RiskTech Forum

The Art Of War And How It Applies To Enterprise Architecture-backed Risk Management

Posted: 28 February 2013

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

This quote comes from a translation of the Art of War by Sun Tzu, written in China in what is estimated to be 512 BC. It could seem farfetched to assert that this ancient quote is appropriate in today’s business environment, but it is actually a good metaphor for the challenges and rewards of enterprise architecture (EA)-backed risk management.

To adapt it to the business context, let’s pacify and update the quote by removing battles and enemies: battles will be business challenges and enemies will be risks threatening the success of your operations. Simply put, Sun Tzu posits that knowing your risks is not enough to ensure your success. Knowledge of the processes that may create the risks is also crucial for success. Incidentally, considering risks in a vacuum is also only half a solution.

Obviously, the “succumb in every battle” outcome brought about by ignorance of both the processes and the risks needs no further explanation. It is the “every victory for a defeat” outcome that deserves particular attention. Let’s take a hypothetical situation where you consider only your risks, with no concern for the business processes. Paying attention to the risks will allow you to put controls in place and thus limit the risks, but doing so without considering how the risks affect your processes, or which processes may have created the risks, is inefficient. Some risks are more important than others because they affect key business processes. Without a mapping of your risks alongside your processes, you would have to treat every risk as if it were critical. This obviously means spending more resources than needed in managing the risks and, to follow the metaphor, not having as many soldiers as you should for the next battle.

How to win a hundred battles then? Mastering your processes is the first step: mapping them and establishing objectives, threats, controls, procedures, etc. Building and drawing your company’s architecture, the road map that will lead you to your objectives, is the stepping stone. Business blueprints, creating a common understanding of the organization, and recognizing strategic and tactical business demands will give you the ability to monitor and upgrade performance. That is what enterprise architecture is. The second step would be to add the risks to this blueprint, this conceptual construct. Because your process is real and not just a concept, there are risks that could jeopardize it. Once more, awareness, control, and planning will do the trick, curbing the potential impact or the probability that your process will be derailed. You could even go one step further and integrate all the factors that may influence performance and strategy: competitors, technology, supply chain, regulations, etc. You’d be beyond enterprise architecture and into business architecture.

By combining EA and risk management, you face the real threats to your objectives with the appropriate answer: knowledge of what you have and what you want, and awareness of the threats. You are equipped for battle. Furthermore, EA and risk management will feed each other. Better EA means more appropriate risk management (because the risks will be better identified in context), and better risk management will give you tools to drive performance.