In our StraightTalk three-part series, we examine how business architecture can be used to catalyze, embed and enforce key sustainability, legal and ethical considerations into an organization’s DNA. In this post, our second installment, we’ll explore how organizations can leverage business architecture to enable policy making and compliance.
First things, first. What’s a policy?
We’ll refer to a policy in an all-encompassing way as the BIZBOK® Guide does, which simplifies the discussion and raises it up a level. The BIZBOK® Guide defines a policy as “A course or principle of action adopted or proposed by a government, party, business, or individual.”
This means that policies may be external, such as laws, regulations, industry agreements, treaties, etc. Or, they may be internal, such as internal policies, procedures and so forth. What is considered external and internal in this case is framed from the perspective of a specific organization. Of course, organizations such as governmental bodies that make policy will have another perspective on this, but business architecture can help in each case.
So then, how can business architecture help?
Compliance and ethical thinking should be embedded into the DNA of an organization and will ultimately improve business performance from the bigger picture perspective. (Just like sustainable thinking should be embedded, as we looked at in Post No. 58.) As a Reuter’s article entitled, “Putting Policies Into Place: Seven Principles of Policymaking Practice,” (7 November 2018) points out:
If policies and procedures are to be an effective part of the governance, they have to be part of the DNA of the firm, part of what we hear referred to as ‘the culture of compliance’, or the ‘risk management culture.’ Culture has to come from the top; it has to radiate from the centre out.”
So, let’s revisit why business architecture – the one set of enterprise-wide blueprints an organization has which are agreed-upon across business units, truly business-focused and high-level-so-we-can-see-the-forest-from-the-trees – can be so useful for embedding policies and compliance thinking into an organization.
- First, business architecture is all about transparency. The entire point of it is to give everyone the same view of what the organization does. And, as part of that transparency, business architecture shows the traceability between everything, like which capabilities are affected by which policies, or which business units have which policies, or which processes and systems are currently supporting which policies. And much more.
- Second, business architecture brings people together. Effective policy management requires a shared responsibility across an organization – across reporting levels, across teams, across geographies. An organization’s business architecture transcends business units and helps everyone to coordinate by seeing what they do that is the same or similar, and where they intersect.
- And one more thing, business architecture is the great connector. That makes it super useful as a structure to ensure important things like policies are embedded and considered in the right places, at the right times, with the right people. With capabilities and value streams in particular, they provide one common, enterprise-wide framework (that everyone agreed to!) which we can hang everything off of. So for a capability like Customer Information Management, we can get a birds-eye view of everything related to it: like what policies apply, what business information is required, which business units and stakeholders are involved, what products are enabled, and what current strategies and initiatives are in play. (More on business architecture as a connector here in Post No. 53.)
P.S. If you’re new to business architecture, StraightTalk has you covered. Start with Posts No. 1 (what), No. 2 (why) and No. 3 (more on why). To learn a bit more about how it’s created, check out Posts No. 17, No. 18 and No. 51. And for a bit more on how to use it, see Posts No. 55 and 56.
Sounds great. Give me some examples.
Here are a few examples of how business architecture can help with policy making and compliance.
- Identifying Applicable Policies – Consulting the business architecture knowledgebase provides a methodical approach for identifying relevant policies and making sure there are no gaps in knowing what applies, to whom and where. For example, an organization’s capabilities can serve as a focal point for identifying policies such as information privacy or anti-spam policies for the Customer Information Management and Partner Information Management capabilities, or identifying policies related to the security of credit, debit and cash card transactions for the Payment Management capability. Other aspects of the business architecture can serve as a focal point for this type of policy identification and gap analysis as well, such as stakeholders, products, value streams and information.
- Developing Policies – Business architecture can be used to assess the impact of a proposed or finalized policy – comprehensively, quickly, with confidence. No more archeology exercises to gather the people and assess the systems in a lengthy and error-prone process to answer the question. Capabilities and value streams provide the focal point for the impact assessment and connect to every other aspect of the business and technology environment. Just think how useful this is when an organization is trying to assess the impact of a new law or regulation proposed by a governmental body in order to help inform and shape the final direction. Or, to assess the impact of a newly published regulation with which they need to comply. Or, to assess the impact of an internal policy, procedure or process before it’s created.
- Translating and Documenting Policies – Policies can be cataloged at a high level, in plain language in the business architecture knowledgebase and connected to any other aspect of the business and technology environment. This does not take the place of any repositories that house the policy details, but rather makes the bigger picture information accessible to everyone, and within a shared, relevant business context. In addition, as policies are translated, policy impact assessments may be performed as well as risk assessments, especially to identify the big-ticket items which require even more focus. An organization’s business architecture can be used for both, as described in the bullet above. Business architecture not only identifies the comprehensive set of impacts, but it can also provide a methodical way to assess the business impact and breadth of coverage associated with policies, based on the capabilities they are related to. This can be a very helpful input to risk assessment analysis and decision-making. (Check out Post No. 28 for more on business architecture metrics.)
- Implementing and Communicating Policies – As policies are implemented, business architecture can track the interrelationships among policies. For example, within the business architecture knowledgebase, external policies like regulations can be related to the internal policies that implement them. Or related policies across business units, regions, and so forth can be connected to ensure consistency in implementation and stakeholder communication as well as coordination on any changes later. And of course, business architecture is a shining star when it comes to translating policy-related changes into action in a coordinated way across an entire organization. Business architecture plays a critical role as a bridge between strategy and execution by ensuring that initiatives are scoped and sequenced holistically to implement policies and that they are coordinated with any existing initiatives. (More on business architecture’s role in strategy execution here in Posts No. 3, No. 50 and No. 9.)
- Following and Monitoring Policies – Business architecture may be used to demonstrate end-to-end traceability from policies to capabilities, business units and value streams – with the ability to drill down to the relevant processes and systems that implement them. This is invaluable for internal and external audits and to demonstrate compliance with policies. Not only is the information available for the entire enterprise-wide scope, but it has business context and exists at a high level so that the big picture can be assessed first and details like processes or system applications can be targeted when needed. (Much easier than the needle-in-a-haystack method.) An organization’s business architecture also acts like a fabric that weaves concepts together, so it ensures that policy consideration and compliance is always brought to the forefront in the right conversations – and without someone from the compliance team having to be involved to personally remind everyone. This ensures that the appropriate policies are identified anytime a capability (or value stream) is touched related to any initiative or change, within third party agreements, or even during due diligence for joint ventures or mergers and acquisitions.
Here’s a handy diagram to summarize all of that.
What next?
Seek out the people within your organization who are responsible for policy making and compliance. Anyone that has a role related to any of the aspects described in this post could benefit. We recommend that you consider targeting certain areas like legal, compliance or audit. Let them know how you can help make their jobs easier and you might find yourself with some new friends.
More Good Stuff…
Business Architecture In Action For Risk and Compliance Management — How Business Architecture Helps Organizations Identify and React to Risk and Compliance Challenges (StraightTalk): More straight talk on this topic.
Business Architecture Policy Mapping Content (BIZBOK® Guide): Check out Section 2.9 in the BIZBOK® Guide (Business Architecture Guild® membership required) for the official word on the how-to map policies and cross-map them to other business architecture perspectives.
Business Architecture Policy Mapping: Little Understood, But Highly Critical (Business Architecture Guild® webinar): A webinar that summarizes policy mapping and its usage. (Business Architecture Guild® membership required.)
Risk and Compliance Transparency With Business Architecture (Guild Council of Executive Advisors): The deck from a talk and panel by the GCEA during the 2019 Guild Business Architecture Innovation Summit.
Compliance Week website: A goldmine of resources related to compliance topics.
OCEG website: OCEG is a non-profit think tank that is dedicated to achieving a world where every organization and every person strives to achieve objectives, address uncertainty and act with integrity. They call this approach to business, and to life, Principled Performance. Another goldmine of resources related to governance, risk and compliance (GRC).
Building World-Class Ethics and Compliance Programs (Deloitte): A useful report on the topic.
What Really Motivates People To Be Honest In Business (TED Talk): An interesting and important TED talk by Economist Alexander Wagner on why large corporations commit fraud and a look at the economics, ethics and psychology of doing the right thing.