MEGA Webinar - PwC - Baker/Tong - EA & GRC, Separated at Birth
2. Speaking today
David Baker, Principal, PwC Advisory, Enterprise Architecture Center of Excellence, PricewaterhouseCoopers LLP, david.c.baker@us.pwc.com, +1.512.554.9035 (mobile)
Colin Tong, Manager, PwC Advisory, Information Risk Management, PricewaterhouseCoopers LLP, colin.d.tong@us.pwc.com, +1.415.412.9723
01/31/2013
© 2013 PricewaterhouseCoopers LLP 2
3. Learning objectives
• Understand key complexities facing the implementation of governance, risk, and compliance (GRC) solutions
• See the similarities in how Enterprise Architecture (EA) and GRC consider the enterprise
• Learn about EA techniques that may reduce the complexity sometimes associated with GRC
• Understand how enterprise architecture models can support GRC activities
• Learn the roles that EA and GRC play together in breaking down GRC silos
4. Companies continue to face increasing change combined with increasing need for oversight and transparency
Figure: Increasing stakeholder demands (Shareholder, The Board, Community, Industry, Regulators, Others) + Expansion of Risk and Control Oversight Functions (IT, Legal, Finance, Risk Mgmt, Compliance, Internal Audit) + Expanding Risks, Laws and Regulations (SOX, Anti-Fraud, Privacy, AML, Credit, FCPA, BCP, Info Sec., Op Risk, FSG) = effects on the Business Unit:
• Business Fatigue
• Lack of coordination
• Duplicate efforts
• Risks falling through the cracks
• Competition for attention
5. The current governance, risk and compliance (GRC) environment faces many complications
1. The multifaceted risk environment presents multiple, fragmented views of risk management
2. GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
3. Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
4. Compliance is often based on checklists of requirements
Adapted from “Foundations of GRC: Establishing an Enterprise View of Risk & Compliance”, Michael Rasmussen, 2009
7. The solutions to these complications all involve use of a holistic enterprise operating model
1. Link enterprise risk management to enterprise performance management
2. Holistic view of how the enterprise operates with integrated GRC capabilities
3. Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
4. GRC should be managed by specific outcomes (principled performance) rather than checklists
Figure: PwC’s Operating Model Framework, with layers Corporate Strategy (Ambition, Business Model, Strategic Agenda, Strategic Foundation); Customer Offering (Customers, Channels, Intermediaries, Brands, Products, Services & Solutions, Alliance Partners); Business Capabilities, made up of Process (Processes, Policies), Organisation (Organisation Structure, Roles & Accountabilities, Physical Environment), Technology (Application, Integration, Infrastructure, Networks & Interdependencies, Governance Arrangements, Suppliers), Information (Reports & Analytics, Semantics, Data) and People Capabilities (Workforce, Culture & Behaviours, Competencies & Talent, Reward); Corporate Structure (Tax Structure & Arrangements, Legal & Regulatory Structure, Cash, Banking & Treasury Structure, Capital Structure); and Enterprise Performance Management Metrics
8. That same holistic enterprise operating model has also been the holy grail of the Enterprise Architecture (EA) discipline
Figure: the operating model layers (Corporate Strategy, Customer Offering, Business Capabilities, Corporate Structure, Enterprise Performance Management Metrics) with the questions each audience brings to them.
Business wants to know: How can I innovate? How quickly can I get it? How much does it cost / save? What are the risks? What’s possible?
Managers want to know: Is my portfolio of activities aligned with the strategy? Have we done this before? How do we get it done? How do I make sure it’s done correctly? What’s possible? Am I meeting expectations efficiently? What risks am I taking?
Staff wants to know: What do I change? What do I build it with? When do I change it? How well am I aligning with our EA? What things should I NOT be changing?
9. Like twins separated at birth, GRC and EA work toward the same outcomes
Figure: PwC EA Capability Model (Strategic Planning, Portfolio Mgmt, Architecture Governance, Reference Architecture, Innovation, Standards Definition)
Let’s return to the GRC complications and see how to apply EA solutions to each
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
10. (1) Issue: The multifaceted risk environment presents multiple, fragmented views of risk management
Figure: Departments or functions that serve on the compliance committee
Source: PwC State of Compliance: 2012 Study, June 2012
11. (1) EA Answer: Link enterprise risk management to corporate performance management
Figure: business motivation model. Internal & External Drivers; Vision Statement and Mission Statement (the Vision “makes operative” the Mission); Goals and Strategies (Goals amplify the Vision, Strategies channel effort toward Goals, each is a component of the Ambition and the Business Model); Objectives & Metrics (quantify Goals and channel effort from Strategies); Ambition, Business Model and Decisions.
• Understand the factors that motivate the business
• Extract and drive additional detail into elements of the business model
• Clearly articulate the Ambition – things that the business wishes to achieve
• Clearly articulate the decisions – things that the business will employ to achieve the Ambition
In this way, the business model becomes a common foundation for identifying risks to the business intent
Some terms and relationships adapted from the Object Management Group’s Business Motivation Model, Release 1.3
12. (2) Issue: GRC work tends to be performed in silos such as IT, Legal, Operations, Finance
Figure: GRC functions sharing a common GRC-specific tool, technology or platform with other functions
Source: PwC State of Compliance: 2012 Study, June 2012
13. (2) EA Answer: Holistic view of how the enterprise operates with integrated GRC capabilities
Figure: Corporate Ambition (Goals, Strategies, Objectives & Metrics), Business Model, and Enterprise Operating Model (Corporate Strategy, Customer Offering, Business Capabilities, Corporate Structure, Enterprise Performance Management Metrics), mapped against the desired GRC capabilities:
Desired GRC Capabilities   Ambition Impact   Business Model Impact   Operating Model Impact
Organize                   Impact A          Impact B                Impact C
Assess                     Impact D          Impact E                Impact F
Proact                     Impact G          Impact H                Impact I
Detect                     Impact J          Impact K                Impact L
Respond                    Impact M          Impact N                Impact O
Measure                    Impact P          Impact Q                Impact R
Includes material copied from or derived from the OCEG Red Book GRC Capability Model, Version 2.1, page 3, http://www.oceg.org/RedBook
14. Poll Question
15. (3) Issue: Compliance involves enterprise alignment and control to stay within mandated and voluntary boundaries
Includes material copied from or derived from “Making the Business Case: Integrating Governance, Risk and Compliance to Drive Principled Performance”, page 6, http://www.oceg.org/view/IllusBigPictureBusinessCase
16. (3) EA Answer: Use the enterprise view to help the organization meet strategic plans and objectives while staying within mandatory and voluntary boundaries
• Strategic Roadmaps: Modernization plans for business areas. Typically 3-5 year view.
• Reference Architectures: reusable patterns for technical and operations solutions
• Guiding Principles: statements used as filters for decision making
• Standards: a library of stable technologies and processes for consistency
Image courtesy of Wikimedia Commons
17. (4) Issue: Compliance is often based on checklists of requirements
Checklists are like looking in a rearview mirror
Figure: a checklist (Do A, Check B, Redo C, Do D) beside two questions: How do you ensure the checklists are complete, accurate, and up to date? Have you asked all the right questions?
Checklists can lead to a false sense of security
Image courtesy of Wikimedia Commons
18. (4) EA Answer: GRC should be managed by specific outcomes (principled performance) rather than checklists
Principled Performance
“Reliable achievement of objectives while addressing uncertainty and acting with integrity”
Figure: Current State Operating Model moving to Target State Operating Model
The EA constitution, in combination with an EA roadmap, enables the EA governance process to assist you in getting where you are going, while maintaining alignment with corporate goals and objectives
Includes material copied from or derived from “Increase Principled Performance and Reduce the Cost (and Hassle) of Risk Management and Compliance”, http://www.oceg.org/event/increase-principled-performance-and-reduce-cost-and-hassle-risk-management-and-compliance
Image courtesy of Stock.xchng
19. Poll Question
20. We’ve discussed 4 EA techniques that can help implement your GRC program
1. Unify your multifaceted GRC environment by linking your risk and compliance measures to the corporate strategy. (EA modeling)
2. Bridge your GRC silos by designing a common set of GRC capabilities and assess the impact by using a holistic operating model of your enterprise. (GRC capability mapping and impact analysis)
3. Help your efforts stay within voluntary and mandatory boundaries by creating an EA constitution (strategic planning, reference architectures, standards and guiding principles)
4. Avoid the pitfalls associated with management by checklist by leveraging the EA constitution (EA governance)
21. Thank you
© 2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PwC helps organizations and individuals create the value they’re looking for. We’re a network of firms in 158 countries with more than 180,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
Includes material copied from or derived from OCEG at http://www.oceg.org
23. Separated at Birth: EA and GRC ...to be continued in Part II: Putting GRC Architecture methods into practice
MEGA is revolutionizing the approach to
operational governance
Imagine your business united...
www.mega.com - @mega_int