Enterprise Architecture Risk Management Framework EA 2 Terry

Enterprise Architecture & Risk Management Framework (EA) 2 Terry Merriman www. OADConsulting. com tm@OADConsulting. com Copyright 2013 OAD Consulting, Inc. . All Rights 1

(EA) 2 Enterprise Architecture & Risk Management Framework (EA) 2 is an add-in extension to Enterprise Architect, Sparx Systems’ UML design tool. (EA) 2 is the result of over 10 years of experience applying various architectural standards (RM-ODP, RUP, TOGAF, Archimate, COSO) on real projects. It provides the tools needed to model your Enterprise Architecture and to use it for tactical and strategic planning purposes. (EA) 2 provides tools to ensure that your architectural models are created consistently across your architectural teams and the reporting environment to extract information from the repository to enhance all phases of your strategic planning. (EA) 2 has been developed using OAD’s Model Guardian framework & model management system. Therefore, it is completely customizable. For a limited time, (EA) 2 is being bundled with Model Guardian free of charge. To find out more about Model Guardian go to: www. OADConsulting. com Copyright 2013 OAD Consulting, Inc. . All Rights 2

(EA) 2 Enterprise Architecture & Risk Management Framework Viewing This Presentation This presentation provides an overview of (EA) 2. The presentation is driven by the table of contents on the next slide. You may jump directly to each topic and automatically return to the table of contents when the topic has completed. You may return at any time by pressing the ESC key. Some slides represent sub table of contents and work in the same manner. The presentation contains a lot of animation to help illustrate many of the points. A slide’s animation may pause to let you view the slide before going on. You will see a small “Continue” in the bottom right corner when this happens. When you are ready, you can continue the animation by clicking on the slide, or by pressing the keys that advance the presentation. If you have reached the end of a section, you will see “Back” rather than “Continue”. Press the ESC key to return to Table of Contents or the last sub Table of Contents slide. Pressing the Page. Down key will skip past the animations on the current slide. Copyright 2013 OAD Consulting, Inc. . All Rights Continu 3

(EA) 2 Enterprise Architecture & Risk Management Framework Table of Contents Ø Ø Ø Ø Ø Introduction to EA/RM (High Level Concepts) Architecture Details Business Process Realizations Roadmaps and Projects Enterprise Risk Management Iterative, Incremental Approach Model Guardianship Upcoming Features Summation Copyright 2013 OAD Consulting, Inc. . All Rights 4

An Integrated Approach to EA/RM (EA) 2 builds on and integrates numerous standards to provide a framework designed to speed you through the process of modeling your Enterprise Architecture and Enterprise Risk Management. Based on Numerous Standards RM-ODP RUP TOGAF Archimate COSO Models the Different Architectural Views Business Information Systems Infrastructure GRC Integrated Framework Continuous Monitoring ERM / Key Risks Business Processes, Organization, People Business Process Realizations Future State Roadmaps Project Portfolio Management Objectives Risks & Opportunities Risk Responses Manual & Automated Controls Transactional and Analytical Data KPIs / Key Metrics Business Architecture Provides Information for Strategic Planning Integrates with Risk Management Financial, Business and IT Controls Application Architecture Data Architecture Services Data Information Technology Architecture Hardware, Software, Network Copyright 2013 OAD Consulting, Inc. . All Rights Continu 5

Modeling Enterprise Architecture Imagine your architecture Architectural as Assets a 3 -dimensional space What’s in the Box? Copyright 2013 OAD Consulting, Inc. . All Rights Continu e 6

Modeling Enterprise Architecture nt e em g na te c ts a M s hi rc ior How Do We Address Who is Interested? All of Their Needs? IT M ana ger s ch ite cts Ar ss Bu sin e ness l Busi ne Oper ation s. S on ers taff AP Ap pl Q/ ica ts ec hit c Ar tio n. A Sen ta Se Audit & Compliance Personnel Da r o i n s e n si Bu Architectural Stakeholders Expe rts Copyright 2013 OAD Consulting, Inc. . All Rights Infrastructure Architects D pers o l e v e nt e m e g a an t. M jec o r P Continu e 7

Modeling Enterprise Architecture Service Driven Multi-dimensional Set of Architectural Views Through a Separation of Concerns Ø To address the needs of: • • • Copyright 2013 OAD Consulting, Inc. . All Rights The Stakeholders The Business Processes The Future Continu e 8

Modeling Enterprise Architecture Service Driven Multi-dimensional Set of Architectural Views Horizontal Slices Through a Separation of Concerns Business Architecture Application Architecture Information Systems Architecture Data Architecture Infrastructure Architecture Horizontal Slices provide an inventory of architectural assets and their relationships within each view (layer) Copyright 2013 OAD Consulting, Inc. . All Rights Continu e 9

Modeling Enterprise Architectural Views Horizontal Slices Service Driven Multi-dimensional Set of Architectural Views Business Architecture EA Services “Glue” the Layers Together Information Systems Architecture Using an Enterprise Level Service Taxonomy Infrastructure Architecture EA Services provide Different stable layers specifications have differentoflife-cycles architectural needs and a categorization of architectural elements Copyright 2013 OAD Consulting, Inc. . All Rights Continu 10 e

Modeling Enterprise Architectural Views Horizontal Slices Service Driven Multi-dimensional Set of Architectural Views Business Architecture Service Requirements Information Systems Architecture Service Specializations Infrastructure Architecture For example, a Business App requires an Execution Environment Tomorrow it may Today it runs in an run in an. System App Operating Server container Lower Architectural level Higher elements level elements provide implement require specific thegeneric serviceservices specializations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 11 e

Modeling Enterprise Architecture Service Driven Multi-dimensional Set of Architectural Views Vertical Slices Architectural Views Horizontal Slices s Bu si n Re es al s P iz r at oc io e n s si Bu ss e oc Pr ion ss zat e in ali s e Bu R n Re es al s P iz ro at io ce n ss Business Process Realization Architectural Requirements Business Architecture Service Requirements Information Systems Architecture Service Specializations Infrastructure Architecture Vertical Slices show IT is aligned with the business and provide a means to discover architectural requirements Copyright 2013 OAD Consulting, Inc. . All Rights Continu 12 e

Future State Roadmap a dm l Sl ap ice s s Infrastructure Architecture Service Specializations oa Information Systems Architecture Current State Service Requirements Future State s Bu si n Re es al s P iz r at oc io e n s si Bu Business Architecture Te mp or R Architectural Views Horizontal Slices ss e oc Pr ion ss zat e in ali s e Bu R n Re es al s P iz ro at io ce n ss Business Process Realization Architectural Requirements Future State Roadmap Vertical Slices Future State Roadmap Service Driven Multi-dimensional Set of Architectural Views Future State Roadmap Modeling Enterprise Architecture Roadmaps show the architecture is to change over time Projects align with the Roadmaps to affect the change Copyright 2013 OAD Consulting, Inc. . All Rights Continu 13 e

Enterprise Risk Management Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State s Bu si n Re es al s P iz r at oc io e n s n Re es al s P iz ro at io ce n ss si Bu ss e oc Pr ion ss zat e in ali s e Bu R Execution Project Portfolio Management Planning Infrastructure Architecture Risk Mediation Copyright 2013 OAD Consulting, Inc. . All Rights Continu 14 e

Driving the Project Portfolio Copyright 2013 OAD Consulting, Inc. . All Rights Continu 15 e

Architectural Over view Copyright 2013 OAD Consulting, Inc. . All Rights Continu 16 e

Architectural Over view Ø Frameworks vs. frameworks • Frameworks – industry-based standards § Frameworks § Taxonomies § Methodologies • Framework – enterprise-level standards § Can be based on one or more industry-based standards § Can be an interpretation of one or more industry-based standards § Include extensions created by the enterprise model guardians to ensure all of the models are complete, concise, consistent, and comprehensible Copyright 2013 OAD Consulting, Inc. . All Rights Continu 17 e

Architectural Details Service Requirements Information Systems Architecture Service Specializations Future State Business Architecture Current State Bu s si n Re es al s P iz ro at io ce n ss B Bu ss e oc Pr ion ss zat e in ali s u Re in Re es al s P iz r at oc io e n ss Click on the labels below to see more information about each topic. Infrastructure Architecture Enterprise Risk Management Copyright 2013 OAD Consulting, Inc. . All Rights Back 18

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Business Architecture Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 19

Business Architecture Ø Allows You to Capture the Relationships Between • • • Business Objectives Business Needs (High Level Requirements) Business Activities Quality Attributes Use Case Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 20

Business Architecture Ø Allows You to Capture the Relationships Copyright 2013 OAD Consulting, Inc. . All Rights Continu 21

Business Architecture Ø Organizational Roles and Assigned Resources Copyright 2013 OAD Consulting, Inc. . All Rights Continu 22

Business Architecture Ø Business Process Model with Drill-downs Copyright 2013 OAD Consulting, Inc. . All Rights Continu 23

Business Architecture Ø Business Information Model with Drill-downs Copyright 2013 OAD Consulting, Inc. . All Rights Continu 24

Business Architecture Ø Business Policies and Rules Copyright 2013 OAD Consulting, Inc. . All Rights Continu 25

Business Architecture Ø Business Objectives Mapped to High Level Requirements Copyright 2013 OAD Consulting, Inc. . All Rights Continu 26

Business Architecture Ø Sample Report – Tracing Objectives to Use Cases Copyright 2013 OAD Consulting, Inc. . All Rights Back 27

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Application Architecture Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 28

Modeling Enterprise Architecture Ø Application Architecture Toolbox Provides… • • Roles and actors Logical components Interface definitions Exposed Interfaces § Implementation of interfaces (Provided Interface) § Requirement for an interface (Required Interfaces) § Integration styles to be employed Ø Application Architecture Also Includes… • All standard UML tools • Quicklinks to ensure proper connectors • Various SQL reports on the state of the architecture (Reporting Editions only) Copyright 2013 OAD Consulting, Inc. . All Rights Continu 29

Application Architecture Business System Components Copyright 2013 OAD Consulting, Inc. . All Rights Continu 30

Application Architecture Ø Application Context Diagram • Shows the Business Applications, Services, DB Schemas and their interactions through interfaces for a given scenario Interface stereotypes represent the integration style to be used. For example, <<ESB>> indicates that the communication will go through an Enterprise Service Bus. Copyright 2013 OAD Consulting, Inc. . All Rights Continu 31

Application Architecture Ø Application Component Context Diagram • Shows a detailed view of the application components • Used when building vs. buying These are the components of the Player Rating Front End Application from the previous slide Copyright 2013 OAD Consulting, Inc. . All Rights Continu 32

Application Architecture Ø Integration Styles • Details the integration styles represented on the context diagrams • The <<ESB>> stereotype on the previous slide is detailed with the Enterprise Service Bus design in the diagram below Copyright 2013 OAD Consulting, Inc. . All Rights Continu 33

Application Architecture Ø Behavioral View – Sequence Diagram Copyright 2013 OAD Consulting, Inc. . All Rights Continu 34

Application Architecture Sample Report – Logical Dependencies Copyright 2013 OAD Consulting, Inc. . All Rights Continu 35

Application Architecture Sample Report – Locate Where Data is Being Passed Copyright 2013 OAD Consulting, Inc. . All Rights Continu 36

Application Architecture Sample Report – Data Flow through a Scenario Copyright 2013 OAD Consulting, Inc. . All Rights Continu 37

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Informations Systems / Data Architecture Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 38

Data Architecture Ø Data Architecture Toolbox Provides… • Local and enterprise level DB Schemas • Interface definitions § § § DB Schema access, e. g. <<R/W>> vs. <<R/O>> ETL Jobs with scheduling information Stored Procedures XML documents Definition of “Enterprise Level Data” that you want to track as it moves through the system Ø Data Architecture Also Includes… • All standard UML tools • Quicklinks to ensure proper connectors • Various SQL reports on the state of the architecture (Reporting Editions only) Copyright 2013 OAD Consulting, Inc. . All Rights Continu 39

Data Architecture DB Schemas and their Access Paths Copyright 2013 OAD Consulting, Inc. . All Rights Continu 40

Data Architecture Logical/Physical Design Copyright 2013 OAD Consulting, Inc. . All Rights Continu 41

Data Architecture XML Documents Copyright 2013 OAD Consulting, Inc. . All Rights Continu 42

Data Architecture ETL Jobs Copyright 2013 OAD Consulting, Inc. . All Rights Back 43

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 44

Infrastructure Architecture Ø Infrastructure Architecture Toolbox Provides • • • Various Roles, Actors, and Vendors Network and Site information IT Software and Services Hardware Model Configurations Deployed Hardware Base on the Models Executions Environments Ø Infrastructure Architecture Also Includes… • All standard UML tools • Quicklinks to ensure proper connectors • Various SQL reports on the state of the architecture (Reporting Editions only) Copyright 2013 OAD Consulting, Inc. . All Rights Continu 45

Infrastructure Architecture Network Topology Copyright 2013 OAD Consulting, Inc. . All Rights Continu 46

Infrastructure Architecture Server Deployments Copyright 2013 OAD Consulting, Inc. . All Rights Continu 47

Infrastructure Architecture Sample Report – Server Deployments Copyright 2013 OAD Consulting, Inc. . All Rights Back 48

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss EA Service Taxonomy Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 49

EA Service Taxonomy Ø EA Service Taxonomy Provides… • A way to create stable architectural requirements while tracking the underlying changes in the elements realizing the requirements • A way to categorize the functionality provided by architectural elements and a way to eliminate redundant implementations • A way to plan the introduction and elimination of entire technologies with minimal effort Copyright 2013 OAD Consulting, Inc. . All Rights Continu 50

EA Service Taxonomy TOGAF provides a starter taxonomy of applications, interfaces, and The categories contain similar services than can be modified to fit but distinct services. your environment Software Data Management Engineering Services • • • • • Data dictionary/repository Programming language services Object code Database management linking services system (DBMS) services Computer Aided Software Object Oriented Database Engineering (CASE) environment Management System services and tools services Graphical File management User Interface services (GUI) building services functions Query processing Scripting language functions services Screen generation Language binding services Report generation functions Run Time Environment access services Networking/concurrent functions Application Binary Interface services Warehousing functions This was the hardest part! Combination of callable (SOA) and non-callable services - a superset of an SOA service taxonomy Copyright 2013 OAD Consulting, Inc. . All Rights Continu 51

EA Service Taxonomy Service Category Services are Service Layer includes: - EA Business Service groups similar required by - EA App Service - EA IT Services architectural elements This slide shows a few IT Services Copyright 2013 OAD Consulting, Inc. . All Rights Service Specializations provide technology and/or standards based methods for implementing Services. Infrastructure elements provide implementations of the Service Specializations. Continu 52

Service-Driven Enterprise Architecture Example Provides Service Implementation <<Requires IT Service>> Phased Approach to Service Introduction Requires Service <<Requires IT Service>> Provides Service Implementation Copyright 2013 OAD Consulting, Inc. . All Rights Continu 53

Service-Driven Enterprise Architecture Example Copyright 2013 OAD Consulting, Inc. . All Rights Continu 54

Service-Driven Enterprise Architecture Example Copyright 2013 OAD Consulting, Inc. . All Rights Continu 55

Service-Driven Enterprise Architecture Example Copyright 2013 OAD Consulting, Inc. . All Rights Continu 56

Extended Service Taxonomy EA Business Services - Capabilities required by external constituents - Implemented by Business Processes’ Activities EA Information System Services - Capabilities required by Business Activities - Implemented by Business Applications and enterprise level DB Schemas EA Infrastructure (IT) Services - Capabilities required by Business Applications - Infrastructure supplies service specializations - Implemented by IT Software Copyright 2013 OAD Consulting, Inc. . All Rights Continu 57

Extended Service Taxonomy Sample Report – EA Service Taxonomy (IT Service Layer) Copyright 2013 OAD Consulting, Inc. . All Rights Continu 58

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Business Process Realizations Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 59

Business Process Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 60

Business Process Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 61

Business Process Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 62

UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights 63

UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights 64

UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights 65

BP Realization Sample Report Ø This shows each layer’s required services and the configuration items that provide the services within the context of the Business Process Copyright 2013 OAD Consulting, Inc. . All Rights Continu 66

BP Realization Sample Report Ø This shows each layer’s required services and the configuration items that provide the services within the context of the Business Process Copyright 2013 OAD Consulting, Inc. . All Rights Continu 67

BP Realization Sample Report Copyright 2013 OAD Consulting, Inc. . All Rights Continu 68

BP Realization Sample Report Copyright 2013 OAD Consulting, Inc. . All Rights Continu 69

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Roadmaps and Projects Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 70

Roadmaps and Projects Ø Roadmaps • Define the future state representation of the architecture Ø Roadmap Phases • Provide an iterative/incremental implementation Ø Projects • Align to Roadmap Phases and implement the architectural vision Copyright 2013 OAD Consulting, Inc. . All Rights Continu 71

Roadmaps & Business Process Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 72

Roadmaps & Business Process Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 73

Life-Cycle Information Ø Items with Life-cycles • Service Specializations § When technology and/or standards will be introduced and retired • Configuration Items (CI) § When CIs are approved or no longer approved for purchase or development, e. g. when a particular server model may be purchased • Inventory Items (II) § When IIs have been purchased/built and retired, e. g. when a particular server has been put into service and then retired (retiring a CI doesn’t mean that all of the CI’s deployed II’s have to be retired at the same time they have their own retirement date) • One CI supplying a Service to another CI • Service Provisions in the context of a given Business Process Copyright 2013 OAD Consulting, Inc. . All Rights Continu 74

CMDB Style Sample Report Ø This report shows the deployment status of configuration items for a five year period. It organizes them by the IT Service they provide. The report can also show configuration items that provide Business and IS services. Copyright 2013 OAD Consulting, Inc. . All Rights Continu 75

CMDB Style Sample Report Copyright 2013 OAD Consulting, Inc. . All Rights Continu 76

Project Scope Ø Linking a Project to all Impacted Architectural Elements • Business Objectives Business Needs Use Case Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 77

Project Scope Ø Linking a Project to all Impacted Architectural Elements • Business Objectives Business Needs Use Case Realizations Copyright 2013 OAD Consulting, Inc. . All Rights Continu 78

Project Scope Sample report showing all architectural elements impacted by a project, including elements from all Use Case Realization diagrams Copyright 2013 OAD Consulting, Inc. . All Rights Continu 79

Project Scope Ø Project Context Report Copyright 2013 OAD Consulting, Inc. . All Rights Continu 80

Project Scope Copyright 2013 OAD Consulting, Inc. . All Rights Continu 81

Enterprise Risk Management Ø Concepts • • Objectives Risk Responses Controls § Implementation § Validation § Remediation Copyright 2013 OAD Consulting, Inc. . All Rights Slide 82

Enterprise Risk Management Ø Goals of an ERM Framework • Determine objectives, their associated risks, and the candidate and selected risk responses • To discover and validate the existing controls • To discover missing controls • To determine the level of support required • To design the optimal control solution • To provide continuous monitoring of the effectiveness of the controls • To provide input into the project portfolio Copyright 2013 OAD Consulting, Inc. . All Rights Slide 83

Enterprise Risk Management Ø Key Objectives of an ERM Framework • Not to automate as much of the process as is possible… • But rather to balance the cost of the impact against the cost of avoidance • To continuously monitor the effectiveness of their controls to ensure that objectives are met within their level of approved tolerance • The focus of this presentation is been on risk mitigation, but the same framework can be used for performance optimization Copyright 2013 OAD Consulting, Inc. . All Rights Slide 84

Enterprise Risk Management Key Elements of an ERM Framework • Objective Categories • Strategic Objectives • Risks • Risk Responses • Controls Copyright 2013 OAD Consulting, Inc. . All Rights Slide 85

Enterprise Risk Management Objective Categories and Strategic Objectives Ø Key Elements of an ERM Framework • Objective Categories § Provide a way of organizing the objectives § Ex: Hazardous Waste Risk Management • Strategic Objectives § Address different concerns within the category § Are top level objectives § Ex: Maintain a Safe, Productive Workplace, Complying with all Regulations Copyright 2013 OAD Consulting, Inc. . All Rights Slide 86

Enterprise Risk Management Objectives Ø Key Elements of an ERM Framework • (Tactical) Objectives detail the strategic objectives § Objective types – Operational – Reporting – Compliance § Objective data points – Measure: Indicates how the objective is measured – Target: What the desired measure is – Tolerance: The permitted deviation from the target § Ex: Ensure No Environmental Damage is Incurred Along with any Subsequent Fines § Ex: Report All Incidents in a Timely and Transparent Manner Copyright 2013 OAD Consulting, Inc. . All Rights Slide 87

Enterprise Risk Management Risks Ø Key Elements of an ERM Framework • Risks may adversely impact the objectives § Ex: Corrosion on Barrels Causes Material to Leak • Risk data points § Event Level – Indicates the scope of the risk – Industry, Entity, Business Unit, Process § Leading indicator – Predicts future likelihood of the risk § Escalation trigger – The measure of the leading indicator that triggers the need for action § Likelihood – The likelihood that the risk will occur within the time horizon § Time horizon – The time period during which the risk may occur § Impact – Quantitative cost should the risk occur – May be a financial cost, a hit to the company’s reputation, etc Copyright 2013 OAD Consulting, Inc. . All Rights Slide 88

Enterprise Risk Management Risk Responses Ø Key Elements of an ERM Framework • Risk Responses provide possible solutions to mitigate the risks § § § Risk one or more risk responses Trade off between the potential impact vs. mitigation cost Designed to avoid, reduce, share, or accept the risk Ex: Accept Barrel Leakage Ex: Proactive Barrel Replacement • Risk Response Data Points (Residual Risk) § Estimated cost of implementation § Residual impact § Residual likelihood Copyright 2013 OAD Consulting, Inc. . All Rights Slide 89

Enterprise Risk Management Controls Ø Key Elements of an ERM Framework • Controls provide a means to mitigate risk § Ex: Manual Barrel Inspection Activity § Ex: Automated Barrel Age Monitoring • Controls relate to actions that are taken § Following policies – manual check lists § Performing business activities – Manual activities described in the business process model § Invoking IT solutions – IT services that represent the automation of activities from the business process model § Charting compilations – Typically, spreadsheets containing 10’s to 100’s of controls at a fine grained level – For example, the dozens of controls within SAP regarding the month-end closing process Copyright 2013 OAD Consulting, Inc. . All Rights Slide 90

Enterprise Risk Management Controls Ø Key Elements of an ERM Framework • Controls should be verified by… § Reports showing the results of the control’s actions • Controls can be… § Detective § Preventive • Control results should be continuously monitored by… § People § Automated systems • Controls may have remedial actions should objectives not be met § Manual activities § Automated systems • Control results should be reviewed to determine whether adjustments must be made Copyright 2013 OAD Consulting, Inc. . All Rights Slide 91

Enterprise Risk Management Ø Phases of ERM • Planning Copyright 2013 OAD Consulting, Inc. . All Rights Slide 92

Copyright 2013 OAD Consulting, Inc. . All Rights Slide 93

Enterprise Risk Management Phases of ERM Planning Execution Copyright 2013 OAD Consulting, Inc. . All Rights Continu 94

Enterprise Risk Management Phases of ERM Planning Execution Risk Mediation Implementation Continuous Monitoring Copyright 2013 OAD Consulting, Inc. . All Rights Continu 95

Copyright 2013 OAD Consulting, Inc. . All Rights 96

Enterprise Risk Management Example Ensure Proper Handling of Personal Health Information Copyright 2013 OAD Consulting, Inc. . All Rights Continu 97

Enterprise Risk Management Example: Hazardous Waste Risk Management Copyright 2013 OAD Consulting, Inc. . All Rights Slide 98

Enterprise Risk Management Example Risk Responses 1 st Candidate Response Copyright 2013 OAD Consulting, Inc. . All Rights Slide 99

Enterprise Risk Management Example 2 nd Candidate Response Copyright 2013 OAD Consulting, Inc. . All Rights Slide 100

Enterprise Risk Management Example Selected Response Copyright 2013 OAD Consulting, Inc. . All Rights Slide 101

Enterprise Risk Management Example Healthcare Example Copyright 2013 OAD Consulting, Inc. . All Rights Slide 102

Healthcare Example Copyright 2013 OAD Consulting, Inc. . All Rights Slide 103

Enterprise Risk Management Example Candidate Response This Response provides a Policy to be followed by hospital admissions staff and two manual activities. These are detective Controls that are inexpensive to implement but are neither preventive nor automatic. Copyright 2013 OAD Consulting, Inc. . All Rights Continu 104

Enterprise Risk Management Example Selected Response The response was selected after weighing the risk’s impact and likelihood over its time horizon against the cost of implementing and maintaining the Response’s Controls along with the residual risk still in place after implementing the Response. Copyright 2013 OAD Consulting, Inc. . All Rights This Response specifies an automated, preventive Control in the form of an IT Service to be realized by a system component. Continu 105

Enterprise Risk Management Example Tying Automated Controls to the Architecture Plan The IT Service representing the Control is included in the Business Process Realization along with the system component that realizes the Control within the timeframe of the Roadmap. Copyright 2013 OAD Consulting, Inc. . All Rights Continu 106

Enterprise Risk Management UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights Slide 107

Enterprise Risk Management UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights Slide 108

Enterprise Risk Management A More Friendly View Copyright 2013 OAD Consulting, Inc. . All Rights Slide 109

Enterprise Risk Management UI Driven Design Copyright 2013 OAD Consulting, Inc. . All Rights Slide 110

Enterprise Risk Management A More Friendly View Copyright 2013 OAD Consulting, Inc. . All Rights Slide 111

Enterprise Risk Management Example Copyright 2013 OAD Consulting, Inc. . All Rights Slide 112

Enterprise Risk Management Example Copyright 2013 OAD Consulting, Inc. . All Rights Slide 113

Modeling Enterprise Architecture How Do You Go About Modeling Your Enterprise Architecture? Build Incrementally Copyright 2013 OAD Consulting, Inc. . All Rights Continu 114

Modeling Enterprise Architectural Views Horizontal Slices How Do You Go About Modeling Your Enterprise Architecture? Business Architecture Information Systems Architecture Infrastructure Architecture Model Some Key Architectural Elements to Build your Inventory Copyright 2013 OAD Consulting, Inc. . All Rights Continu 115

Modeling Enterprise Architectural Views Horizontal Slices How Do You Go About Modeling Your Enterprise Architecture? Business Architecture Generic Services Information Systems Architecture Service Specializations Infrastructure Architecture Add Services as You Learn About Them Copyright 2013 OAD Consulting, Inc. . All Rights Continu 116

Modeling Enterprise Architecture How Do You Go About Modeling Your Enterprise Architecture? Vertical Slices Business Process Realization Architectural Requirements Architectural Views Horizontal Slices ss e oc Pr ion ss zat e in ali s e Bu R Business Architecture Generic Services Information Systems Architecture Service Specializations Infrastructure Architecture Pick a Business Process to Model Its Realization Copyright 2013 OAD Consulting, Inc. . All Rights Continu 117

Modeling Enterprise Architecture How Do You Go About Modeling Your Enterprise Architecture? Vertical Slices a dm l Sl ap ice s s Infrastructure Architecture Service Specializations oa Generic Services Information Systems Architecture Current State Business Architecture Te mp or R Architectural Views Horizontal Slices ss e oc Pr ion ss zat e in ali s e Bu R Future State Business Process Realization Architectural Requirements Add the Future State in Conjunction with a Development Project Copyright 2013 OAD Consulting, Inc. . All Rights Continu 118

Modeling Enterprise Architecture How Do You Go About Modeling Your Enterprise Architecture? Vertical Slices s s Sli ps ce ad ma Ro Infrastructure Architecture Current State Service Specializations or al Generic Services Information Systems Architecture Future State Bu si n Re es al s P iz r at oc io e n s si Bu Business Architecture Te mp Architectural Views Horizontal Slices ss e oc Pr ion ss zat e in ali s e Bu R n Re es al s P iz ro at io ce n ss Business Process Realization Architectural Requirements Continue to Build Iteratively & Incrementally Copyright 2013 OAD Consulting, Inc. . All Rights Continu 119

Modeling Enterprise Architecture How Do You Go About Proselytizing Your Architecture? Vertical Slices Generic Services Information Systems Architecture Service Specializations Future State s Bu si n Re es al s P iz r at oc io e n s si Bu Business Architecture Current State Architectural Views Horizontal Slices ss e oc Pr ion ss zat e in ali s e Bu R n Re es al s P iz ro at io ce n ss Business Process Realization Architectural Requirements Infrastructure Architecture 2 provides numerous SQL reports and the tools to create your (EA) Finally, The Sparx Enterprise resulting Systems building Architect EAprovides the model perfect allows isa readily free architecture youread-only toavailable publish means version your to allnothing models stakeholders! of Enterprise unless… in RTF 2 metamodel Architect to allow reports everyone and to your to view intranet your web model site in native form own reports built on the (EA) and toolsets Copyright 2013 OAD Consulting, Inc. . All Rights Continu 120

Modeling Enterprise Architecture Service Requirements Information Systems Architecture Service Specializations Current State Business Architecture Future State in Re es al s P iz r at oc io e n ss Bu s B Bu ss e oc Pr ion ss zat e in ali s u Re si n Re es al s P iz ro at io ce n ss Sample Reports Infrastructure Architecture Copyright 2013 OAD Consulting, Inc. . All Rights Continu 121

Sample Reports Copyright 2013 OAD Consulting, Inc. . All Rights Continu 125

Sample Reports Copyright 2013 OAD Consulting, Inc. . All Rights Continu 126

(EA) 2 Features Copyright 2013 OAD Consulting, Inc. . All Rights Continu 127

A Few Upcoming Features Ø Framework Import • Current model’s stereotypes, tagged values, and links • Current model’s hierarchy of object and connector types • Technology files Ø SQL View Generation • Auto-generated views from the metamodel • Auto-generated user-defined views modeled in EA Ø User Interface for Merging New Releases Ø Design by Interface • Dialogs for creating model elements with the tags and relationships defined in the metamodel • Dialogs for handling complex tasks (like the Service Provisioning) Ø Domain Specific Frameworks • Embed the design of domain specific, including attributes, operations, and relationships in the framework • Create domain specific elements from the framework and track any changes against the metamodel definition Ø Framework and Model Compliance Reports Copyright 2013 OAD Consulting, Inc. . All Rights 128

A Few Upcoming Features Ø New Frameworks • • • Business Model Canvas TOGAF Archimate COBIT (Control Objectives for Information and Related Technology (EA)2 Ø New Automation • Framework Specific UI Design § Generic forms that read the framework § Model elements, connectors, and relationships built via the UI Ø Your Suggestions! Copyright 2013 OAD Consulting, Inc. . All Rights 129

Model Guardianship Ø Objectives • To coordinate all modeling activities in order to produce complete, consistent, concise, and comprehensible designs across the enterprise • To ensure that models meet the needs of the various stakeholders with views that are understandable by them • To provide tools that make conforming to your standards the easiest path with an appropriate level of governance • To ensure that models do not become obsolete causing expensive rework • To automate the more complex tasks as an alternative to drawing diagrams Ø Implementation • Model Guardian Framework & Model Management System Copyright 2013 OAD Consulting, Inc. . All Rights 130

Framework Maintenance Ø Lifecycle Control to Eliminate Obsolescence • Start with commercially available frameworks or create your own § Import stereotypes, tags, and relationships from existing models § Import from MDG XML files • Merge changes from commercially available frameworks into your own customized version of those frameworks Copyright 2013 OAD Consulting, Inc. . All Rights 131

Framework Maintenance Ø Lifecycle Control to Eliminate Obsolescence • Build your framework in a Work-in-Progress area with test models • Publish to a deployment area to work with production models Copyright 2013 OAD Consulting, Inc. . All Rights 132

Framework Maintenance Ø Domain Specific Standardized Set of Modeling Tools • • Object Types Connector Types Tag Definitions Relationships Toolboxes and Toolbox Sections Diagram Types Domain Roles Copyright 2013 OAD Consulting, Inc. . All Rights 133

Framework Editor Ø Object Types Copyright 2013 OAD Consulting, Inc. . All Rights 134

Framework Editor Ø Connector Types Copyright 2013 OAD Consulting, Inc. . All Rights 135

Framework Editor Ø Tag Definitions Copyright 2013 OAD Consulting, Inc. . All Rights 136

Framework Editor Ø Relationships Copyright 2013 OAD Consulting, Inc. . All Rights 137

Framework Editor Ø Toolbox Sections Copyright 2013 OAD Consulting, Inc. . All Rights 138

Framework Editor Ø Toolboxes Copyright 2013 OAD Consulting, Inc. . All Rights 139

Framework Editor Ø Framework Editor Copyright 2013 OAD Consulting, Inc. . All Rights 140

Framework Editor Ø Framework Archival & Retrieval Copyright 2013 OAD Consulting, Inc. . All Rights 141

Framework Editor Ø Framework Archive Management Copyright 2013 OAD Consulting, Inc. . All Rights 142

Model Editor Ø Model Editor Copyright 2013 OAD Consulting, Inc. . All Rights 143

Model Editor Ø Change Stereotypes Copyright 2013 OAD Consulting, Inc. . All Rights 144

Model Editor Ø Change Tag Names Copyright 2013 OAD Consulting, Inc. . All Rights 145

Model Editor Ø Synchronize Individual Elements Copyright 2013 OAD Consulting, Inc. . All Rights 146

Model Editor Ø Model Element Usage Copyright 2013 OAD Consulting, Inc. . All Rights 147

Model Editor Ø Model Element Usage Copyright 2013 OAD Consulting, Inc. . All Rights 148

Model Editor Ø Relocate Elements in the Project Browser Copyright 2013 OAD Consulting, Inc. . All Rights 149

Model Governance Ø Three Levels + Reporting • Suggest • Warn • Enforce Ø Subject Areas • Object/Connector Types § Tag cardinalities § Tag population • Relationships § Appropriate end points § Endpoint cardinalities Copyright 2013 OAD Consulting, Inc. . All Rights 150

Model Reporting Ø Built-in Enterprise Architect Capabilities Ø Ø Framework SQL Views • Inventory style reporting • Types of views § § Base views Framework metatype views Composite views Complex views • Usage § With SQL report writers § With Enterprise Architect model searches and model views § Custom Applications Copyright 2013 OAD Consulting, Inc. . All Rights 151

Model Reporting Ø SQL View Generation • Framework generated views § § Metatype view Metatype + Subtypes view Diagram Elements Diagram Connectors • User-defined views § Modeled in Enterprise Architect § Generated with the framework views Copyright 2013 OAD Consulting, Inc. . All Rights 152

Model Reporting Ø SQL Views and SQL Report Writers • Framework Element Views Copyright 2013 OAD Consulting, Inc. . All Rights 153

Model Reporting Ø SQL Views and SQL Report Writers • Composite Element Views Copyright 2013 OAD Consulting, Inc. . All Rights 154

Model Reporting Ø SQL Views and SQL Report Writers • Complex views leveraging the relationships among the elements Copyright 2013 OAD Consulting, Inc. . All Rights 155

Model Guardian Help Ø About Model Guardian Copyright 2013 OAD Consulting, Inc. . All Rights 156

Model Guardian Help Ø About Model Guardian Copyright 2013 OAD Consulting, Inc. . All Rights 157

SQL Reports Copyright 2013 OAD Consulting, Inc. . All Rights 158

Summation Ø Captured each architectural view along with life-cycle information Ø Shown how the applications and database schemas interact to realize key scenarios Ø Shown the key architectural elements involved in the business process realizations Ø Added roadmaps and projects to tie portfolio management to the elements of the architecture Ø Integrated risk management with the business policies, activities, and services of the architectural views Ø Provided a visible path from the objectives to how successfully they are being met Copyright 2013 OAD Consulting, Inc. . All Rights Slide 159

nt e em g na Audit & Compliance Personnel ior IT M ana ger s ts te c Expe rts Copyright 2013 OAD Consulting, Inc. . All Rights Infrastructure Architects ers lop e v e D oje ness Pr Busi ct Ma n ag em en t l Oper at ne on ions S ers AP taff Q/ Ap pl ica ts tio ec hit n. A rc c Ar hi ta Se Sen Da r o i n s e n si Bu a M s Going From Chaos Slide 160

To Strategic Planning Vertical Slices si n Re es al s P iz at roc io e n ss s lic es ap l. S Infrastructure Architecture dm Service Specializations Current State Information Systems Architecture Ro ora a Service Requirements mp Business Architecture Te Architectural Views Horizontal Slices s es c o Pr ion ss izat e in eal s Bu R Bu s es c o Pr on i ss zat e in eali s Bu R Future State Business Process Realization Architectural Requirements Continuous Monitoring Objectives – Risk Responses Controls –Verification – Mitigation Copyright 2013 OAD Consulting, Inc. . All Rights Slide 161

Enterprise Architecture & Risk Management Framework (EA) 2 Terry Merriman www. OADConsulting. co m tm@OADConsulting. com Give (EA) 2 a try. Download the free 45 -day evaluation copy of Model Guardian with (EA) 2 today. And remember, you are not alone! OAD Consulting provides architectural consulting services to ensure the success of your EA practice and the adoption of your modeling frameworks. Copyright 2013 OAD Consulting, Inc. . All Rights Back 162