EA as a methodology is about establishing a target state, interim states and a
road map agreed by stakeholders to support the business as it grows, shrinks,
changes, reacts and so on, and about influencing projects to align with
that road map. Success is not determined by whether the future was accurately
predicted but by the benefit of alignment and optimization of effort and spend
on maintenance, upgrades and development. As the future is uncertain,
ambiguous, complex and volatile, does Enterprise Architecture reduce business
risks as well?
• Risk Taxonomy
• Identification of Risk
• Quantification of Risk
• Risk Measurement
• Responses to Risk
Since EA can see both the forest and the trees, analyzing the risks and synthesizing the responses should be one of the critical business goals for EA. An architectural component does contribute in some way to the complex and tightly coupled risk equations of the business. It is a fundamental component of all architectures to identify where EA has the most positive impact in enterprise risk management, and whether a comparison of the EA costs shows ROI when compared to the value and probability of opportunities that are enabled and the value and probability of risks that are reduced:
• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations
EA can reduce risk or
create risks (for example, when compliance or operations suddenly change), as you usually concentrate only on known
risks. In general, if EA is in line with the whole risk management group, then
EA can help reduce the risk, but in the end it is a group or team effort with no
one taking sole credit. EA responds to a risk by taking any one of these
actions:
• Risk Acceptance
• Risk Transfer
• Risk Reduction
• Risk Removal
All architectures
must have risk analysis / threat modeling as a part of the design process.
If you don't do this, the specifications will be incomplete, the bridge
will collapse and your business goals become irrelevant. EA should do impact
analysis, and effective EA frameworks can help identify the following things:
What: Listing the expected and unexpected events
How: Methods to mitigate the risks
Where: Locations that are susceptible to the risks
Who: List of persons who 'own' the risks
When: List of events that are responsible for the risks
Why: List of reasons behind the risks
Risk reduction is not
a benefit of architecture; it is at the core of the practice and a fundamental
requirement, much the same way we would not think that safety is a benefit
of a bridge: it is expected. A very large part of architecture design is
involved in ensuring that risk is maintained at a level appropriate to the
business. EA mitigates risk as an additional business benefit, or, if
one of the strategic goals is to manage risk within acceptable risk appetite
thresholds, then EA must comply.
Statistically, high-performance organizations usually have more effective ERM-risk management than their competitors; it doesn't mean they invest more to purchase ERM software, but they do have holistic