Issue No: 26
GOVERNANCE ANALYSIS USING ENTERPRISE ARCHITECTURE
PERTH, AUSTRALIA – July 5, 2004. As fallout of the financial failures of
Enron, WorldCom and Tyco, the USA Federal Government passed the
Sarbanes-Oxley Act of 2002 (also called “Sar-Ox” or “SOX”). This legislation
assigns personal responsibility to senior management of public and non-public
organizations for corporate governance and financial reporting. In the USA it
can result in senior managers (CEOs, CFOs, COOs and others) being sentenced to
jail terms, as we have recently seen in the news. Corporate Governance is also
being applied in various forms by other countries throughout the world. Of
particular concern is Section 404 of the Act, which relates to “Management
Assessment of Internal Controls”.
Earlier issues of TEN have separately addressed concepts of
Enterprise Architecture or Enterprise Integration. In this issue we will discuss
the important role that Enterprise Architecture takes in supporting the needs of
senior management for Governance Analysis, as required by Sarbanes-Oxley in the
USA and also as required by other countries throughout the world.
Clive Finkelstein
TEN - The Enterprise Newsletter
FEATURE
The Sarbanes-Oxley Act of 2002
assigns personal responsibility to senior management of public and non-public
organizations in the USA, and is being applied in various forms also by other
countries throughout the world. Of
particular concern is Section 404 of the Act, which relates to “Management
Assessment of Internal Controls”. This requires Internal Control Reporting
and states “the responsibility of management for
establishing and maintaining an adequate internal control structure and
procedures for financial reporting.”
A summary of links to key resources on the Sarbanes-Oxley Act
of 2002 is located at
http://www.aicpa.org/sarbanes/index.asp. The full text of the Act is
available from these resource links as “Sarbanes-Oxley Act 072302.pdf”. A
Summary of key sections of the Act is available from
http://www.aicpa.org/info/sarbanes_oxley_summary.htm.
Internal Controls will vary
from enterprise to enterprise. They need to be tailored to the relevant industry
(or industries) that the organization operates within; they are also typically
unique for each enterprise. They are determined by its business activities and
processes as well as its financial controls. They are closely related to the IT
systems and databases that the enterprise uses for financial and other
reporting.
Senior management need to show
that answers are available in relation to key resources such as: data; business
activities and processes; locations; people and business units; and events.
Answers should be available that also show how resources relate to strategic and
tactical business plans that have been defined by management. These are internal
control questions that address: “What”; “How”; “Where”; “Who”; “When”; and
“Why”.
These six questions are shown
as columns in a matrix, where different perspectives of “Planner”, “Owner”,
“Designer”, “Builder” and “Subcontractor” are also shown as rows. This is
provided by the Zachman Framework for Enterprise Architecture. While
Enterprise Architecture has previously been considered to be an IT
responsibility, when it is also used by senior management it enables precise
Governance Analysis. It also provides a Business Transformation
Enablement capability.
With the legal implications of
Sarbanes-Oxley non-compliance, an inability to answer internal control reporting
audit questions takes on a new personal meaning for senior managers. A
Governance Analysis Framework is needed – that is both easy to create, and easy
to use – to obtain answers for relevant internal control reporting questions.
An example is discussed in the
White Paper of a Governance Analysis Framework (GAF) that uses matrices to create and
maintain relationships between aspects of an enterprise that enable each of
these questions to be answered. Some of these matrices, from the Project
Management Organization Unit of a typical enterprise, are illustrated in Figures 1 –
3.

- Matrix relates Business Plans to People
- Indicates “Who” is responsible for Plans
- Shows Planning Statements as Rows
- Shows Organization Units as Columns
- Reading down a column gives Subset of Planning Statements for that Unit
- Reading across a row shows Units that should work together for that Statement
Figure 1: Example of
Matrix Relating Business Plans to Organization Units

- Matrix relates Business Plans to Data
- Indicates “What” is required by Plans
- Shows Planning Statements as Rows
- Shows Data as Columns
- Reading across a row shows Data that is required for that Statement
- Reading down a column gives Subset of Planning Statements for that Data
Figure 2: Example of
Matrix Relating Business Plans to the Data Supporting those Plans

- Matrix relates Activities to
Plans
- Indicates “Why” Activity exists
- Each Activity is shown as a Row
- Each Planning Statement is a
Column
- Reading across a row shows
Planning Statements for that Activity, or “Why”
- Reading down a column shows all
Activities for that Statement
Figure 3: Example of
Matrix Relating Business Activities to Business Plans
The sample GAF matrices in
Figures 1 – 3 clearly show the answers to each question by reading across
relevant rows, or down particular columns. These matrices, plus many others, are
tailored to each enterprise. They can be created in a 25-day Strategic Modeling
project within an elapsed duration of 3 months, based on the Strategic Business
Plans for the enterprise. This uses an initial facilitated session over two days
with active participation of senior management and their direct reports, where a
Strategic Map is developed.
A Strategic Map is a “picture
of the business”, similar in concept to the layout of a city. A city map clearly
shows the layout of streets (“where”) and the access routes that define “how” to
get there. It also indicates “what” is located in parts of the city. Given a
reason (“why”) to take a given route at a certain time (“when”), people (“who”)
can use the map to navigate through any city.
What is missing in most
enterprises is a similar “map (or picture) of the business”. A city map can be
bought from newsagents in that city, but no newsagent sells Strategic Maps for
enterprises. In the absence of a Strategic Map for an enterprise, it is hard to
answer these questions. As a result, Internal Control Reporting is difficult.
A Strategic Map that is
developed and tailored to an enterprise enables senior managers, as well as
middle managers, expert business staff and IT staff to see the data, activities
and processes, locations, business units and people, the business events and the
business plans that all need to be managed effectively for internal control
reporting. From the Strategic Map and underlying Strategic Model, the Governance
Analysis Framework matrices become dynamic. They are automatically generated.
Given the Strategic Map input
from the senior management team and their reports, more detailed analysis by the
facilitator in the 25-day Strategic Modeling project period identifies key data,
business activities, locations, business units, and business events for the
business plans that were used as catalysts. The result of this analysis is
documented in a Governance Analysis Framework (GAF) Report, which is the main
deliverable from the Strategic Modeling project.
The GAF Report and its contents
provide a documented view of tailored Internal Control Reporting from the
strategic perspective for use by senior management. These dynamically-tailored matrices
must then be completed by relevant business experts. The strategic GAF matrices
are populated by more detailed matrices from key business units. These Tactical
Modeling projects – each similar to the Strategic Modeling project – can in turn
be undertaken for key business units.
Strategic Modeling projects and
Tactical Modeling projects have been completed for large and medium Commercial
enterprises throughout the world. Similar Strategic Modeling and Tactical
Modeling projects for Government and Defense Departments have also been
completed in the USA, Canada, Australia and NZ.
The methods discussed in the
White Paper can be applied rapidly in 25 days, within an elapsed 3-month period, in a
step-by-step approach as follows:
- Establish Plan for Strategic Modeling Project
- Capture Initial Business Planning Input as Catalyst
- Conduct Strategic Modeling Facilitated Session
- Carry out Strategic Model Analysis
- Derive Governance Analysis Framework (GAF) Documentation
- Review of GAF Matrices and Governance Implementation Plan
- Progressive Enterprise Completion of GAF Matrices
- Implementation of the Governance Implementation Portfolio
The GAF Reports produced from
Strategic Modeling and Tactical Modeling projects provide the documentation and
modeling tool capabilities that are needed for Internal Control Reporting for
Sarbanes-Oxley. As an added by-product of the Governance Analysis Framework
methods described in the paper, similar methods and tools can also be used to
implement transformed business activities and processes for Business
Transformation Enablement.
Download the
PDF White Paper titled:
"Governance Analysis using Enterprise Architecture - A Practical Approach for
Rapid Enterprise Compliance with Sarbanes-Oxley Driven IT and Business
Governance Requirements" and also the PDF
Executive Summary that
is the source for this issue of TEN from the IES Web Site.
Modeling tools are used to
develop the dynamically-defined Governance Analysis matrices discussed in this
issue of TEN. The matrices in Figures 1 - 3 of this
Executive Summary and in the
White Paper are based on the use of Visible
Advantage. Further details about Visible Advantage Enterprise Architecture
Edition and also Visible Analyst Enterprise Framework Edition are
available from http://www.visible.com or
http://www.visible.com.au. A version of
the White Paper is also available for
download from these two web sites.