With a growing regulatory environment, higher business complexity and increased focus on accountability, enterprises are forced to pursue a broad range of governance, risk and compliance initiatives across the organization. However, risks are interdependent and controls are shared, so initiatives that are uncoordinated and unmanaged, or planned and managed in silos, can increase the overall business risk for the organization. Additionally, parallel compliance and risk initiatives duplicate effort, causing costs to go uncontrolled. GRC is a discipline with the purpose of coordinating and integrating these initiatives across governance, risk management and compliance through control definition, enforcement and monitoring, in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps. The basic concepts of GRC can be explained by the following:
- Governance – The overall management approach and oversight role and process to manage and mitigate business risks
- Risk management – The set of processes through which management identifies, analyzes and responds (if and where necessary) to risks that might affect the realization of business objectives, enabling the organization to evaluate all relevant business and regulatory risks and controls and monitor mitigation activities in a structured fashion
- Compliance – Conforming to stated requirements, laws and regulations
Note that this capability covers GRC from a business perspective as a whole. For in-depth knowledge of each of the elements with regard to Business Technology Strategy, consider reviewing the capabilities for each of these in the BTS section.
GRC and Architecture
Problems always have solutions and architects are no strangers to problems. Organizations face many complex challenges as they do business in an increasingly complicated global marketplace, giving rise to many problems to solve. One way to address these problems is to manage the business through an integrated approach to risks and opportunities throughout the enterprise, defined by operational standards and a means of making sure they are met. This is done by making the corporation's governance, risk management and compliance activities more efficient and effective, integrating activities that are usually siloed, duplicative or contradictory in order to enhance value. Multiple systems cause confusion due to duplicative and contradictory processes and documentation. Additionally, the redundancy of work and the sheer expense of maintaining multiple point solutions cause the cost of compliance to become unmanageable.
The Governance, Risk and Compliance process
The interrelationship of management, the Board of Directors and key stakeholders provides an organizational balance of power, which depends on mutual accountabilities and an unfettered exchange of information. This interrelationship needs to work well for the organization to obtain maximum value, i.e. clearly articulating the enterprise's objectives, financial or nonfinancial, and defining the methods by which it establishes and stays within its boundaries while driving towards those objectives. In other words, creating and protecting value by doing the "right" things the "right" way, also called Principled Performance. This is achieved by subjecting a number of key business processes to an integrated approach through GRC activities, which are fundamentally interconnected and dependent on similar people, processes and technology. Note that this does not necessarily mean a consolidation effort, but applying a common vocabulary, approach and technology infrastructure to GRC processes and coordinating activities. This ensures a consistent information flow throughout the organization and enhances efficient resource management. However, GRC efforts usually focus on one area in order to replicate improvements. Here is where architects come in: we provide a holistic view of the entire GRC process throughout the organization by integrating activities across all functions.
Applying these GRC functions and capability elements yields eight universal outcomes:
- Achieve business objectives
- Enhance organizational culture
- Increase stakeholder confidence
- Prepare and protect the organization
- Prevent, detect and reduce adversity
- Motivate and inspire desired conduct
- Improve responsiveness and efficiency
- Optimize economic and social value
According to best practice principles, GRC can be broken down into eight functions and capability elements:
- Organize and oversee – The ability to define outcomes, commitment, roles and responsibilities as well as approach and accountability
- Assess and align – The ability to identify, analyze and optimize risk mitigation
- Prevent and promote – The ability to define a code of conduct, policies, preventative controls, awareness and education, human capital incentives, stakeholder relations and requirements, and risk financing/insuring
- Detect and discern – The ability to define hotlines and notification, inquiries and surveys, and detective controls
- Respond and resolve – The ability to perform internal review and investigation, third-party inquiries and investigations, corrective controls, crisis response and recovery as well as remediation and discipline
- Monitor and measure – The ability to define context monitoring, performance monitoring and evaluation, systematic improvement and assurance
- Inform and integrate – The ability to define and perform information management and documentation, internal and external communication, technology and infrastructure
- Context and culture – The ability to define and incorporate external and internal business context, culture, values and objectives
The GRC capabilities
By working with the architects who own or share a specific GRC sub-capability element, enterprise architects should manage all GRC concerns associated with those sub-capabilities, such as the GRC capabilities concerning the control environment in terms of laws, regulations and business requirements. Enterprise architects have a holistic view of how the enterprise operates with integrated GRC capabilities. Enterprise risk management is linked to performance management, where the architect uses the enterprise view to help the organization meet its strategic plans and objectives while staying within mandatory and voluntary boundaries.
The enterprise architect will interact at the highest levels of GRC management to ensure that management has appropriately handled GRC concerns, supporting prioritization and informing key enterprise business and technical decision-making processes.
Solution architects will most commonly manage GRC concerns while working with the PMO, project manager, project sponsor and different stakeholders for each initiative and function (legal, finance, risk management, compliance etc.).
With an added focus on business-focused GRC concerns impacted by technical change, business architects model and analyze GRC issues. They will understand, model and assist in integrating GRC initiatives associated with legal, finance, capital, compliance and operations to understand where governance, risk and compliance exposure impacts strategic planning and portfolio management. Business architects will often work with their associated business leadership or function at the director and VP levels to analyze critical governance, risk and compliance factors for each function. The business architecture will contain the details required to address governance, risk and compliance exposure and the impacted areas with respect to business goals, processes and capabilities.
Information architects address the risk of information exposure and poor information security planning in terms of usage, information storage and retrieval, transformation and transmission. They are concerned with understanding and analyzing risks which impact the overall use of information in the enterprise.
The infrastructure architect will analyze data center, network, storage and IT operational risks such as device security. They will develop risk models with the risk management office to offset technology capital risk exposure as well as network security.
The software architect is responsible for addressing software development and deployment related risk exposure and analysis. Software risks include the security and use of software-intensive systems. These include software hacks (security) but also business-critical risk associated with software function and use.