrics In this way, the business model becomes a common foundation for identifying Ambition Business Model risks to the business intent DecisionsSome terms and relationships adapted from the Object Management Group’s Business Motivation Model, Release 1.3 01/31/2013© 2013 PricewaterhouseCoopers LLP 11
  12. 12. v Issue: GRC work tends to be performed in silos such as IT,Legal, Operations, FinanceGRC functions sharing a common GRC-specific tool, technology or platform with other functionsSource: PwC State of Compliance: 2012 Study, June 2012 01/31/2013© 2013 PricewaterhouseCoopers LLP 12
  13. 13. v EA Answer: Holistic view of how the enterprise operateswith integrated GRC capabilities Corporate Ambition Business Model Enterprise Operating Model Goals CORPORATE STRATEGY Strategies CUSTOMER OFFERING BUSINESS CAPABILITIES Objectives & Metrics CORPORATE STRUCTURE ENTERPRISE PERFORMANCE MANAGEMENT METRICS Business Operating Ambition Model Model ImpactDesired GRC Capabilities Impact Impact Organize Impact A Impact B Impact C Assess Impact D Impact E Impact F Proact Impact G Impact H Impact I Detect Impact J Impact K Impact L Respond Impact M Impact N Impact O Measure Impact P Impact Q Impact R Includes material copied from or derived from the OCEG Red Book GRC Capability Model, 01/31/2013 © 2013 PricewaterhouseCoopers LLP Version 2.1, page 3, 13
  14. Poll question
  15. Issue 3: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries. Includes material copied from or derived from "Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance", page 6.
  16. EA Answer 3: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
     • Strategic Roadmaps: modernization plans for business areas, typically a 3-5 year view
     • Reference Architectures: reusable patterns for technical and operations solutions
     • Guiding Principles: statements used as filters for decision making
     • Standards: a library of stable technologies and processes for consistency
     Image courtesy of Wikimedia Commons.
  17. Issue 4: Compliance is often based on checklists of requirements. Checklists (Do A, Check B, Redo C, Do D) are like looking in a rearview mirror. How do you ensure the checklists are complete, accurate, and up to date? Have you asked all the right questions? Checklists can lead to a false sense of security. Image courtesy of Wikimedia Commons.
  18. EA Answer 4: GRC should be managed by specific outcomes (principled performance) rather than checklists. Principled Performance: "Reliable achievement of objectives while addressing uncertainty and acting with integrity." Diagram: current-state operating model to target-state operating model. The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going while maintaining alignment with corporate goals and objectives. Includes material copied from or derived from "Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance"; image courtesy of Stock.xchng.
  19. Poll question
  20. We've discussed 4 EA techniques that can help implement your GRC program:
     1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy (EA modeling)
     2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise (GRC capability mapping and impact analysis)
     3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution (strategic planning, reference architectures, standards and guiding principles)
     4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution (EA governance)
  21. Thank you. © 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organizations and individuals create the value they're looking for. We're a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at . Includes material copied from or derived from OCEG at .
  22. Questions?
  23. Separated at Birth: EA and GRC, to be continued in Part II: Putting GRC Architecture methods into practice. MEGA is revolutionizing the approach to operational governance. Imagine your business united... @mega_int