Thursday, November 5, 2009

GRC Reference Architecture: Enterprise Data Architecture & Framework

GRC – Governance, Risk, & Compliance. Whether you use this specific acronym or not the fact is your organization does GRC. There is not a single executive that will tell you that they lack corporate governance, do not manage risk, and completely ignore compliance. The truth of the matter: GRC has been a part of business since the dawn of business.

GRC is akin to CRM (Customer/Client Relationship Management) in the 1980’s. Before CRM systems and processes entered the organization client information and relationships were still being managed. The challenge was that they were being managed in scattered silos that ended up with inconsistent and redundant data with no view into the entire profile of the client and its interaction with the business. CRM systems entered the picture to create a single view of customer information and interactions across business processes and roles. GRC systems and processes aim to achieve the same thing – to provide an integrated picture of governance, risk, and compliance information and processes across the business. To accomplish an integrated view of GRC requires the establishment of a GRC business process and technology architecture.

In the next several newsletters I am focusing on the communication of Corporate Integrity’s GRC Reference Architecture. This GRC Reference Architecture is party of my broader GRC EcoSystem of technology, consultants, and information providers (over 1300 firms cataloged to date). It is also the foundation of the revisions going into OCEG’s GRC IT Blueprint.

The GRC Reference Architecture is comprised of: a data architecture/framework, enterprise core GRC application(s), role/business function specific applications, as well as industry and geographic/jurisdiction specific applications.

This week we look at the information foundation (from a high-level) in the Enterprise GRC Data Architecture & Framework. A firm foundation is necessary to build extensible and agile GRC system and processes.

Intricate relationships between different information the heart of a successful GRC technology strategy. When I was in grade school I loved it when the teacher had us draw points around a circle and draw lines connected to every other point resulting in a beautiful geometric pattern that captivated the eye. The same visual represents the many to many relationships of GRC information. If you think about it – policies, risks, controls, events, requirements, enterprise assets/processes, responsibilities, and objectives all map to each other. Organizations need to know what policies set management thresholds for specific risks; what events happened that violated specific policies, materialized risk, and caused an infraction of a regulatory requirement; what controls are established in specific policies and defined to control what risks; which business objectives are risks related to and how do we monitor controls to stay within acceptable tolerance levels of risk while aiming for that objective.

The core of a GRC Data Architecture and Framework integrates the following libraries of information within the organization:

  • Objective library. This is often the missing piece of GRC. Most GRC strategies are focused on meeting requirements and putting out fires of risk. However, governance starts with understanding corporate performance, business strategy, and objective management. A good GRC system will define business objectives and cross-reference those to risks, requirements, and other areas of GRC.
  • Risk library. The problem with risk management is that it often happens in silos and there is no aggregate view of risk. Organizations need a consistent data framework to define, manage, and monitor risks. This requires that risks be mapped to objectives but also to other elements such as controls implemented to treat risks, events that show where risk has materialized, responsibilities to define risk owners, as well as policies used to establish and set thresholds of risk.
  • Control library. Controls establish the fundamental building blocks of a GRC program. They aim to make sure the organization is staying within boundaries of risk and compliance while allowing the organization to pursue its objectives. Controls are in place to protect the organization. A good GRC system will allow for the cross referencing of controls to business objectives, risks, events (control failures/weaknesses), policies, regulatory requirements, as well as the business environment of processes and assets.
  • Event library. Whether called cases, events, incidents, issues, investigations . . . the organization aiming for an integrated and efficient GRC system will need a common repository of events and losses that have impacted the organization. This starts with the recording of an event, the documentation on investigation and response, to allocating loss information that feeds into risk models. Events document policies that were violated, actions took, control issues/weaknesses, responsible parties as well as what part of the organization was impacted.
  • Responsibility library. Every business objective, risk, policy, requirement, business asset has something in common – an owner. Businesses get into a world of hurt when they do not know who is responsible for what policy, risk, regulatory requirement, etc. Defining ownership of the components of GRC is essential to a successful risk and compliance strategy.
  • Policy and procedure library. Policies set the boundaries of the organization – they establish the expected/required behavior of individuals, systems, processes, and relationships within business. At the highest level they articulate values and code of conduct, at the detailed level they tell you exactly where boundaries lie. Policies map to risks to establish risk culture, tolerance, and appetite; they map to events where an organization can see where policies have been violated; they map to controls as specific statements within policies often are the control statements themselves; they map to requirements to meet specific boundaries set forth by regulators; and they also map to the enterprise as policies govern everything from the entire business (e.g., code of conduct) to specific business operations/processes.
  • Requirement library. The focus of GRC is to stay within boundaries while achieving business objectives. A central store of requirements from regulators, laws, code of conduct, ethics, values, social responsibility, contracts . . . allows the organization to document what it has to be compliant to. This enables the mapping of requirements to policies, risks, controls, business objectives, enterprise assets/processes, as well as events that identify where a requirement has been missed.
  • Enterprise library. No matter what area of GRC information you are looking at it applies to something in the organization. It can apply to the whole organization such as a code of conduct, or a specific business unit, process, entity, business relationship, employee/role, or event information category itself. Organizations that successfully approach GRC have established enterprise modeling to relate objectives, risks, controls, events, policies, responsibilities, and requirements to the business.

Illustration: last week I was discussing the role of GRC applications and information and how they integrate with a global professional services firm looking to implement a GRC strategy and solution to govern their internal operations. They asked – “We have been using Sharepoint for policy management, does this need to be part of the GRC system?” My reaction was that this the approach many organizations take but challenged them to consider the intricacies of this approach which would handicap their GRC strategy. These included challenging them if they have a central and authoritative repository of all policies? Do they have a way to manage the lifecycle of policies from authorship, approval, communication, regular/periodic maintenance, training, attestation, and archiving of policies? Do they have a way to track exceptions to policies? More specifically to the relationship of policy information – can they map policies back to regulatory requirements, risks, controls, business objectives, as well as the events/investigations in which policies were violated? It was at this point they saw the picture of why an integrated GRC system adds value across the business silos of risk and compliance that have gone in different directions in the past.

This is just a high-level view of the core data components of a GRC architecture. Next week I will publish the core enterprise GRC applications that leverage this data. Detailed training on the GRC Reference Architecture can be found in Corporate Integrity & OCEG's GRC Strategy & Technology Bootcamps.

Posted by Corporate Integrity at 2:56 PM

Labels: GRC, Governance, Risk, Compliance , ,

20 comments:

Chris said...

I like this model. There's a strong linkage to information govenance here with all the data/information/reports that need to be managed.

One area that would be interesting to explore is the mix of machine readable vs. human readable parts in each library. In each of these I can see the guidelines and documentation that people would use to define the business rules and controls that need to be in place.

November 6, 2009 6:16 PM
Richard Pike said...

Michael
I would suggest two additions to your libraries: control tests (used by compliance or audit) and indicators (used mainly in risk, but a very useful way to ascertain change over time)

November 10, 2009 3:59 AM
Corporate Integrity said...

Richard,

Your recommendations are sound - but are part of what I am defining in the control library as well as the objective and risk libraries. Properly documented controls will have associated control tests in the library. Properly documented objectives will have key performance indicators. Properly documented risks will have key risk indicators.

This also will be spelled out further when I release the next post on the Enterprise GRC Core.

November 10, 2009 6:00 AM
Martijn said...

Michael,

I like the model and the data architecture and I am very interested in the next newsletters about how the framework is used. I also very much like the picture as it depicts the relationship between all different concepts; something I am trying to proper visualize for some time now.

What I did with your current framework is applying it on a global description of how I approach business processes with regards to GRC. For this purpose I took the liberty to adjust your figure a little bit. Since I cannot find I way to incorporate in this message: http://www.mzsystems.nl/logreacties/Adopted_Figure_M_Rasmussen_2009.jpg

Currently I am looking at / working on a GRC approach with business processes as the central point. This also means that with regards to the “enterprise library” I consider business processes as the centre and from this viewpoint I look at related other parts of the organization like employees / actors, business units.

From my view this is how the framework could support business process execution:

[1] The execution of a business process (or its individual tasks) can result to the manifestation of an event / case / issues (event library). [2] To prevent the manifestation or mitigate it control mechanisms (control library) are implemented on the entire processes or the individual tasks executed. [3] These controls are based on business rules, which depending on the level they are stated come in many different forms (policy and procedure library). [4] From my perspective business rules can be derived from internal and external policies (requirements library); [5] which, among others, are based on ‘commonly’ known risk (risk library). From my perspective the ‘objective library’ is embedded in the business process approach since the business processes are formulated to achieve business objectives which are based on the business strategy etc.

With regards to responsibility library this is something I did not yet included into my findings. But it would not be that hard to incorporate since I have all the ‘elements’ only the ‘connections’ are missing.

November 11, 2009 1:01 AM
Michael Versace said...

LinkedIn Groups

Group: Corporate Integrity
Subject: New comment (1) on "GRC Reference Architecture: Data Architecture & Framework"
Nice work, and interesting read. But again, this is not a data architecture or framework. Simply put, it's a set of content that can be managed by any content management system (Sharepoint, for instance) or filing system.
Posted by Michael Versace

November 11, 2009 3:15 PM
Corporate Integrity said...

Michael Versace,

I appreciate your input - but disagree. This is a high-level architecture (which is a very broad term with a lot of meanings - it shows structure and relationship) of how the data interacts. The illustration I used in the blog posting specifically has more detail and show the issue with Sharepoint specifically.

November 11, 2009 3:19 PM
Jim Routh said...

LinkedIn Groups

Group: Archer Community
Subject: New comment (1) on "GRC Reference Architecture: Data Architecture & Framework"
The responsibility library is essential for effective governance and often overlooked so I'm glad you identify it. How about control test results or compliance library?
Posted by Jim Routh

November 11, 2009 3:24 PM
Corporate Integrity said...

Jim,

Thank you for your response. I define control tests as part of the control library as each control has associated tests. The library can have many components and sub-libraries/components.

As for the compliance library - this is what I defined as the requirements library. The full blog posting on my website has more detail.

November 11, 2009 3:41 PM
Anandasubramanian Codangudi said...

LinkedIn Groups

Group: Risk, Regulation & Reporting
Subject: New comment (2) on "GRC Reference Architecture: Data Architecture & Framework"
WOW.
Thank you very much.
Guess this can be adapted to reduce Operational Risk for a bank pretty quickly.
Posted by Anandasubramanian Codangudi

November 11, 2009 3:42 PM
Ramesh Ramaswamy said...

LinkedIn
Ramesh Ramaswamy FCA CISA PMP has sent you a message.
Date: 11/11/2009
Subject: RE: GRC Reference Architecture: Data Architecture & Framework
Michael,
Very interesting presentation.
The " Survey and Questions" ,the processes with the details of the owners - this is important from the workflow perspective -are some of the other artifacts.
Library of survey and questions enhances the reusability,besides being an easy reference.I have found a centralized library of question and surveys very effective.
Often i observe people searching for work flow receipients for remedial action,exceptions.This is especially so where the organization structure and the reporting structure are not properly defined and expressed in hierarchical terms.
My 2 cents.
Regards
Ramesh

November 11, 2009 3:44 PM
Ingo Janßen said...

LinkedIn Groups

Group: Enterprise Risk Management Association
Subject: New comment (1) on "GRC Reference Architecture: Data Architecture & Framework"
That seems to be a very well-organized and complete list of task but with one problem left: It can cause a complete bureaucratic overkill and lead to an organization described in Franz Kafka's book "Der Prozess". At the end it can lead to the so-called "Lenin problem" which is a vicious cycle: Who controls the controller of the controller of the controller .... From my point of view the challenge is to find a balance between rules and controls and entrepreneurship within a company which most often is combined with the breaking of rules to a certain extend. This entrepreneural rule breaking must be possible with awards on behalf of the rule breaker instead of sanctions if the outcome is in the end beneficial for a company. Otherwise all innovations from inside would come to a standstill and the company would disappear in an competitive environment.

(P.S. Here in Europe we really have made very bad experiences with over-bureaucracy during the last centuries and we were happy that the United States were an example of economic wealth by individual freedom.)
Posted by Ingo Janßen

November 11, 2009 3:46 PM
Corporate Integrity said...

Ingo,

Thank you for the feedback. The goal is to provide a system that many roles can work within - my blog posting that the above discussion has a link to has more detail - and relates back to the early days of CRM. The goals of a good GRC system is to provide balance between strategy/objectives, risk, compliance, and control.

November 11, 2009 3:48 PM
Liz Taylor said...

LinkedIn Groups

Group: Enterprise Risk Management Association
Subject: New comment (2) on "GRC Reference Architecture: Data Architecture & Framework"
I agree with you both, but I am not sitting on the fence.

What is needed is the principle of "tough love" - ie creating clear and published boundaries which are wide enough to enable people to embrace innovation and take risk in a managed way and providing fair and consistent sanctions for breaking those boundaries - including a review mechanism for those rules and the systems behind them.

For example, I once managed a cheque guarantee operation where the sales people were remunerated on volume alone (see the pitfall?). We built a model with those sales people which enabled them to see the profitability of the sale and worked with them to create a new remuneration system based on volume AND profitability. This system had to be easy to use, so we incorporated it onto their PDA's. The business profitability went up, volumes increased and everyone was happy.

Then one sales person sold a deal not based on the system. We called a meeting and asked their peers to consider what had gone wrong and what the sanction should be for their colleague. They said that the system updates did not always function well on their PDA's, so we gave them laptops instead and did not punish the miscreant. All laptops updated automatically and there were no further problems.
Posted by Liz Taylor

November 11, 2009 3:49 PM
Nick Mottershead said...

LinkedIn
Nick Mottershead has sent you a message.
Date: 11/11/2009
Subject: GRC Reference Architecture
Hi Michael

I liked your article on the architecture. Just a couple of thoughts which may be of interest:
1) If financial reporting is enhanced so that it includes identification of the underlying causes of both success and failure, it can assist with your events library and also in validating the whole risk and controls librabry on a regular basis. There are some cultural challenges to this in respect of the impact of increasing visibility and accuracy of the causes of success and failure...etc.
2) Policy management is normally pretty badly done. Rarely is there a clear architecture for policies that shows how they all link together, ensures the organisational completeness etc and they normally start from exec level down rather than with what shareholders want and dont want. I think a formal policy architecture can assist and this means defining in policies what outcomes are expected and what cant be done starting from the board room down ie
- board defined outcome policies
- board defined limitation polcies
- exec defined outcome policies
- exec defined limitation policies
such that, for example, the exec defined limitation policies can only sit within limits already set by the board, which have been set by the board in response to the agreed strategy as communicated to and agreed with the shareholders.

Happy to discuss more if of interest
Nick

November 11, 2009 3:51 PM
Nick Bleech said...

LinkedIn Groups

Group: Cloud Security Alliance
Subject: New comment (1) on "GRC Reference Architecture: Data Architecture & Framework"
This is good, and raises lots of issues. Firstly that any architecture has to have a purpose, a set of issues it is defined to tackle. Why are we specifying it, who's the audience, what benefit does it give them? Maybe the purpose is to establish where a current tool set needs to evolve, to give a frame for requirements formulation; maybe it's to provide a top down view of totally new requirements to be implemented from scratch (e.g. your example); maybe it's to help discover/derive interfaces and interoperability standards that vendors will need to develop; maybe it's just a pedagogical tool for practitioners. There may be several 'architecture views' that correspond to each stakeholder's frame of reference.

So we need to say why the architecture is needed, who's it for as well as what's in the architecture. When there are several possible purposes, perhaps one can pick one to start with, to anchor the specification effort. So we start to get a sense of the stakeholders' needs, where the priorities may lie to develop the architecture further, and to help derive implementation roadmaps (assuming the architecture can't be built in one shot, which is a reasonable assumption here).

Secondly that organizations will have many architectures: enterprise, business process, security, tech. infrastructure, middleware, systems... So is a 'GRCarch' a subset of one of these, a particular 'view' of a pre-existing architecture, an 'overlay' across one or several 'wider' architectures, or what? I think the answer is that it could take a number of forms, but it won't stand alone and so it will have to fit within a wider architecture framework whatever form it takes and provide linkages, e.g. a linkage to KPIs as noted in a comment on your blog. To say all this, makes the thing look even more daunting! But help is at hand in the 'architecture community' where standards like TOGAF (Open Group) explicitly allow for specialized architectures to be developed in a federated and manageable way, and accommodate architecture views, architecture development, and more.

The final point I would like to make is that any enterprise data architecture has to tackle the time value and the depth of information in scope, and of course there is never going to be a one size answer. So here we can see that events can lead to incidents, incidents can lead to material impacts, and material impacts can lead to the consequences our risk analyses and policies predict; but equally any of these can lead nowhere at all, and we won't always know in 'real time' how significant the lowest level event is. What to keep, what to track, what to correlate, what to throw?

Sometimes we are forced to capture every tiny detail that could mean something later on (e.g. trading and traders' activities in a dealing room) and sometimes all we need to do is build something that lets us run periodic compliance audits and clean ups, and make sure we can cross index and correlate derived data now and again on demand, but we don't need to maintain live indexes 24/7. In the latter case the GRCarch that we actually build out might focus on equipping the organization to execute those audits and build the indexing on demand plus after the event forensics to mitigate material impacts, rather than constructing a whole set of live indexes that together give you a map of the universe to spot the black holes before they form. This isn't necessarily a binary choice - for example Autonomy's IDOL platform ambitiously seeks to give you the best of both worlds, provided you buy into its fundamental approach to cluster related information together.

I suspect you'll be addressing these themes in your forthcoming architecture document - but thanks for the opportunity to comment in advance.

- Nick
Posted by Nick Bleech

November 11, 2009 3:53 PM
Corporate Integrity said...

Nick,

Thanks for the detailed feedback. In response to your discussion . . . I see the GRC architecture as a specific slice/view that cuts across and is part of the enterprise, business process, and other architectures.

November 11, 2009 3:56 PM
Sumanth Cheedella said...

LinkedIn Groups

Group: Financial Intelligence
Subject: New comment (1) on "GRC Reference Architecture: Data Architecture & Framework"
Hi Michael, I am a novice in GRC space and this post has given me a bird's eye view on what GRC is. It is really impressive. Thank you!
Posted by Sumanth Cheedella

November 12, 2009 1:50 PM
Dorian Cougias said...

LinkedIn Groups
Group: Unified Compliance
I think you are close, but no definite cigar. Let me noodle on all of the elements that you've listed here and see which of them we can actually find as requirements within the authority documents we've mapped.
Dorian Cougias

November 24, 2009 6:48 AM
Corporate Integrity said...

Dorian, keep in mind that the authority documents you have mapped largely pertain to the IT/information governance, risk, compliance, and control world. What we are aiming for in this particularly piece is the foundational elements of enterprise GRC while realizing there are more data and application elements in specific niches of GRC such as IT, or EH&S, CSR, Quality . . .

November 24, 2009 6:49 AM
Adrian Wiesmann said...

OK, I get the point, of both of you. But let me rephrase it to see if I really get the point. GRC is the umbrella term for all the different efforts around ethics, risks, regulations, whatever.

But then, where is the difference between ethics and regulations. Between risks and opportunities. These are all rules we decide to follow. In the beginning, a company decides on what goals they want (or have to achieve). In risk this is usually called risk appetite. But actually this is something we also apply to ethics (what do we allow, what not), to regulations (well, actually others decide here :) ), etc.

So we should use the word appetite in general to describe that step of choosing the right rules for the current situation: definition of appetite. Based on that appetite definition we will then choose the content from the UCF or whatever source we have. And once we have chosen the content from the UCF we can use the exact same meta model: we have a set of assets, we have a set of players, we also chose a set of rules (UCF). And we can then do the magic on that set of data. We worked on such a data model as well, we not only shared it, but we also freely share the tool to work on it :)
Posted by Adrian Wiesmann

December 12, 2009 7:04 PM

Post a Comment

Subscribe to: Post Comments (Atom)