Does Enterprise Architecture Reduce Risk?

EA as a methodology is about establishing a target state and interim states and road map agreed by stakeholders for the support of the business to grow /shrink /change /react /etc. and influence projects to align with that roadmap. Success is not determined by whether the future was accurately predicted but by the benefit of alignment and optimization of effort and spend on maintenance / upgrades and development. As future is uncertain, ambiguous, complex and volatile; does Enterprise Architecture reduce business risks as well?

Enterprise Architecture reduces the risk of an Enterprise through framing ERM solutions. Enterprise Risk Management (ERM) assesses all risks of an enterprise and models them in a consistent fashion. The major components of an ERM framework are:
• Risk Taxonomy
• Identification of Risk
• Quantification of Risk
• Risk Measurement
• Responses to Risk 

Since EA can see both the forest and trees, analyzing the risks and synthesizing the responses should be one of critical business goals for EA. An architectural component does contribute in some way to the complex and tightly coupled risk equations of the business. It is a fundamental component of all architectures to identify where EA have the most positive impact in enterprise risk management, and weather comparison of the EA costs show ROI when compared to the value and probability of opportunities that are enabled and the value and probability of risks that are reduced:
• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations

EA can reduce risk or create risks (for example, compliance or operations suddenly change) as you usually only concentrate on known risks. In general if EA is in line with all the risk management group, then EA can help reduce the risk, but at the end it is group or team effort with no one taking the sole credit. EA responds to a risk by taking any one of the actions:
• Risk Acceptance
• Risk Transfer
• Risk Reduction
• Risk Removal

All architectures must have risk analysis / threat modeling as a part of the design processes. If you don't do this then the specifications will be incomplete, the bridge will collapse and your business goals become irrelevant. EA should do impact analysis, and the effective EA frameworks can help identify the following things:
What: Listing the expected and unexpected events
How: Methods to mitigate the risks
Where: Locations that are susceptible to the risks
Who: List of persons who 'own' the risks
When: List of events that are responsible for the risks
Why: List of reasons behind the risks

Risk reduction is not a benefit of architecture; it is a core of the practice and a fundamental requirement. Much the same way we would not think that safety is a benefit of a bridge: it is expected. A very large part of the architecture design is involved in ensuring that risk is maintained at level appropriate to the business. EA mitigates risk as an additional business benefit or if one of the strategic goals are to manage risk within acceptable risk appetite thresholds then EA must comply.

Statistically, the high performance organizations usually have more effective ERM-risk management than their competitors; it doesn't mean they invest more to purchase ERM software, but they do have holistic GRC solutions, well embed risk management mechanism into key business processes. Therefore, EA should play significant role in business risk management, not about bit-byte detail, but identify loopholes or blind spots, reduce business risks in choosing to implement or fund the wrong projects. etc. to optimize business capability and achieve high performance result.

Posted in: EA,GRC