Any business transformation or architecture effort involves a degree of risk. The key is to determine, classify and reduce risks as much as possible before starting, so that the risks identified can be tracked for the duration of the transformation process.
Levels of risk
TOGAF identifies two levels of risk:
- Initial Level of Risk
- Residual Level of Risk
Initial Level of Risk
The Initial Level of Risk is where any risks are categorised prior to determining and implementing mitigating actions.
Residual Level of Risk
The Residual Level of Risk is where any risks are categorised after the implementation of mitigating actions.
The Risk Management Process
The Risk Management Process comprises the following steps:
- Risk classification
- Risk identification
- Initial risk assessment
- Risk mitigation and residual risk assessment
- Risk monitoring
During Phase A, the Architecture Vision Phase, any risks are identified as part of the initial Business Transformation Readiness Assessment.
In Phase G, the Implementation Governance Phase, a Risk Identification Worksheet is maintained as a governance artifact; an example of a Risk Identification Worksheet is shown below (courtesy of opengroup.org).
When maintaining the Risk Identification Worksheet table, ensure that ‘Unlikely’ and ‘Likely’ pertain to the probability of risk and not the frequency of risk.
Risk Mitigation Assessment
In Phase G (the Implementation Governance Phase) a Risk Mitigation Assessment worksheet is maintained as a governance artifact. Phase G is also where risk monitoring is conducted. The purpose of Risk Mitigation is to identify, plan and conduct specific actions that will limit any risks to an acceptable level.