EA Voices

I just stumbled by accident accross a nice video: RSA Animate – The Internet in Society: Empowering or Censoring Citizens? And there is one key take-away for me in that video: Never confuse the intended use of technology (good architecture) with the a…

In this blog post, Marc Lankhorst discussed  the value of EA in managing risk, compliance and security in the enterprise. He suggested a number of next steps. Two next steps are discussed in more detail in this blog:

• Capture and visualize risk and security aspects of your organization. Visualize hazards, risks and mitigation measures in relation to the overall architecture and business strategy.
• Measure and visualize the impact of risks and use these insights for decision making. Visualize data from e.g. penetration tests and use this to decide at the business level about necessary IT measures.

 

Enterprise Risk Management approach overview

The two steps from above are incorporated in an Enterprise Risk Management approach, visualized in Figure 1. This approach helps in understanding the consequences of risk & security policies, because the definition of risks and control measures on strategic level are step by step detailed into operational control measures.

 

Figure 1: Enterprise Risk Management approach

 

This is a model driven and cyclic approach which can be started on multiple points in the cycle, depending whether you are using a more top-down approach or a more bottom-up approach. Each phase will be explained briefly below:

1. Assess risks. In this step, the risks that the enterprise has to cope with are identified and documented. This covers multiple risk types: these can be IT related (like cyber-attacks) risks, but also business related risks. Furthermore, risks can be based on identified threats (see step 6).
2. Specify required control measures. For each risk is identified which control measures are required. Some risks may require extensive control measures (because of the high impact of the risk), as others may require less control measures. The combination of risks and control measures can be modelled with elements of the ArchiMate motivation extension (Assessment, Goal and Requirement) which makes the relation between these aspects clear. Furthermore, it can be incorporated in your existing EA models by linking risks and control measures to ArchiMate core elements. More details on this approach will be presented in a follow up blog.
3. Implement control measures. The required control measures needs to be implemented. This is the step where the shift from design to implementation is made. Control measures can be implemented in several ways: some may be IT control measures like firewalls or authentication mechanisms. Others can be business focused control measures like the four-eyes principle.
4. Execute & monitor. The implemented control measures needs to be executed. Furthermore, monitoring on operational level is necessary to get statistics of the performance and effectiveness of implemented controls. An example is to use pentesting on the technical infrastructure. With pentesting you look with a systematic and automated approach for weak spots in the infrastructure. Results of pentests are used to analyze vulnerabilities in the infrastructure and define new control measures.
5. Analyze vulnerabilities. From executing & monitoring you obtained the necessary insights about performance and effectiveness of implemented controls for example via pentesting). In this step this data is analyzed to determine which vulnerabilities there are and how dangerous these are. The link is made between vulnerabilities and identified risks from step 2, by using the existing EA models. This gives insights in how well the risks are managed or that new or improved control measures are needed.
6. Identify threats. In this step threats from the external or internal environment are identified. Threats from the internal environment can be based on the results of the previous step (analyze vulnerabilities). The identification of new threats can lead to new or changed risk assessments in step 1.

 

Top down vs bottom up

The approach described above can be applied top down or bottom up. In a top down approach will be started with the identification of threats and assessment of risks, which serve as a basis for design and implementation of control measures. A bottom up approach would typically start at the monitor & execute step: investigating the current implementation with pentests or other mechanisms and use this information to determine vulnerabilities in the current landscape.
Which approach fits best in your organization, depends on a number of aspects. In general, organizations with a more mature EA approach can follow more easily a top down approach.

Benefits of this approach

This approach includes the following benefits:

• Systematic analysis of threats and vulnerabilities
• Integrated design of control measures
• EA models support business impact analysis of technical risks / vulnerabilities
• Translate business risk & security decisions into effective enterprise changes. This requires a strong cooperation between business and IT.

These benefits help to embed security more in the business layer of your organization and will help to make well informed decisions based on operational risk impact and costs. 

Learn more about Security Architecture in our webinar, September 18th. Or Join our Security Architecture training course in the Netherlands, October 2nd. 

In this blog I elaborate about the Business Process Model and Notation (BPMN) standard, which advantages it brings you and how you should use this standard in a powerful manner. BPMN is the de facto international standard for modeling business processes. Version 2.0 was released in 2011 and the standard is maintained by the Object Management Group. It is an extensive standard with formal semantics which enables you to describe your business processes up to the level of automating the processes by a process engine. For my work I use BPMN 2.0 to create process models and I think it is a powerful notation for describing business processes. However, you need to keep some cautions in mind. By presenting the advantages and some guidelines of applying the standard, I hope to make you enthusiastic for this beautiful standard!

Why use BPMN 2.0?

First of all, I would like to present three major advantages of using BPMN 2.0:

• Like English is a language used for verbal and written communication all over the world, BPMN is an international graphical ‘language’   (standard) that is used to communicate all over the process world. Since it is universally adopted as a process modeling standard, stakeholders outside the organization like auditors, partnering organizations and system implementers understand this standard. This   enables you to communicate about your business processes in a clear and consistent manner.

• BPMN 2.0 is tool- and vendor independent. The standard is free to use and has a standardized underlying XML-scheme which makes you flexible with respect to contracting tool vendors when using tool support for describing or executing your business processes.

• BPMN 2.0 is a very rich standard with a lot of different concepts. It enables you to describe your processes in great detail and use the right semantics for each of the details. The nature of the language enables you to bridge the gap from IT to business (and vice versa) and can be used to execute processes directly in an automation engine. Especially the many possibilities of modeling event driven behavior makes BPMN very powerful compared to other modelling languages.

BPMN 2.0: Handle with care

However, some firm critics exist because BPMN 2.0 should be too complicated for business  stakeholders. I can understand that the BPMN 2.0 standard does become complicated when you ‘just simply’ start using the standard and all of the included concepts. Therefore, I want to   present you some valuable tips to apply BPMN in practice:

• Keep it pragmatic: The above mentioned richness of BPMN is also the seam side (and often expressed criticism) of the language; the richness of BPMN seduces people to create theoretical perfect models, which are no longer understood by stakeholders. Realize that a lot of the BPMN concepts are intended for expressing automation details (i.e. process execution) or exceptional situations. Since approximately 90 % of BPMN 2.0 users only use the standard to visually describe their business processes instead of execute the process directly in a process engine, I strongly advise you to keep the amount of concepts used for your process models limited.

• Less is more: The bottom line is easy; the on the eye endless amount of concepts are not part of the standard to communicate to business stakeholders. To a certain level BPMN is quite intuitively to understand, but a tremendous amount of concepts should not be used to communicate to business stakeholders. Think about your own language; how many of the words in your own language (count them in a dictionary) do you use to communicate to a three-year-old kid to make him something clear? And your kid already had three years to  learn that language! Most of the business stakeholders simply do not speak BPMN on a mature level so you should adapt the use of the language to your target audience. Only use those concepts that are essential to communicate your message!

• Consistency results in clarity: Except for communicating BPMN process models to  business stakeholders, applying BPMN in a simple manner also has the advantage of securing consistency in the different process models created in your organization. This requires clear conventions between the users of the standard: which concepts do we use, how do we use them and how do we name them in a recognizable way? Besides that, conventions with respect to lay-out are important for bringing your message in an unambiguous way to your business stakeholders.

Hopefully this offers you my perspective on using BPMN 2.0. Although BPMN is a great standard, the creation of BPMN models is not an end in itself. Above presented tips may help you to use  BPMN in an effective manner. The ultimate goal of creating process models is to deliver value   to your stakeholder(s). Since value is expressed in terms of benefits that are perceived by the stakeholder, the stakeholder is the starting point of creating process models. The starting point is therefore to identify your stakeholder and what information he needs in a process model! If   you do so, I am sure that BPMN brings you the value you are looking for!

Learn more about BPMN during our BPMN Foundation training course. Do you have any additional do’s or don’ts for using BPMN 2.0? Please share by leaving a comment! 

In this blog I elaborate about the Business Process Model and Notation (BPMN) standard, which advantages it brings you and how you should use this standard in a powerful manner. BPMN is the de facto international standard for modeling business processes. Version 2.0 was released in 2011 and the standard is maintained by the Object Management Group. It is an extensive standard with formal semantics which enables you to describe your business processes up to the level of automating the processes by a process engine. For my work I use BPMN 2.0 to create process models and I think it is a powerful notation for describing business processes. However, you need to keep some cautions in mind. By presenting the advantages and some guidelines of applying the standard, I hope to make you enthusiastic for this beautiful standard!

Why use BPMN 2.0?

First of all, I would like to present three major advantages of using BPMN 2.0:

• Like English is a language used for verbal and written communication all over the world, BPMN is an international graphical ‘language’   (standard) that is used to communicate all over the process world. Since it is universally adopted as a process modeling standard, stakeholders outside the organization like auditors, partnering organizations and system implementers understand this standard. This   enables you to communicate about your business processes in a clear and consistent manner.

• BPMN 2.0 is tool- and vendor independent. The standard is free to use and has a standardized underlying XML-scheme which makes you flexible with respect to contracting tool vendors when using tool support for describing or executing your business processes.

• BPMN 2.0 is a very rich standard with a lot of different concepts. It enables you to describe your processes in great detail and use the right semantics for each of the details. The nature of the language enables you to bridge the gap from IT to business (and vice versa) and can be used to execute processes directly in an automation engine. Especially the many possibilities of modeling event driven behavior makes BPMN very powerful compared to other modelling languages.

BPMN 2.0: Handle with care

However, some firm critics exist because BPMN 2.0 should be too complicated for business  stakeholders. I can understand that the BPMN 2.0 standard does become complicated when you ‘just simply’ start using the standard and all of the included concepts. Therefore, I want to   present you some valuable tips to apply BPMN in practice:

• Keep it pragmatic: The above mentioned richness of BPMN is also the seam side (and often expressed criticism) of the language; the richness of BPMN seduces people to create theoretical perfect models, which are no longer understood by stakeholders. Realize that a lot of the BPMN concepts are intended for expressing automation details (i.e. process execution) or exceptional situations. Since approximately 90 % of BPMN 2.0 users only use the standard to visually describe their business processes instead of execute the process directly in a process engine, I strongly advise you to keep the amount of concepts used for your process models limited.

• Less is more: The bottom line is easy; the on the eye endless amount of concepts are not part of the standard to communicate to business stakeholders. To a certain level BPMN is quite intuitively to understand, but a tremendous amount of concepts should not be used to communicate to business stakeholders. Think about your own language; how many of the words in your own language (count them in a dictionary) do you use to communicate to a three-year-old kid to make him something clear? And your kid already had three years to  learn that language! Most of the business stakeholders simply do not speak BPMN on a mature level so you should adapt the use of the language to your target audience. Only use those concepts that are essential to communicate your message!

• Consistency results in clarity: Except for communicating BPMN process models to  business stakeholders, applying BPMN in a simple manner also has the advantage of securing consistency in the different process models created in your organization. This requires clear conventions between the users of the standard: which concepts do we use, how do we use them and how do we name them in a recognizable way? Besides that, conventions with respect to lay-out are important for bringing your message in an unambiguous way to your business stakeholders.

Hopefully this offers you my perspective on using BPMN 2.0. Although BPMN is a great standard, the creation of BPMN models is not an end in itself. Above presented tips may help you to use  BPMN in an effective manner. The ultimate goal of creating process models is to deliver value   to your stakeholder(s). Since value is expressed in terms of benefits that are perceived by the stakeholder, the stakeholder is the starting point of creating process models. The starting point is therefore to identify your stakeholder and what information he needs in a process model! If   you do so, I am sure that BPMN brings you the value you are looking for!

Learn more about BPMN during our BPMN Foundation training course. Do you have any additional do’s or don’ts for using BPMN 2.0? Please share by leaving a comment! 

In this blog I elaborate about the Business Process Model and Notation (BPMN) standard, whichadvantages it brings you and how you should use this standard in a powerful manner. BPMN is the de facto international standard for modeling business processe…