
Enabling Post-Digital Transformation Agile Enterprise Risk Management: the Roles of Architecture, the Cloud and Agile/DevOps

If you intend to effectuate a Digital Transformation (and you probably should), you need to define your target Enterprise and Business Architectures, model and document them and then plan how you will transition your business to implement them.  As part of that journey, you should plan to adopt an Agile Enterprise Risk Management (AERM) approach, which links your risk register and your EA and BA models.  If you fail to adopt AERM, your risk management capabilities may fall behind your evolving company’s needs and needlessly expose you to unplanned-for, unmitigated risks.

Architecture, the Cloud and Agile/DevOps

Your Enterprise and Business Architectures must be designed around delivering digital products and services, in addition to your traditional ones.  The architectures you implement must be driven by your business strategy and address products and services, value streams, capabilities and enablers—people, processes, technology, information repositories and physical assets.

Your Technical Architecture must provide for two different sets of requirements—one driven by user interactions and the other driven by application transactions.  Jeanne Ross, in Designed for Digital, refers to these as the Digital Platform and the Operational Backbone, respectively.  Both are best implemented on a Cloud infrastructure, both need to interoperate reliably and both should communicate via REST API standards. 

Cloud infrastructure provides significant capabilities that can be exploited by both the Operational Backbone and the Digital Platform.  Elasticity is an important feature of Cloud.  It provides options for rapid expansion or contraction of capacity, throughput and processing power, makes it easy to distribute or create redundant and parallel processing options and provides a rich set of services for routing and managing transactional volumes, including a variety of routers, load balancers and API gateways. 

These capabilities have advantages for the Digital Platform, as well.  They provide simple options for creating parallel implementation spaces, which work quite well in conjunction with Agile/DevOps development.  For instance, A/B testing involves creating different versions of a service and then routing users to one or the other to see which performs better based on user preference.  Cloud infrastructure’s elastic and dynamic routing capabilities make such tests much easier and cheaper to implement and operate.  When the test is complete, one of the redundant environments can be discarded and the cost to operate it terminated.

So, Cloud infrastructures and DevOps are among the current technological developments that enable rapid change to Enterprise and Business architectures.  When they are exercised to their maximum potential, they can create management challenges that test companies’ ability to control their risks.

Risk Management in the Transformed Realm

A thorough Risk Assessment and management plan depends on your ability to trace the chain of dependencies from targeted Market Segments to the Products and Services you offer to the Value Streams in which they’re produced to the Capabilities on which those depend to the Enablers that are exercised to produce the desired output from them. 

Common models for classifying risks involve the likelihood they’ll occur and their impact if they do; however, context is critical for discerning how important individual risks may be.  A flat tire when you’re running errands over a weekend is an annoyance; one when you’re on your way to an important business meeting may be a disaster.  If a new product line that is just being introduced underperforms its sales projections, that may be taken in stride; if the same thing happens to an anchor product, it can be catastrophic.  An asteroid hitting the earth has a vanishingly small likelihood of occurring but a monumental impact (sorry for the pun).

Your architecture models depict the chains of dependencies that make it possible to deliver value to your customers.  You may well have built redundancy into your architecture to allow you to work around a failed element, such as a plant that gets hit by a hurricane or a supplier that goes out of business.  What companies often miss is what happens when changes are made.  A non-critical element in one chain may be a critical element in another when it is shared, for example. 

If a contemplated change alters the risk profile of an element, it can impact the risk profile of all of the chains of which it is a part.  The proverb “For Want of a Nail” describes the loss of a nation resulting from cascading events traceable back to a nail falling out of a horseshoe.  Dependency chains, such as those that drive your company’s value propositions, are likely sources of such cascading events.

Disciplined Transformation requires that you identify and trace all of the changes required to your architecture to accomplish a transition from state to state.  AERM depends upon your identifying how those changes create new risks or affect existing ones.  Dependence on shared entities creates correlated risks that are often overlooked because they are not easily identified.  Obviously, if you have no architecture models at all, then such linkages and dependencies are even more likely to be missed.
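The tracing described above can be made concrete with a small dependency graph.  The following Python is an added example, not the author's model (which is deferred to a future post); the element names and the `seg:`/`prod:`/`vs:`/`cap:`/`en:` prefixes are constructed for illustration.  It lists every chain a changed element sits in and flags elements shared across market segments, which is where correlated risk hides.

```python
from collections import defaultdict

# Constructed sample model: each entry reads "X depends on Y", following the
# chain in the text: market segment -> product -> value stream -> capability -> enabler.
DEPENDS_ON = {
    "seg:retail": ["prod:mobile-app"],
    "seg:wholesale": ["prod:b2b-portal"],
    "prod:mobile-app": ["vs:order-to-cash"],
    "prod:b2b-portal": ["vs:bulk-fulfilment"],
    "vs:order-to-cash": ["cap:payments", "cap:identity"],
    "vs:bulk-fulfilment": ["cap:invoicing", "cap:identity"],
    "cap:payments": ["en:payment-gateway"],
    "cap:invoicing": ["en:erp"],
    "cap:identity": ["en:auth-service"],
}

def chains(node, graph=DEPENDS_ON):
    """Return every dependency chain from node down to a leaf element."""
    children = graph.get(node, [])
    if not children:
        return [[node]]
    return [[node] + rest for c in children for rest in chains(c, graph)]

def all_chains(graph=DEPENDS_ON):
    """Chains starting at every root (an element nothing else depends on)."""
    referenced = {c for kids in graph.values() for c in kids}
    roots = [n for n in graph if n not in referenced]
    return [c for r in roots for c in chains(r, graph)]

def impacted_by(element, graph=DEPENDS_ON):
    """Chains whose risk profile needs re-assessment if element changes."""
    return [c for c in all_chains(graph) if element in c]

def shared_elements(graph=DEPENDS_ON):
    """Elements that appear in chains serving more than one root segment."""
    served = defaultdict(set)
    for chain in all_chains(graph):
        for node in chain[1:]:
            served[node].add(chain[0])
    return {n: sorted(s) for n, s in served.items() if len(s) > 1}

if __name__ == "__main__":
    for chain in impacted_by("en:auth-service"):
        print(" -> ".join(chain))
    print(shared_elements())
```

In this constructed model a change to `en:auth-service` touches both market segments, while a change to `en:erp` touches only one, even though both are leaf enablers at the same layer.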

I believe that risk measures must account for inherent or organic risk in each entity in your EA and BA models and must also account for interactions among them.  These include transference or reinforcement and contingent or cascading risks resulting from dependencies. 

In a future post, I will present a model that can help to identify such nuances and enable you to address them appropriately.