Risk Architecture with SABSA Domain Framework

Everything we do has an upside and downside. Risk architecture tells us to minimize the uncertainty of reaching our objectives.

SABSA Domain models simplify your stakeholders' decision making and ensure good architecture governance. Each domain shares a risk appetite and decision authority. It clarifies who expects benefits and owns the downside.

SABSA Domain models simplify risk architecture for all enterprise architects.

Risk Architecture

Risk. Downside. Benefit. Uncertainty.

Risk Architecture uses these words, without meaning threat. Risk management is about managing uncertainty. It is about getting the upside you want within your expected possibility of a downside.

Everything we do in business carries an upside and a downside. Our activity has expected upsides and anticipated downsides. This is risk. Risk is the effect of uncertainty on meeting your objective.

Risk architecture is all about ensuring your risk stays within your risk appetite. Enterprise risk management is about managing the uncertainty that you will reach an objective.

Enterprise Architect and Risk

Enterprise architects have a significant role in managing risk. We develop an enterprise architecture to improve our organization. We expect an upside. However, there is the possibility of downside. As good architects, we need to reduce the uncertainty of reaching the improvement objective.

Enterprise architects are accountable for including risk and security in everything they do. Good enterprise architects will use established practices like SABSA's Domain models to improve their enterprise architecture.

Security Architect and Risk

Security architects and Information Security Teams are too often cast as the department of no. One reason is poor risk management. They see themselves as protectors, working to eliminate downside. The only way to eliminate downside is to eliminate the possibility of the upside. From an Enterprise Risk Management standpoint, even that protection is impossible: while we can eliminate direct downside, indirect downsides remain.

Security architects are the specialists who have a critical role in developing an enterprise risk architecture, or security architecture. Security architects will work across all architecture domains with business architects, IT architects, and every domain architect.

Security architecture is a cross-cutting concern. It is the only architecture domain that requires the other domains.


Risk Architecture using SABSA Domain Model

SABSA Domain Framework helps you isolate risks and decision makers

The most common problem when exploring risk is the separation of benefit recipient and downside owner. A simple example is gambling when someone else will cover the loss. Odds of a billion to one look good when someone else will pay the loss. The other extreme is when someone else will gain the benefit. Even a 500% sure-thing looks like a bad idea when you have to pay the stake and someone else earns the rewards.

SABSA Domains support the risk architecture by simplifying reality. Organizations are complex environments. Multiple levels, business units, geographies and roles co-exist. Each part has a complex web of interactions and inter-dependencies.

SABSA Domain models define and visualise the risk ownership, governance and policy structures. We have noticed that architects either immediately grasp that Domains are a flexible logical construct or try to map them to a rigid structure. SABSA Domains are logical constructs.

Formally, a SABSA Domain is 'a set of elements, area of knowledge or activity, subject to the common dominion of a single accountable authority.' In less formal terms, a domain is a part of an organization. As a logical construct, you can draw the domain boundaries around anything.

We have created SABSA Domain models based on:

  • Nations, jurisdictions, departments, teams, etc…
  • Services, functions, processes, technology, etc…
  • Products, business partners, etc…

When building a SABSA Domain model, identify the source of confusion and start building clear boundaries. Ensure that everything inside a Domain shares common trust, policy, and risk appetite. Whenever these things change, you need a new Domain. Ensure you keep the core of the model constant. If you are building a model based on processes, stay with processes. Don't drift from process, to department, to product.

Keep in mind that all Domains have relationships. They are part of something larger, can be broken into something smaller, and have peers. Whenever a Domain is broken into sub-domains, it delegates risk appetite or performance targets to the specialist domain.

Every Domain is a point of decision authority. That authority controls the Domain's trust, policy, and risk appetite.
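One way to check a Domain model against the rules above, as an added example that is not part of the original article or of SABSA itself. The single numeric risk appetite, the rule that a sub-domain may not hold more appetite than its parent delegates, and every name in the sample model are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    basis: str            # what the boundary is drawn around: "process", "department", ...
    authority: str        # the single accountable authority
    risk_appetite: float  # assumption: appetite as one number (tolerated annual loss)
    elements: dict = field(default_factory=dict)    # element -> appetite it operates under
    subdomains: list = field(default_factory=list)

def check_model(domain, parent=None, root_basis=None):
    """Walk the Domain tree and return a list of findings (empty if consistent)."""
    root_basis = root_basis or domain.basis
    findings = []
    if not domain.authority.strip():
        findings.append(f"{domain.name}: no single accountable authority")
    if domain.basis != root_basis:
        findings.append(f"{domain.name}: basis drifted from {root_basis} to {domain.basis}")
    # Assumption: delegated appetite cannot exceed what the parent itself holds.
    if parent is not None and domain.risk_appetite > parent.risk_appetite:
        findings.append(f"{domain.name}: appetite exceeds what {parent.name} can delegate")
    # Everything inside a Domain shares one appetite; a differing element needs a new Domain.
    for element, appetite in domain.elements.items():
        if appetite != domain.risk_appetite:
            findings.append(f"{domain.name}: {element} has a different appetite, needs its own Domain")
    for sub in domain.subdomains:
        findings += check_model(sub, domain, root_basis)
    return findings

def sample_model():
    # Constructed sample: a process-based model with deliberate defects.
    payments = Domain("Payments", "process", "Head of Treasury", 50_000,
                      elements={"card-gateway": 50_000, "crypto-pilot": 200_000})
    invoicing = Domain("Invoicing", "process", "", 20_000)
    finance = Domain("Finance Dept", "department", "CFO", 150_000)
    return Domain("Order to Cash", "process", "COO", 100_000,
                  subdomains=[payments, invoicing, finance])

if __name__ == "__main__":
    for finding in check_model(sample_model()):
        print(finding)
```
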

SABSA Domain Model

Enterprise Risk Management with SABSA Domain

Direct and Indirect Benefits and Downsides

With a SABSA Domain model and a risk architecture, you enable Enterprise Risk Management. Risk Management is about benefit and downside. It is about ensuring that you pursue upside with an appropriate possibility of downside, and that you do not have excessive uncertainty.

In a simple example, all upside, downside, and uncertainty are tied to a decision or action. The real world has complex direct and indirect effects. Launching a product has upside potential. It can also be an expensive failure. The simple example ties upside and downside to the launch. Consider competitive activity. Consider the brand consequence of failing to launch, or the liability risks of a poor product design and implementation.

The possibilities explode into what-ifs, usually expressed in terms of downside. Every SABSA Domain has performance targets delegated to it. Performance targets are the outcome we expect the Domain to deliver. SABSA Business Attributes Profiles provide one way of expressing performance targets. Ensure the basis of your Domain model has appropriate performance targets.

With the performance targets and risk appetite, you can ensure changes, choices, and new actions are aligned. You ease enterprise risk management.

SABSA Domains and Enterprise Architecture Governance

We use SABSA Domain models to simplify enterprise architecture governance. Every domain is a point of decision authority. The domain is expected to deliver its performance targets within a risk appetite. Within the Domain, policy, or decision, will be constant.

Since we started using SABSA, we cannot envision any other way to structure enterprise architecture governance or build the foundation of a risk architecture.

Risk architecture with direct & indirect benefit & downside

We often start with Open FAIR™ to help with the analysis of our risk architecture.

Enterprise Risk Management

Improve your Risk Architecture with SABSA Domain Models

Enterprise architects support their stakeholders' decision making and change. Improve your ability.

To build strong risk architecture and Domain models, you need solid listening and analysis skills.

Specialized guidance for improving Risk Architecture by integrating SABSA with the best practice TOGAF Standard.

Develop your skills with SABSA to have a complete picture of the SABSA Domain Model.

Demonstrated Risk Architecture & Enterprise Architecture Case Study

Remove uncertainty that you will meet objectives. When the level of uncertainty is lower than your risk appetite, you are risk managed.
