Written by William Ulrich

Every business must deal with crisis, risk, and compliance challenges. Teams chartered with addressing these challenges are often split across business units and regions, which fragments crisis, risk, and compliance management efforts. Business unit silos and related complexities obscure ecosystem transparency, which in turn constrain an organization’s ability to identify risks, assure compliance, and prevent and disarm crises. Business architecture delivers business ecosystem transparency as a basis for improving a business’s ability to collectively address challenges related to crisis, risk, and compliance. This Executive Update outlines the role of business architecture in crisis, risk, and compliance management.
Every business must deal with crisis, risk, and compliance challenges. Teams chartered with addressing these challenges are often split across business units and regions, which fragments crisis, risk, and compliance management efforts. Business unit silos and related complexities obscure ecosystem transparency, which in turn constrain an organization’s ability to identify risks, assure compliance, and prevent and disarm crises. Business architecture delivers business ecosystem transparency as a basis for improving a business’s ability to collectively address challenges related to crisis, risk, and compliance. This Executive Update outlines the role of business architecture in crisis, risk, and compliance management.

Compliance

Establishing a shared understanding of crisis, risk, and compliance management is the first step toward understanding business architecture’s role in improving how organizations deliver on each of these disciplines. Consider the following definitions:2

  • Crisis — an unstable or crucial time, or state of affairs, in which a decisive change is impending; especially one with the distinct possibility of a highly undesirable outcome
     
  • Crisis management — the ability to proactively plan for and respond to disruptive and unexpected events that threaten to harm the organization, its stakeholders, or the public
     
  • Risk — a situation involving exposure to danger
     
  • Risk management — the ability to identify, assess, control, avoid, minimize, and eliminate unacceptable risks
     
  • Compliance — confirmation that the doer of an action or supplier of a product conforms to accepted practices, legislation, rules, regulations, specified standards, and contract terms
     
  • Compliance management — the ability to identify, assess, and assure that a business conforms to accepted practices, legislation, rules, regulations, specified standards, and contract terms
     

While many businesses tend to have unique business teams dealing with each of these disciplines, the overall ability of a business to identify and manage compliance and risks, and to prevent and respond to crises, have a great deal in common. In other words, crisis, risk, and compliance management are highly intertwined disciplines.

For example, organizations identify weaknesses, threats, and related impacts as a basis for mitigating risks and future crises. They also seek to achieve compliance to avoid legislative, audit, and oversight violations and related disruptions that could stem from these violations. Each of these disciplines relies on varying degrees of business transparency as a basis for prevention and remediation, with a focus on nullifying customer, partner, public, employee, and general business impacts.

Crisis management is a good starting point for examining common ways to improve a business’s collective ability to exercise these disciplines because avoiding and responding to crises requires highlighting and mitigating risks and assuring overall compliance.

Crisis Management in the News

In 2016, Wells Fargo discovered that as many as 2.1 million people were the subject of problematic sales practices where unauthorized accounts were created for these individuals. The following series of headlines, which ran from September 2016 through March 2017, help illustrate this story:

Wells Fargo’s CEO indicated in an article dated 17 March 2017 that the company “is looking as far back as 2009 to figure out how many unauthorized accounts were created.” The CEO was further cited as saying, “I will describe it as much more complicated than anyone could have imagined. But that’s not an excuse. It’s going to take a few months to figure out. But I will assure we will remediate all those customers.”

When crisis hits, it hits hard, and if an organization lacks certain levels of business transparency, recovery from that crisis can be a long, painful, and even very public process. Heading off crises requires identifying and mitigating risks and ensuring compliance, creating a triumvirate of interrelated disciplines that demand total ecosystem transparency.

Total Ecosystem Transparency: Managing Crisis, Risk, and Compliance

In a crisis, executives require rapid cause-and-effect analysis. Unfortunately, this type of analysis is often cobbled together in haphazard ways across disparate, uncoordinated business units. Within this context, no one area can see the whole picture, which means, for example, that upstream impacts are shrouded from downstream business units. In some cases, the actions or impacts of a business partner further complicate cause-and-effect analysis. And in almost all cases, the lack of a defined business vocabulary across business units means that tracing the evolution, location, and state of a contract, customer, product, asset, investment, account, or other critical business perspective is at best fleeting for any given area and fully shrouded from the business as a whole.

Business ecosystem transparency facilitates risk identification and avoidance, regulatory and related policy compliance, and rapid cause-and-effect analysis in a crisis. The business ecosystem is an important concept here because it establishes the scope and boundaries of a business that is not fully reliant on business unit silos. As defined in A Guide to the Business Architecture Body of Knowledge® (BIZBOK® Guide), a business ecosystem is “one or more legal entities, in whole or in part, that exist as an integrated community of individuals and assets, or aggregations thereof, interacting as a cohesive whole toward a common mission or purpose.”

The above ecosystem definition helps when defining business boundaries, which seldom begin and end with a single legal entity. Consider, for example, a company that outsources certain capabilities, such as Legal Proceedings Management, Asset Definition, Shipment Management, Feedback Management, Payment Determination, and Human Resource Management, all of which are key to the company’s success. Whether insourced or outsourced, these capabilities, which define “what” a business does, are part of the business ecosystem because they are essential to ensuring that a given business is a viable, functioning entity.

Lack of Business Transparency Fosters Crises, Risks, and Noncompliance

Crisis scenarios tend to trigger reactive, versus proactive, responses. Underlying these reactive response tendencies are piecemeal, siloed approaches to compliance and risk management. For example, risk management at large, multidivisional companies can lack holistic perspectives of risk-related impacts across customers, partners, products, markets, and related focal points. There is no concept of ecosystem-wide risk aggregation across these business perspectives or related business units. As a result, what appears to be in compliance within a given business unit may receive a failing score in aggregate across multiple business units.

Consider a financial services firm with multiple divisions and multiple business units within each of those divisions. Each division and related business unit would be responsible for managing multiple accounts, products, funds, and, depending on its business model, policies for insuring wealth. Individual business units would have instances of common capabilities, such as account management, fund management, customer management, product management, transaction management, and payment management. Figure 1 illustrates an example of such a business scenario.
 


Figure 1 — Complexity and redundancy across business units creates crisis “blind spots.”


Figure 1 highlights that each business unit has a siloed view of its accounts, customers, products, and other focal points. In this scenario, each business unit would work under the assumption that it is in full compliance with policies and regulations and that it has adequately identified and mitigated risks. Each business unit has its own crisis management plan. On a case-by-case basis, each business unit would score very well in terms of crisis prevention, risk management, and compliance. In all likelihood, however, the exact opposite is true.

Cross-business-unit complexities, redundancies, and fragmented business views have blinded the business as a whole to potential risks, overall compliance, and, most important, the ability to plan for and mitigate risk. Figure 1 highlights the fact that each business unit sees the customer as its own customer, without understanding that a given customer may have multiple accounts, funds, and policies with the business as a whole. The customer sees one company, but the business collectively sees that customer as many entities.

Consider a scenario where a customer defaults on a mortgage. That same customer holds many other accounts, investments, and policies. In addition, that same customer comes back to the institution to get another loan from an unrelated business unit, despite the fact that the originating business unit marked that customer as a credit risk. Now multiply this scenario by millions of customers, accounts, business partners, products, payments, decisions, and a host of other business perspectives.

The institution’s ability to perform aggregated risk analysis, ensure compliance, and prepare for and react to crises, is dramatically impaired by these siloed business perspectives; silos that include functionally and regionally aligned business units. Executives can stress cross-business cooperation, but this is a piecemeal approach that veers more toward wishful thinking than aggregated crisis, risk, and compliance management.

Business fragmentation is not uncommon. In fact, it is the norm across numerous industries worldwide. Businesses have historically pushed crisis, risk, and compliance management to individual business units. In many cases, a centralized risk management team is in place along with corporate audit and crisis management teams. But these teams have no more visibility across a fragmented ecosystem than would any other business unit, which means that they can establish and push out policies, but there is no way to verify compliance in an opaque ecosystem.

How can multibillion-dollar, multidivisional corporations take these risks? Why would oversight agencies, auditors, and executive governance structures ignore these risks? Are executives aware of the risks related to this lack of transparency and the impacts on the business? If a business is not familiar with the benefits of and the capacity to establish ecosystem transparency, then perhaps there is simply a sense that there is nothing that can be done. But this is not the case.

Business Architecture: Delivering Business Ecosystem Transparency

Business architecture provides the transparency needed to proactively avoid crises through risk and compliance management — and to respond in kind when crises do arise. This means, for example, that a business will view a customer just as the customer views the business: through a single lens with multiple accounts, policies, and investments. Customer risk and account risk management become shared capabilities that consider the customer in totality and not through many business unit silos. Figure 2 highlights this single-view perspective on customer and related interests.
 


Figure 2 — Business-viewing customer: shared interests through a common lens.


A well-articulated business architecture provides rapid insight into which customers are aligned to certain accounts and agreements, how customers are linked to other customers and third parties, associations among accounts and agreements, and related business unit impacts. Business architecture highlights where blind spots exist, pinpoints impacts on the business from an ecosystem-wide perspective, and provides insights into resolving risk, compliance, and related factors.

Business architecture delivers the business transparency to deliver these insights by articulating a common set of rationalized, cross-business perspectives on capabilities, stakeholders, value delivery, and infor­mation. Leveraging this baseline business architecture perspective, planning and execution teams can selectively view the business from a variety of business unit, business policy, strategic planning, initiative investment, and product perspectives. These perspectives, in turn, are applied to assess and manage crises, risks, and compliance for the business as a whole.

Consider, for example, the policy and regulatory compliance perspective shown in Figure 3. A well-articulated business architecture would have business-wide capability definitions mapped out along with the business units that have or exercise those capabilities. When viewed through a policy compliance lens, regulatory, audit, and compliance teams can quickly assess policy impacts, points of risk, and related focal points for crisis management. A business may choose to drill down to a product, initiative, investment, or numerous other perspectives.
 


Figure 3 — Business policy and compliance impacts on business units and capabilities.


If a business has this level of policy compliance understanding and insight, crisis and risk management becomes a matter of providing this information to any team that requires it, and this could extend well beyond a given crisis management or audit team, ensuring that policy compliance is built into the fabric of the business from planning through deployment.

Consider the value of having the transparency shown in Figures 2 and 3 in reference to the challenges faced by Wells Fargo as outlined at the outset of this Update. The business would be able to trace an account to a customer and a customer back to all accounts and related impacts. This could also include customer relationships to policies, investments, partners, assets, or even other customers. The insights become second nature, not multiyear investments across many dozens of business units.

Business-Driven Crisis, Risk, and Compliance Solutions for IT Architecture

At this point, one would presuppose that any degree of crisis, risk, and compliance management would certainly target or at least touch upon information systems as well as drive investments in those systems. The multidimensional transparency delivered by business architecture extends into the IT architecture domain. Capabilities, value delivery, information, and business unit perspectives may be associated with the information systems and wealth of other technologies that automate capabilities and related aspects of business architecture. As such, an investment in those systems should be viewed through the business architecture lens to assess general business impacts as well as ideal options for furthering crisis, risk, and compliance management.

The top portion of Figure 4 depicts how most businesses pursue crisis, risk, and compliance management. A given business unit receives a request from a compliance, risk, or audit group and invests in siloed, redundant information systems to address the issue(s) at hand. The previous challenges associated with siloed views of a business and related constraints they place on aggregated crisis, risk, and compliance management spill over to IT investments.
 


Figure 4 — Business architecture drives IT investments.


The ideal approach is shown across the bottom portion of Figure 4, where crisis, risk, and compliance strategies are viewed through the lens of business architecture, which in turn is used to articulate updates to existing information systems or specifications for a more applicable set of systems. The key aspect of business architecture that focuses IT planning and deployment is the capability.

Capability-based planning offers a shared perspective for focusing IT investments on stakeholder value delivery, information alignment, and business unit synchronization. When capability-based planning is engaged, the many tens or hundreds of millions of dollars in IT investments may be redirected from a siloed, piecemeal, and highly limited solution deployment approach to a more holistic planning and investment perspective to enabling crisis, risk, and compliance management.

Leveraging Business Architecture for Crisis, Risk and Compliance: Call to Action

How should organizations move forward to leverage business architecture for crisis, risk, and compliance management? Here are some steps to pursue:

  1. Determine your organization’s business architecture maturity using a standard approach to business architecture maturity analysis.
     
  2. Establish business architecture outside of a given business unit or IT group. This will provide transparency across siloed business perspectives that are in place today.
     
  3. Educate relevant teams and executives on using business architecture for crisis, risk, and compliance management.
     
  4. Outline steps for articulating your business architecture, with a focus on establishing a high-level, cross-business baseline, coupled with policy and stakeholder perspectives.
     
  5. As the business architecture is established, begin to link it to the IT architecture as a basis for business-driven/IT transformation planning and investment.
     

Hopefully these steps will help your organization move forward with using business architecture for crisis, risk, and compliance management. One added element of this is that business architecture provides the basis to rethink how a business delivers stakeholder value. The transparency business architecture provides not only enables innovation teams to rethink how they address crisis, risk, and compliance management, but generally enables a business overall to envision and realize innovative thinking through perspectives that were previously hidden from line of sight.

te a successful practice. 

Here are ten steps every business architecture team should take to ensure long-term success. 

Step 1 – Identify and refine your mission. You are not creating a business architecture practice to build business architecture. You are creating a practice to solve business problems. You should know what those problems are. Business architecture missions vary widely from facilitating organizational transformation to guiding technical architecture development. IT-centric business architects typically focus on business-IT alignment while business-centric business architects most often focus on improving business effectiveness. Whatever your mission is, it should be crystal clear for everyone involved.  

Step 2 – Create your vision. With a well-defined mission in hand you should develop your vision. Not the architecture-focused vision – the vision for the business architecture practice. Before thinking about where you want to take the enterprise, you should be clear about where the practice wants to go. A strong vision supports the practice’s potential to grow in effectiveness and impact over time. When you build the practice’s vision, you should also identify the big picture challenges you expect to face in realizing it.

Step 3 – Identify and assess stakeholders. Understanding the difference between stakeholder roles and who plays those roles is essential to success. This is often more difficult than it looks, as many people play multiple roles depending on the context. Most business architects can identify their investors – those who are focused on the overall outcome, and their consumers – those they actually provide services to. However, many miss partners, downstream beneficiaries, and competitors. Yes, competitors are stakeholders too. They care about your success – just not the same way you do.

Step 4 – Understand your context. If I had to name a single reason for architecture practice failure, it would be a lack of appreciation of how much culture, organizational structure, management style, and other contextual factors affect a business architecture practice’s chance for success. At the end of the day it isn’t about creating a great architecture – it’s about influencing people. And if you don’t have an appreciation for and understanding of the factors that drive their thinking and decision making, you don’t stand a chance.

Step 5 – Identify products and services. Every business architecture practice should have a well-defined set of products and services. This isn’t just for your clients; it’s for you too. Once you have defined discreet products and services, you can then move to detailed product design. For example, if one of your products is a business capability model you should have a documented process for developing the model, a structure for defining the details, a template for displaying it, a method for updating and refinement, and so on. Most importantly, with well-defined products and services, you now have a baseline you can begin improving on after each client engagement. 

Step 6 – Assess your team’s skills. Whether you are a small centralized group, a highly matrixed and distributed team, or a lone business architect practitioner, a critical evaluation of your skills is important to ensure a successful launch. A SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) is a quick and easy way to understand what skills you can quickly leverage and which you need to grow. Or create a business architecture practice capability map with a skills-oriented heat map for a more robust view. The skills assessment will point you to both short-term wins (working on projects that fit your skills) and a longer-term development plan to gain the skills you need. 

Step 7 – Identify potential value network members. Take a good look around to identify where you can build partnerships that enhance the business architecture practice’s value. Who is working on strategy? Who has really strong business relationships? Who has the skills your team needs? Where are there opportunities to collaborate? What other “business architecture like” work has been done that you can leverage? Many business architecture teams miss big opportunities by failing to look for partnership and collaboration opportunities. 

Step 8 – Identify the top challenges. New business architecture teams invariably want to base their practice design on theory – what should work as opposed to what does work – and many consultants help them do just that. But successful business architects structure their practices to deal with their specific organizational contexts. They understand that overcoming challenges is an integral part of the role, not an afterthought to be dealt with later. For example, the lack of executive sponsorship is a challenge for many new business architecture efforts. Teams that acknowledge this at design time might choose to create a business architecture practice that doesn’t require sponsorship. Understanding challenges guides good decisions.

Step 9 – Build the business architecture practice’s business architecture. A business architecture team, just like any other business unit, needs to clarify its own architecture. This means developing a clear set of goals, strategies, capabilities, and processes, and then using these elements to clarify the practice’s operating model and identify where and when to invest in its success. If you can’t architect your own practice, how do you expect to architect others? 

Step 10 – Build an action plan. Now – with a well thought out design – you need to get busy. Develop a three-level plan. First, create a three- to five-year roadmap for the practice. How will it evolve over time? How will its influence grow? How will skills be developed? Second, create an 18-month roadmap that adds more specific details for these items and sets quarterly goals. And third, develop a 90-day action plan that lays out objectives for the next three months, the specific actions you need to take to attain those objectives, and the specific people who will take those actions.

Step 11 – GO!

In the business world, agility is defined as the ability of an organization to respond quickly and effectively to changes in market demands (Brown and Bessant, 2001). Agility is not something an organization has or does not have. Indeed, every organization has a certain speed and effectiveness in meeting changes to market demands. The performance and longevity of an organization, however, tends to increase with its degree of agility (Bazigos et al., 2015; Vázquez‐Bustelo et al., 2007; Worley et al., 2014). This is especially true for organizations that are more agile than their competitors.

Becoming more agile does not occur by happenstance or by merely telling employees to work in more agile ways. To become more agile, organizations must undertake initiatives specifically conceived for that purpose. These initiatives can take the form of internal transformation projects (e.g., change a process) or courses of actions designed to bring about changes in the external environment of the organization (e.g., get a law changed). While some of these initiatives may take just a few months to accomplish, others may be more important and require years of effort.

For these initiatives to be successful, organizations must first understand the nature of the four dimensions of business agility and decide which ones are most important for them to progress along in the next few years. Second, they must understand what the internal and external factors that determine their degree of agility along each of the four dimensions are. Third, they must understand upon which of these factors they can act to increase their agility as desired, and what types of initiatives are required to do so. This understanding is especially important since ill-conceived initiatives can appear to improve agility in the short-term but diminish it in the mid- to long-term.

The purpose of this article is to identify and clarify the nature of the four dimensions of business agility. This conceptualization is based on an extensive literature review and research on our part. It will serve as a foundation for a series of upcoming articles aimed at helping organizations become more agile.

The Importance of Agility

Agility is important for all organizations and especially so for those operating in rapidly evolving markets. There are three reasons for this. First, the more agile organizations are, the faster and the more effectively they can adapt themselves to deprive their competitors of any advantage they may have recently gained.

Second, being more agile than their competitors enables organizations to advance to the head of the pack by making strategic moves at a faster pace than their competitors can. When combined with an ability to continuously and successfully innovate, being more agile than their competitors enables organizations to go further than just responding to market changes. It allows them to regularly cause market demand changes that their competitors have to catch up to.

Third, in addition to being a tool used to counter the strategic moves of competitors or gain a competitive advantage, being more agile than competitors can, in some circumstances, be a competitive advantage in itself. Indeed, it can enable organizations to respond to market demands without having to complete lengthy transformation or R&D projects first. For example, a commuter train manufacturer with a proven platform, a flexible assembly plant, and an agile R&D capability may be able to deliver trains customized to its customers’ exact specifications in less time and at a lesser price than its competitors. 

The importance of being highly agile and more so than competitors is further heightened by the increasing number of organizations actively working to improve their agility. This growing interest has created a race towards greater agility in which the laggards may very well pay a bitter price.

Organizations that lack agility can easily put themselves in adverse situations. For example, their inability to maintain their products and services relevant to current market demands is likely to lead to a progressive loss of market share. Also, their inability to quickly scale-up production can force their customers to migrate to other suppliers. Finally, their inability to quickly reduce costs during bad times can lead to financial difficulties. A lack of agility can even be deadly. Indeed, the situation of organizations that lack agility can get untenable to the point that they force organizations to either get acquired, downsize until they become shadows of their former self, or go bankrupt. History is filled with once successful businesses that faded away because they failed to recognize and respond to market-demand changes in an effective and timely manner. What is more, globalization and the ever-increasing rate of innovation are continuously accelerating the pace of market-demand changes. The organizations that lack agility cannot keep up and get weeded out at an increasing rate. The fact that the life expectancy of companies in the Fortune 500 has fallen from 75 to 15 years over the last 50 years (Denning, 2011) is especially telling in that matter.

Sustainable Agility

As discussed above, organizations must be more agile than their competitors to survive and thrive in today’s market. However, for their agility to be sustainable, organizations must carefully choose the initiatives they undertake to improve their agility. Indeed, some initiatives may help respond quickly to current market demands but result in hard-to-remove hindrances that will restrict agility in the future. For example, to accelerate decision making, some organizations have eliminated the planning and control activities that were put in place in the past to ensure the long-term soundness of decisions. Without this guardrail, these organizations have quickly slipped into short-termism. In such a context, managers are quick to understand that to get promoted they have to demonstrate their ability to deliver quickly and as a result, start making shortsighted decisions that latter curtail their organization’s agility. The negative impacts of these short-signed decisions are the worst when they pertain to expensive assets such as information systems and production equipment. Opting for the cheapest and fastest way to make changes to these assets can very easily make future changes much longer and expensive to accomplish. In fact, we have come across many situations where changes that should have been relatively simple to do, had become so large and expensive that they were now economically unviable.

The Four Dimensions of Business Agility

The degree of agility of an organization can vary along each of the following dimensions (in alphabetical order): Operations, Research & Development, Transformation and Strategy. 

Operation agility is the ability to quickly increase or decrease the operations’ throughput or shift from manufacturing or supplying one set of products and services to another in a manner that has no significant penalty on time, cost, quality, and functionality.

Examples: 

  • The ability of a city to make rapid adjustments to the size of its workforce to cope with seasonal changes in the services demanded by its citizens.
  • The ability of a production line to manufacture multiple models of household appliances and to switch instantly from the production of one to that of another with no significant quality degradation or costs increase.
  • The ability of a manufacturing plant to produce a range of products, including new ones, with no or limited physical changes to its equipment.

Research & Development agility is the ability to quickly develop and market new or improved products and services that meet evolving customer demands in terms of price, quality and functionality. This includes the ability to quickly make changes to the R&D project portfolio in response to internal and external events, and to reallocate resources when needed.

Examples:

  • The ability of a manufacturer to leverage its proven platform to rapidly design new tramway cars to the specific requirements of a major city.
  • The ability of a business unit to quickly shift its R&D efforts from one product to another that utilizes new technologies to better meet customer demands.
  • The ability of a software company to deliver a small set of new customer-requested features every six months instead of providing only major upgrades every three years.  

Transformation agility is the ability to quickly and effectively make lasting changes to the functioning and assets of the organization and bring about changes in the external environment of the organization. It includes the ability to quickly make changes to the portfolio of transformation initiatives in response to internal and external events and to reallocate resources as needed.

Examples:

  • The ability of an organization to leverage business architecture and change management to accelerate the transformation of its culture, organizational structure, and processes.
  • The ability of a company to use its fine-tuned merger and acquisition capability to rapidly integrate a newly acquired firm.
  • The ability of an organization to use the Agile software development methodology to deliver the information systems it needs to improve its capabilities rapidly.
  • The ability of an organization to work with its suppliers to improve the quality of the  component parts it buys from them.

Strategy agility is the ability to quickly and effectively make changes to the strategy of the organization, at the corporate or business-unit level, in response to internal and external events.

Examples: 

  • The ability of a mortgage lending firm to identify a coming slowdown in the residential market and, quickly shift its strategic focus to the commercial market.
  • The ability of a manufacturer to quickly uncover opportunities in a geographic market it is trying to penetrate and, in response, adjust its product mix to properly serve that market.

Althou
Every business must deal with crisis, risk, and compliance challenges. Teams chartered with addressing these challenges are often split across business units and regions, which fragments crisis, risk, and compliance management efforts. Business unit silos and related complexities obscure ecosystem transparency, which in turn constrain an organization’s ability to identify risks, assure compliance, and prevent and disarm crises. Business architecture delivers business ecosystem transparency as a basis for improving a business’s ability to collectively address challenges related to crisis, risk, and compliance. This Executive Update outlines the role of business architecture in crisis, risk, and compliance management.

Original Post: https://www.cutter.com/article/business-architecture%E2%80%99s-role-crisis-risk-and-compliance-management-495596

Leave a Reply

Your email address will not be published. Required fields are marked *