TL;DR
Risk management becomes more concrete in Phase E because solution building blocks, work packages, and implementation choices are now being shaped. The goal is to maximize business benefit and minimize business loss by identifying, assessing, mitigating, reassessing, and governing risks.
Why risk becomes visible in Phase E
Earlier ADM phases identify concerns, readiness issues, and high-level risks.
In Phase E, the architecture starts moving toward concrete solutions and implementation planning. At this point, risks become easier to see because the work packages, solution options, dependencies, and delivery choices are more explicit.
Every business transformation effort has risk.
Basic risk terms
| Term | Meaning |
|---|---|
| Risk | The effect of uncertainty on objectives |
| Uncertainty | A deviation from what is expected, positive or negative |
| Probability or frequency | How likely the risk is to occur |
| Effect or impact | What happens if the risk occurs |
| Risk trigger | The event or condition that causes the risk to materialize |
A risk is uncertain. It is not a guaranteed event. It has a likelihood of occurring and an effect if it occurs.
Risk triggers
Risk triggers may come from inside or outside the transformation scope.
| Trigger source | Examples |
|---|---|
| Inside the transformation | delivery dependencies, skills gaps, technical complexity, scope change, stakeholder acceptance |
| Outside the transformation | other projects, legal changes, natural disasters, geopolitical instability, market changes |
Internal triggers are usually easier to identify because they are closer to the transformation work.
External triggers often require broader scanning and governance attention.
Risk management process
Risk management identifies and assesses potential positive or negative events at strategic, tactical, and operational levels.
```mermaid
flowchart LR
    I["Identify risks"] --> C["Classify risks"]
    C --> A["Initial risk assessment"]
    A --> M["Define mitigation actions"]
    M --> R["Residual risk assessment"]
    R --> G["Monitor and govern"]
```
The practical aim is to reduce:
- probability or frequency of occurrence
- effect or damage if the risk occurs
Initial vs residual risk
Risk management distinguishes between two levels.
| Risk level | Meaning |
|---|---|
| Initial risk | Risk categorization before mitigation actions are defined and implemented |
| Residual risk | Risk categorization after mitigation actions are implemented |
Mitigation should move unacceptable risks toward an acceptable residual level.
For example:
- reduce the effect from critical to negligible
- reduce the frequency from likely to unlikely
- combine both approaches where needed
Risk categories
Risks are often classified first by their impact on:
- time
- cost
- scope
Other useful risk categories include:
- client transformation risks
- relationship risks
- contractual risks
- technological risks
- scope and complexity risks
- environmental or corporate risks
- personnel risks
- client acceptance risks
The categories should fit the architecture engagement and the organization.
Business risk and cyber risk
TOGAF's discussion of risk uses risk concepts from SABSA.
Risk can be seen at any level of the enterprise architecture, but it is driven top-down from business value and its optimization.
| Risk type | Focus |
|---|---|
| Business risk | Risks in business architecture: value chains, capabilities, processes, business services |
| Cyber risk | Risks in the underlying IT: applications, infrastructure, platforms, and technical components |
Business risk and cyber risk should connect. Cyber risks matter because they threaten business value, service continuity, compliance, or transformation outcomes.
Positive and negative risk
Risk is usually associated with negative events, but risk can also involve positive outcomes.
For example, a new technology may create:
- opportunity for new business capability
- efficiency gain
- new service model
- innovation advantage
The enterprise architect’s role is to help create an operational environment where risks are optimized for maximum business benefit and minimum business loss.
Risk assessment
Risk assessment classifies transformation risk using:
- effect: impact on the organization
- frequency: likelihood during the transformation

Effect levels:
| Effect | Meaning |
|---|---|
| Catastrophic | Severe effect, potentially threatening the organization or transformation viability |
| Critical | Significant effect on important goals or parts of the transformation |
| Marginal | Noticeable effect that may threaten some goals |
| Negligible | Minimal effect, often limited to one line of business or a small area |
Frequency levels:
| Frequency | Meaning |
|---|---|
| Frequent | Expected to occur often |
| Likely | Expected to occur |
| Occasional | May occur sometimes |
| Seldom | Possible, but uncommon |
| Unlikely | Not expected in normal conditions |
Risk classification labels
TOGAF-style risk classification often uses four labels.
| Label | Meaning |
|---|---|
| E: Extremely high | Transformation effort is likely to fail with severe consequences |
| H: High | Significant failure of parts of the transformation; some goals may not be achieved |
| M: Moderate | Noticeable failure of parts of the transformation; some goals are threatened |
| L: Low | Some goals may not be fully successful |
High-effect and high-frequency risks tend to sit in the high-risk area. Low-effect and low-frequency risks tend to sit in the low-risk area.
Mitigation tries to move risks from E/H toward M/L by reducing effect, frequency, or both.
ADM usage
Risk management continues across later ADM phases.
| ADM phase | Risk management focus |
|---|---|
| Phase E: Opportunities and Solutions | Identify, classify, and mitigate risks associated with the planned transformation |
| Phase F: Migration Planning | Validate remaining risks, assign risks and mitigation actions to projects, and accept residual risk when concluding the Implementation and Migration Plan |
| Phase G: Implementation Governance | Maintain Risk Identification and Mitigation Assessment worksheets as governance artifacts; monitor risks and mitigation actions |
| Phase H: Architecture Change Management | Manage risks associated with the enterprise architecture capability and decide whether change requires a new ADM cycle |
In Phase G, critical risks that are not being mitigated may require a full or partial ADM cycle.
Risk worksheets
Use Risk Identification and Mitigation Assessment worksheets to capture:
- identified risks
- risk category
- trigger
- effect
- frequency
- initial risk level
- mitigation action
- owner
- residual risk level
- monitoring status
These worksheets become governance artifacts and should stay current during implementation.
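The effect/frequency classification and the worksheet fields above can be kept as data and checked mechanically. The following Python sketch is an added example, not part of the TOGAF material: it classifies initial and residual risk for each worksheet entry and lists the entries whose residual level is still E or H. The matrix cells, the escalation threshold, and the three worksheet entries are assumptions constructed for illustration; the page states only the general tendency of the matrix.

```python
from dataclasses import dataclass
from typing import Optional

FREQUENCIES = ["Frequent", "Likely", "Occasional", "Seldom", "Unlikely"]
# Assumed matrix: one row per effect, one letter per frequency column,
# in the order of FREQUENCIES. Adjust the cells to your organization's scheme.
MATRIX = {
    "Catastrophic": "EEHHM",
    "Critical":     "EHHML",
    "Marginal":     "HMMLL",
    "Negligible":   "MLLLL",
}

def classify(effect, frequency):
    # Map an (effect, frequency) pair to a label: E, H, M or L.
    if effect not in MATRIX or frequency not in FREQUENCIES:
        raise ValueError(f"unknown level: {effect!r}, {frequency!r}")
    return MATRIX[effect][FREQUENCIES.index(frequency)]

@dataclass
class Risk:
    name: str
    category: str
    trigger: str
    owner: str
    initial: tuple                    # (effect, frequency) before mitigation
    mitigation: str = ""
    residual: Optional[tuple] = None  # (effect, frequency) after mitigation

    def initial_level(self):
        return classify(*self.initial)

    def residual_level(self):
        # With no mitigation implemented, residual risk equals initial risk.
        return classify(*(self.residual or self.initial))

def needs_escalation(worksheet):
    # Entries still at E or H after mitigation (threshold is an assumption).
    return [r.name for r in worksheet if r.residual_level() in ("E", "H")]

# Constructed sample worksheet
WORKSHEET = [
    Risk("SSO outage during directory cutover", "technological",
         "legacy directory cutover", "IAM lead", ("Critical", "Likely"),
         "staged cutover with rollback", ("Marginal", "Seldom")),
    Risk("Vendor contract lapses mid-delivery", "contractual",
         "renewal deadline", "Procurement", ("Critical", "Occasional")),
    Risk("Skills gap on new platform", "personnel", "team onboarding",
         "Delivery manager", ("Marginal", "Frequent"),
         "training plan", ("Marginal", "Occasional")),
]
```

Running `needs_escalation(WORKSHEET)` during Phase G reviews surfaces entries where mitigation is missing or has not lowered the level enough.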
Exam note
- Risk is the effect of uncertainty on objectives.
- Risk can be positive or negative.
- A risk has probability/frequency and effect/impact.
- Initial risk is assessed before mitigation; residual risk is assessed after mitigation.
- Risk management aims to maximize business benefit and minimize business loss.
- Phase E identifies, classifies, and mitigates transformation risks.
- Phase F validates and accepts residual risks.
- Phase G monitors risk and mitigation actions as part of implementation governance.
- Phase H manages risks to the enterprise architecture capability.