Organisations pursue the complete solution

Technology is playing a much bigger role in customers’ lives, and is changing the way senior management views the IT department. Historically the CIO’s role was to keep the lights running; now, however, IT is considered to be not only the key to unlocking new revenue, but also a way of keeping up with the

Beyond IT Strategy: Digital Strategies for the 21st Century

Call for Book Chapters: Beyond IT Strategy: Digital Strategies for the 21st Century. In the 21st century, the presence of technology is ubiquitous. Computers have moved from batch processing in the back office through word processing in the front office to being the medium that glues together organisations, supply chains, and customers. Being digital across any […]

Enterprise Architecture-Based Risk Assessment with ArchiMate

Until quite recently, IT security was the exclusive domain of security specialists. However, in the last couple of years, organizations have started to realize that IT-related risks cannot be seen in isolation, and should be considered as an integral part of Enterprise Risk and Security Management (ERSM). ERSM includes methods and techniques used by organizations to manage all types of risks related to the achievements of their objectives.

It is only natural to place ERSM in the context of Enterprise Architecture (EA), which provides a holistic view on the structure and design of the organization. Therefore, it is not surprising that EA methods such as TOGAF include chapters on risk and security (although the integration of these topics in the overall approach is still open for improvement), and a security framework such as SABSA shows a remarkable similarity to the Zachman framework for EA. And as a corollary, it also makes perfect sense to use the ArchiMate language to model risk and security aspects.

The previous blog post in this series outlined a method for EA-based ERSM with ArchiMate. This article proposes an initial mapping of risk and security concepts to ArchiMate concepts, and illustrates how these concepts can be used as a basis for performing an organization-wide risk assessment.

ArchiMate mapping of risk concepts

Most of the concepts used in ERSM standards and frameworks can easily be mapped to existing ArchiMate concepts. And since ERSM is concerned with risks related to the achievement of business objectives, these are primarily concepts from the motivation extension. 

  • Any core element represented in the architecture can be an asset, i.e., something of value susceptible to loss that the organization wants to protect. These assets may have vulnerabilities, which may make them the target of attack or accidental loss.

  • A threat may result in threat events, targeting the vulnerabilities of assets, and may have an associated threat agent, i.e., an actor or component that (intentionally or unintentionally) causes the threat. Depending on the threat capability and vulnerability, the occurrence of a threat event may or may not lead to a loss event.

  • Risk is a (qualitative or quantitative) assessment of probable loss, in terms of the loss event frequency and the probable loss magnitude (informally, ‘likelihood times impact’).

  • Based on the outcome of a risk assessment, we may decide to either accept the risk, or set control objectives (i.e., high-level security requirements) to mitigate the risk, leading to requirements for control measures. The selection of control measures may be guided by predefined security principles. These control measures are realized by any set of core elements, such as business process (e.g., a risk management process), application services (e.g., an authentication service) or nodes (e.g., a firewall).

ArchiMate mapping of risk concepts


Using one of the extension mechanisms as described in the ArchiMate standard, risk-related attributes can be assigned to these concepts. The Factor Analysis of Information Risk (FAIR) taxonomy, adopted by The Open Group, provides a good starting point for this.

Qualitative risk assessment

If sufficiently accurate estimates of the input values are available, quantitative risk analysis provides the most reliable basis for risk-based decision making. In practice, however, such estimates are often difficult to obtain. Therefore, FAIR proposes a risk assessment based on qualitative (ordinal) measures, e.g., threat capability ranging from ‘very low’ to ‘very high’, and risk ranging from ‘low’ to ‘critical’. The following picture shows how these values can be linked to elements in an ArchiMate model, and how they can be visualized in ‘heat maps’:

  • The level of vulnerability (Vuln) depends on the threat capability (TCap) and the control strength (CS). Applying control measures with a high control strength reduces the vulnerability level.

  • The loss event frequency (LEF) depends on both the threat event frequency (TEF) and the level of vulnerability. A higher vulnerability increases the probability that a threat event will trigger a loss event.

  • The level of risk is determined by the loss event frequency and the probable loss magnitude (PLM). 

Qualitative risk assessment


The example below shows a simple application of such an assessment. A vulnerability scan of the payment system of an insurance company has shown that the encryption level of transmitted payment data is low (e.g., due to an outdated version of the encryption protocol in use). This enables a man-in-the-middle attack, in which an attacker may modify the data to make unauthorized payments, e.g., by changing the receiving bank account. For a hacker with medium skills (medium threat capability) and no additional control measures, this leads to a very high vulnerability (according to the vulnerability matrix above). Assuming a low threat event frequency (e.g., on average one attempted attack per month), the loss event frequency matrix gives an expected loss event frequency that is also low. Finally, assuming a high probable loss magnitude, the resulting level of risk is high. As a preventive measure, a stronger encryption protocol may be applied. By modifying the parameters it can be shown that increasing the control strength to ‘high’ or ‘very high’ reduces the residual risk to medium. Further reduction of this risk would require other measures, e.g., measures to limit the probable loss magnitude.

Risk analysis example

By linking risk-related properties to ArchiMate concepts, risk analysis can be automated with the help of a modeling tool. In this way, it becomes easy to analyze the impact of changes in these values throughout the organization, as well as the effect of potential control measures to mitigate the risks. For example, the business impact of risks caused by vulnerabilities in IT systems or infrastructure can be visualized in a way that optimally supports security decisions made by managers.
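The following Python script is an added example, not code from the original post, from The Open Group, or from any ArchiMate modeling tool. It attaches the FAIR attributes described above (TCap, CS, TEF, PLM) to a model element, walks the three ordinal matrices (TCap × CS → Vuln, TEF × Vuln → LEF, LEF × PLM → Risk), renders a matrix as a text heat map, and runs the what-if analysis of the insurance payment example by re-assessing the scenario for every possible control strength. The three matrices are constructed for this example, since the post’s own heat maps are images that are not reproduced here; treating "no control measure" as a control strength of ‘very low’ and the field names of `RiskScenario` are likewise this example’s own assumptions.

```python
"""Qualitative (ordinal) FAIR-style risk assessment over model elements.

Added example; not code from the original post, from The Open Group, or from
any ArchiMate modeling tool. The three lookup matrices are CONSTRUCTED for
this example and should be replaced by the matrices your organization uses.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

# Ordinal scales: index 0 is the lowest level.
LEVELS: List[str] = ["very low", "low", "medium", "high", "very high"]
RISK_LEVELS: List[str] = ["low", "medium", "high", "critical"]

# Vulnerability (Vuln): rows = threat capability (TCap), columns = control
# strength (CS). Stronger controls push the vulnerability level down.
VULN_MATRIX = [
    ["medium",    "low",       "very low",  "very low", "very low"],
    ["high",      "medium",    "low",       "very low", "very low"],
    ["very high", "high",      "medium",    "low",      "very low"],
    ["very high", "very high", "high",      "medium",   "low"],
    ["very high", "very high", "very high", "high",     "medium"],
]
# Loss event frequency (LEF): rows = threat event frequency (TEF), columns = Vuln.
LEF_MATRIX = [
    ["very low", "very low", "very low", "very low",  "very low"],
    ["very low", "very low", "low",      "low",       "low"],
    ["very low", "low",      "low",      "medium",    "medium"],
    ["very low", "low",      "medium",   "high",      "high"],
    ["low",      "medium",   "high",     "very high", "very high"],
]
# Risk: rows = LEF, columns = probable loss magnitude (PLM); values from RISK_LEVELS.
RISK_MATRIX = [
    ["low",    "low",    "medium",   "medium",   "high"],
    ["low",    "medium", "medium",   "high",     "high"],
    ["medium", "medium", "high",     "high",     "critical"],
    ["medium", "high",   "high",     "critical", "critical"],
    ["high",   "high",   "critical", "critical", "critical"],
]


def _idx(level: str) -> int:
    """Map an ordinal label to its matrix index, rejecting unknown labels early."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def vulnerability(tcap: str, cs: str) -> str:
    return VULN_MATRIX[_idx(tcap)][_idx(cs)]


def loss_event_frequency(tef: str, vuln: str) -> str:
    return LEF_MATRIX[_idx(tef)][_idx(vuln)]


def risk_level(lef: str, plm: str) -> str:
    return RISK_MATRIX[_idx(lef)][_idx(plm)]


@dataclass(frozen=True)
class RiskScenario:
    """Risk attributes attached to a core element, the way the post's extension
    mechanism attaches them to an ArchiMate concept. Field names are this example's."""
    asset: str            # the core element at risk (e.g. a node)
    threat: str
    tcap: str             # threat capability
    tef: str              # threat event frequency
    plm: str              # probable loss magnitude
    cs: str = "very low"  # control strength; assumption: no control measure = very low


def assess(s: RiskScenario) -> Dict[str, str]:
    """Walk the three matrices: TCap x CS -> Vuln, TEF x Vuln -> LEF, LEF x PLM -> Risk."""
    vuln = vulnerability(s.tcap, s.cs)
    lef = loss_event_frequency(s.tef, vuln)
    return {"asset": s.asset, "vulnerability": vuln, "lef": lef,
            "risk": risk_level(lef, s.plm)}


def residual_risk_by_control_strength(s: RiskScenario) -> Dict[str, str]:
    """What-if analysis: residual risk for every control strength a measure could offer."""
    return {cs: assess(replace(s, cs=cs))["risk"] for cs in LEVELS}


def heat_map(matrix: List[List[str]], rows: str, cols: str) -> str:
    """Render a matrix as a plain-text heat map (rows and columns both use LEVELS)."""
    width = max(len(x) for x in LEVELS + [rows]) + 1
    lines = [rows.ljust(width) + "".join(c.ljust(width) for c in LEVELS) + f" <- {cols}"]
    for label, row in zip(LEVELS, matrix):
        lines.append(label.ljust(width) + "".join(v.ljust(width) for v in row))
    return "\n".join(lines)


# Constructed scenario mirroring the post's insurance payment example.
PAYMENT_MITM = RiskScenario(
    asset="Payment system",
    threat="man-in-the-middle modification of transmitted payment data",
    tcap="medium", tef="low", plm="high",
)

if __name__ == "__main__":
    print(heat_map(VULN_MATRIX, "TCap", "CS"))
    print(assess(PAYMENT_MITM))                        # risk: high
    print(residual_risk_by_control_strength(PAYMENT_MITM))  # medium from CS 'high' upwards
```

With the constructed matrices the baseline scenario comes out at risk ‘high’, and the what-if table shows the residual risk dropping to ‘medium’ only once the control strength reaches ‘high’, which is the conclusion the post draws for the stronger encryption protocol. Because the attributes live on the element rather than in a spreadsheet, the same `assess` call can be run over every element in a model export, which is the automation the paragraph above has in mind.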


Business model innovation: The fifth path

In the Harvard Business Review of July-August 2014, the article “Four paths of business model innovation” by Karan Girotra and Serguei Netessini was published. A very interesting read, especially for managers looking for a framework identifying opportunities to rethink their existing business model.

They describe business model innovation as: “At its simplest, it demands neither new technologies nor the creation of brand-new markets: It’s about delivering existing products that are produced by existing technologies to existing markets. And because it often involves changes invisible to the outside world, it can bring advantages that are hard to copy.”

Contrary to the visual, model based approach that is presented by Alexander Osterwalder’s Business Model Canvas, Girotra and Netessini present a set of questions to consider as a manager. According to them, a business model is “essentially a set of key decisions that collectively determine how a business earns its revenue, incurs its costs, and manages its risks. We view innovations to the model as changes to those decisions: what your offerings will be, when decisions are made, who makes them, and why. Successful changes along these dimensions improve the company’s combination of revenue, costs, and risks.”

In this post I will consider Girotra and Netessini’s framework in the context of the Business Model Canvas and discuss the value arising from the differences between these two approaches.

WHAT mix of products or services should you offer?

Business Model Canvas focus for product mix questions

The first question asked by Girotra and Netessini is about your offering. In terms of the business model canvas this focuses on the Value Proposition or the combination of multiple propositions you offer. The Key Resources and Customer Segments are also reviewed when answering this question and considering the options presented.

The authors suggest one should consider to “Focus narrowly” on a very small set of products and services. Your proposition is clear, you will have a strong focus, and since you will need a relatively stable revenue stream, product selection is key. The downside is that you are not fulfilling all customer needs and you will miss potential revenue from related items.

Secondly, the authors suggest to “Search for commonalities across products”. Reusing key resources in the different propositions you bring to the market increases your buying power, lowers risks and improves flexibility.

Thirdly, a “Hedged Portfolio” is an option to consider. Aiming at different markets and/or delivering alternative propositions makes you less vulnerable to fluctuations in demand. You lower the risks in your business model.

WHEN should you make your key decisions?

Business Model Canvas focus for key decision timing

The second question asked by Girotra and Netessini is about timing. Entrepreneurs are used to taking decisions when not all information is available or clear. This brings risks to the table. Time is not an aspect made explicit in the Business Model Canvas. The aspects discussed under the WHEN questions are mainly related to revenue and costs.

The authors present a series of options. You might be able to “postpone decisions”. E.g. dynamic pricing based on real-time demand information is an important chance to optimize revenue streams. Combining historical customer data, profiling customers and applying predictive analytics is opening new opportunities.

Another option you might want to consider is to “change the order of your decisions”. Is it really necessary that costs come ahead of revenue? Are there opportunities to move fixed costs towards variable costs, lowering capex and risk? If you choose to make your cost structure flexible, the ability to rapidly adapt to changing demand is the challenge you face here: are you able to scale up in time if demand is rising?

By “splitting up key decisions” you move away from a single all-or-nothing decision. In line with the Lean start-up movement, Girotra and Netessini see the upside of pivoting. A step-by-step implementation approach is very helpful in understanding and adjusting your business model quickly.

WHO are the best decision makers?

Business Model Canvas focus for value networks

The third question asked by Girotra and Netessini is about people. Both inside your organization and in the network with customers and suppliers lie opportunities to improve the speed and quality of decision making. Although cost and revenue are important to take into account, the focus here is on Key Partners, Key Activities and Key Resources.

The authors present a series of options regarding decision makers. The first thing to consider is the option to “appoint a better informed decision maker”. Inside your organization you are advised to move decision making to the lowest level possible, where employees are closer to primary business activities. Employee empowerment, going back to sociotechnical systems theory, already gave directions for implementing this. But even outsourcing decisions to outside the company, where suppliers monitor and adjust the stocks of their customers, is an option for some. Here, new possibilities arise from well implemented (Big) Data Management and, again, predictive analytics.

Can you “pass the decision risk to the party that can best manage the consequences”? For instance, can you move inventory costs and risks to your suppliers? In these cases, you need to be able to integrate incentives (see third point under WHY).

An aspect that I found hard to understand is the suggested option to “select the decision maker with the most to gain”. The authors use an example of a value proposition that has proven to be a hard sell. In those cases the seller can consider lowering the buyer’s risk of stepping in. Maybe you can share the created advantage with the customer (no cure, no pay) instead of asking a fixed price? This seems to be stating the obvious, and the example is more about pricing than about decision maker selection.

WHY do key decision makers choose as they do?

Business Model Canvas focus for key decision making

The fourth question asked by Girotra and Netessini seems to be about the ultimate goal and vision, but it’s not. In this part of the framework, the focus is on the composition of the Value Proposition and the Revenue Streams and, again, timing is important.

The authors present a series of options. Can you “change the revenue stream”? Instead of buying or selling a product, you consider what is important for you or your customer to do with the product. You charge for the time the product is used instead of charging for the product itself. This brings opportunities to align incentives in the value network.

By “synchronizing the time horizons” the downsides of traditional competitive bidding rituals can be overcome. Competitive bidding typically gives you a low price and moderate quality; if you are in the game for a longer relationship, synchronizing timeframes is a great opportunity. Girotra and Netessini describe how intermediaries can add value here.

Finally, “integrating incentives” for all actors in a value network will benefit the outcome for the consumer. In the recent US health reform, all parties involved in a patient’s treatment agreed to measure performance according to the outcome for the patient. From my own practice, a large telecom provider rewarded its main IT provider on the basis of its own customer satisfaction. No more fines and discussions, but a true partnership!

The focus on risk and time creates a valuable approach

Although one can apply the business model canvas to a network, Girotra and Netessini have a stronger focus on the value network. This helps business managers, innovators and business architects to consider the forces in the network and design a better model for the value chain as a whole and/or the individual business as a part of the network. Risk is a prominent factor in the approach presented by Girotra and Netessini and the process of developing, evolving and implementing the model is a key aspect in the four questions asked. Time is explicitly mentioned in the proposed approach, which is not taken into account in Osterwalder’s business model canvas.

On the other hand, Girotra and Netessini state that their four paths are about existing products, markets and technologies, but in some of their examples new technologies (e.g. dynamic pricing tools for airlines and the Objective Logistics solution making a difference in a Boston restaurant) play a crucial role in fully benefiting from the innovation. The four paths are oriented towards optimizing business models, rather than designing a completely new business model.

If you are starting from scratch or you are in pursuit of a disruptive change, the questions that are presented in the Harvard Business Review article will not really help you. But during a creative phase supported with the business model canvas, and before implementing the newly designed model, the proposed questions will be very beneficial to optimizing your model.

The fifth path: Channels and Relations

Girotra and Netessini do not discuss the opportunities arising from innovation in Customer Relations and Channels. This can lead to missing business model innovation opportunities from these particular angles. I suggest adding a fifth path of business model innovation to their approach, with three aspects to consider. With the “open question starters” What, When, Who and Why already addressed, HOW is the logical first word in this suggested add-on:

HOW can we reach and involve customers in our value network?

  • Change and add channels in the different stages of customer interaction;

  • Describe the relations you want with your customer segments;

  • Look at service and interaction as a competitive edge.

In following blog posts I will elaborate on these questions and the considerations arising from them.


Is Low Hanging Fruit Good for You?

Starting a business architecture practice is definitely hard work, but building a sustainable practice is even harder. The data I am seeing is that 60% of business architecture initiatives are failing. The biggest challenge in moving from startup to sustainable practice is that the enablers for starting and propelling a startup forward are not the […]

When does EA start to care about sociocultural influences?

Organizations do not work, in real life, like they work on paper.  On paper, there are departments (all shaped like a neat rectangle) and business processes with neat inflows and outflows of responsibility and information.  On paper, you improve things by modeling things on paper, and then moving things around, on paper, then teaching people to follow the process that your neat paper diagrams represent.

In real life, there are human beings and the tools that they use.  Sometimes the tools move information from one person to another.  Sometimes, they just aid in communication.  People meet and get to know other people, and they learn to trust some, and distrust others.  Some folks have different measures and motivations and just “pass by” one another.  Some subset of these people will have shared cultural values and expectations.  There may be many cultures in an organization: both because the organization is in multiple places, and because people from multiple places join an organization.  Also, “business culture” arises as leaders achieve successes and people learn to use certain “cultural expectations” to get things done efficiently. 

Reality is a lot messier than pretty rectangles. 

Enterprise Architects apply science and engineering and aesthetics to the challenge of organizational change. We are unique in that most other “change artists” are not focused on engineering and some even ignore science (see Daniel Pink’s TED Talk on the Surprising Science of Motivation). Few even know how to spell aesthetics. Yet, when you are dealing with systems that contain and include people, you have to use aesthetics, and you are ill prepared for success if you ignore science. Engineering is a mindset as much as a class of methods. It involves applying the things that science has discovered and using that understanding to build great (and sometimes terrible) things. Engineers build on ideas and use them, often experimenting on systems that are too complex and intertwined for “pure science” to get its arms around.

As Enterprise Architecture is such a young science, we have relied too heavily on the “boxes and lines” model of enterprises, and not enough on the messy but important sociocultural view of an enterprise. We find it easier to document, and model, and even simulate, processes as though people were interchangeable and their relationships didn’t matter.

That is just lazy.

It is time to get up off our collective butts and start working out ways to understand sociocultural influences, relationships, and architectures. We have to build ways to detect, measure, and consider these structures when we measure capabilities, or improve processes, or suggest automations, or evaluate business models, or any of the two dozen things that EAs do.

The value of EA often comes to an executive in the form of a reasoned opinion that is based on data that no one else is looking at.  Let’s consider the possibility that examining sociocultural influences can provide interesting opinions that an executive will find valuable.

We should consider sociocultural information if:

  1. Sociocultural influencers can impact the speed of change in an organization.
  2. Sociocultural connections can impact the decision making and governance processes.
  3. Sociocultural strengths would allow rapid improvement in business capabilities needed for a shift in strategy.
  4. Sociocultural blind spots would prevent an organization from recognizing an existential threat.

Think about it. Do you believe that any of those statements are false? I can find ample examples for each one. So if sociocultural interactions matter, why are we not tracking them, learning from them, and using them to make decisions?

It’s only hard because we haven’t tried.

(This post was inspired by the many similar pleas shared by J.D. Beckingham on social media.)

Q&A with Marshall Van Alstyne, Professor, Boston University School of Management and Research Scientist MIT Center for Digital Business

By The Open Group. The word “platform” has become a nearly ubiquitous term in the tech and business worlds these days. From “Platform as a Service” (PaaS) to IDC’s Third Platform to The Open Group Open Platform 3.0™ Forum, the …
