Demonstrate compliance using architecture control frameworks

by | May 24, 2018 | Blog |

These days many organisations have to deal with stringent regulatory oversight, or assessments and audits from industry-standard bodies. It’s not unusual for these agencies to have redundant and conflicting content in their audits. Indeed, often these audits are an arbitrarily attribute-based process.

As a consequence, organisations are forced to allocate substantial budgets and highly-skilled resources in order to build relationships with these oversight bodies, to thoroughly understand their specifications and standards and to produce complex compliance reports.

All these elements to conforming with government and industry requirements lead to an extremely high cost of compliance for organisations.  In the US, the annual cost of federal regulation in 2016, is estimated at 2.885 trillion USD. Regulatory Compliance continues to be a complex business challenge, is considered to be increasingly burdensome and annual costs are extremely high.

Nevertheless, this overly complex regulatory landscape is still growing exponentially: increased accountability and potential exposure to liability means organisations need to ensure that corporate governance standards are adhered to and robust compliance management systems are in place. No wonder that in many organisations these external oversight agencies are viewed as adversaries.

So how can organisations approach this problem more efficiently and holistically?

Architecture Framework with a dedicated Governance, Risk and Compliance Domain Category

Modelling an architecture framework to support regulatory compliance activities as well as internal controls might help reducing the administrative burden and facilitate reporting requirements imposed by regulators and industry-standard bodies.

Broadly, the following compliance and control frameworks can be integrated into a single architecture framework:

  • Regulatory Compliance Framework

A compliance framework is a structured set of guidelines that details an organisation’s processes for maintaining accordance with established regulations, specifications or legislation.

  • Management Control Framework

This type of framework includes structured sets of information such as risks and controls like the COBIT framework for the governance and management of enterprise IT, or the ISAE 3402 control framework (International Standard on Assurance Engagements which is about controls at a Service Organisation.

Obviously, both frameworks should be able to manage variations of country or region-specific controls within the architecture framework.  Typically, an architecture framework is decomposed in the following architecture domains:

  • Business: describes how the enterprise’s strategy and goals are to be realised. Typically, this domain includes business capabilities, products & services, the organisation structure(s) and the business processes.
  • Data: describes how the enterprise’s Information is organised and managed. Typically, this domain includes conceptual, logical and physical data models.
  • Application: describes how the enterprise’s systems are developed and managed. Typically, this domain includes the corporate application portfolio and roadmaps.
  • Technology: describes how the enterprise’s technology enables the logical and physical application and data components.

Typical Enterprise Architecture Framework with specific GRC domain

Within the GRC Architecture domain, a compliance and control framework can be developed to provide businesses with a coherent and comprehensive understanding of Internal Control and Risk Management processes, procedures and assessments.

Using such Governance Risk Compliance framework (GRC) organisations are able to communicate these processes, procedures and assessments more efficiently across the organisation.

The next figure presents typical components of such Governance Risk Compliance framework:

Example of Governance Risk Compliance Framework Landing Page

Typically, oversight bodies require a reporting system demonstrating a line-of-sight or an implication mapping between business processes, controls, and risks.  Additionally, industry standard bodies need a proof of adherence to their external control standards.

How can a consistent and robust architecture & modelling approach help you integrating such a reporting system?

First, you need to connect the process architecture elements with the enterprise’s risk and internal control (IC) framework. Then, these internal controls should be mapped against the external control framework(s) as illustrated in a basic meta-model below.

Example of a Processes-Controls Line-of-Sight Meta-model

Each of the external control frameworks should to be set-up in the architecture repository in order to create the appropriate inter-relationships.

Once these associations between internal and external controls, between processes and internal controls and between the controls and their mitigating risks are completed, you are able to design and generate the required compliance reports.

Regulatory Reporting

A basic, but effective reporting format is a two-dimensional matrix presenting the direct relationship between two architectural concepts.

The matrix below illustrates the direct link between an internal control and an external control from ISAE 3402 control framework.  It shows clearly the adherence between both controls.

Example of a mapping between internal vs external controls

Another example of a regulatory report, extracted from an architecture repository, is an implication mapping report to align both internal vs external controls against their corresponding IT processes.

Example of regulatory report to proof compliance to an external control framework

Ideally, more information about internal controls could be captured to generate more detailed reports from an architecture repository e.g. governance and version control information, corresponding control maturity levels, assigned control ownership and stewardship, etc.

A third type of assessment report is a radar chart depicting the current, interim and/or target state of the respective assessment criteria over a certain time period.

Example of a radar chart depicting industry-standard based assessment criteria against different time periods


Integrating a specific GRC architecture domain category to an architecture repository allows you to (re)produce and deliver more consistent reports to both regulatory and industry standards bodies.

It also helps reducing the administrative burden for an organisation.  Reports produced from an architecture repository can easily be tailored and re-used to comply with a regulator’s or industry-standard body’s reporting standards.

Want to know more about our Architecture offerings? Read more

About the author:

About the author:

Bart Nijs

Bart is an international professional with 10+ years of experience of business change using a variety of business modelling techniques to produce coherent architectural models.Bart gained a wealth of enterprise modelling experience working in many organisations and sectors across Europe and the EMEA region assisting in tool implementation and modelling.

About Kipstor

Kipstor provides architecture consulting and managed modelling services and helps organisations develop quality, trusted and structured information that can be easily shared and disseminated to support better decision making and consistent communication.

Share This