Supercharge Risk and Compliance with Your Enterprise Architecture

Managing government, industry, or internal compliance is a tough job. Many organizations have dedicated teams to field, communicate and track new mandates. Requirements are often tracked in spreadsheets or repositories that have limited access. If organizations integrate compliance data within an enterprise architecture (EA) repository, they will unlock a powerful analysis and management tool that can be used when planning, executing, and evaluating change. In this post, I will introduce how organizations can supercharge compliance awareness, participation, and improvement by leveraging an enterprise architecture repository.

What is Enterprise Architecture?

Enterprise architecture refers to an information repository that describes the relationships between performance objectives, business processes, data, applications, and supporting technologies. EA also refers to the disciplines that establish, maintain, and leverage EA information to support strategy execution, change management, and business efficiency.

An EA repository consists of several catalogs. Items in different catalogs are associated with one another to characterize a relationship between them. For example, one catalog might list the name of every process implemented within the business, and another might list all the data used or created by the organization. By associating data with the processes that use or create it, an analyst can understand which processes are impacted by changes to data availability, quality, or compliance requirements.

In most organizations, the EA is managed by the information technology team. EA has traditionally been a resource for people to: 

  • use technology catalogs to plan and optimize IT investments,

  • understand how technology supports business processes,

  • explore opportunities for business process improvements through technology, 

  • understand the impacts of software obsolescence or disruption, and 

  • describe the future technology environment.

An EA is a powerful tool to gain a better understanding of your current and future business and technology environment. By adding compliance-related catalogs to an existing EA, organizations can quickly enable powerful new risk planning, assessment, and analysis tools. 

How to Supercharge Compliance through EA

By taking just a few steps, you can implement powerful risk and compliance planning and analysis tools through your EA repository. Take these four steps to deliver new value from your EA.

1. Understand Your Compliance Responsibilities

Compliance requirements can originate from many different sources. Laws and regulations, Presidential directives and orders, policies, standards, and best practices are sources, just to name a few. Before you can map compliance requirements into your EA, you need to decide what you will map. Due to the technology emphasis found in EA repositories, mapping security controls may be a good start for many organizations. 

2. Create Compliance Catalogs

Several lists can be created to enumerate your compliance requirements. Drawing an association between two catalogs enables one to understand which requirements are included in a given publication. Two foundational catalogs to capture include:

  • Compliance Publication - captures the documents from which compliance requirements are expressed.

  • Compliance Requirement - captures the specific requirements expressed within a compliance publication.

It’s not uncommon for requirements to be expressed multiple times within a publication or across publications using different verbiage. One can capture the relationship between these requirements by creating a catalog of “normalized” or “foundational” compliance requirements. For example, if two or more publications require two-factor authentication controls but differ in scope or implementation timing, generalizing the requirement as simply “implement two-factor authentication” establishes the common requirement expressed across the publications. Using “normalized” requirements enables analysts and compliance professionals to reference an abbreviated list of requirements that maps to the expanded list of specific requirements.

3. Map Your Requirements

The next step is to associate compliance requirements with other EA catalogs. For example, you might have an internal directive to apply password rotation on public-facing systems. By mapping the compliance requirement to specific applications within the applications catalog, you make the need for password rotation on those applications visible to many other stakeholders. For example:

  • a developer will know to incorporate the feature, 

  • a system tester will know to create a verification test, 

  • a security analyst will know to verify the inclusion of the control, 

  • an auditor will know that the requirement was recognized and can verify implementation, and 

  • a change agent can know the impact of changing the password policy requirement.

That’s a lot of value from a simple mapping!
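To make steps 2 and 3 concrete, here is a small model of the catalogs and associations described above. This is an added example, not code from the original post or from any EA product: the catalog names (Compliance Publication, Compliance Requirement, normalized requirement, Application) follow the post, while the publications, requirement wording, and applications are constructed sample data. The queries show the kind of analysis the mapping unlocks: which publications express the same normalized requirement, which applications are impacted if that requirement changes, what one application must satisfy, and which recorded requirements have not been mapped to anything yet.

```python
"""Toy enterprise-architecture (EA) repository with compliance catalogs.

Added illustration, not code from the original post. Catalog names follow
the post; every record created in build_sample_repository() is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Publication:
    pub_id: str
    title: str


@dataclass(frozen=True)
class Requirement:
    req_id: str
    pub_id: str          # association: the publication this requirement comes from
    text: str            # the requirement as worded in that publication
    normalized_id: str   # association: the common, abbreviated requirement it expresses


@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    public_facing: bool


@dataclass
class EARepository:
    publications: dict = field(default_factory=dict)
    requirements: dict = field(default_factory=dict)
    normalized: dict = field(default_factory=dict)   # norm_id -> short statement
    applications: dict = field(default_factory=dict)
    # Association table between two catalogs: (req_id, app_id) means
    # "this application must satisfy this requirement".
    req_to_app: set = field(default_factory=set)

    def map_requirement(self, req_id, app_id):
        if req_id not in self.requirements or app_id not in self.applications:
            raise KeyError(f"unknown requirement {req_id} or application {app_id}")
        self.req_to_app.add((req_id, app_id))

    def requirements_in_publication(self, pub_id):
        """Which specific requirements does a given publication contain?"""
        return sorted(r.req_id for r in self.requirements.values() if r.pub_id == pub_id)

    def publications_for_normalized(self, norm_id):
        """Which publications express the same common requirement in different words?"""
        return {r.pub_id for r in self.requirements.values() if r.normalized_id == norm_id}

    def applications_impacted_by_normalized(self, norm_id):
        """Impact analysis: if the common requirement changes, which applications are affected?"""
        reqs = {r.req_id for r in self.requirements.values() if r.normalized_id == norm_id}
        return {app for req, app in self.req_to_app if req in reqs}

    def requirements_for_application(self, app_id):
        """What a developer, tester, or auditor needs to know about one application."""
        return sorted(req for req, app in self.req_to_app if app == app_id)

    def unmapped_requirements(self):
        """Coverage gap: requirements recorded in the catalog but mapped to no application."""
        mapped = {req for req, _ in self.req_to_app}
        return sorted(set(self.requirements) - mapped)


def build_sample_repository():
    """Constructed sample data: two publications that word two-factor authentication
    differently, plus an internal password-rotation directive for public-facing systems."""
    repo = EARepository()
    repo.publications["PUB-1"] = Publication("PUB-1", "Internal Security Policy (constructed)")
    repo.publications["PUB-2"] = Publication("PUB-2", "Partner Contract Security Annex (constructed)")
    repo.normalized["N-2FA"] = "Implement two-factor authentication"
    repo.normalized["N-PWROT"] = "Rotate passwords on public-facing systems"
    for r in [
        Requirement("REQ-1", "PUB-1", "All staff accounts shall use 2FA by Q4", "N-2FA"),
        Requirement("REQ-2", "PUB-2", "Partner-accessible systems must enforce MFA at login", "N-2FA"),
        Requirement("REQ-3", "PUB-1", "Public-facing systems shall rotate passwords every 90 days", "N-PWROT"),
    ]:
        repo.requirements[r.req_id] = r
    repo.applications["APP-1"] = Application("APP-1", "Customer Portal", public_facing=True)
    repo.applications["APP-2"] = Application("APP-2", "HR Intranet", public_facing=False)
    # Step 3: map requirements to applications.
    repo.map_requirement("REQ-1", "APP-1")
    repo.map_requirement("REQ-1", "APP-2")
    repo.map_requirement("REQ-2", "APP-1")
    # The rotation directive is scoped to public-facing systems, so map it by attribute.
    for app in repo.applications.values():
        if app.public_facing:
            repo.map_requirement("REQ-3", app.app_id)
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print("Publications expressing 2FA:", sorted(repo.publications_for_normalized("N-2FA")))
    print("Apps impacted by a 2FA change:", sorted(repo.applications_impacted_by_normalized("N-2FA")))
    print("Requirements on Customer Portal:", repo.requirements_for_application("APP-1"))
    print("Unmapped requirements:", repo.unmapped_requirements())
```

The `unmapped_requirements` check is the one compliance teams tend to want first: a requirement that sits in the catalog but is associated with nothing is invisible to the developer, tester, and auditor listed above, which is exactly the spreadsheet problem the mapping is meant to solve.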

4. Educate Your Architects and Compliance Teams

While it is possible to draw powerful insights from an integrated compliance architecture, it is important to engage compliance and architecture stakeholders to ensure that they see the value, want to make the change, and can do the care and feeding necessary to maintain the capability. Stakeholder buy-in will drive compliance benefits.

By establishing training, documentation, and job aids to build awareness, know-how, and support, you can develop and sustain support for your new capabilities. Consider engaging communications and training subject matter experts to develop these resources. With an engaged and educated team, you will be ready to get the maximum value from your new EA-enabled compliance capability.

Conclusion

Organizations put a lot of energy into their EA repositories because there is a lot of value to be gained from understanding how IT contributes to the business. When compliance is managed outside of the EA, it’s more difficult to consider risk and compliance when planning business and technology change. By incorporating compliance information within your EA, you can develop a powerful understanding of how risk and compliance requirements apply to business processes, information, and technology.
