In my first blog post of 2014, I described how enterprise architecture delivers value in its relationship with other disciplines within the enterprise. I showed you the picture below, outlining this context of EA, and described the main focus areas of BiZZdesign’s EA service line in 2014:
1. Realizing the enterprise strategy.
2. Supporting strategic investment decisions.
3. Fostering enterprise agility.
4. Leveraging technological opportunities.
5. Controlling risk and ensuring compliance.
Figure 1. Enterprise Architecture in Context
In a subsequent blog post on value-driven enterprise architecture, I focused on the right-hand side of this picture, zooming in on the first three of these topics, and addressed how EA provides business value by connecting the dots between strategy, capability-based planning, portfolio management, program management, and operational delivery and change processes.
Let us now have a look at the left-hand side of the figure, in particular the value of EA in managing risk, compliance and security in the enterprise (no. 5 in the figure).
Strategic insight into risk
To be in control of the risks you run, the first thing you need is strategic insight into your organization from a risk management perspective. This requires having a consistent and up-to-date overview of your current landscape of products, processes, applications, and infrastructure, and all related risk & security aspects. Without such an overview, you are flying blind in the fog. C-level management cannot fulfill its responsibilities without knowing what the main risk-related issues are.
Having an understanding of these relationships also helps you in assessing the effects of business decisions. This provides the business with a clear insight into the enterprise risks related to, for example, introducing new products and initiatives, outsourcing business processes or IT systems, or assimilating another organization after a merger. Thus, the business can weigh the risk propensity of the enterprise against the potential consequences.
Moreover, the propagation of risks throughout the enterprise is of great concern to executives and operational management. Risks in one area may entail risks in another. For example, what are the potential ripple effects of a system failure, break-in, power outage, fraud or other mishap on critical business processes, services, clients, partners, markets, …? Enterprise architecture helps you to gain insight into these relations and dependencies, and thus avoid or mitigate potential disasters.
Business-driven security and risk management
A related area in which EA provides tangible business value is in aligning security and risk management with business goals and objectives. Many organizations find it difficult to decide on the right level of security measures, and business managers often see this as a technical issue that is left to the IT people. They, in turn, don’t want to take any risk and create gold-plated solutions that are quite secure but also very expensive (and often rather unfriendly towards users).
Better alignment between business goals, architectural decisions and technical implementation helps the organization to spend its security budget wisely, focused on business-relevant risks. This may even lead to both cost savings and lower risks at the same time, because you do not invest in overly strong security measures for unimportant stuff, leaving more budget to protect the things your enterprise really cares about.
Moreover, security is not something that can be ‘tacked on’ afterwards. Inherently insecure architectures and systems are very difficult to fix later on. Rather, security and risk management should be designed in from the start, using the business goals of the enterprise to decide on appropriate measures.
Regulatory compliance and auditing
Another common reason for having a mature EA practice, especially in heavily regulated sectors such as banking and insurance, is regulatory compliance. Central banks and other regulatory bodies mandate or at least strongly recommend that financial institutions have a well-established EA practice, to ensure they are in control of their operation. They may even audit these architectures or use them in other ways to assess the risks the organization runs. Of course, internal auditors, CISOs, and risk managers benefit from using EA artifacts as well. The insights into enterprise-wide relations and dependencies that these provide are important inputs for their tasks.
Implementing standards and policies such as SEPA, Solvency II, Basel III and others requires enterprise-wide coordination, visibility and traceability from boardroom-level decisions on e.g. risk appetite of the organization, down to the implementation of measures and controls in business processes and IT systems. Enterprise architecture as a practice, and enterprise architecture models that capture these relations, are indispensable to manage the wide-ranging impact of such developments.
To benefit fully from the use of enterprise architecture in the context of security, compliance and risk management, we suggest that you focus on the following:
Align security and risk management with business strategy. Always view security and risk measures from the perspective of the business value they add.
Capture and visualize risk and security aspects of your organization. Visualize hazards, risks and mitigation measures in relation to the overall architecture and business strategy.
Measure and visualize the impact of risks and use these insights for decision making. Visualize data from e.g. penetration tests and use this to decide at the business level about necessary IT measures.
Prioritize security projects. Calculate the business value and impact of security projects and use this to prioritize IT measures.
Use effective tool support. Software for fast and clear modeling, analyzing and visualizing provides the necessary insights. One example is BiZZdesign Architect, our easy-to-use, powerful tool for enterprise architecture and enterprise risk & security management.