CEAF Governance

DOI: 10.4018/978-1-5225-2407-6.ch005


Governance, Risk Management, and Control (GRC) protect investments, provide transparency of decisions, and create accountability among government decision makers. The Collaborative Enterprise Architecture Framework (CEAF) requires an additional factor: making decisions based on government directions, and reducing the duplication of functionality among various government departments. These investments provide significantly higher value when they are protected by GRC, aligning investment with strategic direction. In the context of disruptive technologies, it is vital that these risks be identified quickly and handled effectively, as new technologies provide a wide gamut of options and expose the organisation to a suite of uncertainties, in terms of business and technology strategies and their execution. GRC brings together corporate governance, controls and reporting, and Enterprise Risk Management (ERM), in order to ensure compliance with rules and regulations. The components of GRC are defined as: 1) Governance, the overall management approach, and Controls to direct the organisation; 2) Risk management that supports governance, through which management identifies, analyses, and (where necessary) responds appropriately to risks; and 3) Compliance, conforming to stated Requirements, Standards, and Regulations.
Chapter Preview

Governance And Risks: A Balancing Act

The starting point for good governance is that it must be pragmatic. This means it should not only consider various organisational risks, but also balance them with the opportunities that accompany the project being assessed. Furthermore, risks need to be managed in such a way that they do not negatively impact the quality, cost, and operational efficiency of the organisation. Accordingly, governance and risks are a balancing act that ensures business objectives are achieved without sacrificing quality. Understanding business capabilities and limitations enhances GRC effectiveness and efficiency. This requires a good understanding of organisation-wide accepted business and technology strategies, and the way in which the organisation views opportunities and risks. Below are the key characteristics of a GRC framework:

  • Discipline: Consistent criteria are used to assess multiple projects across an organisation, in terms of their business impact and outcomes. In the absence of an organisation-wide discipline, assessment of projects tends to be subjective and influenced by individual decision makers’ personalities.

  • Transparency and Fairness: Projects are assessed based on enterprise-wide principles and standards that are made part of the organisational framework. Here, current technologies create a need for extreme transparency, as the impact of technologies remains unknown for most business decision makers.

  • Independence: Enterprise Architects (EA) must have independence so they can provide a range of realistic solutions based on organisational demands, and ensure that the organisation has the capabilities to incorporate and absorb the new technologies.

  • Accountability: Architects and project managers are made accountable and responsible for documenting any deviations and exceptions in the architectural principles. This comes from the compliance aspect of GRC.

The above characteristics enable the GRC framework to provide stability to government-wide projects. Changes to GRC itself are permitted only when there is a change to the overall organisation, the responsibility and reporting model of the business, or the makeup of operating facilities. GRC is thus independent of management. It maintains the accountability and authority of managers, and defines their decisions and actions.

GRC protects business investments. By carefully mapping GRC to the CEAF, an organisation can ensure that projects get higher and more secure returns from investments, because GRC not only ensures compliance but is also geared to ensuring value for money. Governance processes enhance common services, which, in turn, help identify risks up front. Once the risks are visible, effective controls to ameliorate those risks can be implemented. The purpose of the governance framework should be to support the fragmented and overlapping communities of interest within departments and agencies, to work toward a common goal of serving citizens in a cost-effective manner. The governance bodies also must validate the recommended tools and services, to provide an optimal balance of internal and external information exchanges and services to constituents. The CEAF can enable and empower government employees and local communities by providing secured and contextualised information. The CEAF can assist in aggregating information across multiple agencies, jurisdictions, and information, to be available in a secure and personalised manner. The CEAF should assist in integrating a multi-departmental information exchange, and governance should make sure the information has not been accessed illegally or inappropriately. CEAF adoption will need several governance forums or bodies with authority to make decisions for the development of services across the government. The following decision forums will be required for seamless adoption of CEAF across government departments and agencies:
