Governance and compliance are the EA business processes
1.0 INTRODUCTION
Governance and compliance processes are EA business processes that must be reengineered so that they are integrated and streamlined. Enterprise Architecture standards are established through the governance processes, with consensus from the stakeholders. Enterprise Architecture designs are established through the compliance review process. EA is not established by a group of architects locked behind closed doors for a couple of years.
Integrate compliance review
The Enterprise Architecture is evolved continuously via projects.
5.0 INTEGRATED GOVERNANCE PROCESS
Using the EA to implement new projects provides a positive impact on the enterprise. If the EA is not successfully used, the entire development effort to this point is for naught. In this section, the emphasis shifts to integrating use of the EA across multiple activities and organizational groups. Success depends on active management, proactive architects, and receptive project personnel. It also depends on integrating the EA process with other enterprise life cycle processes, particularly the CPIC process.
Establishing the EA captures the state of the enterprise and the plan for its future—literally a snapshot of the enterprise and its plans for improvement. For the EA to provide the strategic information asset base as intended, it should become a crucial tool for decision support and communication in the mainstream of daily business operations. Accepting and applying this asset in the Agency’s operational paradigm is a technical and cultural challenge.
The EA is managed as a program that facilitates systematic agency change by continuously aligning technology investments and projects with agency mission needs. The EA is updated continuously to reflect changes in operational and investment priorities that may arise due to legislation, budget constraints, or other business drivers. It is a primary tool for baseline control of complex, interdependent enterprise decisions and communication of those decisions to agency stakeholders. The sequencing plan provides a strong guide for agency decision-makers to use as they consider proposed projects. If a project is not represented in the sequencing plan, it should either be denied funding, since it is not aligned with the agency strategy as embodied in the EA, or it should be granted a waiver if it is a legitimate deviation driven by valid changes in the agency’s environment which have not yet been reflected in the EA. It should be noted that it is crucial that the EA represent the current agency strategies and imperatives as closely as possible, since any lag in the EA may constrain the agency’s ability to effectively execute its mission until a waiver is issued or the EA is adapted. In cases where a waiver is granted, the cause of the waiver should be examined and appropriate changes to the EA considered if the cause represents a valid and ongoing gap in the EA.
5.1 Integrate the EA with CPIC and SLC Processes
Investment management and systems development/acquisition are closely linked with the EA processes. The agency should only make investments that move the agency toward the target architecture and these investment decisions should comply with the sequencing plan. The EA, CPIC, and SLC (systems life cycle) processes are integrated to best suit the agency’s particular organization, culture, and internal management practices. Certain basic relationships exist between these functions and they have a common focus: the effective and efficient management of IT investments. The dialogue across CPIC, SLC, and EA processes is continuous, cooperative, and facilitated by agency commitment to an integrated process. Details of this relationship between management processes and the capital planning and investment control process are discussed in the Architecture Alignment and Assessment Guide and the Smart Practices in Capital Planning document. GAO’s Information Technology Investment Management Framework provides a structured approach to IT investment management that is consistent and integrated with the principles of good EA and system life cycle practices.
Each agency designs its own CPIC process for structuring budget formulation and execution to ensure that investments consistently support strategic goals. All IT projects should align with the agency mission and support agency business needs while minimizing risks and maximizing returns throughout the investment’s life cycle. The target architecture and the sequencing plan provide information for the three phases of the CPIC process. In the Select Phase, the agency determines if the proposed investment meets business decision criteria. To assess the business alignment of the proposed investment, decision makers use, for example, the business case, acquisition plan, and the project plan to determine whether the proposed investment aligns with the sequencing plan and target architecture. In the Control Phase, decision makers monitor business and technical compliance as demonstrated in, for example, the updated business case, system architecture, systems design, and test program. In addition, the investment should be monitored to ensure continuing alignment with the agency’s strategic and business goals, which may shift over time. In the Evaluate Phase, the decision makers perform a final assessment to determine technical and strategic compliance with the EA. The results, including findings of noncompliance, should influence strategic planning for new business and IT projects, which could then lead to changes in the EA.
Figures 14 and 15 illustrate one example of a CPIC and architecture management process developed by the U.S. Customs Service (Customs)—the Investment Management Process (IMP). There is a detailed discussion of their IMP in the U.S. Customs Service Enterprise Architecture Blueprint (August 1999). This framework enables compliance with the EA and the necessary governance for application to the Enterprise Life Cycle Management activities.
Projects are managed and executed through the agency’s systems development/acquisition life cycle. Each agency may have its own unique approach to the systems development/acquisition cycle, but certain fundamental elements such as requirements, systems and software architecture, design, and test are common.
Figure 14. IMP/Architecture Project Assessment Framework
5.1.1 Establish Enforcement Processes and Procedures
The processes and procedures that enforce the application of EA guidance and those that ensure its consistency with the “reality” of the enterprise are critical components in EA institutionalization. The EA processes and procedures implement the Executive EA Policy (see Section 3.1.2). The Enforcement Policy defines the standards and process for determining the compliance of systems or projects with the EA and procedures for resolving the issues of non-compliance. A project’s technical and schedule compliance is typically assessed in terms of how it conforms to the content, intent, and direction set by the EA.
The processes and procedures should answer the following questions:
1. How and when will projects submit project plans to be reviewed for EA compliance?
2. Who will be responsible for compliance assessment and/or justification of waivers?
3. How will compliance and non-compliance be documented and reported?
4. How will outstanding issues of non-compliance be resolved and/or waivers be processed and approved?
5. Who will be responsible for processing, authorizing, and reassessing waivers?
6. What will be the content and format of waiver submissions?
7. If a waiver is granted, how will projects achieve compliance in the future?
8. What are the ramifications if a non-compliant project is not granted a waiver (e.g., funding and/or deployment restrictions)?
The processes and procedures should, of necessity, allow exceptions. In many cases, existing systems in the operations and maintenance phase should be granted exceptions or waivers from the technical standards and constraints of the EA. Alignment of some legacy systems with new standards could be unreasonably costly and introduce additional risk to the business users. Also, it is likely that certain initiatives and innovations, such as investigative efforts and proofs-of-concept, will not comply with the EA.
5.1.1.1 Define Compliance Criteria and Consequences
Requirements for EA assessments include criteria for compliance, waivers, and corresponding submission requirements. In the event of a non-compliant proposal, a request for waiver should be prepared and formally submitted to the Technology Review Committee (TRC). The waiver provides analytical and defensible justification of design changes, budget deviations, and impacts. The waiver request includes identification of the operational, economic, and productivity impacts of any waiver. The corresponding impacts of the waiver not being approved should also be provided to the TRC. The TRC recommends to the CIC approval or denial of requests for waivers. The CIC approves or denies requests for waivers based on this information.
The TRC approves waivers according to the agency’s enforcement process. Each waiver that is approved presents an opportunity for feedback on the EA and the EA process. For example, the need for a waiver may indicate that the target architecture, the transition analysis, and/or the sequencing plan are too constraining or too rigidly defined. In addition, rapidly evolving requirements may necessitate revisiting existing plans outside the normal EA process, since waivers may indicate that the defined target environment does not reflect agency needs. Also the need for reworking proposals may indicate problems in training for compliance.
The CPIC process should respect the integrity of the sequencing plan while considering the strategic and tactical value of all proposals that pass through CPIC checkpoints. Project critical success factors continue to be met. This double check on project proposals ensures that all funded projects meet the conditions necessary for success. These conditions include, but are not limited to:
1. Consistency with the EA
2. Satisfaction of project baseline cost, schedule, capability, and business value commitments
3. Compliance with agency-published investment management policies and guidance
4. Explicit support by executive management.
5.1.1.2 Set Up Integrated Reviews
The CPIC Select, Control, and Evaluate Phases require reviews of proposals and project performance whenever significant change is contemplated or at logical milestones or key decision points (KDPs) in the systems life cycle. KDPs are points where management should take action regarding project scope, approach, funding, etc. EA enforcement should be applied at KDPs, when possible, since it is at those points that senior management will convene to consider investment decisions. Reviews may also occur periodically, for example as part of an integrated capital planning/budget cycle. Since the EA is a major management tool for monitoring and guiding change within the agency, the important outcome is to schedule reviews to ensure that planned investments stay on schedule, within budget, and achieve defined goals. In addition, these reviews provide the opportunity for the EA team to communicate changes in the target architecture and sequencing plan to the agency as a whole, as well as to the specific projects that will be affected. Deviations from compliance may be addressed by implementing changes to the project or by a waiver request.