Risk Management

Any business transformation or architecture effort involves a degree of risk. The key is to determine, classify and reduce risks as much as possible before starting, so that the risks identified can be tracked for the duration of the transformation process.

Levels of risk

TOGAF identifies two levels of risk:

  1. Initial Level of Risk
  2. Residual Level of Risk

Initial Level of Risk

The Initial Level of Risk is where any risks are categorised prior to determining and implementing mitigating actions.

Residual Level of Risk

The Residual Level of Risk is where any risks are categorised after the implementation of mitigating actions.

The Risk Management Process

The Risk Management Process comprises the following steps:

  1. Risk classification
  2. Risk identification
  3. Initial risk assessment
  4. Risk mitigation and residual risk assessment
  5. Risk monitoring

Risk Identification

During Phase A (the Architecture Vision Phase), any risks are identified as part of the initial Business Transformation Readiness Assessment.

In Phase G (the Implementation Governance Phase), a Risk Identification Worksheet is maintained as a governance artifact; an example of a Risk Identification Worksheet is shown below (courtesy of opengroup.org).

Risk Identification Worksheet

When maintaining the Risk Identification Worksheet table, ensure that ‘Unlikely’ and ‘Likely’ pertain to the probability of risk and not the frequency of risk.

Risk Mitigation Assessment

In Phase G (the Implementation Governance Phase), a Risk Mitigation Assessment worksheet is maintained as a governance artifact. Phase G is also where risk monitoring is conducted. The purpose of Risk Mitigation is to identify, plan and conduct specific actions which will limit any risks to an acceptable level.