Risk is an unavoidable fact of human life, and nowhere is this more evident than in financial matters. Without risk there can be no trade or commerce, as all commercial ventures depend on a certain degree of risk: and very often the riskiest venture returns the greatest profit.
For any manager, the primary goal of risk management is to control the risk to which an organisation exposes itself. Various initiatives have arisen to help organisations address and control risk. Some of them are applied internally, others from without – such as Basel II, which seeks to control investor risk by identifying all risk factors before specifying capital adequacy levels for banks; Sarbanes-Oxley, which seeks to control systemic risk by improving the controls associated with the financial reporting and audit process; King II, which in a non-regulatory manner seeks to align corporate behaviour with commonly agreed best practices; and safety, health, environment, risk and quality (SHERQ) legislation. All of these best practices need to be understood, managed and incorporated into the business as a standard way of doing business.
Part of the problem with all of these approaches is that each requires its own set of control activities. It is quite impossible to deal with them all in a unified manner, which means separate committees and subcommittees, structures and processes to deal with each, along with the attendant cost. As an example, Sarbanes-Oxley compliance has been said to cost US organisations up to 1% of their annual revenues, and to consume 15% of IT budgets.
The consequence is that many organisations pay lip service to corporate governance initiatives such as King II, until they are fingered for this non-compliance by shareholder activists like Theo Botha. Enterprise architecture (EA), one of the world’s fastest growing organisational disciplines, helps address the issue of risk in a holistic manner.
Operational risk is determined by the way an organisation implements and manages its strategies and processes to achieve its objectives. It is practically impossible to manage any complex organisation efficiently unless it is properly documented. EA methodology documents and maintains traceability between the various components of an organisation, thereby simplifying operational risk management.
It is also important to remember that each time new legislation is passed, organisational change is required. Constant systemic change is disruptive to business. One of EA’s vital contributions in this scenario is that it makes it easier for organisations to find ways of absorbing that change without disrupting the business. Indeed, EA makes it possible for an organisation actually to understand the impact of such change before it even occurs. An enterprise architecture means any changes made by those with an overall picture of the organisation can be examined and followed through the organisation to determine possible impacts at different operational levels.
The converse also applies – changes made at the deeper levels, for instance IT applications, can be tracked back to determine their implications for the organisation as a whole. In this way, enterprise architecture provides the interface that enables business and IT to be aligned. Much of the pressure being brought to bear on organisations today comes in the form of external regulatory compliance, which brings about such a requirement for change that it spurs management to create a foundation for coping with change.
Harvard Business Press, in its seminal 2006 work, “Enterprise Architecture as Strategy”, spoke on the subject: “Regulatory compliance creates overhead, but new regulations will likely appear every year. A foundation for execution significantly reduces the marginal cost of meeting the next regulation by creating a reusable capability to access data and metrics.”
Let’s look briefly at three areas requiring detailed risk management:
The US federal government passed the Sarbanes-Oxley Act in 2002, assigning personal responsibility to senior management of public and non-public organisations for corporate governance and financial reporting. In the US, this can result in executives being sentenced to jail terms in the event of a breach of the legislation. Corporate governance of this nature is also being applied in various forms by other countries.
EA has an important role to play in supporting the needs of senior management for governance analysis, as required by legislation that makes it the responsibility of management to establish and maintain an adequate internal control structure and procedures for financial reporting.
Internal controls vary from company to company. They need to be tailored to the relevant industry within which the organisation operates; they are also typically unique for each organisation. They are determined by the company’s business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.
Senior management needs to show that answers are available in relation to key resources such as: data; business activities and processes; locations; people and business units; and events. Answers should be available that also show how resources relate to strategic and tactical business plans that have been defined by management.
Basel II is aimed at producing uniformity in the way banks and banking regulators approach risk management across national borders. It is fundamentally about improving risk and asset management to avoid financial disasters. Operational risk is defined by the Basel Capital Accord as: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.” It is not just about IT, as all companies are exposed to operational risk, and the integration of processes, systems and people has to be understood and continually monitored to mitigate that risk. Basel II acknowledges and includes operational risk as an element that must be assessed and managed along with credit risk and market risk. Risk assessment and management requires a systematic approach such as that enabled by EA, a discipline that documents the entire organisation, including its processes, strategies and systems.
South African companies have to meet external, corporate and legal requirements for corporate welfare and individual well-being as determined by SHERQ legislation. In 2006, the Department of Labour found that over 75% of businesses in Ekurhuleni were not aware of these legal requirements. It is fairly safe to assume that this is the case across many regions. With SHERQ legislation becoming more and more comprehensive, there are increasing penalties for non-compliance. This highlights once again the need for organisations to find ways of understanding and absorbing change without disruption to the business.
Enterprise architecture delivers three inter-related benefits: cutting costs, managing change and risk reduction. Risk is such a critical focus within enterprise architecture that it is almost always closely linked with governance. Almost every organisation in the world will have a requirement during the next 24 months to embrace some new form of risk mitigation. Enterprise architecture provides the ideal foundation for addressing and managing this in a manner that informs strategy and makes for sustainable operations.
Paul van der Merwe, BSc, BCom (Hons), Masters of Commerce is a certified TOGAF Practitioner, certified Internal Auditor and certified Information Systems Auditor and a consulting manager, Rael IRM.