Enterprise Architecture Risk Assessment
Enterprise Architecture Risk Assessment
An enterprise architecture risk assessment is intended to evaluate actual solutions that have known characteristics and organizational requirements and impacts, while an organizational support framework is required to deliver and sustain the solution. More specifically, the enterprise architecture risk assessment will examine the solution from a variety of perspectives, including:
• The technical characteristics of the solution, and whether the technology is compliant with your IT architecture standards and principles. Furthermore, the risk assessment will confirm whether the solution fulfills all the defined business requirements, and identify those that are not part of the scope of effort.
• The organizational aspects around the solution to ensure that all required roles are appropriately resourced.
• The compliance aspects around the solution to ensure that appropriate engagement with the PMO, Security, Enterprise Architecture and other Governance groups has been undertaken, and required activities and deliverables have been recognized.
• The enterprise aspects around the solution to ensure that information sensitivity, data source dependencies, and the impact on existing infrastructure and business processes are understood.
The outcome of an enterprise architecture risk assessment is typically a report identifying any factors that may be a significant impediment to success, weighting these factors and, where appropriate, recommending mitigating actions. In order to evaluate various technology areas (as opposed to specific solutions in-flight or implemented), research is conducted and a technical white paper is completed for a given technology that takes into account organizational benefits, impacts, and risk areas. In regards to the evaluation of specific proposed commercial solutions which have not yet been acquired, a System Selection Support service provides a vehicle for the IT architecture team to provide assistance and deliverable templates for enumerating and weighting evaluation criteria. An organization will also be required to evaluate the architectural fitness-to-task of a specific solution in-flight, which will require a review of solution architecture design specifications. The completion of a detailed security risk assessment for a specific solution in-flight or deployed, the Information Security team must provide a technical information security risk assessment. The IT architecture team works closely with the security team on all security-related architectural concerns.
IT Architects provides a service to conduct an enterprise architecture risk assessment. The process followed to complete enterprise architecture risk assessment enumerates gaps and assigns severity levels to them. An Enterprise Architecture Risk Assessment Survey is completed with various actors and stakeholders for a specific solution, project, or application/technology area. The purpose of this survey is to effectively define a profile of the solution and/or application/technology area, as well as the supporting organizational processes associated with it that will help the risk assessment team identify areas that may need extra attention in the analysis phase. Furthermore, this effort also serves as a baseline against which to “fact-check” in order to ensure that reality aligns with perception, and alert the stakeholders if there are anomalies or “blind spots” that could lead them astray. After the survey is completed, the risk assessment team must analyze the results and decide on a plan for follow-up. The follow-up will include the review of solution, project, or application/technology area documentation and probably further focused interviews with relevant actors and stakeholders. An essential part of the follow-up process is the identification and risk Impact weighting of any gaps or issues that were encountered. The final step of the risk assessment is the Enterprise Architecture Risk Assessment Report. This report will recap the findings of the risk assessment team, including the severity of risk to the solution, project, or application/technology area, and any recommended mitigations. IT Architects provides a standard or customized template as a framework for authoring this report.
(Note: IT Architects also provides a Solution Architecture Notebook (SAN) review service to understand future solution impacts and alignment to the existing information technology landscape. A SAN is a solution architecture design specification for a future solution, which defines functional and technical capabilities of the solution, and includes business and technology risks.)