Introduction
Risk management is a critical component of the TOGAF Architecture Development Method (ADM), ensuring that potential risks associated with architecture and business transformation efforts are identified, classified, mitigated, and monitored throughout the transformation process. This guide provides a detailed interpretation of the risk management process as outlined in Chapter 9 of the TOGAF Framework, including the use of risk classification schemes and risk assessment worksheets.
Objectives of Risk Management in TOGAF ADM
The primary objectives of risk management in TOGAF ADM are:
- Identify Risks: Recognize potential risks associated with the architecture and business transformation efforts.
- Classify Risks: Categorize risks based on their impact and frequency.
- Mitigate Risks: Implement actions to reduce risks to an acceptable level.
- Monitor Risks: Continuously track and manage risks throughout the transformation process.
- Govern Risks: Ensure that risks are accepted and managed within the governance framework.
Key Concepts
- Initial Level of Risk: Risk categorization prior to determining and implementing mitigating actions.
- Residual Level of Risk: Risk categorization after implementing mitigating actions.
- Risk Mitigation: Ongoing effort to monitor and mitigate risks.
- Governance Framework: The framework within which risks are first accepted and then managed.
Risk Classification
Objective
Classify risks to expedite their mitigation and manage them effectively within the governance framework.
Steps to Complete
- Identify Risk Categories:
- Impact on Organization: Classify risks based on their impact on the organization, such as time (schedule), cost (budget), and scope.
- Architecture Domains: Classify risks by architecture domains, such as business, information, applications, and technology.
- Document Risk Classification:
- Create Risk Classification Document: Develop a formal document outlining the risk classification scheme.
- Review and Validate: Ensure that the risk classification is complete, accurate, and aligned with business goals.
- Get Approval: Present the risk classification to stakeholders and obtain approval.
- Communicate Risk Classification: Share the risk classification with the Enterprise Architecture team and other relevant stakeholders.
Risk Classification Scheme
The risk classification scheme, as shown in Figure 9-1, categorizes risks based on their effect and frequency. The scheme helps in assessing the corporate impact of risks.
| Corporate Risk Impact Assessment | |||||
| Effect | Frequent | Likely | Occasional | Seldom | Unlikely |
| Catastrophic | Extremely High Risk (E) | Extremely High Risk (E) | High Risk (H) | High Risk (H) | Moderate Risk (M) |
| Critical | Extremely High Risk (E) | High Risk (H) | High Risk (H) | Moderate Risk (M) | Low Risk (L) |
| Marginal | High Risk (H) | Moderate Risk (M) | Moderate Risk (M) | Low Risk (L) | Low Risk (L) |
| Negligible | Moderate Risk (M) | Low Risk (L) | Low Risk (L) | Low Risk (L) | Low Risk (L) |
Figure 1: Risk Classification Scheme
Risk Identification
Objective
Identify risks associated with the architecture transformation effort and determine strategies to address them.
Steps to Complete
- Conduct Maturity and Transformation Readiness Assessments:
- Identify Baseline and Target States: Use Capability Maturity Models (CMMs) to identify baseline and target states.
- Identify Risks: Determine the risks associated with not achieving the target state.
- Document Risks:
- Create Risk Management Plan: Develop a formal Risk Management Plan using templates from standard project management methodologies (e.g., PMBOK®, PRINCE2®).
- Review Risks: Ensure that the identified risks are complete, accurate, and aligned with business goals.
- Get Approval: Present the Risk Management Plan to stakeholders and obtain approval.
- Communicate Risks: Share the Risk Management Plan with the Enterprise Architecture team and other relevant stakeholders.
Initial Risk Assessment
Objective
Classify risks based on their effect and frequency and conduct a preliminary risk assessment.
Steps to Complete
- Classify Risks:
- Effect Criteria: Assess the impact of risks using criteria such as catastrophic, critical, marginal, and negligible.
- Frequency Criteria: Assess the frequency of risks using criteria such as frequent, likely, occasional, seldom, and unlikely.
- Combine Effect and Frequency:
- Preliminary Risk Assessment: Combine effect and frequency to conduct a preliminary risk assessment.
- Document Assessment: Create a detailed report of the initial risk assessment findings.
- Communicate Assessment:
- Review Assessment: Ensure that the initial risk assessment is complete, accurate, and aligned with business goals.
- Get Approval: Present the initial risk assessment to stakeholders and obtain approval.
- Communicate Assessment: Share the initial risk assessment with the Enterprise Architecture team and other relevant stakeholders.
Risk Mitigation and Residual Risk Assessment
Objective
Identify, plan, and conduct actions to reduce risks to an acceptable level and assess residual risks.
Steps to Complete
- Identify Mitigation Actions:
- Plan Mitigation: Develop a plan for mitigating identified risks.
- Conduct Mitigation: Implement the mitigation actions.
- Assess Residual Risks:
- Re-assess Effect and Frequency: After implementing mitigation actions, re-assess the effect and frequency of the risks.
- Recalculate Impacts: Determine whether the mitigation efforts have made an acceptable difference.
- Document Residual Risks:
- Create Risk Mitigation and Assessment Worksheet: Develop a formal worksheet documenting the risk mitigation and assessment process.
- Review Worksheet: Ensure that the worksheet is complete, accurate, and aligned with business goals.
- Get Approval: Present the worksheet to stakeholders and obtain approval.
- Communicate Residual Risks: Share the risk mitigation and assessment worksheet with the Enterprise Architecture team and other relevant stakeholders.
Risk Mitigation and Assessment Worksheet
The risk mitigation and assessment worksheet, as shown in Figure below, helps in documenting the risk mitigation efforts and assessing the residual risks.
| Risk ID | Risk | Preliminary Risk | Mitigation | Residual Risk | ||||
|---|---|---|---|---|---|---|---|---|
| Effect | Frequency | Impact | Effect | Frequency | Impact | |||
Figure 2: Sample Risk Identification and Mitigation Assessment Worksheet
Conduct Residual Risk Assessment
Objective
Re-assess the effect and frequency of risks after mitigation actions have been implemented and determine the residual risk.
Steps to Complete
- Re-assess Risks:
- Evaluate Mitigation Efforts: Determine whether the mitigation efforts have reduced the corporate impact.
- Document Findings: Create a detailed report of the residual risk assessment findings.
- Communicate Residual Risks:
- Review Assessment: Ensure that the residual risk assessment is complete, accurate, and aligned with business goals.
- Get Approval: Present the residual risk assessment to stakeholders and obtain approval.
- Communicate Assessment: Share the residual risk assessment with the Enterprise Architecture team and other relevant stakeholders.
Risk Monitoring and Governance
Objective
Monitor and govern residual risks to ensure that the enterprise is dealing with residual rather than initial risks.
Steps to Complete
- Approve Residual Risks:
- IT Governance Framework: Ensure that residual risks are approved by the IT governance framework.
- Corporate Governance: Obtain business acceptance of residual risks through corporate governance.
- Monitor Mitigation Actions:
- Execute Mitigation Actions: Carefully monitor the execution of mitigation actions.
- Maintain Governance Artifacts: Keep the risk identification and mitigation assessment worksheets up-to-date as governance artifacts.
- Identify Critical Risks:
- Implementation Governance: Identify critical risks that are not being mitigated and may require another full or partial ADM cycle.
- Communicate Governance: Share the risk monitoring and governance process with the Enterprise Architecture team and other relevant stakeholders.
Conclusion
Risk management is an integral part of Enterprise Architecture. Practitioners are encouraged to use their corporate risk management methodology or extend it using the guidance in this chapter. In the absence of a formal corporate methodology, architects can use the guidance in this chapter as a best practice. By following the key activities involved in risk management, including risk classification, identification, initial risk assessment, risk mitigation, residual risk assessment, and risk monitoring and governance, organizations can ensure that their architecture transformation efforts are aligned with business goals and strategic drivers. This process sets the foundation for successful architecture development and deployment, driving business value and transformation.
References
- Powerful TOGAF ADM Toolset
- TOGAF ADM Software
- Best TOGAF Software with Agile & UML – Visual Paradigm Enterprise
- TOGAF ADM Software: Act and Generate ADM Deliverables
- The Best TOGAF Software
- TOGAF® Tool for Enterprise Architecture – ArchiMetric
- Visual Paradigm TOGAF ADM Tool: Empowering Your Enterprise Architecture Teams – Visual Paradigm Guides
- TOGAF ADM Tutorial
- Step-by-Step Enterprise Architecture Tutorial with TOGAF
- Streamline Your Enterprise Architecture with Visual Paradigm’s TOGAF ADM Tools – Visual Paradigm Guides