Capturing Organization Policy and Compliance - ECP-2

jonathan.carter

To understand what might be needed to provide a capability for capturing and modelling Organisational Policies and Compliance that has as wide a coverage as possible, this Essential Community Process, ECP-2, has been created.

Initial requirements to date:
  • Associate compliance with WHAT and HOW across Business, Application, Information and Technology
  • Capture compliance and policy documentation
Please contribute your requirements for this capability.

Jonathan
peter.fuzi

Jonathan,

The audit profession worldwide should be a strong audience for this topic. Each auditor (internal and IT auditor) should be unconditionally interested in it. For them, modelling external and internal controls with their hierarchical interdependencies is in the mainstream of their work. E.g. it is an important step in each audit assignment when the analysis gets to the conclusion: whether the internal control system (policies, procedures, organizational structure, roles, responsibility, etc.) of a company complies with the relevant external requirements (set by laws, e.g.). I guess this is a fairly complex field, and there may be wide variations from region to region in the way the parties involved interpret the details ... What I mean is, we should preferably consult not just at an abstract level about the potential requirements; sometimes, from time to time, we should provide illustrative mini models that can test the correctness of the requirements against real-world governance structure and practice.

Another useful point would be for us beginners to have highlighting intros as to what our current capabilities in Essential V3 are for modelling policies and procedures.

I hope the points above help us to start up a nice discussion ahead ...

Regards with thanks, Peter

PS: as soon as I can find a good case that can be illustrative for us for p&p capturing, I will deliver it for further discussion.
peter.fuzi

Re: my idea we should study real world examples too
Let us look into the background of the 30th Olympic Games, London 2012. We can find and review laws, policies, organizations, etc. As a starting point I propose to gain an insight and walk through
a) the London Olympic Games and Paralympic Games Act 2006
b) the organization ODA (Olympic Delivery Authority)
to the extent we have published and authentic sources for them.

I have already reviewed several pages of them (it was very interesting); on the other hand, I reviewed our Forum Rules too. I have not found any principle or rule that would be compromised by such a study-type discussion or analysis. I think we can deal with such a discussion at this forum. Still, I ask the masters of the Forum for a confirmation of this proposal.

Upon having their agreement I suppose we can enter and start the discussion.

The outcome of such a discussion hopefully includes a better understanding of
- the nature of external and internal controls we need to model during our engagements
- how we can currently build such models with Essential V3
- what improvement to the metamodel can be enough to accommodate the requirements we conclude

With regards,
Peter

Links referred to:
a) Wikipedia entry: http://en.wikipedia.org/wiki/London_Oly ... s_Act_2006
b) the Act: http://www.legislation.gov.uk/ukpga/200 ... on/enacted
c) ODA: http://www.london2012.com/about-us/the- ... games/oda/
d) for background reading: COSO Internal Controls http://www.coso.org/IC.htm
jason.powell

Peter,

The use of real-world use cases is something that we always prefer when defining requirements for extensions to the meta-model, and so we would welcome a discussion on the forum of the nature that you describe.

We look forward to your future postings on this subject.

Jason
peter.fuzi

Now, after a fair delay, I can return. I could find your hint for the post-installation next steps (http://enterprise-architecture.org/comp ... positories).
Unfortunately ECP-2 is not among them.

Please, direct me to ECP-2.

Thank you,
Peter
jonathan.carter

Hi Peter,

These aspects are now part of the core meta model (version 4.x) and so there is no sample repository. Unless this is lacking features that you require, we should close ECP-2.

Policies of any kind can be captured in the Governance section of the EA_Support part of the meta model. This enables us to define policies about the business, information, application and technology aspects (to help manage the set of policies). Within the Governance area, we can define Controls that we are using to ensure that the policies are being followed.

In terms of compliance, we added a new area to EA Support called Obligation Management where we can capture the Compliance Obligations that the organisation has (e.g. from regulations / law etc.) and the Contractual Obligations that we have with our customers / contract parties.
Regulations are also captured as first-class objects within Obligation Management so that we can capture the relevant regulations, e.g. with references to external information and then capture how they relate to our compliance obligations.

Let us know how these are supporting (or not!) your requirements.

Jonathan
peter.fuzi

Dear Jonathan,

thank you for the fast reply. It sounds more than suitable for a first overview. In a couple of days I will make some study sketches to walk through and understand the opportunities of these features, and then I will return with the experience.

Kind regards,
Peter
Last edited by peter.fuzi on 17 May 2014, 15:34, edited 1 time in total.
jonathan.carter

Thanks Peter.

We look forward to your thoughts.
We have a number of organisations that are successfully using these meta model features with some interesting custom views.

Jonathan