Business Architecture’s Role in Crisis, Risk, and Compliance Management


Executive Update
Posted May 17, 2017 in Business & Enterprise Architecture

Every business must deal with crisis, risk, and compliance challenges. Teams chartered with addressing these challenges are often split across business units and regions, which fragments crisis, risk, and compliance management efforts. Business unit silos and related complexities obscure ecosystem transparency, which in turn constrains an organization’s ability to identify risks, assure compliance, and prevent and disarm crises. Business architecture delivers business ecosystem transparency as a basis for improving a business’s ability to collectively address challenges related to crisis, risk, and compliance. This Executive Update outlines the role of business architecture in crisis, risk, and compliance management.1

Defining Crisis, Risk, and Compliance

Establishing a shared understanding of crisis, risk, and compliance management is the first step toward understanding business architecture’s role in improving how organizations deliver on each of these disciplines. Consider the following definitions:2

  • Crisis — an unstable or crucial time, or state of affairs, in which a decisive change is impending; especially one with the distinct possibility of a highly undesirable outcome
  • Crisis management — the ability to proactively plan for and respond to disruptive and unexpected events that threaten to harm the organization, its stakeholders, or the public
  • Risk — a situation involving exposure to danger
  • Risk management — the ability to identify, assess, control, avoid, minimize, and eliminate unacceptable risks
  • Compliance — confirmation that the doer of an action or supplier of a product conforms to accepted practices, legislation, rules, regulations, specified standards, and contract terms
  • Compliance management — the ability to identify, assess, and assure that a business conforms to accepted practices, legislation, rules, regulations, specified standards, and contract terms

While many businesses tend to have separate teams dealing with each of these disciplines, a business’s abilities to identify and manage compliance and risks and to prevent and respond to crises have a great deal in common. In other words, crisis, risk, and compliance management are highly intertwined disciplines.

For example, organizations identify weaknesses, threats, and related impacts as a basis for mitigating risks and future crises. They also seek to achieve compliance to avoid legislative, audit, and oversight violations and related disruptions that could stem from these violations. Each of these disciplines relies on varying degrees of business transparency as a basis for prevention and remediation, with a focus on nullifying customer, partner, public, employee, and general business impacts.

Crisis management is a good starting point for examining common ways to improve a business’s collective ability to exercise these disciplines because avoiding and responding to crises requires highlighting and mitigating risks and assuring overall compliance.

Crisis Management in the News

In 2016, Wells Fargo discovered that as many as 2.1 million people were the subject of problematic sales practices in which unauthorized accounts were created for these individuals. The following series of headlines, which ran from September 2016 through March 2017, helps illustrate this story:

Wells Fargo’s CEO indicated in an article dated 17 March 2017 that the company “is looking as far back as 2009 to figure out how many unauthorized accounts were created.” The CEO was further cited as saying, “I will describe it as much more complicated than anyone could have imagined. But that’s not an excuse. It’s going to take a few months to figure out. But I will assure we will remediate all those customers.”

When crisis hits, it hits hard, and if an organization lacks certain levels of business transparency, recovery from that crisis can be a long, painful, and even very public process. Heading off crises requires identifying and mitigating risks and ensuring compliance, creating a triumvirate of interrelated disciplines that demand total ecosystem transparency.

Total Ecosystem Transparency: Managing Crisis, Risk, and Compliance

In a crisis, executives require rapid cause-and-effect analysis. Unfortunately, this type of analysis is often cobbled together in haphazard ways across disparate, uncoordinated business units. Within this context, no one area can see the whole picture, which means, for example, that upstream impacts are shrouded from downstream business units. In some cases, the actions or impacts of a business partner further complicate cause-and-effect analysis. And in almost all cases, the lack of a defined business vocabulary across business units means that tracing the evolution, location, and state of a contract, customer, product, asset, investment, account, or other critical business perspective is at best fleeting for any given area and fully shrouded from the business as a whole.

Business ecosystem transparency facilitates risk identification and avoidance, regulatory and related policy compliance, and rapid cause-and-effect analysis in a crisis. The business ecosystem is an important concept here because it establishes the scope and boundaries of a business that is not fully reliant on business unit silos. As defined in A Guide to the Business Architecture Body of Knowledge® (BIZBOK® Guide), a business ecosystem is “one or more legal entities, in whole or in part, that exist as an integrated community of individuals and assets, or aggregations thereof, interacting as a cohesive whole toward a common mission or purpose.”

The above ecosystem definition helps when defining business boundaries, which seldom begin and end with a single legal entity. Consider, for example, a company that outsources certain capabilities, such as Legal Proceedings Management, Asset Definition, Shipment Management, Feedback Management, Payment Determination, and Human Resource Management, all of which are key to the company’s success. Whether insourced or outsourced, these capabilities, which define “what” a business does, are part of the business ecosystem because they are essential to ensuring that a given business is a viable, functioning entity.

Lack of Business Transparency Fosters Crises, Risks, and Noncompliance

Crisis scenarios tend to trigger reactive, versus proactive, responses. Underlying these reactive response tendencies are piecemeal, siloed approaches to compliance and risk management. For example, risk management at large, multidivisional companies can lack holistic perspectives of risk-related impacts across customers, partners, products, markets, and related focal points. There is no concept of ecosystem-wide risk aggregation across these business perspectives or related business units. As a result, what appears to be in compliance within a given business unit may receive a failing score in aggregate across multiple business units.

Consider a financial services firm with multiple divisions and multiple business units within each of those divisions. Each division and related business unit would be responsible for managing multiple accounts, products, funds, and, depending on its business model, policies for insuring wealth. Individual business units would have instances of common capabilities, such as account management, fund management, customer management, product management, transaction management, and payment management. Figure 1 illustrates an example of such a business scenario.

Figure 1 — Complexity and redundancy across business units creates crisis “blind spots.”

Figure 1 highlights that each business unit has a siloed view of its accounts, customers, products, and other focal points. In this scenario, each business unit would work under the assumption that it is in full compliance with policies and regulations and that it has adequately identified and mitigated risks. Each business unit has its own crisis management plan. On a case-by-case basis, each business unit would score very well in terms of crisis prevention, risk management, and compliance. In all likelihood, however, the exact opposite is true.

Cross-business-unit complexities, redundancies, and fragmented business views have blinded the business as a whole to potential risks, overall compliance, and, most important, the ability to plan for and mitigate risk. Figure 1 highlights the fact that each business unit sees the customer as its own customer, without understanding that a given customer may have multiple accounts, funds, and policies with the business as a whole. The customer sees one company, but the business collectively sees that customer as many entities.

Consider a scenario where a customer defaults on a mortgage. That same customer holds many other accounts, investments, and policies. In addition, that same customer comes back to the institution to get another loan from an unrelated business unit, despite the fact that the originating business unit marked that customer as a credit risk. Now multiply this scenario by millions of customers, accounts, business partners, products, payments, decisions, and a host of other business perspectives.

The institution’s ability to perform aggregated risk analysis, ensure compliance, and prepare for and react to crises is dramatically impaired by these siloed business perspectives, silos that include functionally and regionally aligned business units. Executives can stress cross-business cooperation, but this is a piecemeal approach that veers more toward wishful thinking than aggregated crisis, risk, and compliance management.

Business fragmentation is not uncommon. In fact, it is the norm across numerous industries worldwide. Businesses have historically pushed crisis, risk, and compliance management to individual business units. In many cases, a centralized risk management team is in place along with corporate audit and crisis management teams. But these teams have no more visibility across a fragmented ecosystem than would any other business unit, which means that they can establish and push out policies, but there is no way to verify compliance in an opaque ecosystem.

How can multibillion-dollar, multidivisional corporations take these risks? Why would oversight agencies, auditors, and executive governance structures ignore these risks? Are executives aware of the risks related to this lack of transparency and the impacts on the business? If a business is not familiar with the benefits of and the capacity to establish ecosystem transparency, then perhaps there is simply a sense that there is nothing that can be done. But this is not the case.

Business Architecture: Delivering Business Ecosystem Transparency

Business architecture provides the transparency needed to proactively avoid crises through risk and compliance management — and to respond in kind when crises do arise. This means, for example, that a business will view a customer just as the customer views the business: through a single lens with multiple accounts, policies, and investments. Customer risk and account risk management become shared capabilities that consider the customer in totality and not through many business unit silos. Figure 2 highlights this single-view perspective on customer and related interests.

Figure 2 — Business-viewing customer: shared interests through a common lens.

A well-articulated business architecture provides rapid insight into which customers are aligned to certain accounts and agreements, how customers are linked to other customers and third parties, associations among accounts and agreements, and related business unit impacts. Business architecture highlights where blind spots exist, pinpoints impacts on the business from an ecosystem-wide perspective, and provides insights into resolving risk, compliance, and related factors.

Business architecture provides the business transparency needed to deliver these insights by articulating a common set of rationalized, cross-business perspectives on capabilities, stakeholders, value delivery, and information. Leveraging this baseline business architecture perspective, planning and execution teams can selectively view the business from a variety of business unit, business policy, strategic planning, initiative investment, and product perspectives. These perspectives, in turn, are applied to assess and manage crises, risks, and compliance for the business as a whole.

Consider, for example, the policy and regulatory compliance perspective shown in Figure 3. A well-articulated business architecture would have business-wide capability definitions mapped out along with the business units that have or exercise those capabilities. When viewed through a policy compliance lens, regulatory, audit, and compliance teams can quickly assess policy impacts, points of risk, and related focal points for crisis management. A business may choose to drill down to a product, initiative, investment, or numerous other perspectives.

Figure 3 — Business policy and compliance impacts on business units and capabilities.

If a business has this level of policy compliance understanding and insight, crisis and risk management becomes a matter of providing this information to any team that requires it, and this could extend well beyond a given crisis management or audit team, ensuring that policy compliance is built into the fabric of the business from planning through deployment.

Consider the value of having the transparency shown in Figures 2 and 3 in reference to the challenges faced by Wells Fargo as outlined at the outset of this Update. The business would be able to trace an account to a customer and a customer back to all accounts and related impacts. This could also include customer relationships to policies, investments, partners, assets, or even other customers. The insights become second nature, not multiyear investments across many dozens of business units.

Business-Driven Crisis, Risk, and Compliance Solutions for IT Architecture

At this point, one would presuppose that any degree of crisis, risk, and compliance management would certainly target or at least touch upon information systems as well as drive investments in those systems. The multidimensional transparency delivered by business architecture extends into the IT architecture domain. Capabilities, value delivery, information, and business unit perspectives may be associated with the information systems and wealth of other technologies that automate capabilities and related aspects of business architecture. As such, an investment in those systems should be viewed through the business architecture lens to assess general business impacts as well as ideal options for furthering crisis, risk, and compliance management.

The top portion of Figure 4 depicts how most businesses pursue crisis, risk, and compliance management. A given business unit receives a request from a compliance, risk, or audit group and invests in siloed, redundant information systems to address the issue(s) at hand. The previous challenges associated with siloed views of a business and related constraints they place on aggregated crisis, risk, and compliance management spill over to IT investments.

Figure 4 — Business architecture drives IT investments.

The ideal approach is shown across the bottom portion of Figure 4, where crisis, risk, and compliance strategies are viewed through the lens of business architecture, which in turn is used to articulate updates to existing information systems or specifications for a more applicable set of systems. The key aspect of business architecture that focuses IT planning and deployment is the capability.

Capability-based planning offers a shared perspective for focusing IT investments on stakeholder value delivery, information alignment, and business unit synchronization. When capability-based planning is engaged, the many tens or hundreds of millions of dollars in IT investments may be redirected from a siloed, piecemeal, and highly limited solution deployment approach to a more holistic planning and investment perspective for enabling crisis, risk, and compliance management.

Leveraging Business Architecture for Crisis, Risk, and Compliance: Call to Action

How should organizations move forward to leverage business architecture for crisis, risk, and compliance management? Here are some steps to pursue:

  1. Determine your organization’s business architecture maturity using a standard approach to business architecture maturity analysis.
  2. Establish business architecture outside of a given business unit or IT group. This will provide transparency across siloed business perspectives that are in place today.
  3. Educate relevant teams and executives on using business architecture for crisis, risk, and compliance management.
  4. Outline steps for articulating your business architecture, with a focus on establishing a high-level, cross-business baseline, coupled with policy and stakeholder perspectives.
  5. As the business architecture is established, begin to link it to the IT architecture as a basis for business-driven IT transformation planning and investment.

Hopefully these steps will help your organization move forward with using business architecture for crisis, risk, and compliance management. One added element of this is that business architecture provides the basis to rethink how a business delivers stakeholder value. The transparency business architecture provides not only enables innovation teams to rethink how they address crisis, risk, and compliance management, but generally enables a business overall to envision and realize innovative thinking through perspectives that were previously hidden from line of sight.


1 Author’s note: “governance, risk, and compliance” (GRC) is a common industry term but we do not use it here because the topic aligns crisis, risk, and compliance, whereas governance is a unique subject.

2 Sourced primarily from


About The Author

William M. Ulrich is a Fellow of Cutter Consortium's Business & Enterprise Architecture practice and President of TSG, Inc. Specializing in business and IT planning and transformation strategies, he has more than 35 years’ experience in the business-IT management consulting field. Mr. Ulrich serves as strategic advisor and mentor on business-IT...
