Zachman, Basel II and Sarbanes-Oxley

By William Dinner and Allan B. Kolber

Published October 01 2005, 1:00am EDT

The Sarbanes-Oxley Act (SOX) and the Basel II Accord have generated requirements that deeply affect a wide range of IT-related activity within large financial institutions. This article places some of these requirements within the Zachman Framework and discusses how the Zachman Framework can serve as an effective means to help identify and classify these requirements.1 It provides a method for business and IT to obtain a perspective on what it will take to fulfill these regulations. It also demonstrates how the Zachman Framework can be practically employed to better manage complex tasks.

Table 1: Architecture Framework

The Problem

Over the last several years, many regulatory activities have resulted in wholesale changes to corporate governance, accounting and, not surprisingly, the IT workplace. Regulatory acts such as Sarbanes-Oxley, The United States Patriot Act and regulations from oversight bodies such as the Bank for International Settlement (BIS) - responsible for the Basel II Accord - and The Organisation for Economic Co-operation and Development (OECD) - responsible for well thought-out papers and guidance on corporate and public governance - have contributed to tens of thousands of pages of densely packed documents that require attention.2-6

In some cases, these are detailed instructions on how tasks should be accomplished: Sarbanes-Oxley mandates personal accountability for CFOs and CEOs. Their signatures on the appropriate documents accomplish the accountability. In other cases, the regulations are far less explicit.

In most cases the internal IT group must ensure that these regulations are met. Many of these regulations go beyond what have been considered normal IT practices, especially within many financial institutions. Although often discussed, most of the large U.S. financial institutions pay only lip service to developing IT systems using a formal system development life cycle (SDLC) methodology.

The amount of regulations, policies and procedures that now have to be examined, integrated, transformed, maintained, audited and retained has grown exponentially. This requires improvement in understanding what these demands are, how they affect the day-to-day operations of the business, how they affect management and how they will affect the supervisory aspects of the corporation.

Many of the articles on SOX focus on the requirement for CEO and CFO sign-off. Though critical, this is really the tip of the iceberg. The requirements behind these regulations reach into all aspects of the corporation. For both SOX and Basel II, their focus is to greatly improve transparency, governance, accuracy, accountability and integrity of financial accounting and reporting. Basel II goes further for large financial institutions and requires an in-depth analysis of the risks associated with customer credit transactions to determine an appropriate level of economic capital that institutions must maintain. Therefore, corporations are required to maintain effective and demonstrable internal controls, governance standards and procedures, and they must develop and use metrics to measure their effectiveness.

From an IT perspective, even a cursory reading of any of these acts reveals that these regulations paint a broad brush across the corporation and will require IT assistance. For instance, one of the demands of both SOX and Basel II is the requirement for effective governance. This translates into the need for effective data stewardship and requires establishment of stewardship processes.

In the February 2004 issue of DM Review, Irina Yugay and Victor Klimchenko presented an outstanding analysis of the implications of SOX for IT requirements.7 Based on their findings, we analyzed the requirements for Basel II and reexamined the SOX requirements. We mapped both to the Zachman Framework to provide management with a better picture of how to attack the problem.

About the Zachman Framework

One of the standard methods for analyzing complex structures is to segment them into smaller chunks that are more easily examined. The Zachman Framework exemplifies one of the best ways to accomplish this classification.

John Zachman developed his framework in the late 1980s.8 He recognized that different players in the information systems development process have different perspectives. Anyone with experience in this field knows how complex the conversation can get when individuals try to discuss something and are bringing completely different sets of premises and points of view to the table. Zachman not only recognized this phenomenon, but also identified the points of view that appear to dominate the industry:

  • The planner's view (scope or contextual): The perspective of the CEO and others who are looking at the enterprise as a whole.
  • The business owner's view (conceptual): From one who works in the organization.
  • The architect's view (logical): Designs and creates the systems without referring to any particular technology.
  • The designer's view (physical): Uses technology to address the concerns of the organization and chooses the platform types.
  • The builder's view (out of context): Employs specific technologies to implement the designer's designs.
  • The functioning system: Less of a perspective than the others, this is the existence of a functioning system, composed of physical elements in particular locations.

Zachman recognized that all the views are looking at different aspects of the problem: data, activities, locations, people and organizations and the roles they play, timing, and motivation. These aspects correspond to the journalist's six interrogatives: What, How, Where, Who, When and Why. With six points of view and six aspects for each, John created a matrix. Table 1 shows how this matrix provides a comprehensive picture of the knowledge that constitutes the entire IT industry. For example, a logical data model describes the architect's perspective on data (Row 3, Column 1), while the design of a login screen is an example from Row 4 (Designer's view), Column 4 (People and Organizations).

Mapping Basel II and SOX to the Zachman Framework

In an effort to better understand how Basel II and SOX overlap and to classify the types of requirements they demand, the Basel II Accord and the SOX Act were analyzed to extract specific requirements that were mapped to the appropriate boxes within the Framework.

For example, the Stewardship role belongs in the People aspect and in the Architect's view, Row 3, Column 4. Corporate Governance and KPIs are recorded in Row 2, Column 6 (the model for Business Motivation).

Table 2 describes how many of the requirements of Basel II and SOX map to cells in the Framework.

This matrix is only a starting point for investigation, but it provides a framework for partitioning individual tasks and provides the beginnings of a road map that can aid analysts as they develop more concise and on-target business requirements. It may also be used as a map showing regulators how compliance was achieved.

Governance and Transparency

Two of the Basel II and SOX core principles focus on transparency and governance. Both of these principles translate into concrete steps that must be accomplished by the IT groups of financial institutions.

Transparency: The Process Column (Rows 4 & 6). One of the primary components of transparency is the ability to clearly ascertain how, why and from where any data element on a report originated. For the Basel II calculations, it is necessary for a supervisor or auditor to trace systems that contributed to a specific risk-weighted capital amount back to the source. This tracing is known as data lineage and forms an important pillar of these requirements.

Governance and Stewardship: The People Column (Rows 2 & 3). Governance and stewardship are discussed in many sections of both SOX and Basel II. These concepts boil down to establishing appropriate risk management processes and controls, to be able to measure risk-weighted capital and to ensure reconciliation between risk and finance. Basel II stipulates that adequate documentation must exist and that validation must occur for the risk models, the calculations and the data used within the models. Governance and stewardship as discussed under SOX and the Accord mandate that the data used in the processes be of high quality and vouched for by senior executives. This requirement is the basis for the establishment of data stewards.

One direct outgrowth of this process is the need to assess data quality. In order to respond to this requirement, metrics must be defined, created and used. The stewards must oversee the use and results of these metrics to ensure the data quality cycle is effective. This process is an ongoing cycle of assessment, validation, reconciliation and improvement.

While data governance is of key interest to the IT staff, many of the details in the regulations deal with corporate governance - in particular, the policies, strategies and tactics necessary to be put into place to improve corporate controls and behavior. This cell (Row 2, Column 6) is analyzed in "The Model for Business Motivation - Business Governance in a Volatile World."9

Storing This Information

All the previous discussion leads to the realization that the enterprise needs to store meta data to support the response to these regulations. This implies the need for a meta data repository whose design is guided by the Zachman Framework. The appropriate use of a meta data repository helps to establish a common understanding of all the items and viewpoints that comprise an IT project.

Partitioning by these cells, each with specific and agreed-upon definitions, allows all the participants in the projects to better understand each other and provides a unified and easily accessible location to retrieve and analyze the requisite data.
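The two IT-facing requirements discussed above, tracing a reported figure back to its sources (data lineage, under Transparency) and having every data element vouched for by a steward (under Governance and Stewardship), both fall out naturally once the repository is partitioned by Zachman cell. The following is an added example, not code from the article or from any Zachman Framework tooling: a minimal meta data repository whose entries are classified by (row, column) cell, linked by lineage edges, and queried for the lineage of a capital figure and for data elements on that lineage that no steward has vouched for. The repository design, the system, report and steward names, and the placement of each entry in a cell are all assumptions constructed for illustration.

```python
"""Added example (not from the article): a meta data repository partitioned
by Zachman cell, with lineage edges for transparency and steward checks for
governance. Every name below is constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Perspectives (rows) and aspects (columns) as the article names them.
ROWS = {1: "Planner", 2: "Business owner", 3: "Architect",
        4: "Designer", 5: "Builder", 6: "Functioning system"}
COLUMNS = {1: "What (data)", 2: "How (process)", 3: "Where (locations)",
           4: "Who (people)", 5: "When (timing)", 6: "Why (motivation)"}


@dataclass
class Entry:
    """One repository item: placed in a cell, optionally vouched for by a
    steward, and derived from zero or more other entries (direct sources)."""
    name: str
    row: int
    column: int
    steward: Optional[str] = None
    sources: list[str] = field(default_factory=list)


class Repository:
    def __init__(self) -> None:
        self._entries: dict[str, Entry] = {}

    def add(self, entry: Entry) -> Entry:
        # Reject anything that does not land in one of the 36 cells.
        if entry.row not in ROWS or entry.column not in COLUMNS:
            raise ValueError(f"{entry.name}: no such cell ({entry.row}, {entry.column})")
        if entry.name in self._entries:
            raise ValueError(f"duplicate entry {entry.name}")
        self._entries[entry.name] = entry
        return entry

    def cell(self, row: int, column: int) -> list[str]:
        """Names of every entry classified in one cell, e.g. (3, 4) for stewardship roles."""
        return sorted(e.name for e in self._entries.values()
                      if e.row == row and e.column == column)

    def lineage(self, name: str) -> list[str]:
        """Trace an element back to its origins: every transitive source, in
        dependency order (a source appears before what is derived from it).
        Raises if a source is undocumented or the lineage loops, since either
        would leave an auditor unable to follow the figure to its origin."""
        order: list[str] = []
        done: set[str] = set()
        on_path: set[str] = set()

        def visit(n: str) -> None:
            if n in on_path:
                raise ValueError(f"cyclic lineage through {n}")
            if n in done:
                return
            if n not in self._entries:
                raise KeyError(f"{n} is referenced but not documented")
            on_path.add(n)
            for src in self._entries[n].sources:
                visit(src)
            on_path.discard(n)
            done.add(n)
            order.append(n)

        visit(name)
        return order[:-1]  # everything except the element itself

    def unstewarded_data(self, name: str) -> list[str]:
        """Data elements (column 1) feeding `name` that no steward has vouched for."""
        return sorted(n for n in self.lineage(name)
                      if self._entries[n].column == 1 and not self._entries[n].steward)


def build_sample_repository() -> Repository:
    """Constructed sample: a capital figure on a report traced back through a
    calculation to two source systems; one input has no steward assigned."""
    repo = Repository()
    repo.add(Entry("loan_system", 6, 2))
    repo.add(Entry("collateral_system", 6, 2))
    repo.add(Entry("loan_exposure", 6, 1, steward="credit data steward",
                   sources=["loan_system"]))
    repo.add(Entry("collateral_value", 6, 1, sources=["collateral_system"]))
    repo.add(Entry("rwa_calculation", 4, 2,
                   sources=["loan_exposure", "collateral_value"]))
    repo.add(Entry("risk_weighted_capital", 6, 1, steward="finance steward",
                   sources=["rwa_calculation"]))
    repo.add(Entry("credit data steward", 3, 4))
    repo.add(Entry("finance steward", 3, 4))
    repo.add(Entry("capital adequacy policy", 2, 6))
    return repo


if __name__ == "__main__":
    r = build_sample_repository()
    print("lineage:", r.lineage("risk_weighted_capital"))
    print("unstewarded:", r.unstewarded_data("risk_weighted_capital"))
```

Running the sample reports the full lineage of `risk_weighted_capital` down to the two source systems and flags `collateral_value` as the one data element on that path without a steward, which is exactly the gap a supervisor would ask about under the governance principle. The cycle and undocumented-source errors are deliberate: a lineage that cannot be followed to its end is a transparency failure, not a result to return quietly.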

The Zachman Framework is a proven and useful tool for dividing complex information projects into manageable parts. Mapping Basel II and SOX requirements to the Zachman Framework makes it easier to determine what kind of information needs to be collected by the enterprise and supported by an enterprise repository. This makes it easier for both end users and IT to support the concepts and prescriptions implied by SOX and Basel II. This same procedure can easily be extended to other large problems and should help IT departments convey important tasks to management.

Table 2: Mapping Basel II and Sarbanes-Oxley to the Zachman Framework

References:

  1. Zachman, John. The Zachman Framework for Enterprise Architecture. http://www.zifa.com/.
  2. The American Institute of Certified Public Accountants. http://www.aicpa.org/. Full text of SOX is available from: http://www.sec.gov/
  3. Links and articles about the Patriot Act: http://www.epic.org/privacy/terrorism/usapatriot/.
  4. The Bank for International Settlement: http://www.bis.org/index.htm.
  5. Basel II: http://www.bis.org/bcbs/index.htm.
  6. OECD, The Organisation for Economic Co-operation and Development: http://www.oecd.org/home/
  7. Yugay, Irina and Victor Klimchenko. "SOX Mandates Focus on Data Quality & Integration," DM Review, February, 2004.
  8. Zachman, John. "A framework for information systems architecture." IBM Systems Journal 26, no. 3 (1987): IBM Publication G321-5298.
  9. Business Rules Group: http://BusinessRulesGroup.org/.
